Sophos AutoUpdate Failure

Hello,

This is my first post, so please don't pick on me!

My side job at university requires me to look after several computers in classrooms, designed mainly to play back videos and support presentations.

Now while the job itself is usually not that challenging, I am somehow confronted with a more serious problem at the moment: Every computer is equipped with Sophos EndPoint Security System (or whatever it is called) and HDGuard. Two computers specifically have issues with Sophos:

Firstly, the "HiWI-PC", which refuses to update Sophos. It tells me that Sophos cannot be auto updated. The weird thing is that this happened exactly after updating Windows; there hadn't been any problems right before the Windows updates. Because there's HDGuard on every PC, which resets the computer to a previously saved state after each reboot, it's necessary to have an update round every once in a while. Sophos itself is unaffected by HDGuard though, as I believe.

Secondly, the computer in room 21, which has the same problem, maybe a little bit worse: No auto update and it's impossible to get to the Sophos Endpoint Main Window (I am not sure what to call that window; you get it whenever you right-click on the icon in the right part of the task bar). Basically, that computer is completely unprotected, which is unacceptable.

I did some research on the error in room 21 and I have read something about problems with rights. After I gave more general rights to every user, the autoupdate lasted longer and actually created some directories, but the outcome was the same: It wasn't able to auto update. I have attached the logs here.

I am grateful for any hint that might solve the problem.


Best regards!

:52275


  • I actually do have two other Update Files and various logs, in case you need them.

    :52277
  • Hello,

    Looking at the logs it appears one is failing to install AutoUpdate, the other is failing to install SAV:

    http://community.sophos.com/sophos/attachments/sophos/ESDP/18554/1/ALUpdate20140226T185523.7316650_HIWI.txt

    Trace(2014-Jul-24 16:40:19): ALUpdate(Install.Failure): Installation of product Sophos AutoUpdate failed

    http://community.sophos.com/sophos/attachments/sophos/ESDP/18554/2/ALUpdate20140715T180416.9567360_Room_21.txt

    Trace(2014-Jul-25 16:17:57): ALUpdate(Install.Failure): Installation of product SAVXP failed

    Under C:\windows\temp\ there should be install logs for each; can you attach them?

    For the SAV failure you should see a pair of logs from the same attempt, for example:
    For a major update:

    Sophos Anti-Virus Major Install Log_140729_095345.txt

    Sophos Anti-Virus Major CustomActions Log_140729_095345.txt

    For a minor Update:

    Sophos Anti-Virus Install Log_140728_065631.txt

    Sophos Anti-Virus CustomActions Log_140728_065631.txt

    Note the timestamps are the same for the pair.

    There will also be a log for AutoUpdate for the computer failing to install AutoUpdate; can we see that?

    Regards,

    Jak

    :52285
  • Hello,

    I can see from the "Room 21!" logs:

    Custom Action:

    2014-07-25 16:17:49 StartSAVServices: Action started
    2014-07-25 16:17:49 StartSAVServices: Failed to start the Sophos Anti-Virus service.
    2014-07-25 16:17:49 StartSAVServices: Action failed

    Install Log:

    MSI (s) (E4:B8) [16:17:49:567]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI8069.tmp, Entrypoint: StartSAVServices
    CustomAction StartSAVServices returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

    So that computer failed because the SAV Service failed to start.

    I expected the logs from HIWI to be from Sophos AutoUpdate, i.e. "Sophos AutoUpdate install log.txt"; there doesn't appear to be a problem with SAV in those logs.

    For the computer that is failing to start the service, I would suggest Process Monitor (http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx) is going to be most helpful in understanding why the service is failing to start.

    In addition to that you should see the service writing to a service startup log (Sophos Anti-Virus Startup Log.txt). E.g.
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\

    Which may also hint at the problem.

    Regards,

    Jak

    :52315
  • Regarding the computer in room 21, I will have another look at it and keep you up to date on its condition.

    As for the logs from HIWI: I got these two text documents, but for some reason I can't open them properly. Does it work on your computer? If it doesn't, I'll harvest some other logs...

    :52325
  • I'm afraid there is nothing in those logs other than a bunch of NUL characters, which is very odd.

    Happy to look at some more logs if you can gather them.

    Regards,

    Jak

    :52337
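
The log triage described in the replies above (pair the install and CustomActions logs by their shared timestamp, find the custom action that failed, and notice files that hold only NUL characters), as an added example that is not part of the thread or of any Sophos tooling. The file name pattern and log line formats are taken from the lines quoted in the thread; the function names are hypothetical and the sample bytes are constructed from those quoted lines.

```python
import re
from collections import defaultdict

# File name pattern as quoted in the thread (assumption: other builds may differ).
NAME_RE = re.compile(
    r"^Sophos Anti-Virus (?P<major>Major )?(?P<kind>Install|CustomActions) "
    r"Log_(?P<stamp>\d{6}_\d{6})\.txt$")
ACTION_FAILED_RE = re.compile(r"^\S+ \S+ (\w+): Action failed\s*$", re.M)
MSI_ERROR_RE = re.compile(
    r"CustomAction (\w+) returned actual error code (\d+)")

# Constructed sample input, built from the log lines quoted in the thread.
SAMPLE_CUSTOM = (
    b"2014-07-25 16:17:49 StartSAVServices: Action started\n"
    b"2014-07-25 16:17:49 StartSAVServices: Failed to start the Sophos Anti-Virus service.\n"
    b"2014-07-25 16:17:49 StartSAVServices: Action failed\n")
SAMPLE_INSTALL = (
    b"CustomAction StartSAVServices returned actual error code 1603 "
    b"(note this may not be 100% accurate if translation happened inside sandbox)\n")

def pair_logs(filenames):
    """Group log names by (update type, timestamp); a full attempt has both kinds."""
    attempts = defaultdict(dict)
    for name in filenames:
        m = NAME_RE.match(name)
        if m:
            key = ("major" if m["major"] else "minor", m["stamp"])
            attempts[key][m["kind"]] = name
    return dict(attempts)

def is_blank(data: bytes) -> bool:
    """True for an empty file or one holding only NUL bytes and whitespace."""
    return not data.replace(b"\x00", b"").strip()

def decode(data: bytes) -> str:
    # Honour a UTF-16 byte-order mark if present, else decode leniently as UTF-8.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")

def triage(install: bytes, custom: bytes):
    """Report failed custom actions and MSI error codes for one log pair."""
    if is_blank(install) or is_blank(custom):
        return {"unreadable": True, "failed_actions": [], "msi_errors": []}
    return {
        "unreadable": False,
        "failed_actions": ACTION_FAILED_RE.findall(decode(custom)),
        "msi_errors": MSI_ERROR_RE.findall(decode(install)),
    }
```
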
  • OK, I tried to gather some new data, but it seems like I have an entirely new problem: I can't start ALMon.exe, which is why I can't see any icon in the tray bar.

    I've attached a screenshot of the error, translation goes like this:

    This application could not be started, because the Side-By-Side-Configuration is invalid. For more information, have a look at the "Anwendungsereignisprotokoll" (Application event log?). You may also use the command line tool sxstrace.exe.

    I actually have no idea where to find that "application event log", probably a mistranslation anyway on my part.

    ALsvc.exe and ALUpdate.exe are also non-executable, as it tells me to check my Windows version. Some 64-bit/32-bit problem... I've never seen that before, but I'm not sure if these two executables are necessary. (They should be, right? Why else would they be there?)

    As for the other computer, I didn't have a chance to look at it, but I'll come back to that soon.

    :52355
  • Ahh, I think I screwed it up. That is, the HiWi-Computer.

    I tried to deinstall Sophos AutoUpdate via "Programs and Features", but it somehow requires me to have the file "Sophos AutoUpdate.msi". I previously deinstalled Sophos without any problem.

    Now I try to run the "Sophos10-2win.exe" to reinstall the program, but although some windows pop up, it doesn't really work. What am I supposed to do?

    I tried the quickfix script called "FixIssues" from the official Sophos website, but it doesn't really work. I've attached the log.

    Any ideas on my current problem?

    It really looks like my AutoUpdate is seriously broken, think of the logs. How do I properly deinstall a program manually? I don't want to break the Windows registry with my naivety.

    I still didn't have a chance to have a look at the other computer, but I'll do so shortly.

    :52403
  • OK, I fixed the problem on this computer myself via Microsoft's FixIt Tool (http://support.microsoft.com/mats/Program_Install_and_Uninstall/). Cleanly deinstalled AutoUpdate and afterwards I tried to install Sophos and it worked.

    I'll keep you up-to-date on the computer in room 21. Thanks again!

    :52405