New to Endpoint please help

Hi there, so I am new to servers and endpoint. I recently had a customer subject to a ransomware attack. To prevent future attacks as best I can, I am carrying out checks; one of these checks is the Sophos Endpoint that is installed on the customer's machine. Unfortunately it is coming up with an error saying "Some Sophos services are not running". I cannot work out why, please can someone help?

Thanks

Jamie

  • Hi  

    Would you please check under services.msc which Sophos service is not running? Also, please check under the central dashboard, you should be able to view the status of the machine on the dashboard as well. Kindly check this link as well, and see if it helps you to resolve the issue. 

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hey, thanks for the reply!

    So upon looking at Services it would seem that Sophos Web Intelligence Update has a blank status?

    Thanks

    Jamie

  • Hello  

    That event is old. Please send a screenshot of the screen after clicking on "Run Diagnostic Tool" and go under Services. 

    You can also look at the System tab there to see if there are any pending reboots, which could potentially resolve the issue as well.

  • Not seen that tab yet, thanks!

    23/12/19 is probably about the time the ransomware came in; everything was encrypted post Christmas break.

  • Hello  

    Can you please look into the install logs for Sophos File Integrity Monitoring? It could be failing to install for some reason that is why the service is "missing" and could not start.

    The logs are in C:\Windows\Temp; look for the most recent Sophos File Integrity Monitoring setup log<timestamp>.txt and Sophos File Integrity Monitoring install log<timestamp>.txt files.

    See if you can find strings such as "Error" (which should eventually show an error code), or "Failed" (should also tell what failed, etc.).

  • Hello  

    Okay, thanks. Can you also please find the most recent Sophos File Integrity Monitoring install log<timestamp>.txt file, also in C:\Windows\Temp?

    Thanks!

  • I did check this, but I found no errors. Here is the text.
    === Verbose logging started: 06/01/2020 08:29:56 Build type: SHIP UNICODE 5.00.7601.00 Calling process: C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\SophosUpdate.exe ===
    MSI (c) (44:F8) [08:29:56:455]: Cloaking enabled.
    MSI (c) (44:F8) [08:29:56:455]: Attempting to enable all disabled privileges before calling Install on Server
    MSI (c) (44:F8) [08:29:56:455]: End dialog not enabled
    MSI (c) (44:F8) [08:29:56:471]: Original package ==> C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\fim\SophosFIM.msi
    MSI (c) (44:F8) [08:29:56:471]: Package we're running from ==> C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\fim\SophosFIM.msi
    MSI (c) (44:F8) [08:29:56:471]: APPCOMPAT: Uninstall Flags override found.
    MSI (c) (44:F8) [08:29:56:471]: APPCOMPAT: Uninstall VersionNT override found.
    MSI (c) (44:F8) [08:29:56:471]: APPCOMPAT: Uninstall ServicePackLevel override found.
    MSI (c) (44:F8) [08:29:56:471]: APPCOMPAT: looking for appcompat database entry with ProductCode '{425063CE-9566-43B8-AC61-F8D182828634}'.
    MSI (c) (44:F8) [08:29:56:471]: APPCOMPAT: no matching ProductCode found in database.
    MSI (c) (44:F8) [08:29:56:486]: MSCOREE not loaded loading copy from system32
    MSI (c) (44:F8) [08:29:56:502]: APPCOMPAT: looking for appcompat database entry with ProductCode '{425063CE-9566-43B8-AC61-F8D182828634}'.
    MSI (c) (44:F8) [08:29:56:518]: APPCOMPAT: no matching ProductCode found in database.
    MSI (c) (44:F8) [08:29:56:518]: Transforms are not secure.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Windows\TEMP\Sophos File Integrity Monitoring Install Log 20200106082956455.txt'.
    MSI (c) (44:F8) [08:29:56:518]: No Command Line.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{2A4B14BE-081A-4CDE-A2A1-A6397314C880}'.
    MSI (c) (44:F8) [08:29:56:518]: Product Code passed to Engine.Initialize: '(none)'
    MSI (c) (44:F8) [08:29:56:518]: Product Code from property table before transforms: '{425063CE-9566-43B8-AC61-F8D182828634}'
    MSI (c) (44:F8) [08:29:56:518]: Product Code from property table after transforms: '{425063CE-9566-43B8-AC61-F8D182828634}'
    MSI (c) (44:F8) [08:29:56:518]: Product not registered: beginning first-time install
    MSI (c) (44:F8) [08:29:56:518]: Determined that existing product (either this product or the product being upgraded with a patch) is installed per-machine.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
    MSI (c) (44:F8) [08:29:56:518]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
    MSI (c) (44:F8) [08:29:56:518]: Entering CMsiConfigurationManager::SetLastUsedSource.
    MSI (c) (44:F8) [08:29:56:518]: User policy value 'SearchOrder' is 'nmu'
    MSI (c) (44:F8) [08:29:56:518]: Adding new sources is allowed.
    MSI (c) (44:F8) [08:29:56:518]: Package name extracted from package path: 'SophosFIM.msi'
    MSI (c) (44:F8) [08:29:56:518]: Package to be registered: 'SophosFIM.msi'
    MSI (c) (44:F8) [08:29:56:518]: Note: 1: 2262 2: AdminProperties 3: -2147287038
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
    MSI (c) (44:F8) [08:29:56:518]: TRANSFORMS property is now:
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Favorites
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Documents
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Local
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Pictures
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\system32\config\systemprofile\Desktop
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
    MSI (c) (44:F8) [08:29:56:518]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
    MSI (c) (44:F8) [08:29:56:518]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
    MSI (c) (44:F8) [08:29:56:518]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
    MSI (c) (44:F8) [08:29:56:518]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'server'.
    MSI (c) (44:F8) [08:29:56:518]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding COMPANYNAME property. Its value is 'SRM Steadfast'.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\fim\SophosFIM.msi'.
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\fim\SophosFIM.msi'.
    MSI (c) (44:F8) [08:29:56:518]: Machine policy value 'MsiDisableEmbeddedUI' is 0
    MSI (c) (44:F8) [08:29:56:518]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
    MSI (c) (44:F8) [08:29:56:518]: EEUI - Disabling MsiEmbeddedUI in quiet mode
    === Logging started: 06/01/2020 08:29:56 ===
    MSI (c) (44:F8) [08:29:56:518]: Machine policy value 'DisableRollback' is 0
    MSI (c) (44:F8) [08:29:56:518]: User policy value 'DisableRollback' is 0
    MSI (c) (44:F8) [08:29:56:518]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
    MSI (c) (44:F8) [08:29:56:518]: Creating MSIHANDLE (10) of type 790537 for thread 8696
    MSI (c) (44:F8) [08:29:56:518]: MsiOpenPackageEx is returning 0
    MSI (c) (44:F8) [08:29:56:518]: Closing MSIHANDLE (10) of type 790537 for thread 8696
    === Verbose logging stopped: 06/01/2020 08:29:56 ===

  • Hello  

    Hmm, I was trying to see if the install log would have additional information why the setup log showed the error 1060 when starting the service. 

    I was trying to possibly find errors in the install log that would look like:

    CreateFIMDataReaderGroup:  Initialized
    MSI (s) (5C!98) [07:59:43:198]: Closing MSIHANDLE (102) of type 790531 for thread 4248
    MSI (s) (5C!98) [07:59:43:276]: Creating MSIHANDLE (103) of type 790531 for thread 4248
    CreateFIMDataReaderGroup:  Creating group 'SophosFimDataReaders' with description 'Group allowing access to the SophosFim Export Folder'
    MSI (s) (5C!98) [07:59:43:276]: Closing MSIHANDLE (103) of type 790531 for thread 4248
    MSI (s) (5C!98) [07:59:43:276]: Creating MSIHANDLE (104) of type 790531 for thread 4248
    CreateFIMDataReaderGroup:  NetLocalGroupAdd returned 50
    MSI (s) (5C!98) [07:59:43:276]: Closing MSIHANDLE (104) of type 790531 for thread 4248
    CreateFIMDataReaderGroup:  Error 0x80070032: Failed to create group
    MSI (s) (5C:04) [07:59:43:276]: Closing MSIHANDLE (100) of type 790536 for thread 5484
    CustomAction CreateFIMDataReaderGroup returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (5C:6C) [07:59:43:339]: Note: 1: 2265 2:  3: -2147287035

    From those events it would be because Sophos is being installed on a read-only DC.

    Please take a look at the FIM FAQ KB article, specifically the "Are there any issues I should be aware of?" section where it states:

    Installation of Sophos File Integrity Monitoring may fail on a Windows read-only domain controller (RODC).

    On installation, a local or domain group SophosFimDataReaders is created. If the first DC to be installed is a read-only domain controller (RODC), this account cannot be created and the installation will fail. To resolve, either install to a DC to allow the group to be created automatically, or manually create the domain group.

    You can try looking through older versions of the FIM install log specifically, to see if you see any further errors. If there are none, or there is a different error code, please raise a support case to have our Support team look into your issue further. When you have created the ticket, please post or DM me your ticket number so we can follow the case.
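The two steps the support engineer describes above (find the newest FIM setup/install logs in C:\Windows\Temp and search them for "Error"/"Failed", then interpret the NetLocalGroupAdd / custom-action codes against the RODC condition in the KB article) can be scripted. The following PowerShell is an added example and is not part of the thread or of Sophos' own tooling. It assumes the log file names follow the pattern visible in the install log above ("Sophos File Integrity Monitoring Install Log <timestamp>.txt"), that Get-LocalGroup is available (Windows PowerShell 5.1), and that the ActiveDirectory module is present when run on a domain controller so that Get-ADDomainController's IsReadOnly property can be read; the code meanings (50 = ERROR_NOT_SUPPORTED, 1060 = ERROR_SERVICE_DOES_NOT_EXIST, 1603 = ERROR_INSTALL_FAILURE, 0x8007xxxx = HRESULT_FROM_WIN32) come from winerror.h and msi.h, not from the thread.

```powershell
# Added example, not Sophos tooling: find the newest Sophos FIM setup/install logs in
# C:\Windows\Temp, list the lines that indicate a failure, decode the return codes that
# appear in this thread, and check the SophosFimDataReaders / RODC prerequisite.
# Assumptions: log file names follow the pattern seen in the thread, PowerShell 5.1
# (Get-LocalGroup), and the ActiveDirectory module is installed on a DC.
param(
    [string]$LogDir    = 'C:\Windows\Temp',
    [string]$GroupName = 'SophosFimDataReaders'
)

# Win32 / MSI return codes seen in the thread (values from winerror.h and msi.h).
$KnownCodes = @{
    50   = 'ERROR_NOT_SUPPORTED: NetLocalGroupAdd refused to create the group (expected on an RODC)'
    1060 = 'ERROR_SERVICE_DOES_NOT_EXIST: the service was never registered, so it cannot be started'
    1603 = 'ERROR_INSTALL_FAILURE: a custom action failed; read the lines just above it'
}

function Get-LatestFimLog {
    param([ValidateSet('Setup', 'Install')][string]$Kind)
    # e.g. "Sophos File Integrity Monitoring Install Log 20200106082956455.txt"
    Get-ChildItem -Path $LogDir -File -Filter "Sophos File Integrity Monitoring $Kind Log*.txt" -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

function Find-FimLogProblems {
    param([System.IO.FileInfo]$Log)
    # Markers the support engineer asked to look for, plus the custom-action result line
    # and the NetLocalGroupAdd return line shown in the thread.
    $pattern = 'Error|Failed|returned actual error code|NetLocalGroupAdd returned'
    Select-String -Path $Log.FullName -Pattern $pattern | ForEach-Object {
        $line    = $_.Line
        $decoded = New-Object System.Collections.Generic.List[string]
        # Plain decimal codes: "NetLocalGroupAdd returned 50", "error code 1603"
        foreach ($m in [regex]::Matches($line, '(?:returned|error code)\s+(\d+)')) {
            $code = [int]$m.Groups[1].Value
            if ($KnownCodes.ContainsKey($code)) { $decoded.Add("$code = $($KnownCodes[$code])") }
        }
        # 0x8007xxxx is HRESULT_FROM_WIN32: the low 16 bits are the Win32 error (0x80070032 -> 50).
        foreach ($m in [regex]::Matches($line, '0x8007([0-9A-Fa-f]{4})')) {
            $code = [Convert]::ToInt32($m.Groups[1].Value, 16)
            if ($KnownCodes.ContainsKey($code)) { $decoded.Add("HRESULT -> $code = $($KnownCodes[$code])") }
        }
        [pscustomobject]@{
            Line    = $_.LineNumber
            Text    = $line.Trim()
            Decoded = ($decoded -join '; ')
        }
    }
}

function Test-FimGroupPrerequisite {
    # FIM creates $GroupName (local, or in the domain when installed on a DC); on an RODC
    # that directory write cannot happen, which is the failure the KB article describes.
    $groupExists = $false
    $isRodc      = $false
    if (Get-Command Get-LocalGroup -ErrorAction SilentlyContinue) {
        $groupExists = [bool](Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)
    }
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory -ErrorAction SilentlyContinue
        # Throws on a member server that is not a DC; treat that as "not a DC".
        $dc = try { Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction Stop } catch { $null }
        if ($dc) { $isRodc = [bool]$dc.IsReadOnly }
        if (-not $groupExists) {
            $groupExists = [bool](Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue)
        }
    }
    $advice = if ($isRodc -and -not $groupExists) {
        "This is an RODC and $GroupName is missing: create the domain group from a writable DC, then re-run the FIM install"
    } elseif (-not $groupExists) {
        "$GroupName is missing: look for the CreateFIMDataReaderGroup custom action in the install log"
    } else {
        "$GroupName exists; the service failure has another cause"
    }
    [pscustomobject]@{ GroupExists = $groupExists; IsReadOnlyDC = $isRodc; Advice = $advice }
}

foreach ($kind in 'Setup', 'Install') {
    $log = Get-LatestFimLog -Kind $kind
    if (-not $log) { Write-Warning "No Sophos FIM $kind log found in $LogDir"; continue }
    Write-Host "== $($log.FullName) =="
    Find-FimLogProblems -Log $log | Format-Table -AutoSize -Wrap
}
Test-FimGroupPrerequisite | Format-List
```

Run it in an elevated PowerShell on the affected server. Against a log like the one quoted in the reply above, the "NetLocalGroupAdd returned 50" and "Error 0x80070032" lines both decode to ERROR_NOT_SUPPORTED, and "returned actual error code 1603" to ERROR_INSTALL_FAILURE, which together with IsReadOnlyDC = True is the RODC case the KB article describes; a different code, or the group already existing, points at another cause and is the point at which to raise the support case.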
