
Hopelessly Broken

Sorry about the sensationalist headline!!, but this issue has had me running round in circles for the best part of a week now, with no hope of resolution in sight.

I have been trying to update my PC to use SAV 10.3. I first updated our management console server to 5.2.1. I then created a new subscription to download the 10.3 version. I then attempted to deploy it to my PC. I noticed that the console reported the status of my PC as 'this computer is protected but has not yet reported its status'.....since then I have been on an endless loop of uninstalling, reinstalling, tearing out a few more hairs, following the 'completely remove SAV' instructions provided by Sophos support, rebooting, rebooting, sacrificing a goat or two, then rinse and repeat ad nauseam. So far NOTHING has helped.....

anyway, here's a list of the things I have tried all to no avail.

1. After initially contacting Sophos support, and getting the instructions for completely deleting SAV, and following those instructions, I started with what should have been considered a clean PC.

2. Deployed SAV from the management server to my PC. The 'setup.exe' process only ran for a few seconds, and at the end of it I had a Sophos icon in my system tray, but the 'open Sophos Endpoint protection' item was greyed out. The only available choices were 'update now', which did nothing....no 'update progress' dialog, zilch, zip, nada. I checked the Services on my PC and all I had was the Sophos Auto Update service. Tried rebooting, still nothing happening.

3. Manually connected to the CID on our network and ran setup. Got a message indicating that SAV was being uninstalled.

4. Cleaned up my PC as per the removal instructions....rebooted....sacrificed a goat

5. Connected to the CID on the LAN. Ran the installer. This gave me the Sophos Agent, Auto Updater and Message Router in my Services panel, but still no SAV. Same deal with the tray icon. Rebooted....

6. Went to the CID on the lan, navigated down to the 'savxp' folder and ran 'sophos anti-virus.msi'. This appeared to work, and I thought I may have experienced the sweet taste of success.....however.....even though I was now able to open the SAV interface, there was no 'version' information, no 'last updated' information, and all the clickable links (update, scan, etc) were greyed out. Reboot again, sacrifice a chicken this time.....

7. After reboot, still no change. Also, NO updating logs available.....no 'alc.log' to be found anywhere on my PC. Also noticed at this stage that the Sophos Agent service was no longer present....also, clicking Update Now still does nothing.

8. Thought I'd try installing the standalone 10.3 installer downloaded from Sophos web site, but unsurprisingly this failed (I had forgotten a fresh sacrifice before trying this one...). Also noticed that after this the Sophos Remote Management service was now gone from my PC.

9. Uninstalled everything again, cleaned up as per instructions.....kicked the cat a few times

10. Ran the standalone installer again. This installed this time. When I put in the details for updating, and then clicked Update Now, nothing happened. Tried both our Sophos credentials, and the local CID credentials, but nothing would trigger an update. Also, still no alc.log to be found anywhere, and 'last updated' in the Interface still showing 'unknown'.

11. Killed the cat, ate the goat, installed Kaspersky

12. Only kidding.....didn't kill the cat.

13. Didn't really install Kaspersky.....but at the moment I still appear to have a completely non-functional SAV on my PC. I have also noticed that there are a couple more PCs with the 'protected but haven't phoned home yet' status showing in the management server.

I have an open case with support regarding this, but just thought I'd throw it out there to see if anyone has experienced similar, or can offer any suggestions. My PC has been unprotected for a few days now - well, I'm not sure if it's unprotected or not - and I'm starting to get a bit nervous...

:50486


This thread was automatically locked due to age.
  • Hello,

    The key here is log files.  

    From a clean slate... Run setup.exe on the client, either through a push (from SEC) or pull from the CID by running setup.exe.

    Cac.pem and mrinit.conf will be copied by setup.exe to the client computer to the "program files" directory of RMS and await the Remote Management System (RMS) install later.

    AutoUpdate will then be installed, possibly after running the CRT tool (the default).  AutoUpdate will pull down all the packages from the CID. E.g. RMS, SAV, SCF, SAU, etc., depending on what options have been specified.  I would expect this to work, unless the updating credentials are wrong such that it can't get files from the CID.  

    The next phase is the installation of the downloaded packages.

    AutoUpdate will first install RMS: Alupdate.exe will be running as Local System and will orchestrate the install of the packages by loading the individual setup plugin (dlls) of each package. As the installs are running as system, all the logs will go to \windows\temp\.  You should therefore find 1 or more logs per component.

    So I would expect, RMS to install first in order to report back in SEC as soon as possible and give feedback.  As long as the client can connect to port 8192 TCP and 8194 TCP of the server and the server can connect to port 8194 TCP of the client this should take a few seconds and the machine should appear as managed in SEC.  SAV info will be blank at this point until SAV is installed and another status message is sent from the client.

    The next package to install will be SAV, again install logs will appear in \windows\temp\.

    AutoUpdate will proceed in this manner until all the packages are installed, creating logs as it goes.  

    For each package that fails to install, the logs of that package are required. Each will have an MSI log and typically accompanying custom action log files.

    I hope this helps find your issue.  

    Please feel free to post any logs you want checked.

    Regards,

    Jak

    P.S. Running the MSIs directly will not work.

    :50500
  • Hi Jak,

    Thanks for your reply.

    Here's what I did :

    1. Cleaned my PC as per Sophos instructions.

    2. Tried running setup.exe from the CID. When I did this, I got a windows installer 'installing'-type dialog that said that Sophos Auto Update was installing. The folder c:\program files (x86) Sophos\Remote management System was created. The 2 files (cac.pem and mrinit.com) were in that folder. I had a Sophos icon in my system tray. When I clicked that icon I had 'Update Now' and 'configure updating' available on the menu. The other 2 options were greyed out. When I clicked Update Now, NOTHING happened. When I clicked Configure Updating, it brought up the right dialog, with all the correct details filled in, but EVERY option, button etc was greyed out - I could not select anything. I checked the Windows\temp folder. The only log available in there was Sophos AutoUpdate Setup Log.text. This file was completely BLANK - ie NOTHING in it.....not a single line.

    3. I cleaned my PC again as per Sophos instructions

    4. I tried deploying to my PC the same way we have always deployed, and the same way I have deployed to some other PCs in the last few days. I got EXACTLY the same result - ie same system tray icon, same greyed-out options, same lack of anything happening when I clicked Update Now, same empty log file. The management server shows no status until I reboot and then it shows 'this pc is managed but has not yet reported its status'

    Still I have no functional virus protection on my PC.

    :50566
  • Hello,


    The options being greyed out is expected.

    If AutoUpdate has been installed, I would expect there to be an AutoUpdate log file: alupdate.log

    C:\ProgramData\Sophos\AutoUpdate\Logs\

    Can you post that?

    Regards,

    Jak

    :50572
  • After posting my last message I felt that I really needed to have some A/V protection on my machine. I read on another post here that you could install the stand-alone version of Sophos, then just do a 'protect computer' from the Management Console which would install the Remote Management Service.....so I did. I ran the stand-alone installer, but when I do a right-click on the tray icon and 'open SAV', on the pane on the left hand side, it still shows 'unknown' under 'last updated'. In the management console my PC is now showing as 'the computer is not yet managed. It is protected but has not yet reported back its status'. When I click the 'Update Now' on the tray icon, still nothing happens. When I click 'view updating log' from inside SAV, there is nothing visible. When I browse and select the log file, I get an error 'could not open log file'. I CAN open the logfile in Notepad though....it is attached to this message.

    :50632
  • Hello Doctor-Gerry,

    it looks indeed pretty broken. The log shows that AutoUpdate starts, collects the list of products but fails before it completes this step - probably when accessing the key HKLM\SOFTWARE\Sophos\AutoUpdate\Products\. The message in the log you've posted is:

    Trace(2014-Jun-03 16:11:50): ALUpdate::main: terminal problem!

    whereas normally it should say

    Trace(2014-Jun-04 16:25:13): Considering subscribed products.

    Dunno if it is an issue with this key though. It should contain a subkey {9BF40A4E-23AE-48be-9974-5A1F261DBEE8} with two values, Full control permissions for SYSTEM and Administrators.

    As AutoUpdate miserably fails with this ALUpdate::main: terminal problem! it never completes normally (with either success or failure) and consequently doesn't inform RMS of the outcome. Therefore the not yet reported status in SEC.

    Did you (before or after eating the goat) try the Fix-It mentioned in Troubleshooting and resolving problematic Sophos endpoint upgrade and uninstall issues? I know this is not a solution you can apply remotely (at least I don't know whether one can script the Fix-It tool).

    Christian

    :50640
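
A triage check for the two log states contrasted in the reply above, as an added example that is not part of the original posts or any Sophos tooling: it reads an AutoUpdate trace log and reports whether the most recent marker is the terminal abort or the normal product-consideration step. The function name `triage`, the status labels and the placeholder sample lines are assumptions; only the two marker messages and the `Trace(...)` timestamp layout come from the thread.

```python
import re
import sys

# Trace layout as quoted in the thread: Trace(2014-Jun-03 16:11:50): message
TRACE_RE = re.compile(r"^Trace\((\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\): (.*)$")
ABORT_MARK = "ALUpdate::main: terminal problem!"    # quoted in the thread
PROGRESS_MARK = "Considering subscribed products."  # quoted in the thread

# Constructed samples: only the two marker lines come from the thread.
SAMPLE_BROKEN = (
    "Trace(2014-Jun-03 16:11:49): constructed placeholder line\n"
    "Trace(2014-Jun-03 16:11:50): ALUpdate::main: terminal problem!\n"
)
SAMPLE_HEALTHY = (
    "Trace(2014-Jun-04 16:25:12): constructed placeholder line\n"
    "Trace(2014-Jun-04 16:25:13): Considering subscribed products.\n"
)

def triage(log_text):
    """Classify the most recent marker seen in an AutoUpdate trace log."""
    traces = 0
    status, at = "inconclusive", None
    for line in log_text.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-trace lines
        traces += 1
        stamp, message = m.groups()
        if ABORT_MARK in message:
            status, at = "aborted", stamp      # terminal abort is the latest marker
        elif PROGRESS_MARK in message:
            status, at = "progressed", stamp   # got as far as considering products
    if traces == 0:
        status = "empty"  # no trace lines at all, e.g. a blank log file
    return {"status": status, "at": at, "traces": traces}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to a copy of the log is supplied by the operator.
        with open(sys.argv[1], errors="replace") as fh:
            print(triage(fh.read()))
    else:
        print(triage(SAMPLE_BROKEN))
        print(triage(SAMPLE_HEALTHY))
```

An `aborted` result on an endpoint that the console shows as not yet reporting its status matches the failure described in this thread, so the endpoint should be treated as unprotected until an update completes.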
  • Hi Christian,

    Yes.....did the fix it. Did it again today, just in case today may have been the day that all the planets were in the correct alignment, but, alas, no.....I still can't get it installed.

    :50724
  • Hello Doctor-Gerry,

    maybe it'll work next Friday ... :smileywink:

    Whatever is messed up it seems to be rather special - OTOH, this whatever triggers the special terminal problem! message. This is neither an Unexpected exception nor a runtime error. Furthermore it happens after considering PMSR 2.6 and before the Considering subscribed products. message is issued - someone with access to the code should be able to name the few things it's trying to do at this point.

    Just watched it with Process Monitor - indeed it seems that all it does between these two messages is enumerating HKLM\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\Products\ and querying each subkey found for some values. Wonder if this key is corrupt?

    Christian

    :50734
  • Well, looks like Friday might have been the missing option.....and here was me, trying to fix it on Monday, Tuesday, Wednesday and Thursday......anyway, what I did was this....

    Ran the installer from the console. This installed the auto-update service. As mentioned previously, doing an 'update now' did not result in any other components getting installed. I then copied the Sophos registry entries from a machine that was working to my PC, tried to update again, and still it didn't work. Then I tried installing from the console again, and this time I was able to configure auto-updating (the options were no longer greyed out as they had been previously). At this point I retyped the password for the account that the auto-update runs under, and hey presto! Everything updated, the SAV interface now shows the correct info (last updated time) and the console is showing my PC's details correctly. So it would appear that somehow the auto-update password had got messed up. Don't know why, because just about every other PC in the place is working correctly using that same user account.....

    :50864