Up to 50 PCs reporting Missing: Sophos System Protection Service

Over 50 PCs are reporting Missing: Sophos System Protection Service in Sophos Console, but within Sophos Diagnostic it is showing as running and green, yet AutoUpdate is failing?

The SSP service is installed as a Windows service and can be stopped and restarted fine!

I cannot remove Sophos as the Tamper Protection password no longer works on these PCs. This has happened since last week's update.

I do have a support call logged, but they are very slow at responding!

Any ideas anyone?



  • In your \Windows\temp\ directory, is there:

    - A Sophos System Protection log file from where this component was updated?  I wonder if the un-installation of the old version failed?
    - An Endpoint Defense install log in the same directory, does that show failure?

    SSP is no longer a component since version 2 as its functionality is now part of Endpoint Defense but it does have a "new" SSP service still.

    Regards,

    Jak

  • Hi Jak

    Thanks for the response

    Here are the log contents

    SophosSystemProtectionSetup.log

    2018-02-19 08:34:41 Info: ssp msi package not found. uninstalling ssp.
    2018-02-19 08:34:41 Info: Requesting Sophos Endpoint Defense disable tamper protection of SSP.
    2018-02-19 08:34:41 Info: Waiting on SSP service becoming stoppable.
    === Verbose logging started: 19/02/2018  08:34:41  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\ProgramData\Sophos\AutoUpdate\cache\sophos_autoupdate1.dir\SophosUpdate.exe ===
    MSI (c) (E8:A0) [08:34:41:684]: Resetting cached policy values
    MSI (c) (E8:A0) [08:34:41:684]: Machine policy value 'Debug' is 0
    MSI (c) (E8:A0) [08:34:41:684]: ******* RunEngine:
               ******* Product: {934BEF80-B9D1-4A86-8B42-D8A6716A8D27}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (E8:A0) [08:34:41:684]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (E8:A0) [08:34:44:689]: Failed to grab execution mutex. System error 258.
    MSI (c) (E8:A0) [08:34:44:694]: Cloaking enabled.
    MSI (c) (E8:A0) [08:34:44:694]: Attempting to enable all disabled privileges before calling Install on Server
    MSI (c) (E8:A0) [08:34:44:696]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (c) (E8:A0) [08:34:44:700]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (E8:A0) [08:34:44:700]: MainEngineThread is returning 1618
    === Verbose logging stopped: 19/02/2018  08:34:44 ===

    SophosEndpointDefense log

    Started C:\ProgramData\Sophos\AutoUpdate\cache\sophos_autoupdate1.dir\SophosUpdate.exe
    20/02/2018 18:57:29, INFO : Driver is already installed.
    20/02/2018 18:57:29, INFO : Starting Sophos Endpoint Defense upgrade/downgrade (1.3.0.369)
    20/02/2018 18:57:29, INFO : Unregistering MCS adapter: CORC
    20/02/2018 18:57:29, INFO : CORC adapter unload not needed: MCS adapter does not exist.
    20/02/2018 18:57:29, INFO : Unregistering MCS adapter: CORE
    20/02/2018 18:57:29, INFO : CORE adapter unload not needed: MCS adapter does not exist.
    20/02/2018 18:57:29, INFO : Unregistering MCS adapter: SED
    20/02/2018 18:57:29, INFO : SED adapter unload not needed: MCS adapter does not exist.
    20/02/2018 18:57:29, INFO : Installing Sophos System Protection Service ...
    20/02/2018 18:57:29, ERROR : Error code: 1078
    20/02/2018 18:57:29, ERROR : Error upgrading/downgrading Sophos Endpoint Defense: Failed to create Sophos System Protection Service service.
    20/02/2018 18:57:29, ERROR : SetupPlugin install error: Failed to upgrade/downgrade Sophos Endpoint Defense.

  • Thanks for the logs, they are useful given the error code 1078:

    net helpmsg 1078 = "The name is already in use as either a service name or a service display name."

    So it's failing to install the new "Sophos System Protection Service" - "C:\Program Files\Sophos\Endpoint Defense\SSPService.exe" presumably because the old one is still present.

    I assume that the old Sophos System Protection component (which is now not a component but a feature of Endpoint Defense) is still installed and therefore removing it would allow the new version to be installed.

    The old version should have been removed by AutoUpdate but you should be able to remove it manually.

    I don't have the old version to hand to know the product code for it.  It may be one of these:

    MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress

    But if not: if you open the Registry Editor (regedit.exe) and navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

    I can't remember if SSP is a 32-bit or 64-bit package, so check all subkeys of the above keys for the DisplayName being "Sophos System Protection".

    The UninstallString value will give you the command to remove it.  You can then add the additional switches as I have done above to make it silent and not force a reboot.

    REBOOT=ReallySuppress 
    /qn

    Once the old version has gone, the next "Update now" should fix the new SSP service.

    Hope it helps.

    Regards,

    Jak
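
The registry lookup described in the reply above, as an added read-only PowerShell example (not part of the original thread and not Sophos code). The variable names are assumptions made for illustration; the DisplayName, service display name, binary path and msiexec switches are the ones quoted in the thread.

```powershell
# Added example: read-only audit, nothing is uninstalled or changed.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$legacyName = 'Sophos System Protection'            # DisplayName quoted in the thread
$svcDisplay = 'Sophos System Protection Service'    # service display name from the thread
$newBinary  = 'C:\Program Files\Sophos\Endpoint Defense\SSPService.exe'

# 1. Search both registry views for the old MSI registration.
$legacy = foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($p.DisplayName -ne $legacyName) { continue }
        # MSI products are keyed by product code; only then build the silent form.
        $isGuid = $key.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'
        [pscustomobject]@{
            RegistryKey     = $key.Name
            DisplayVersion  = $p.DisplayVersion
            UninstallString = $p.UninstallString
            SilentCommand   = if ($isGuid) {
                "MsiExec.exe /qn /X$($key.PSChildName) REBOOT=ReallySuppress"
            } else { $null }
        }
    }
}

# 2. See which binary the registered service points at.
$service = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq $svcDisplay } |
    Select-Object Name, State, StartMode, PathName,
        @{ Name = 'IsEndpointDefenseBinary'
           Expression = { $_.PathName -like "*$newBinary*" } }

# 3. Report. A legacy entry plus a service that is not the Endpoint Defense
#    binary is the state the reply above presumes behind error 1078.
$legacy  | Format-List
$service | Format-List
if ($legacy -and $service -and -not ($service.IsEndpointDefenseBinary -contains $true)) {
    Write-Output 'Legacy SSP is still registered and owns the service name.'
} elseif (-not $legacy) {
    Write-Output 'No legacy "Sophos System Protection" uninstall entry found.'
}
```

SilentCommand is only built as a string for review; the script never invokes it.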

  • Sophos does appear to have "broken" something in their updater/installer as I receive the exact same error code when trying to migrate endpoints from on premises to Central. Like Alwyn, it was working fine up until about a week or two ago.

    To work around our issue I've been completely removing Endpoint and reinstalling it, which then allows subsequent installs to complete successfully, although not ideal when we have hundreds to migrate. This probably concurs with what Jak said about something failing to be removed as part of the update/install process.

  • Hello Jak,

    What do you think of "MainEngineThread is returning 1618" in the SophosSystemProtectionSetup.log? Which other installation could be in progress? Or is it a red herring?

    Christian

  • Tried removing using

    MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress

    which is the correct one and present in the registry, but it fails to remove.

    Event ID: 11725 Product: Sophos System Protection -- Removal failed.

    This may be because I am unable to turn tamper protection off on these machines? The Tamper password from the console does not work, and because the machines are not updating it does not turn tamper off when it is turned off in the console.

  • Hi

    I think this is being caused by the Tamper Protection not allowing the old Sophos System Protection Service to be removed?

    Sophos, can you please provide a fix as soon as possible for this, as it is not practical to carry this out manually on over 70 machines.

    I have managed to get around on one machine by:

    Disabling Tamper Protection in Safe Mode

    1. Boot the system into Safe Mode.
    2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
    3. Click Start > Run and type regedit and then click OK.
    4. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004
    5. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0
    6. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0
    7. Reboot the system in normal mode.

    Removing the old Sophos System Protection Service using:

    MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress

    Restart the Sophos Anti-Virus service and set to Automatic

    Allowing Sophos to now update

    Changing the Registry values back to original values.

    Restart

    Reenable Tamper protection within Sophos Console

    Now all working again

  • Although we aren't experiencing exactly the same issue (just the same error) I don't think it's directly related to Tamper Protection as we removed it prior to trying to migrate the Endpoints.

    I can confirm that just removing the Sophos System Protection Service rather than the whole Endpoint (as I was doing previously) allows the installation to succeed.

  • Hi

    Yes, it does not sound exactly the same, as we are unable to remove Tamper Protection from within Sophos Console or the Sophos GUI on the affected devices. Hence having to disable Tamper in Safe Mode first and then removing the old Sophos System Protection service.

    Thanks

  • We have the same problem here, a lot of clients with the SED install failing because the SSP service exists. Disabling tamper protection from Sophos Central doesn't get actioned on the client and it looks like the message doesn't get queued, which is weird, so we can't uninstall SSP. I found a few where the SSP service was STOPPABLE even though TP protection was enabled, and stopping and deleting the SSP service was enough for the next update to succeed, but that may just cause more problems down the line.