software update failed

Hello

We have two update managers and both are reporting as Software update failed. I only noticed today but it seems to be there for a few weeks. When I check the log viewer it gives the following:

06/02/2020 16:22:28 Error Sophos Update Manager failed to update from product release 'Payload-SDDM' with version 84.18 as the installer returned an error: 1603

In the %windir%temp% I find the following error messages in the MSI logs:

Property(S): IS_NET_API_LOGON_USERNAME_TOKEN = SophosUpdateMgr
Property(S): InstallShieldTempProp = 0
MSI (s) (68:E8) [15:24:09:153]: Note: 1: 1729
MSI (s) (68:E8) [15:24:09:153]: Product: Sophos Update Manager -- Configuration failed.

MSI (s) (68:E8) [15:24:09:153]: Windows Installer reconfigured the product. Product Name: Sophos Update Manager. Product Version: 1.7.1.19. Product Language: 1033. Manufacturer: Sophos Limited. Reconfiguration success or error status: 1603.

MSI (s) (68:E8) [15:24:09:153]: Closing MSIHANDLE (1) of type 790542 for thread 3304
MSI (s) (68:E8) [15:24:09:185]: Deferring clean up of packages/files, if any exist
MSI (s) (68:E8) [15:24:09:185]: MainEngineThread is returning 1603
MSI (s) (68:0C) [15:24:09:185]: No System Restore sequence number for this installation.
=== Logging stopped: 06/02/2020 15:24:09 ===
MSI (s) (68:0C) [15:24:09:185]: User policy value 'DisableRollback' is 0
MSI (s) (68:0C) [15:24:09:185]: Machine policy value 'DisableRollback' is 0
MSI (s) (68:0C) [15:24:09:185]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (68:0C) [15:24:09:185]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (68:0C) [15:24:09:185]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (68:0C) [15:24:09:185]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (68:0C) [15:24:09:185]: Destroying RemoteAPI object.
MSI (s) (68:74) [15:24:09:185]: Custom Action Manager thread ending.
MSI (c) (D8:E4) [15:24:09:185]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (D8:E4) [15:24:09:185]: MainEngineThread is returning 1603
=== Verbose logging stopped: 06/02/2020 15:24:09 ===

 

I checked and the latest IDEs are there from today. Does anyone have any idea what could be causing this issue?

Thanks

  • Hello

    Can you please test if disabling Tamper Protection on the device resolves the issue?

    The error could be because of this -- Sophos Endpoint Defense: Enhanced tamper protection not supported on systems with Sophos Update Manager

  • In reply to DianneY:

    Hello,

    Thanks for the response. No, Tamper Protection is not enabled as a feature.

    I am unsure of what the consequences of this are. As far as I can see the warehouse is still populating with IDEs. I am concerned about the clients connecting to it. Will they still be protected while I sort this out?

    Thanks,

    Fiona

  • In reply to Fiona Johnson:

    Hi  

    Are there any recent changes in your network? Would you please check and perform the steps listed here and see if it helps to resolve the issue. 

  • In reply to Shweta:

    Hi,

    Thanks for your response, but no, there were no recent changes to the network. I have checked with our networks team.

    I disabled the firewall on the box before and tried to push down an update successfully but it still failed.

    I followed through all the steps listed above. I had already granted those permissions to the folders previously following another thread where someone was having the same issues. Anyway, the steps did not work. The folders recreated fine but after I forced the update and it downloaded binaries it still says software update failed. I checked the log viewer and it is still reporting that error: failed to update from product release "Payload-SDDM".

  • In reply to Fiona Johnson:

    Hi  

    Could you also confirm if the user account for SUM has been modified? Also please provide more details from the logs, by searching the value 3 under SUM MSI logs and check the exact error. 

  • In reply to Shweta:

    Hello,

    No, the account has not been modified since the server was created. I searched for Value 3 in the logs as requested and this is the output.

    MSI (s) (84!30) [23:57:28:995]: Creating MSIHANDLE (277) of type 790531 for thread 5168
    MSI (s) (84!30) [23:57:28:995]: Closing MSIHANDLE (277) of type 790531 for thread 5168
    MSI (s) (84!30) [23:57:28:995]: Creating MSIHANDLE (278) of type 790531 for thread 5168
    Info 25052.Failed to load the security descriptor for \\SOPHOSSRV5\SophosUpdate. The error returned by the API was 2114.
    MSI (s) (84!30) [23:57:28:995]: Closing MSIHANDLE (278) of type 790531 for thread 5168
    MSI (s) (84!30) [23:57:28:995]: Creating MSIHANDLE (279) of type 790531 for thread 5168
    Info 25052.Failed to load the security descriptor for \\SOPHOSSRV5\SophosUpdate. The error returned by the API was 2114.
    MSI (s) (84!30) [23:57:28:995]: Closing MSIHANDLE (279) of type 790531 for thread 5168
    Info 25041.Could not modify permissions for user or group SOPHOSSRV5\SophosUpdateMgr on share SophosUpdate. An error occurred and it is probably explained above.
    MSI (s) (84:A4) [23:57:28:995]: Closing MSIHANDLE (276) of type 790536 for thread 1896
    CustomAction CA_CallModifyObjectPermissions01 returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (84:68) [23:57:28:995]: Note: 1: 2265 2: 3: -2147287035
    MSI (s) (84:68) [23:57:28:995]: User policy value 'DisableRollback' is 0
    MSI (s) (84:68) [23:57:28:995]: Machine policy value 'DisableRollback' is 0
    Action ended 23:57:28: InstallFinalize. Return value 3.
    MSI (s) (84:68) [23:57:28:995]: Note: 1: 2318 2:
    MSI (s) (84:68) [23:57:28:995]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1347075885,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
    MSI (s) (84:68) [23:57:28:995]: Executing op: DialogInfo(Type=0,Argument=1033)
    MSI (s) (84:68) [23:57:28:995]: Executing op: DialogInfo(Type=1,Argument=Sophos Update Manager)
    MSI (s) (84:68) [23:57:28:995]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
    MSI (s) (84:68) [23:57:28:995]: Executing op: RegisterBackupFile(File=C:\Config.Msi\11d1b782.rbf)
    MSI (s) (84:68) [23:57:28:995]: Executing op: RegisterBackupFile(File=C:\Config.Msi\11d1b783.rbf)
    MSI (s) (84:68) [23:57:28:995]: Executing op: RegisterBackupFile(File=C:\Config.Msi\11d1b784.rbf)
    MSI (s) (84:68) [23:57:28:995]: Executing op: RegisterBackupFile(File=C:\Config.Msi\11d1b785.rbf)
    MSI (s) (84:68) [23:57:28:995]: Executing op: RegisterBackupFile(File=C:\Config.Msi\11d1b786.rbf)
    MSI (s) (84:68) [23:57:28:995]: Executing op: RegisterBackupFile(File=C:\Config.Msi\11d1b787.rbf)

     

    MSI (s) (84:68) [23:57:31:278]: Executing op: ComponentRegister(ComponentId={9BCE06D3-11F9-43B5-9628-B361C081EF5C},KeyPath=C:\Program Files (x86)\Sophos\Update Manager\SUMAdapter.dll,State=3,ProductKey={2C7A82DB-69BC-4198-AC26-BB862F1BE4D0},,SharedDllRefCount=0,BinaryType=0)
    MSI (s) (84:68) [23:57:31:278]: WIN64DUALFOLDERS: Substitution in 'C:\Program Files (x86)\Sophos\Update Manager\SUMAdapter.dll' folder had been blocked by the 1 mask argument (the folder pair's iSwapAttrib member = 0).
    MSI (s) (84:68) [23:57:31:278]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
    MSI (s) (84:68) [23:57:31:278]: Error in rollback skipped. Return: 5
    MSI (s) (84:68) [23:57:31:278]: No System Restore sequence number for this installation.
    MSI (s) (84:68) [23:57:31:278]: Unlocking Server
    MSI (s) (84:68) [23:57:31:278]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
    Action ended 23:57:31: INSTALL. Return value 3.
    Property(S): DiskPrompt = [1]
    Property(S): SourcedirProduct = {2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}
    Property(S): SOURCEDIR = C:\ProgramData\Sophos\Update Manager\Working\Decoded-SDDM\A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1\
    Property(S): SUM_INSTALLSOURCE = C:\ProgramData\Sophos\Update Manager\Working\Decoded-SDDM\A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1\
    Property(S): SUM_SHARE_EXISTS = 2
    Property(S): UpgradeCode = {D02E89AC-F27B-4BFA-8327-BE980F821C73}
    Property(S): PrimaryVolumeSpaceRemaining = 0
    Property(S): PrimaryVolumeSpaceRequired = 0
    Property(S): PrimaryVolumeSpaceAvailable = 0
    Property(S): OutOfNoRbDiskSpace = 0
    Property(S): OutOfDiskSpace = 0
    Property(S): CostingComplete = 1
    Property(S): Installed = 2019/11/11 14:32:58
    Property(S): ROOTDRIVE = C:\
    Property(S): IS_NET_API_TOKEN_WS = 1
    Property(S): IS_NET_API_TOKEN_VALID = 1
    Property(S): IS_NET_API_LOGON_SERVER_TOKEN = SOPHOSSRV5
    Property(S): ACTION = INSTALL
    Property(S): Preselected = 1
    Property(S): QFEUpgrade = 1
    Property(S): UILevel = 2
    Property(S): OriginalDatabase = C:\ProgramData\Sophos\Update Manager\Working\Decoded-SDDM\A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1\SUM.msi
    Property(S): DATABASE = C:\Windows\Installer\11d1b77f.msi
    Property(S): USERNAME = Windows User
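
Added example, not part of the original posts and not Sophos code: a Python version of the "search for value 3" triage requested above. It finds the first failed action in a verbose MSI log and collects the Info messages and custom-action error logged just before it. The sample lines are constructed from the excerpt in this thread, and the function name `triage_msi_log` is hypothetical.

```python
import re

# Constructed sample: lines in the shape of the verbose MSI log quoted in this thread.
SAMPLE_LOG = r"""MSI (s) (84!30) [23:57:28:995]: Creating MSIHANDLE (278) of type 790531 for thread 5168
Info 25052.Failed to load the security descriptor for \\SOPHOSSRV5\SophosUpdate. The error returned by the API was 2114.
MSI (s) (84!30) [23:57:28:995]: Closing MSIHANDLE (278) of type 790531 for thread 5168
Info 25041.Could not modify permissions for user or group SOPHOSSRV5\SophosUpdateMgr on share SophosUpdate. An error occurred and it is probably explained above.
CustomAction CA_CallModifyObjectPermissions01 returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (84:68) [23:57:28:995]: User policy value 'DisableRollback' is 0
Action ended 23:57:28: InstallFinalize. Return value 3.
MSI (s) (84:68) [23:57:31:278]: Unlocking Server
Action ended 23:57:31: INSTALL. Return value 3.
"""

FAILED = re.compile(r"^Action ended [\d:]+: (\S+)\. Return value 3\.")
INFO = re.compile(r"^(?:Info|Error) (\d+)\.\s*(.*)")
CUSTOM = re.compile(r"^CustomAction (\S+) returned actual error code (\d+)")


def triage_msi_log(text, window=40):
    """Return the first failed action plus the diagnostics logged just before it."""
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = FAILED.match(line)
        if not m:
            continue
        finding = {"action": m.group(1), "custom_action": None, "messages": []}
        seen = set()
        for prev in lines[max(0, i - window):i]:
            if (c := CUSTOM.match(prev)):
                finding["custom_action"] = (c.group(1), int(c.group(2)))
            elif (n := INFO.match(prev)) and prev not in seen:
                seen.add(prev)  # the installer often repeats the same Info line
                finding["messages"].append((int(n.group(1)), n.group(2)))
        # The first "Return value 3" is the failing step; later ones are its
        # parent actions (here INSTALL) reporting the same failure upward.
        return finding
    return None


if __name__ == "__main__":
    print(triage_msi_log(SAMPLE_LOG))
```

Verbose MSI logs on disk are often UTF-16 encoded, so read the file with the matching encoding before passing its text to the function.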

     

     

     

     

  • In reply to Fiona Johnson:

    Hello Fiona Johnson,

    Info 25052.Failed to load the security descriptor for \\SOPHOSSRV5\SophosUpdate. The error returned by the API was 2114.
    Can't say which API and the code doesn't ring a bell. Both SUMs report this error (with the applicable server name of course)?

    Christian

  • In reply to QC:

    Hi Stephen,

     

    Yes both consoles are failing to do a software update and reporting the same API error code.

  • In reply to Fiona Johnson:

    Hello Fiona Johnson,

    to make sure there's no misinterpretation of your issue:
    These are two SUMs managed by the same SEC server and both additional SUMs, or? Also, one share is on SOPHOSSRV5 and the other on a different server?

    Christian 

  • In reply to QC:

    Hi Christian,

    I have two update managers running on 2 different servers, SophosSrv5 and 6, and both are encountering this issue. They did work fine originally but I am not sure when this issue started to occur because once the clients are updating fine, I don't check. I only noticed last week when I was looking at something else.

  • In reply to Fiona Johnson:

    Hello Fiona Johnson,

    I re-read my post, I do think it is clear but perhaps it isn't. And one more question (stupid as it might seem)

    1. two SUMs (of several) managed by the same SEC server?
    2. the shares in the error message are \\SOPHOSSRV5\SophosUpdate and \\SOPHOSSRV6\SophosUpdate respectively?
    3. the servers do not cross-deploy (i.e. SOPHOSSRV5 doesn't write to SOPHOSSRV6 and v.v. - I vaguely remember a thread where such a configuration was mentioned)?

    Christian

  • In reply to QC:

    Hi Stephen,

    We only have 2 SUMs. They run on separate Sophos Enterprise Console servers and they do not cross-deploy.

    The two shares are as you mentioned:

    \\SOPHOSSRV5\SophosUpdate and \\SOPHOSSRV6\SophosUpdate

    We have 3 separate endpoint management servers which we use just to have our clients report into, but all clients point to these two update servers as their primary update source. Both of these SUMs on both servers are reporting this issue.

    I have tried a number of steps so far, including the ones mentioned for permissions on the share. I have checked the registry setting mentioned to make sure it is the right account and password which is being used but so far nothing has worked; they both continue to report a failure to update software.

  • In reply to Fiona Johnson:

    Hello Fiona Johnson,

    thanks. As far as I can see from a SUM 1.7.0 MSI log (late October 2019) there haven't been changes in the installer logic lately.

    The SelfUpdater logs (C:\ProgramData\Sophos\Update Manager\Logs\SUMSelfUpdaterLog.txt) should tell when this started to fail, and whether at the same time for both servers (BTW - the SUM on the third management server doesn't have this issue?). 
    The Failed to load the security descriptor for \\SOPHOSSRV5\SophosUpdate might indicate a corrupted ACL - OTOH it'd be a strange coincidence that it just happened on two servers. Can PowerShell display the ACL?

    Get-Acl \\SOPHOSSRV5\SophosUpdate|Format-List

    Christian

  • In reply to QC:

    Hello Christian,

    Unfortunately I cannot run that command on this box.

    I am not really sure what I am searching for in the self updater file but from what I can see I was getting successful messages

    StopTheService finished at 2019-12-04 11:16:34Z
    StopTheLogViewerIfRunning started at 2019-12-04 11:16:34Z
    StopTheLogViewerIfRunning finished at 2019-12-04 11:16:34Z
    RunTheInstaller started at 2019-12-04 11:16:34Z
    SUM version before upgrade: 1.7.1.19
    Running the installer...
    About to run the installer, path = C:\ProgramData\Sophos\Update Manager\Working\Decoded-SDDM\A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1\SUM.msi parameters = REINSTALLMODE=vdmus REINSTALL=ALL SELFUPDATE=1 REBOOT=ReallySuppress
    RunSUMInstaller: MsiInstallProductW returned 0
    Installer finished with result: 0
    SUM version after upgrade: 1.7.1.19
    RunTheInstaller finished at 2019-12-04 11:17:14Z
    UpdateTheStatusFile started at 2019-12-04 11:17:14Z
    Status File Update: Status File Path = C:\Program Files (x86)\Sophos\Update Manager\SUM_Status.xml
    Status File Update: Tag to replace = Self-UpdateResultForActionAt:2019-12-04T11:16:33
    Status File Update: Replacement string = 0
    Opening the status file...
    File opened.
    Status file size = 20802
    File read. BytesRead = 20802

     

    The next entry is as follows

    Pre-execution step starting...
    Found update triggered flag value: Self-UpdateResultForActionAt:2020-01-20T12:23:05
    Removing the update triggered flag...
    Detected Windows major version: 6
    StopOtherSumSelfUpdaterIfRunning started at 2020-01-20 12:23:05Z
    StopOtherSumSelfUpdaterIfRunning finished at 2020-01-20 12:23:06Z
    Pre-execution step finished successfully.
    Execution starting...
    StopTheService started at 2020-01-20 12:23:06Z
    Stopping service SUM
    Service stop pending...
    The service is already in the expected state.
    The service is now in stopped state.
    StopTheService finished at 2020-01-20 12:23:07Z
    StopTheLogViewerIfRunning started at 2020-01-20 12:23:07Z
    StopTheLogViewerIfRunning finished at 2020-01-20 12:23:07Z
    RunTheInstaller started at 2020-01-20 12:23:07Z
    SUM version before upgrade: 1.7.1.19
    Running the installer...
    About to run the installer, path = C:\ProgramData\Sophos\Update Manager\Working\Decoded-SDDM\A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1\SUM.msi parameters = REINSTALLMODE=vdmus REINSTALL=ALL SELFUPDATE=1 REBOOT=ReallySuppress
    RunSUMInstaller: MsiInstallProductW returned 1603
    Installer finished with result: 1603
    SUM version after upgrade: 1.7.1.19
    RunTheInstaller finished at 2020-01-20 12:23:26Z
    Installation failed. Installer return code: 1603
    UpdateTheStatusFile started at 2020-01-20 12:23:26Z
    Status File Update: Status File Path = C:\Program Files (x86)\Sophos\Update Manager\SUM_Status.xml
    Status File Update: Tag to replace = Self-UpdateResultForActionAt:2020-01-20T12:23:05
    Status File Update: Replacement string = 1603
    Opening the status file...
    File opened.

     

    Is this the error message I should be looking for?

    I know it seems likely it's a network problem but I just checked with our networks team and nothing has changed on these boxes recently. They are both open internally amongst all our networks and externally over 443 and 80. Is there something else that would be blocking this?

    Thanks,

    Fiona
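
Added example, not part of the original posts and not Sophos code: a Python script that answers the "when did this start to fail" question from SUMSelfUpdaterLog.txt by pairing each installer run with its result and reporting the last successful run and the first failure after it. The sample lines are constructed from the excerpts quoted above; the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the SUMSelfUpdaterLog.txt excerpts in this thread.
SAMPLE = """\
RunTheInstaller started at 2019-12-04 11:16:34Z
SUM version before upgrade: 1.7.1.19
RunSUMInstaller: MsiInstallProductW returned 0
Installer finished with result: 0
SUM version after upgrade: 1.7.1.19
RunTheInstaller finished at 2019-12-04 11:17:14Z
RunTheInstaller started at 2020-01-20 12:23:07Z
SUM version before upgrade: 1.7.1.19
RunSUMInstaller: MsiInstallProductW returned 1603
Installer finished with result: 1603
RunTheInstaller finished at 2020-01-20 12:23:26Z
"""

START = re.compile(r"RunTheInstaller started at (\S+ \S+Z)")
RESULT = re.compile(r"Installer finished with result: (-?\d+)")


def installer_runs(text):
    """Pair each 'RunTheInstaller started' timestamp with the installer result."""
    runs, started = [], None
    for line in text.splitlines():
        if (m := START.search(line)):
            if started is not None:      # previous run never logged a result
                runs.append((started, None))
            started = m.group(1)
        elif (m := RESULT.search(line)) and started is not None:
            runs.append((started, int(m.group(1))))
            started = None
    if started is not None:              # log ends mid-run
        runs.append((started, None))
    return runs


def failure_window(runs):
    """Return (timestamp of last successful run, first failing run after it)."""
    ok_idx = max((i for i, (_, c) in enumerate(runs) if c == 0), default=-1)
    last_ok = runs[ok_idx][0] if ok_idx >= 0 else None
    first_bad = next((r for r in runs[ok_idx + 1:] if r[1] not in (0, None)), None)
    return last_ok, first_bad


if __name__ == "__main__":
    print(failure_window(installer_runs(SAMPLE)))
```

Running it against the log from each server and comparing the two windows shows whether both update managers began failing at the same time.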

  • In reply to Fiona Johnson:

    Sorry, I meant to add this is the exact same on both boxes. There are only two boxes, not three, so there is no third one that is working.