failed installation of cloud server - heartbeat issue?

Installing sophos cloud for server 2008 r2

downloaded the server installer and installation fails.

looks like the heartbeat fails to install.  Below is the log

 

Sophos Heartbeat 4.3.219 setup log

16-04-2018 09:10:49 In CPlugin::Install().
16-04-2018 09:10:49 In MsiLib::GetPackageProductInfo().
16-04-2018 09:10:49 In MsiLib::GetPackageProperty().
16-04-2018 09:10:49 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS.
16-04-2018 09:10:49 In MsiLib::GetPackageProperty().
16-04-2018 09:10:49 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS.
16-04-2018 09:10:49 In MsiLib::GetPackageProperty().
16-04-2018 09:10:49 Leaving MsiLib::GetPackageProperty() with ERROR_SUCCESS.
16-04-2018 09:10:49 Leaving MsiLib::GetPackageProductInfo().
16-04-2018 09:10:49 In MsiLib::IsProductInstalled().
16-04-2018 09:10:49 Leaving MsiLib::IsProductInstalled() with false.
16-04-2018 09:10:49 Installation type: Fresh install
16-04-2018 09:10:49 Installing version: 4.3.219
16-04-2018 09:11:22 Installation of Sophos Heartbeat version: 4.3.219 failed with return code : 1603.
16-04-2018 09:11:22 REBOOTCODE: 0

  • Can you attach the heartbeat MSI log.  

    It should be in the temp directory of the account that ran the MSI.  With the new thin installer this is likely %temp%.  

    Regards,

    Jak

  • In reply to jak:

    Sophos Heartbeat 4.3.219 install log 20180416 103835.txt

    attached is the Sophos Heartbeat 4.3.219 install log 20180416 103835

     

    SetupSspUserAccount: Initialized.
    MSI (s) (40!28) [10:38:37:918]: Closing MSIHANDLE (770) of type 790531 for thread 4648
    MSI (s) (40!28) [10:38:37:918]: Creating MSIHANDLE (771) of type 790531 for thread 4648
    SetupSspUserAccount: LoadAccount(SophosSSPUser) failed (error 1332)
    MSI (s) (40!28) [10:38:37:918]: Closing MSIHANDLE (771) of type 790531 for thread 4648
    MSI (s) (40!28) [10:38:38:433]: Creating MSIHANDLE (772) of type 790531 for thread 4648
    SetupSspUserAccount: Granting permissions to user "NT SERVICE\Sophos Heartbeat"
    MSI (s) (40!28) [10:38:38:433]: Closing MSIHANDLE (772) of type 790531 for thread 4648
    MSI (s) (40:C0) [10:38:38:495]: Closing MSIHANDLE (768) of type 790536 for thread 4736
    MSI (s) (40:80) [10:38:38:495]: Executing op: ActionStart(Name=StartServices,Description=Starting services,Template=Service: [1])
    SetupSspUserAccount: Service has stopped, now starting.
    MSI (s) (40:80) [10:38:38:495]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
    MSI (s) (40:80) [10:38:38:495]: Executing op: ServiceControl(,Name=Sophos Heartbeat,Action=1,Wait=1,)
    MSI (s) (40:80) [10:39:09:337]: Product: Sophos Heartbeat -- Error 1920. Service 'Sophos Heartbeat' (Sophos Heartbeat) failed to start. Verify that you have sufficient privileges to start system services.

    Error 1920. Service 'Sophos Heartbeat' (Sophos Heartbeat) failed to start. Verify that you have sufficient privileges to start system services.
    MSI (s) (40:80) [10:39:09:337]: User policy value 'DisableRollback' is 0
    MSI (s) (40:80) [10:39:09:337]: Machine policy value 'DisableRollback' is 0

  • In reply to waynecutler:

    Well this is the reason for the failure:

    MSI (s) (40:80) [10:38:38:495]: Executing op: ServiceControl(,Name=Sophos Heartbeat,Action=1,Wait=1,)
    MSI (s) (40:80) [10:39:09:337]: Product: Sophos Heartbeat -- Error 1920. Service 'Sophos Heartbeat' (Sophos Heartbeat) failed to start. Verify that you have sufficient privileges to start system services.

    Error 1920. Service 'Sophos Heartbeat' (Sophos Heartbeat) failed to start. Verify that you have sufficient privileges to start system services.
    MSI (s) (40:80) [10:39:09:337]: User policy value 'DisableRollback' is 0
    MSI (s) (40:80) [10:39:09:337]: Machine policy value 'DisableRollback' is 0
    Action ended 10:39:09: InstallFinalize. Return value 3.

    So for whatever reason, and it's unlikely this log will tell us why, the Sophos Heartbeat service was just not able to start during the install which was fatal.

    I would suggest run Process Monitor - docs.microsoft.com/.../procmon - while an installation is taking place.  Once you have the PML file, you can correlate the MSI log, with what's going on in the PML when it fails.  Does the service process start, load modules, encounter some permission problem accessing a file or registry key etc, If the process does start, what is the exit code.  That might help as would an error in probably the Application Event log at the point it tries to start the service.  E.g. a SXS error.

    Regards,
    Jak

  • In reply to jak:

    not sure what i should be looking for in the pml file

     

    event log error

    Product: Sophos Heartbeat -- Error 1920. Service 'Sophos Heartbeat' (Sophos Heartbeat) failed to start.  Verify that you have sufficient privileges to start system services.

  • In reply to waynecutler:

    I had a similar issue when installing Sophos on desktops.

    The heartbeat folder had to be written into my script but overall it created the folder, and assigned it the permissions it needed.

    C:\ProgramData\Heartbeat needed to be created

     

    SYSTEM, LOCAL SERVICE, Administrators, and NETWORK SERVICE needed to be given permissions to this folder.

     

    System and Administators was always added, so I added the other two

     

    icacls C:\ProgramData\Sophos\Heartbeat /grant "LOCAL SERVICE":(OI)(CI)F
    icacls C:\ProgramData\Sophos\Heartbeat /grant "NETWORK SERVICE":(OI)(CI)F

     

    Not sure if this will apply to you, but I figured I would mention it just in case.

  • In reply to waynecutler:

    At that time in the PML do you see a process get created with the name Heartbeat.exe?

    If you look in the process tree view of the PML, do you see a process called Heartbeat.exe get created?

    If so, then you should be able to locate this in the list view.  I would start by filtering to the heartbeat process.  Scroll to the bottom and you should find the Process Exit event.  What is the return code from that.  Any Access Denied events for example just before?

    I would suggest posing the MSI log and PML but the PML is quite large and will have quite a bit of PI in it.  Maybe open a support case and submit the PML and MSI log.

    Regards,

    Jak

  • In reply to jak:

    here is the process exit info

    8:35:01.3536106 AM Heartbeat.exe 7688 Process Exit SUCCESS Exit Status: 575, User Time: 0.0312002 seconds, Kernel Time: 0.0312002 seconds, Private Bytes: 1,298,432, Peak Private Bytes: 1,318,912, Working Set: 5,410,816, Peak Working Set: 5,410,816

    right before that

    8:35:01.3496859 AM Heartbeat.exe 7688 CreateFile C:\ProgramData\Sophos\Heartbeat\Persist\ObjectNames ACCESS DENIED Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0

  • In reply to waynecutler:

    I got it to work.  Had to make the security permission changes as listed below in the c:\programdata\sophos folder for it to work.

    weird as other programs with services were able to be installed with previous settings.

     

  • In reply to waynecutler:

    Great!

    I am glad that worked for you!