Firewall error

Hello CL,

haven't seen this one. I'd start with checking the logs in %windir%\Temp, the ones named Sophos Client Firewall xxxx Log.txt (if it exists then Sophos Client Firewall CustomActions Log.txt first). 

Christian

Hello Christian, thanks for your reply

I´ve reviewed the log of Sophos Client Firewall CustomActions Log.txt and this is the difference I found between a proper installation and failed.

PC with Firewall Error:

2011-02-09 17:28:25 RegisterSCFAdapter: Registering SCFAdapter...
2011-02-09 17:28:25 RegisterSCFAdapter: Return Success
2011-02-09 17:28:25 RegisterNAIPlugin: Registering NAIPlugin...
2011-02-09 17:28:25 RegisterNAIPlugin: Return Success
2011-02-09 17:28:26 InstallUnsignedDrivers: Installing driver...
2011-02-09 17:28:26 InstallUnsignedDrivers: Calling DriverHelperProxy::Install()...
2011-02-09 17:28:26 PlatformPath: Architecture x86, running DriverHelper_Win32.exe
2011-02-09 17:28:26 Execute: C:\WINDOWS\TEMP\{12C00~1\DRIVER~2.EXE /install C:\ARCHIV~1\Sophos\AUTOUP~1\cache\scf\
2011-02-09 17:28:44 Execute: Returned 2
2011-02-09 17:28:44 InstallUnsignedDrivers: Return Success
2011-02-09 17:28:44 CreateTempRebootFile: Creating temporary reboot file...
2011-02-09 17:28:44 CreateTempRebootFile: Return Success

PC working ok:

2010-10-13 17:39:49 InstallUnsignedDrivers: Installing driver...
2010-10-13 17:39:49 InstallUnsignedDrivers: Calling InstallAndLoadDrivers()...
2010-10-13 17:39:49 DrvInstXP::Install: Calling SetTagForLoadOrder() to set tag position in PNP_TDI GroupOrderList...
2010-10-13 17:39:49
2010-10-13 17:39:49 DrvInstXP::Install: Return Success
2010-10-13 17:39:49 InstallUnsignedDrivers: Return Success
2010-10-13 17:39:50 RegisterSCFAdapter: Registering SCFAdapter...
2010-10-13 17:39:50 RegisterSCFAdapter: Return Success
2010-10-13 17:39:50 RegisterNAIPlugin: Registering NAIPlugin...
2010-10-13 17:39:50 RegisterNAIPlugin: Return Success
2010-10-13 17:39:50 CreateTempRebootFile: Creating temporary reboot file...
2010-10-13 17:39:50 CreateTempRebootFile: Return Success

Both installations runs from the same path.

I'll be missing something?

There should also be a Sophos Client Firewall DriverHelper Log.txt which hopefully contains details about the failure.

Christian

Sorry for grave digging, but i am currently experiencing the same issue, and since this topic was left outstanding with a question; i can admit that the "Sophos Client Firewall DriverHelper Log.txt" was present.

Basically the log files all show success results ... which is no help at all, still, in the console, the OP's error code is present. This results in the customer not being able to connect to any network resources whatsoever.

Hello IK,

threads never die, they just rest :smileyhappy:

not being able to connect to any network resources whatsoever

If the error is reported to the console there must be some traffic getting through. If you turn off On-Access checking on the client - does the alert make it to SEC? Is the firewall available in the local GUI and what happens if you try to configure it, same error?

Christian

Hi Christian,

The FW is in Add/Remove Programs, but the system tray shows the Sophos icon with a red cross through it. Unfortunately I am unable to remote into this client, so I cannot be more precise in having the FW reconfigured through the GUI. Also I am able to logon to his C$ to inspect the Temp files.

As you may have noticed, I have just started deploying Sophos onto a location with handfull of servers and 50 odd clients, some clients/servers behave well .. (haven't done a mass deployment yet, still in pilot phase) .. so far only one client with FW issues and one server which constantly fails with the MSI for SAVXP (MSI 1603 error)

really appreciate your prompt responses!

Hello IK,

you'd better start a new thread for the server (1603) issue if needed.

You got the information about the status on the client from the user (as you can't remote in)? Guess you can call up the Event Viewer for this machine - there might be some additional information (e.g. service failed to start). At the moment I can't say where else to look - as the install completed successfully the logs in %TEMP% probably won't help, and SCF (if it's running) writes its logs into a database.

If the Event Log doesn't come up with something useful you'd better contact Support. They'll probably ask for the SDU logs.

Christian

I found the below in the EventVwr

Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	10005
Date:		21/09/2012
Time:		16:35:43
User:		NT AUTHORITY\SYSTEM
Computer:	PDG5
Description:
Product: Sophos Client Firewall -- Sophos Anti-Virus 6 or greater must be present in order to install Sophos Client Firewall.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 31 32 43 30 30 32 39   {12C0029
0008: 39 2d 42 38 42 34 2d 34   9-B8B4-4
0010: 30 44 33 2d 39 36 36 33   0D3-9663
0018: 2d 36 36 41 42 45 41 33   -66ABEA3
0020: 31 39 38 41 42 7d         198AB}  

I found your reply for "community.sophos.com/.../message;q=Customactions#message-list" i will investigate further ... 

Some log file dumps:

GOOD LOG:

MSI (s) (9C:3C) [09:08:52:950]: Doing action: SetServicesRecoveryOptions
Action ended 09:08:52: SetServicePermissons. Return value 1.
MSI (s) (9C:3C) [09:08:52:950]: Note: 1: 2235 2:  3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'SetServicesRecoveryOptions' 
Action start 09:08:52: SetServicesRecoveryOptions.
MSI (s) (9C:3C) [09:08:52:950]: Skipping action: FirstInstallStartSCFManagerService (condition is false)
MSI (s) (9C:3C) [09:08:52:950]: Doing action: SetUpdateFinished
Action ended 09:08:52: SetServicesRecoveryOptions. Return value 1.
MSI (s) (9C:3C) [09:08:52:950]: Note: 1: 2235 2:  3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'SetUpdateFinished' 
Action start 09:08:52: SetUpdateFinished.
MSI (s) (9C:3C) [09:08:52:950]: Doing action: StartServices
Action ended 09:08:52: SetUpdateFinished. Return value 1.
Action start 09:08:52: StartServices.
MSI (s) (9C:3C) [09:08:52:950]: Skipping action: RollbackInstallSecurityCenter (condition is false)
MSI (s) (9C:3C) [09:08:52:950]: Doing action: SetInstallUnsignedDrivers
Action ended 09:08:52: StartServices. Return value 1.

FAILED LOG:

MSI (s) (A8:14) [16:52:34:103]: Doing action: SetServicesRecoveryOptions
Action ended 16:52:34: SetServicePermissons. Return value 1.
MSI (s) (A8:14) [16:52:34:103]: Note: 1: 2235 2:  3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'SetServicesRecoveryOptions' 
Action start 16:52:34: SetServicesRecoveryOptions.
MSI (s) (A8:14) [16:52:34:103]: Doing action: FirstInstallStartSCFManagerService
Action ended 16:52:34: SetServicesRecoveryOptions. Return value 1.
MSI (s) (A8:14) [16:52:34:103]: Note: 1: 2235 2:  3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'FirstInstallStartSCFManagerService' 
Action start 16:52:34: FirstInstallStartSCFManagerService.
MSI (s) (A8:14) [16:52:34:119]: Skipping action: SetUpdateFinished (condition is false)
MSI (s) (A8:14) [16:52:34:119]: Skipping action: StartServices (condition is false)
MSI (s) (A8:14) [16:52:34:119]: Doing action: RollbackInstallSecurityCenter
Action ended 16:52:34: FirstInstallStartSCFManagerService. Return value 1.
MSI (s) (A8:14) [16:52:34:119]: Note: 1: 2235 2:  3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'RollbackInstallSecurityCenter' 
Action start 16:52:34: RollbackInstallSecurityCenter.
MSI (s) (A8:14) [16:52:34:119]: Doing action: SetInstallUnsignedDrivers
Action ended 16:52:34: RollbackInstallSecurityCenter. Return value 1.