Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 6651 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SEC - HITMAN PRO VERSION 3.6.8.604 from 3.6.3.583 Update

skyisbluescreen

Recently we had vesion update of Exploit Prevention from 3.5 to 3.6.x,

However

1. This has ended up with a pending Reboot Status for all The Systems 

 

2. Sophos in System Tray Shows Broken(Outdated) with an Red Mark - P.S - Panicked Users with Incident Tickets Fired

3. Not all Systems are normal after reboot. Status still same as below

Any one else faced this ? 

Manual Re installation is working but cannot consider that for 3k+ Systems



This thread was automatically locked due to age.
  • 0

    I'm also getting this error message

    Deleting the reg keys [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags] makes no difference either they just re-instate themselves, We have over 16,000 endpoints currently and these reboot errors have started to build up in the console. 

     

  • 0 in reply to TomHilton

    I know a little how the upgrade should work, maybe this will help you understand the state they are in.

    The new files are downloaded from the distribution point by AutoUpdate and end up in the cache, e.g. for a Cloud endpoint C:\programdata\sophos\autoupdate\cache\decoded\hmpa64\.  The on-premise I assume is here: C:\ProgramData\Sophos\AutoUpdate\Cache\hmpa64\

    During the installation phase, AutoUpdate calls hmplaert.exe /upgrade on that file.  This "unpacks" the files to the following location: C:\program files (x86)\HitmanPro.alert\Update files\

    These are the new files that will get copied into place on restart.  

    The copy operations are performed by the Windows Sessions Manager early at startup using the PendingFileReanmeOperations key - https://technet.microsoft.com/en-us/library/cc960241.aspx.  Before the reboot you can check this key to see all the deletes and renames that will take place for the files to switch them over.

    Note: If Windows has any issues performing these operations, they will be logged in the file: C:\windows\pfro.log.

    Assuming there are no issues on restart, then I would assume on the first update check by AutoUpdate, which by default is 5 mins after the Sophos AutoUpdate service has started, then you would get a status message back from the client saying the reboot has been performed and the status is now good.

    Maybe if you have a alupdate trace log [https://community.sophos.com/kb/en-us/36262#ALUpdate.log] from a client it would help.

    I believe there will also be an install log for the HMPA operations under \windows\temp\ as the installer would be running as system.

    Regards,
    Jak

     

  • 0

    Sophos Support never did come up with a solution for this... We figured how to fix this ourselves by deleting the following key and forcing the client to update via SEC

     

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Unfiltered HTML