Sophos Enterprise Console won't install Anti Virus

Hello,

 

I have migrated our Sophos Enterprise Console from Windows Server 2008 R2 to Windows Server 2016. The Enterprise Console on the server runs fine. Now I want to complete step 14 from the migration guide (Redirect Endpoints to new Enterprise Console). When I click on "Protect computer" the endpoint is stuck with the orange arrow.

 

Next step was to uninstall all Sophos components on an endpoint. After the uninstall was done, the procedure repeats, but now the endpoint installs only the AutoUpdate Service, Certification and Remote Management folders in ProgramData and AutoUpdate and Remote Management System in Program Files. The other components (e.g. Anti-Virus) won't install. I couldn't find any installation logs on endpoint or server. Maybe I was looking in the wrong paths. I tried it on two endpoints with Windows Server 2016 and Windows 10 1909. Another endpoint with Windows Server 2012 R2 hangs during an installation but cannot be restarted at the moment. The restart or shutdown of services regarding Sophos won't change the state.

 

I also restarted the server where the enterprise console is installed several times, but nothing happens at the endpoints. What irritates me is that the communication with the old enterprise console is fine and the new enterprise console shows no connected endpoints after changing the Update Manager and the updating policy.

 

System Information:

Enterprise Console 5.5.2 on Windows Server 2016

50-60 Endpoints with Windows 2012 R2, Windows 10 or Windows Server 2016

  • Hello SomeITguy,

    first of all, Endpoint component installation (MSI) logs are only on the endpoints, %windir%\Temp\, never on the server. In addition the ALUpdate log (%ProgramData%\Sophos\AutoUpdate\Logs\) records pre-install and download errors. Instead of trying this or that it's better to check what is installed, what not, and - checking the logs - why.

    restarted the server where the enterprise console is installed
    the management server just creates and starts a scheduled task on the endpoint, then waits for the endpoint to call back.

    communication with the old enterprise console is fine
    once RMS is installed from the new update location endpoints should report to the new server. I assume you have migrated the database as well, did you amend the updating policies so that they point to the new location?

    Christian

  • In reply to QC:

    Hello Christian,

     

    communication with the old enterprise console is fine
    once RMS is installed from the new update location endpoints should report to the new server. I assume you have migrated the database as well, did you amend the updating policies so that they point to the new location?

     

    I have migrated the database and changed the updating policies on the server, not on the old one.

     

    first of all, Endpoint component installation (MSI) logs are only on the endpoints, %windir%\Temp\, never on the server. In addition the ALUpdate log (%ProgramData%\Sophos\AutoUpdate\Logs\) records pre-install and download errors. Instead of trying this or that it's better to check what is installed, what not, and - checking the logs - why.

    The ALUpdate log at %ProgramData%\Sophos\AutoUpdate\Logs contains an error regarding Windows error 1326 and says that the Router and Management Tools registry keys could not be opened. Further down are the lines, of which the first one indicates an error.

     

    [...]

    Trace(2020-Jun-24 13:38:11): Logging on network access user
    Trace(2020-Jun-24 13:38:11): Attempting to make a connection to remote machine \\NewServer\SophosUpdate\CIDs\S000\SAVSCFXP\
    Trace(2020-Jun-24 13:38:11): CIDUpdate(Info): Could not add a connection to server \\NewServer\SophosUpdate; user DOMAIN\PrivilegedUser; Windows error 1326
    Trace(2020-Jun-24 13:38:11): GetCacDotPemFromLocalRMS could not open the Router registry key.
    Trace(2020-Jun-24 13:38:11): GetCacDotPemFromSUM could not open the Management Tools registry key.
    Trace(2020-Jun-24 13:38:11): Custom certificate could not be obtained.
    Trace(2020-Jun-24 13:38:11): Remote connection over UNC.
    Trace(2020-Jun-24 13:38:11): File master.upd not found (Remote). Return code 0x80040f04

    [...]

     

    According to Windows, error 1326 indicates an incorrect username or password. I am certain that the user and password combination is correct.

  • In reply to SomeITguy:

    The hint with the logs was the right one (as always ;-))

     

    The user which was running the Sophos services on the server didn't have the right permissions. Permissions were given and the first endpoints were installed correctly.

     

    Thank you for your brain and the hint, Christian.
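
Added example, not part of the original thread and not Sophos tooling: a small Python triage script for the ALUpdate trace format quoted above. It extracts failed share connections (share, account, Windows error code with its winerror.h name) and counts return codes. The function name and the error-code table are this example's own choices, and the sample lines are copied from the log excerpt in the thread.

```python
import re
from collections import Counter

# Win32 error codes commonly seen when connecting to an SMB share (winerror.h).
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    53: "ERROR_BAD_NETPATH",
    67: "ERROR_BAD_NET_NAME",
    1219: "ERROR_SESSION_CREDENTIAL_CONFLICT",
    1326: "ERROR_LOGON_FAILURE",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

TRACE = re.compile(r"^\s*Trace\((?P<ts>[^)]+)\):\s*(?P<msg>.*)$")
CONNECT_FAIL = re.compile(
    r"Could not add a connection to server (?P<share>\S+); "
    r"user (?P<user>[^;]+); Windows error (?P<code>\d+)")
RETURN_CODE = re.compile(r"Return code (?P<rc>0x[0-9a-fA-F]+)")

def parse_alupdate(text):
    """Return (connection_failures, return_code_counts) from ALUpdate trace text."""
    failures, return_codes = [], Counter()
    for line in text.splitlines():
        m = TRACE.match(line)
        if not m:
            continue  # skips "[...]" elisions and blank lines
        msg = m["msg"]
        if (c := CONNECT_FAIL.search(msg)):
            code = int(c["code"])
            failures.append({"time": m["ts"], "share": c["share"],
                             "user": c["user"].strip(), "code": code,
                             "name": WIN32_ERRORS.get(code, "UNKNOWN")})
        elif (r := RETURN_CODE.search(msg)):
            return_codes[r["rc"].lower()] += 1
    return failures, return_codes

# Sample input: lines copied from the log excerpt posted in the thread.
SAMPLE = r"""
[...]
Trace(2020-Jun-24 13:38:11): Logging on network access user
Trace(2020-Jun-24 13:38:11): CIDUpdate(Info): Could not add a connection to server \\NewServer\SophosUpdate; user DOMAIN\PrivilegedUser; Windows error 1326
Trace(2020-Jun-24 13:38:11): Custom certificate could not be obtained.
Trace(2020-Jun-24 13:38:11): File master.upd not found (Remote). Return code 0x80040f04
"""

if __name__ == "__main__":
    fails, codes = parse_alupdate(SAMPLE)
    for f in fails:
        print(f"{f['time']}  {f['user']} -> {f['share']}: {f['code']} {f['name']}")
    print(dict(codes))
```

Running it over the logs of several endpoints and grouping by account shows quickly whether one update account is failing everywhere or only on particular machines.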