Up to 50 PCs reporting Missing: Sophos System Protection Service

Over 50 PCs are reporting Missing: Sophos System Protection Service in Sophos Console. But within Sophos Diagnostic it is showing as running and green, but AutoUpdate is failing?

The SSP service is installed as a Windows service and can be stopped and restarted fine!

I cannot remove Sophos as the Tamper Protection password does not now work on these PCs. This has happened since last week's update.

I do have a support call logged but very slow at responding!!

Any ideas anyone?



  • In your \Windows\temp\ directory, is there:

    - A Sophos System Protection log file from when this component was updated? I wonder if the uninstallation of the old version failed?
    - An Endpoint Defense install log in the same directory, does that show failure?

    SSP is no longer a component since version 2, as its functionality is now part of Endpoint Defense, but it does have a "new" SSP service still.

    Regards,

    Jak

     

  • Hi Jak

    Thanks for the response

     

    Here are the log contents

    SophosSystemProtectionSetup.log

    2018-02-19 08:34:41 Info: ssp msi package not found. uninstalling ssp.
    2018-02-19 08:34:41 Info: Requesting Sophos Endpoint Defense disable tamper protection of SSP.
    2018-02-19 08:34:41 Info: Waiting on SSP service becoming stoppable.
    === Verbose logging started: 19/02/2018  08:34:41  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\ProgramData\Sophos\AutoUpdate\cache\sophos_autoupdate1.dir\SophosUpdate.exe ===
    MSI (c) (E8:A0) [08:34:41:684]: Resetting cached policy values
    MSI (c) (E8:A0) [08:34:41:684]: Machine policy value 'Debug' is 0
    MSI (c) (E8:A0) [08:34:41:684]: ******* RunEngine:
               ******* Product: {934BEF80-B9D1-4A86-8B42-D8A6716A8D27}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (E8:A0) [08:34:41:684]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (E8:A0) [08:34:44:689]: Failed to grab execution mutex. System error 258.
    MSI (c) (E8:A0) [08:34:44:694]: Cloaking enabled.
    MSI (c) (E8:A0) [08:34:44:694]: Attempting to enable all disabled privileges before calling Install on Server
    MSI (c) (E8:A0) [08:34:44:696]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (c) (E8:A0) [08:34:44:700]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (E8:A0) [08:34:44:700]: MainEngineThread is returning 1618
    === Verbose logging stopped: 19/02/2018  08:34:44 ===

    SophosEndpointDefense log

    Started C:\ProgramData\Sophos\AutoUpdate\cache\sophos_autoupdate1.dir\SophosUpdate.exe
    20/02/2018 18:57:29, INFO : Driver is already installed.
    20/02/2018 18:57:29, INFO : Starting Sophos Endpoint Defense upgrade/downgrade (1.3.0.369)
    20/02/2018 18:57:29, INFO : Unregistering MCS adapter: CORC
    20/02/2018 18:57:29, INFO : CORC adapter unload not needed: MCS adapter does not exist.
    20/02/2018 18:57:29, INFO : Unregistering MCS adapter: CORE
    20/02/2018 18:57:29, INFO : CORE adapter unload not needed: MCS adapter does not exist.
    20/02/2018 18:57:29, INFO : Unregistering MCS adapter: SED
    20/02/2018 18:57:29, INFO : SED adapter unload not needed: MCS adapter does not exist.
    20/02/2018 18:57:29, INFO : Installing Sophos System Protection Service ...
    20/02/2018 18:57:29, ERROR : Error code: 1078
    20/02/2018 18:57:29, ERROR : Error upgrading/downgrading Sophos Endpoint Defense: Failed to create Sophos System Protection Service service.
    20/02/2018 18:57:29, ERROR : SetupPlugin install error: Failed to upgrade/downgrade Sophos Endpoint Defense.

     

     

     

  • Thanks for the logs, they are useful given the error code 1078:

    net helpmsg 1078 = "The name is already in use as either a service name or a service display name."

    So it's failing to install the new "Sophos System Protection Service" - "C:\Program Files\Sophos\Endpoint Defense\SSPService.exe" presumably because the old one is still present.

    I assume that the old Sophos System Protection component (which is now not a component but a feature of Endpoint Defense) is still installed and therefore removing it would allow the new version to be installed.

    The old version should have been removed by AutoUpdate but you should be able to remove it manually.

    I don't have the old version to hand to know the product code for it. It may be one of these:

    MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress

    But if not: if you open the Registry Editor (regedit.exe) and navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

    I can't remember if SSP is a 32-bit or 64-bit package; check all subkeys of the above keys for the DisplayName being "Sophos System Protection".

    The UninstallString value will give you the command to remove it. You can then add the additional switches as I have done above to make it silent and not force a reboot.

    REBOOT=ReallySuppress 
    /qn

    Once the old version has gone, the next "Update now" should fix the new SSP service.

    Hope it helps.

    Regards,

    Jak
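The registry lookup described in the reply above, as an added PowerShell example (not part of the original posts and not Sophos tooling). It searches both Uninstall keys for the DisplayName "Sophos System Protection", shows what the existing service entry points at, and prints the silent MsiExec command; the `-Execute` switch is an addition of this example and is the only path that runs anything.

```powershell
# Added example: find the old "Sophos System Protection" MSI and build the silent
# uninstall command from the thread. Prints by default; -Execute actually runs it.
param([switch]$Execute)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$displayName = 'Sophos System Protection'   # DisplayName quoted in the thread

# Check both the 64-bit and 32-bit (WOW6432Node) views, as the reply suggests.
$found = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($p -and $p.DisplayName -eq $displayName) {
            [pscustomobject]@{
                ProductCode     = $key.PSChildName
                DisplayVersion  = $p.DisplayVersion
                UninstallString = $p.UninstallString
            }
        }
    }
}

# Show what the conflicting service entry points at (error 1078 = name already in use).
Get-CimInstance Win32_Service -Filter "DisplayName='Sophos System Protection Service'" |
    Select-Object Name, State, PathName | Format-List | Out-String

if (-not $found) { Write-Output "No '$displayName' entry in either Uninstall key."; return }

foreach ($item in $found) {
    if ($item.ProductCode -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
        # Subkey is not an MSI product code: show the stored string for manual review.
        Write-Output "Non-MSI entry, review manually: $($item.UninstallString)"
        continue
    }
    $msiArgs = "/qn /X$($item.ProductCode) REBOOT=ReallySuppress"
    Write-Output "MsiExec.exe $msiArgs"
    if ($Execute) {
        $proc = Start-Process -FilePath 'MsiExec.exe' -ArgumentList $msiArgs -Wait -PassThru
        # 0 = success, 1618 = another installation already in progress (retry later).
        Write-Output "Exit code: $($proc.ExitCode)"
    }
}
```

Run it from an elevated prompt; comparing the service's PathName with the Endpoint Defense path quoted in the reply shows whether the registered service still belongs to the old component.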

  • Hello Jak,

    what do you think of MainEngineThread is returning 1618 in the SophosSystemProtectionSetup.log? Which other installation could be in progress? Or is it a red herring?

    Christian
