This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Install Fails (the UI doesn't install)

I've run into this issue a few times recently - the endpoint installer 'fails' but the only thing that fails to install is the user interface.  Naturally, this means that it registers in Sophos Central, scans fine, and basically 'works' ...you just can't disable tamper protection.  On the previous one I ran into this with I had the client bring the computer to our office so we could use safe mode to get rid of Sophos and reinstall it, but the one I just ran into this on is several states away.  Anyone else been running into this lately?  I've got the log file of the latest failed install if needed.



This thread was automatically locked due to age.
Parents
  • Hello Martin Marks ,

    Can you please upload your SDU logs so that we can review them? You can send them directly to me via PM.
    Also, please re-try installing Sophos Central by downloading a fresh copy of the installer on that computer.  

    If you need to disable tamper protection, as you mentioned the computer is listed in Central, you should be able to follow these steps.

    Please let me know the outcome.

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

  • Hi Barb, 

    I just PMed you the SDU logs.  I uninstalled Sophos, did a new download of the installer, and attempted to install again - now it just immediately fails with Installation Failed.

  • Hi,

    When you run the Central Installer it will initially attempt to install all components as the logged on user.

    You can see in the Central Installer log file: "C:\ProgramData\Sophos\CloudInstaller\Logs\"

    The order the components are to be installed in can be seen in the log file,  E.g.

    Install sequence for components is: sdu uninstaller64 sed64 mcsep sse64 sfs64 clean64 esh64 shs ui64 efw64 savxp ntp64 sau 

    As a result all the install logs of each component go to the temp directory of the account running the installer, i.e. %temp%.  E.g. for the UI component:
    "Sophos UI Install Log 20180914 231045.txt"

    If it fails on a component, since 1.5, it will retry the component 3 times and then move on to the next component. 

    Note: In version 1.4 and earlier it would only try once per component and stop at the first component to fail. So the success rate with 1.5 should be a lot higher especially where transient errors such as Windows Installer is already in use are concerned. 

    If it installs "sau" (Sophos AutoUpdate) successfully then "sau" will then attempt to install any failed components on its first update which will be 5 minutes after the Sophos AutoUpdate service is started as part of the install of "sau".  So although the Central Installer might fail, as long as SAU is installed, it will retry any failed components after 5 mins and then on every subsequent update.

    As SAU is then managing the install rather than the Central Installer.  The logs will start going to \windows\temp\ as SAU is attempting installations as the System user.

    So you might find logs for the UI component in both %temp% and \windows\temp\.  Either will do really I suppose. 

    Can you share one?

    Regards,

    Jak

  • Hello Martin Marks,

    the error is:

    Product: Sophos Endpoint -- Error 1402. Could not open key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.  System error 5.  Verify that you have sufficient access to that key, or contact your support personnel.

    Look like a registry permissions issue.

    Christian

  • As QC says but also, do you maybe have some "security" software that prevents "auto run" locations from being updated?  Hence an application is blocking this?

    Regards,

    Jak

  • The old antivirus software was uninstalled, but I'll double check to make sure that all traces of it are gone.  We've also seen some clients have registry key lockdown before.  I'll check into both of these when I next get access to the machine (~10:15 PM tonight).  Thanks for the help!

  • Had a look at the registry keys - there was nothing set for that key already, but I was able to make a key in that location...

    Verified that there no traces of the previous AV software...

    Uninstalled the previous failed install of Sophos...

    Rebooted...

    Was told by the Sophos installer to reboot again, so I rebooted again...

    Ran the Sophos installer...install failed again.  

    Here's the archive of the install logs.

    2330.Sophos Network Threat Protection Install Log 20180920 230938.zip

  • Hello Martin Marks,

    apparently it still fails when trying to add a value to this key. What are the permissions on the key? Should be SYSTEM and Administrators Full, Users Read inherited from HKLM\Software. And - AFAIK the key. \Run\ - not a value other than (Default), is supposed to exist.
    BTW: What's the LTErrors.txt?

    Christian

  • LTErrors.txt is the error file for our remote management software, I just kind of zipped up all the temp files that were in that date range since it was late at night and needed to get some sleep.  I'll check the permissions on the key when I can access the machine again tonight.

  • Turns out nobody had permissions to do anything with that key, even view it.  I set up the permissions for it they way they were supposed to be.  Uninstalled the botched Sophos install, rebooted.  Sophos installer requested another reboot, so I rebooted again.  Started up the install, Sophos installed successfully!

     

    Thanks for the assistance!

Reply
  • Turns out nobody had permissions to do anything with that key, even view it.  I set up the permissions for it they way they were supposed to be.  Uninstalled the botched Sophos install, rebooted.  Sophos installer requested another reboot, so I rebooted again.  Started up the install, Sophos installed successfully!

     

    Thanks for the assistance!

Children
  • Looks like I've got another reappearance of this issue, except instead of the UI failing to install this time its Hitman Pro failing to install on a server.  The error logs have said that its a registry issue but I've checked the permissions this time and they're all set properly on the keys.  Here's the SDU logs. www.dropbox.com/.../APPSERVER_20180923_185927_sdulog.zip

  • Hello Martin Marks,

    I see one successful install around 2018-09-23 16:42. All others (including a subsequent one around 20:56) fail with a not found for the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HitmanPro.Alert\ key when it attempts to set the value SystemComponent. It's not clear what happened between these two attempts as the key apparently existed at 16:42.

    Christian

  • Another one of our techs resolved another issue on the machine yesterday which may have been impacting it (obscenely high CPU load caused by backup jobs botching) - I'm going to make another attempt at getting Sophos installed on it tonight.  I'm not sure it could explain the registry key issues, but its worth a shot to see if it works now.