Sophos 0x80004005

Posted on  by admin
  1. Applies to the following Sophos product(s) and version(s): Enterprise Console 5.5.1, Enterprise Console 5.5.2. Update to or reinstall SEC 5.5.2. Update 5 March 2020: Sophos has released a fix for this issue which is now available to customers. Affected customers should update to or reinstall Sophos Enterprise Console 5.5.2.
  2. We removed all traces from the registry, Sophos failed to install. We contacted Sophos support, allowed a tech to remote in and run their removal script for the failed Sophos installation, attempted to re-install, this attempt also failed. We attempted that method maybe a dozen times across a few machines.

While tidying up an old server for a client recently I removed a very old version of Sophos Control Center. We’d been running Sophos Enterprise Console on a new server for almost a year now, so I didn’t think uninstalling it would affect the new installation, but I was wrong!

So in this blog post I’ll look at recovering a broken Sophos Enterprise Console, specifically the following error when you open Sophos Enterprise Console:

Mar 11, 2020. Overview: When running the Enterprise Console installer you see the message "Sophos Enterprise Console 5.x.x Installation Failed". Note: In this failure case, there is no other message; just a red circle with a white cross appears.

The user “domain\user” is not assigned to any sub-estates. You must be a member of at least one sub-estate to run the console.

It appears that uninstalling the old version of the Sophos Enterprise Console, also removed several AD Groups, and possibly the account we used for updating.

My first port of call was the Sophos KB67106 article. In this case we have the Sophos Enterprise Console running on a DC, but no “Sophos Full Administrators” group existed. I created this as a Domain Local group in AD and added my administrator account.

After a log off and login I was now getting a different unknown error message, which wasn’t very descriptive, but I still couldn’t get into the console so I took a look at the services.


All the services appeared to be running, so I tried restarting the Sophos Management Service and got the following error message.

Some research on 0x80070534 took me to the Sophos KB14509 article, where I noticed that the “Sophos Console Administrators” group was missing, so I created this as a Domain Local group in AD and added my administrator account.

On trying to start the Sophos Management Service again I was now getting an Error 0x80004005, so after a little more research I ended up at the Sophos KB111898 article, and I felt I was getting close to a solution. Looking through the article and checking the Event Viewer, I found Event IDs 8004 and 18456. At this point I followed the instructions and ran the sqlcmd commands below from the Enterprise Console directory.

Run the following commands in a command prompt on the database server from the Enterprise Console directory, e.g., program files\sophos\enterprise console (or program files (x86)... on a 64-bit computer)…

sqlcmd -E -S .\SOPHOS -d SOPHOS52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SOPHOSENC52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SophosSecurity -i ResetUserMappings.sql

However I got the error message: The name change cannot be performed because the SID of the new name does not match the old SID of the principal.

Luckily this scenario is covered in the same KB article, so after running the following commands

sqlcmd -E -S .\sophos -Q "DROP LOGIN [SERVERNAME\Sophos DB Admins]"
sqlcmd -E -S .\sophos -Q "CREATE LOGIN [SERVERNAME\Sophos DB Admins] FROM WINDOWS"

I was able to re-run the other sqlcmd commands:

sqlcmd -E -S .\SOPHOS -d SOPHOS52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SOPHOSENC52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SophosSecurity -i ResetUserMappings.sql
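
The SID mismatch behind the "name change cannot be performed" error can be confirmed before a login is dropped by comparing the SID SQL Server stored with the SID Windows resolves for the same name today. This is an added example, not part of the original post or the Sophos KB; the instance name is taken from the commands above and SERVERNAME is a placeholder to replace.

```powershell
# Added example: detect a stale Windows login in SQL Server by comparing SIDs.
# Assumptions: instance .\SOPHOS as used above; SERVERNAME is a placeholder.
param(
    [string]$Instance = '.\SOPHOS',
    [string]$Login    = 'SERVERNAME\Sophos DB Admins'
)

function Get-WindowsSidHex([string]$Name) {
    # Resolve the account to its current SID and render it as 0x... hex,
    # the form SQL Server uses for sys.server_principals.sid.
    $sid   = ([System.Security.Principal.NTAccount]$Name).Translate(
                 [System.Security.Principal.SecurityIdentifier])
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    '0x' + (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Get-SqlLoginSidHex([string]$Instance, [string]$Name) {
    # CONVERT style 1 renders varbinary as a 0x-prefixed hex string.
    $escaped = $Name.Replace("'", "''")
    $query = "SET NOCOUNT ON; SELECT CONVERT(varchar(200), sid, 1) " +
             "FROM sys.server_principals WHERE name = N'$escaped';"
    $out = & sqlcmd -E -S $Instance -h -1 -W -Q $query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $out" }
    $out | Where-Object { $_ -match '^0x[0-9A-Fa-f]+$' } | Select-Object -First 1
}

try   { $winSid = Get-WindowsSidHex $Login }
catch { Write-Warning "Windows cannot resolve '$Login' (group missing?)"; exit 2 }

$sqlSid = Get-SqlLoginSidHex $Instance $Login

if (-not $sqlSid) {
    Write-Output "No SQL login named '$Login'; CREATE LOGIN ... FROM WINDOWS is needed."
} elseif ($sqlSid -ieq $winSid) {
    Write-Output "SIDs match ($winSid); the server login is not stale."
} else {
    Write-Output "SID mismatch: SQL has $sqlSid, Windows has $winSid."
    Write-Output "Drop and recreate the login before running ResetUserMappings.sql."
}
```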

I restarted all of the Sophos Services on the server and then opened up the Sophos Enterprise Console and hoped for the best…bingo!

The only other issue I came across was the SophosUpdateMgr account was missing, and as this is the default account to distribute updates I couldn’t deploy Sophos to a new client. The symptom was the Protect Computer wizard would return an error regarding an invalid account as soon as you clicked next after entering the domain\user and password details.

After recreating the SophosUpdateMgr account in AD, I changed the password for the different Update Policies we are using in the Sophos Enterprise Console, and the Protect Computer wizard is operational again.

The whole experience was quite involved, and if I had wanted to I could have phoned Sophos Technical Support, who are excellent, but I like to try and figure things out first myself. It did reinforce one of the reasons why we use Sophos: their support, and in this case the quality and depth of their knowledge base articles, is excellent.


This article contains recommendations that may help an administrator determine the cause of potential instability on a computer that's running a supported version of Configuration Manager site servers, site systems, and clients when it's used together with antivirus software.

Original product version: Microsoft System Center 2012 Configuration Manager, Microsoft System Center 2012 R2 Configuration Manager, Configuration Manager (current branch)
Original KB number: 327453

Summary

We recommend you temporarily apply these procedures to evaluate a system. If your system performance or stability is improved by the recommendations that are made in this article, contact your vendor for instructions or an updated version of the antivirus software.

Important

This article contains information that shows how to help lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment.

Antivirus real-time protection can cause many problems on Configuration Manager site servers, site systems, and clients.

Possible symptoms include:

  • Remote site system components aren't installed. SiteComp.log, Distmgr.log, hman.log, or other Configuration Manager log files may contain errors such as error 80070005.

  • The Configuration Manager client cannot be installed through client push.

  • Client inventory information is inaccurate, missing, or out-of-date.

  • Backlogs occur in the Install_Directory\Inboxes folders on site servers.

  • Backlogs occur in the Install_Directory\MP\Outboxes subfolders on management points (MP).

  • Software Center isn't populated by deployed software on client systems, or doesn't start. Also, the CCMRepair.log file may contain an error similar to the following example:

  • Software that is deployed to clients cannot be installed.

  • Compliance data for software deployments is inaccurate.

Exclusions

We recommend that you add the following real-time protection exclusions to prevent these problems.

Default installation folders

| Folder | Path |
|---|---|
| Configuration Manager installation folder | %ProgramFiles%\Microsoft Configuration Manager |
| MP installation folder | %ProgramFiles%\SMS_CCM |
| Client installation folder | %Windir%\CCM |

Folder exclusions for site servers

  • ConfigMgr installation folder\Inboxes
  • ConfigMgr installation folder\Logs
  • ConfigMgr installation folder\EasySetupPayload

Folder exclusions for site systems

  • Management points
    • MP installation folder\ServiceData
    • Either of the following folders:
      • ConfigMgr installation folder\MP\OUTBOXES
      • Installation drive\SMS\MP\OUTBOXES
  • Distribution points
    • Client installation folder\ServiceData
    • ContentLib_drive\SMS_DP$
    • ContentLib_drive\SMSPKGDrive_Letter$
    • ContentLib_drive\SMSPKG
    • ContentLib_drive\SMSPKGSIG
    • ContentLib_drive\SMSSIG$
  • Site database servers

Folder exclusions for clients

  • Client installation folder\*.sdf
  • Client installation folder\ServiceData
  • C:\Windows\CCMCache
  • C:\Windows\CCMSetup
  • Client installation folder\Logs
  • C:\Windows\Setup\Scripts
  • C:\Windows\SMSTSPostUpgrade

File exclusions for MPs

  • POL00000.pol in MP installation folder\PolReqStaging

Don't scan outgoing files on MPs

  • Most antivirus software has an option to scan files that are copied to a remote location (outgoing files). This option should be disabled on management points.

  • For Windows Defender, the policy name is Configure monitoring for incoming and outgoing file and program activity. And it should be set to Scan only incoming files.

    For more information, see Enable and configure Windows Defender Antivirus always-on protection in Group Policy.


Process exclusions


Process exclusions are necessary only if aggressive antivirus programs consider Configuration Manager executables (.exe) to be high-risk processes.

  • ConfigMgr installation folder\bin\x64\Smsexec.exe
  • Either of the following executables:
    • Client installation folder\Ccmexec.exe
    • MP installation folder\Ccmexec.exe
  • Client installation folder\RemCtrl\CmRcService.exe (client-side)
  • ConfigMgr installation folder\bin\x64\Sitecomp.exe
  • ConfigMgr installation folder\bin\x64\Smswriter.exe
  • ConfigMgr installation folder\bin\x64\Smssqlbkup.exe, or SMS_SQLFQDN\bin\x64\Smssqlbkup.exe
  • ConfigMgr installation folder\bin\x64\Cmupdate.exe
  • Client installation folder\Ccmrepair.exe (client-side)
  • %windir%\CCMSetup\Ccmsetup.exe (client-side)
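
Because every exclusion is a location real-time protection no longer inspects, the configured set is worth checking against the reviewed list on each host. The following is an added example, not part of the Microsoft article: it reads the Microsoft Defender exclusions and classifies each one, assuming a site server that uses the default installation folder and an allow-list restricted to the site server entries above.

```powershell
# Added example: classify Microsoft Defender exclusions against a reviewed list.
# Assumption: a site server using the default Configuration Manager folder.
$cm = "$env:ProgramFiles\Microsoft Configuration Manager"
$allowedPaths     = "$cm\Inboxes", "$cm\Logs", "$cm\EasySetupPayload"
$allowedProcesses = "$cm\bin\x64\Smsexec.exe", "$cm\bin\x64\Sitecomp.exe",
                    "$cm\bin\x64\Smswriter.exe", "$cm\bin\x64\Smssqlbkup.exe",
                    "$cm\bin\x64\Cmupdate.exe"

function ConvertTo-Key([string]$Path) {
    # Expand %VAR% references and normalise case and trailing backslashes.
    [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\').ToLowerInvariant()
}

function Get-ExclusionFinding {
    param([string[]]$Configured, [string[]]$Allowed)
    $allowedKeys = @($Allowed | ForEach-Object { ConvertTo-Key $_ })
    foreach ($item in $Configured) {
        $key = ConvertTo-Key $item
        $status = if ($allowedKeys -contains $key) {
            'recommended'
        } elseif ($allowedKeys | Where-Object { $_.StartsWith("$key\") }) {
            'broader-than-recommended'   # e.g. a whole drive or the install root
        } else {
            'not-on-list'
        }
        [pscustomobject]@{ Exclusion = $item; Status = $status }
    }
}

# Get-MpPreference returns $null for these properties when nothing is excluded.
$pref = Get-MpPreference
$findings = @(
    Get-ExclusionFinding -Configured $pref.ExclusionPath    -Allowed $allowedPaths
    Get-ExclusionFinding -Configured $pref.ExclusionProcess -Allowed $allowedProcesses
)
$findings | Sort-Object Status | Format-Table -AutoSize
```

Entries reported as broader-than-recommended or not-on-list are the ones to review or remove once the evaluation the article describes is finished.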
