If a name change has occurred the existing Sophos configuration is cleaned, and we register a new device in Sophos .
When I open services.msc on the clients, I can see in some cases all the services are running and in others the 'Sophos System Protection Service' is in a [Stopping] state. Are all the services up and running fine? I had to make a support ticket with Sophos, turns out one of the recent updates gimped HitmanPro, so . Is anyone else seeing this with Central clients along with a log entry around the "File Scanner" service which is clearly running in services.msc and task manager? 3 - Granting Full Disk Access to components.
This is usually an indication that the update has failed because a certain component did not uninstall, and/or install successfully.
Same problem on new customers deployed today. Sophos Core Agent 2022.1.0.78 or later; Sophos Server Core Agent 2022.1.0.78 or later; Gold image timeout. Sophos Enterprise Console is a single, automated console that manages and updates Sophos security software on computers running Windows, Mac OS X, Linux and UNIX operating systems, and in virtual environments with VMware vShield. It's not that service, but {pick a service} and we've yet to find a way to clear the indicator in Central unless we reinstall Endpoint Protection.
I am waiting for Sophos' 2nd line support engineer reply. I have tried un-install and re-install, remove update cache then update.
Computers can ping it but cannot connect to it. Depending on the Endpoint's Threat Protection policy configuration, the Endpoint might enter Isolation due to the red health state. When you start a virtual machine, we use a change to the device name to determine whether you're starting a new clone. I reinstalled and it gave me the same error. Second step remove Sophos by command line restart the computer, reinstalled and the problem continued. This will at least give you the information. Go to Hosts and services > IP host and click Add. Click on Preserve log and click XHR to reduce noise.
Sophos Network Threat Protection (NTP) Service not starting. I choose a computer that is currently powered on and found this: I have the same problem on 2 computers so far. I'm torn come renewal time because if they made it more robust and did simple things like MSI installers I'd be much more confident in it.
Sophos Endpoint: "One or more Sophos services are missing or not running." Please go to Start | Run | services.msc | Sophos Anti-Virus | right click | Start. Sophos support has been almost completely useless as they continue to point me to the same article again and again: www.sophos.com//122899.aspx. This article covers how to protect your Mac with Sophos Home after installing or upgrading macOS 11 Big Sur. The availability of components is controlled with your Sophos Update Manager subscription.
If #2 does not work, determine which service is not running or is missing. 2. Does the next update go through? Create IP hosts for local subnet and remote SSL VPN clients. When the connection is up and running I can start MSTSC from my local Windows 11 and connect to the server and take over the session. I think you could have just waited for the next update or force an "update now" from the UI and AutoUpdate would have had another retry at installing the SAV component. Can you make available the MSI log file for SSP? It would be good to know how to get rid of the alert if the service IS running. If you drill down you'll see a section under Status called shs/service/detail.
I'm new to the product but my understanding is they used to expire after 90 days. Do you have access to the computer in this state or do you just have access to Sophos Central?
1 - Enabling System Extensions. The error given is 'Some Sophos services not running' or 'Some Sophos services missing'. Sophos Lockdown Service is stopped. Service is stopped, and the startup type shows as disabled. Service is missing. Driver is stopped. Driver is missing. Product and Environment: Sophos Central Endpoint, Sophos Central Server. Prerequisite: Tamper protection must be turned off; you have administrator rights on the device. Is it not running or is it missing?
Ahh, in that case, what's in the avremove.log in the same directory? Service 'Sophos Network Threat Protection' (SntpService) failed to start. Enter a name and network for the local subnet. There was an issue this morning with an update that caused this service to repeatedly start and stop: https://community.sophos.com/kb/en-us/131784. As a first option, remove Sophos and restart. 2 - Allowing Notifications *. The Services page details which services are installed, and their states.
Maybe I missed something - what do I need to do to fix this? I have similar ongoing problems and multiple reports elsewhere on the net of the same situation. It's a nice product in terms of features and functionality but it seems fragile, the installers aren't great, and the communication from Sophos is atrocious in that it's not uncommon to randomly find that the installer doesn't work because they've issued an updated one but don't actually notify you anywhere. From Ticketing to Helpdesk, Service Desk, ITSM to Enterprise Service Management. Click Start -> Run and type regsvr32.exe "c:\program files\sophos\sophos anti-virus\savi.dll" and click OK. Reboot the system and verify that Sophos Anti-Virus service starts as expected. Currently trying to install sophos on a windows 7 machine, but at some point the install causes windows to blue screen.
You need the IP host for the remote clients to create a firewall rule. Start all Sophos services. Was there a Microsoft update that caused the issue? Installed the sophos endpoint however it tells me that some services are not running.
After a restart, sophos updates, but Device control service will not start. The option was not intended as a fix, just as a way of getting more information about which services were missing on each client to see if there was a common theme. We have a large number of devices that are reporting a bad status in the Cloud console. I have tried un-install and re-install, remove update cache then update. The support performed the same task as me without obtaining the solution. Welcome to the Snap! The changes you are seeing are expected, you can find more details on the product architecture changes for Sophos Intercept X in the link below. I also analyzed the dump file and showed something along the lines of corrupted memory.
Sophos Home requires 4 steps in order to run on macOS 11 and newer. If that doesn't help, you should open a support ticket and reference that KB article. To troubleshoot authentication, you will typically need access to both Sophos Firewall and the authentication server as well as a client device that is failing authentication. Sophos XDR: Driven by data. Verify that you have sufficient privileges to start system services. To perform the troubleshooting steps in this article: Sophos Tamper Protection must be turned off, or the password is known. EcholoN.
But Sophos on the client or Central doesn't give an error? 1997 - 2022 Sophos Ltd. All rights reserved. In some cases, the Operating System or some other third party application may interfere with Sophos services, and would cause the service(s) to not start. Find out . Make sure, If running OS 10.13 and newer, ensure that you have. Hi Woldemar, Some sophos services are not running Gabriel Ortega over 4 years ago Installed the sophos endpoint however it tells me that some services are not running. Thanks for reaching out to the Sophos Community Forum. You must have administrative rights and the root password.
For each service 0 is running 1 is not. Has anyone else had this problem and have any advise or ideas to try? Compare Sophos Endpoint Protection VS ngrok and find out what's different, what people are saying, and what are their alternatives . To start . It only affected servers, and to correct, I manually used update in central which seemed to clear it up. On the new server: Start the endpoint communication services.
Did memtest and other testing and nothing came back. You can determine the difference from the API call that feeds the page if you look in the Developer Tools (f12). Connect with Sophos Support, get alerted, and be informed. Can you attach the SAV install logs, E.g.%temp%\Sophos Anti-Virus Major Install Log_190219_105238.txt, %temp%\Sophos Anti-Virus Major CustomActions Log_190219_105238.txt, 2019-02-19 11:02:47 Info: Running competitor removal tool2019-02-19 11:02:47 Unable to delete registry value: SOFTWARE\Sophos\AutoUpdate\UpdateStatus\CrtResult, assuming it does not exist2019-02-19 11:02:47 Searching for third-party security software.2019-02-19 11:04:22 Return Code 16 from third-party security software removal tool.2019-02-19 11:04:22 ERROR: Unable to remove competitor Anti-Virus.2019-02-19 11:04:22 FAILED: Unable to install Sophos Anti-Virus. Start the data processing and front end services. Which entries under:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Statushave a value that isn't 0? Detected Microsoft Security Client x64 version 4.3.220.0, Uninstall it and rerun the installer again. That said, If you open up the Developer Tools (Hit F12 in Chrome for Example).
The best way to install Vim on Unix is to use the sources. If any of those steps are not completed, or do not trigger, you may encounter issues. The following services run on the Sophos Enterprise Console server. They are all part of the SAV component. What to do Always start with checking if you have installed Sophos on a supported environment : To enable sophos connect vpn service turn on Command Prompt or CMD and execute the following 2 commands. Sign into your account, take a tour, or start a trial from here. Its installation always fail. But Sophos on the client or Central doesn't give an error? Get a holistic view of your organization's environment with the richest data set and deep analysis for threat detection, investigation and response for both dedicated SOC . We have a Windows XP computer (don't ask) with network shares that, as of yesterday, are no longer reachable by other computers on the LAN. Bonus Flashback: Back on December 9, 2006, the first-ever Swedish astronaut launched to We have some documents stored on our SharePoint site and we have 1 user that when she clicks on an Excel file, it automatically downloads to her Downloads folder.
Please refer to the scenarios below in order to troubleshoot . We have a similar issue all the time. Thin Client (SATC) users can't sign in NTLM and Kerberos troubleshooting Endpoint computer can't authenticate via NTLM due to the redirection URL
If you PM me your case #, I can try to get it some attention. Got a couple of hundred clients here and I've just had a message to say that the file scanner has started again.
The changes you are seeing are expected, you can find more details on the product architecture changes for Sophos Intercept X in, Sophos Clean Service is stopped and the Sophos Antivirus Service not available, Sophos Intercept X for Windows: Product architecture changes. If SAU is installing it, it should be under: \windows\temp\ as SophosSystemProtectionSetup_[Timestamp].log. Sophos Endpoint Agent is the problem.