Up to 50 PCs reporting Missing: Sophos System Protection Service

Over 50 PCs are reporting "Missing: Sophos System Protection Service" in Sophos Console. But within Sophos Diagnostic it is showing as running and green, but AutoUpdate is failing?

The SSP service is installed as a Windows service and can be stopped and restarted fine!

I cannot remove Sophos as the Tamper Protection password does not now work on these PCs. This has happened since last week's update.

I do have a support call logged but very slow at responding!!

Any ideas anyone?

  • We've had a variety of problems with the Central installer lately.  Services not running, tamper protection can't be disabled, etc.  One of the major causes appears to be that the installer can't always remove all components of a previous installation (Sophos has been making changes to the services recently so new services are being installed).  The only reliable fix I've found so far is to boot to safe mode, disable tamper protection, boot to normal mode, find all of the uninstall strings for Sophos in the registry and remove them, reboot, and then reinstall the Endpoint.  It's been a big pain and I have a couple of tickets open with support about it.

  • As I have just suggested in my post here:
    https://community.sophos.com/products/sophos-central/f/sophos-central/96303/some-sophos-services-are-not-running-missing#pi2151=6

    If the SED component is failing to install because the old SSP component failed to uninstall for whatever reason, it might be possible to delete the old service, i.e.

    SC DELETE SOPHOSSSP 

    This may then enable the Endpoint Defense component to install on the next update as it needs to create the new SSP service which was perhaps previously failing.

    Once that has installed you might be able to then disable TP via policy in order to uninstall the old SSP component and Heartbeat if that also failed to uninstall, without the need for safe mode.

    Regards,
    Jak

  • Hi Jak

    Thanks for this update.

    I have managed to clear 40 devices with this error now, but several remaining ones differ slightly in that the Sophos Heartbeat service is present but stopped. Deleting System Protection Service and disabling Tamper Protection will not work. So I guess the Heartbeat service hasn't uninstalled properly on these devices.

    Any ideas?

  • You can uninstall that using the MSI also:

    Going by this KBA: https://community.sophos.com/kb/en-us/122126, as I no longer have that component to check.

    The following command should do it:
    MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress

    I am assuming that ProductCode is still the correct one. 

    If not, take a look under: \HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ to see if you can find the UninstallString of Heartbeat.  I believe it is a 32-bit component.  For a 32-bit computer it would be: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ of course.

    For the MSI to uninstall, if you have Tamper Protection enabled, then:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
    SEDEnabled will be set to 1.

    This will cause the uninstall to fail.  Disabling TP should set the above value to 0 and the MSI will uninstall.  

    Regards,

    Jak
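
A read-only PowerShell check that gathers, on one affected PC, the items the replies above say to look at: leftover Sophos uninstall entries, the old SSP service, and the SEDEnabled value. This is an added example, not code from the posters or from Sophos; the registry paths, the SOPHOSSSP service name and SEDEnabled come from the thread, while the `Sophos*` name filter and the output layout are assumptions.

```powershell
# Read-only triage for the state described in this thread. Changes nothing.
# Run from an elevated prompt so every registry key is readable.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 32-bit view on 64-bit Windows
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# 1. Sophos entries still registered for uninstall, with their UninstallString.
#    'Sophos*' as the DisplayName filter is an assumption.
$products = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.DisplayName -like 'Sophos*') {
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                KeyName         = $_.PSChildName   # for MSI installs this is the ProductCode GUID
                UninstallString = $p.UninstallString
                View            = if ($root -like '*WOW6432Node*') { '32-bit' } else { 'native' }
            }
        }
    }
}

# 2. Sophos services and their state (for example Heartbeat present but stopped),
#    plus whether the old SSP service named in the thread is still registered.
$services = Get-Service -DisplayName 'Sophos*' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status
$oldSsp = Get-Service -Name 'SOPHOSSSP' -ErrorAction SilentlyContinue

# 3. Tamper Protection flag: per the thread, SEDEnabled = 1 makes the MSI uninstall fail.
$tpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
$sed = (Get-ItemProperty -Path $tpKey -Name SEDEnabled -ErrorAction SilentlyContinue).SEDEnabled

# Summary
$products | Sort-Object DisplayName | Format-Table -AutoSize -Wrap
$services | Format-Table -AutoSize
'SOPHOSSSP service registered : {0}' -f [bool]$oldSsp
'SEDEnabled                   : {0}' -f $(if ($null -eq $sed) { 'value not found' } else { $sed })
if ($sed -eq 1) {
    'Tamper Protection is still enforced; an MSI uninstall is expected to fail until it is disabled.'
}
```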
