Jamf Nation Community

Awesome! I've been fighting this for the last 24 hours and I finally gave up!

Thanks for this. It seems to be working currently!

Thanks @dmarcnw for this! Really helpful when updating my Sophos workflows!

If anyone doesn't want to be bound to creating a .pkg and would rather just have a script that can be run from Jamf Pro, this worked for me:

#!/bin/bash
mkdir /private/var/tmp/sophos
cd /private/var/tmp/sophos

# Installing Sophos
curl -L -O "https://your.url.for.sophos/SophosInstall.zip"
unzip SophosInstall.zip
chmod a+x /private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/Sophos Installer
chmod a+x /private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper
sudo /private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/Sophos Installer --install;
/bin/rm -rf /private/var/tmp/sophos;
exit 0      ## Success
exit 1      ## Failure

You can work out your unique Sophos download link from within Sophos Central Admin. Open up Chrome and when you click on the "Download macOS Installer" link make sure you "inspect" the page and go to the Network tab. You can then copy the URL.

Hopefully this helps someone with managing this horrific product!

We are going through this too. One thing we've run into is that the installers these links provide don't work after 90-days. How are you getting fresh links or installers? Just get new links and put it in the script every couple months?

thank you! this was helpful.

@dmarcnw Thank you very much for your post!!! Saved the day

This script works, up to a point. It looks like Sophos installs correctly, but the AutoUpdating is not configured, so each client doesn't automatically receive definitions updates. I'm still exploring and might find an answer. Is anyone else seeing this? Any ideas?

I usually see it say AutoUpdate isn't configured for like an hour or so after the install, and then it fixes itself at some point after that. Could do an extension attribute to pull the last definition date and possible do a policy to reinstall it from there.

I had this working with Munki (as an installer script) - it would take a little time for the client to report in and update. Sometimes it would do it quickly (15min or less) most times longer than that. I don't pay that much attention to when. Anyhow, what I saw with this in my testing, was no appearance of a launch agent or daemon. …still digging into this, could be a 10.13 related thing (but that's where I need this most).

I'm a small bit closer to figuring this out. Seems that this error where Sophos installs but then doesn't get the AutoUpdate configuration settings only applies to computers where Sophos was previous installed.

I've tried this on computers where I have used the Sophos Uninstaller to remove the software and then run the script to install it again, and I get this problem.

If I run the GUI installer on a computer where Sophos was previously installed, it installs correctly and gets the AutoUpdate settings. I have no idea why the GUI installer would work but the silent install would not give me the expected and desired results. Fortunately, for me, it's a relatively small number of computers that are exhibiting this problem in my environment, so I can pull them in and manually install Sophos using the GUI installer. Any new computers that I image and then deploy have never had Sophos installed on them, so the silent install via script will install Sophos and then enroll them in Sophos Cloud and updates will continue.

If you're reinstalling you'll want to uninstall first. In my experience with Sophos you won't have any luck running an installer over the top of a Mac with Sophos already installed.

I didn't think Sophos forums would post this, but seeing as it's now public knowledge (I had to direct message someone at Sophos to get this) here is the method for disabling tamper protection before uninstalling Sophos https://community.sophos.com/products/sophos-central/f/sophos-central/79952/computer-removed-with-tamper-protection-enabled-mac/305286#305286

This script below will disable tamper protection and forcibly remove Sophos from a Mac, getting it in a state ready to reinstall:

defaults write /Library/Preferences/com.sophos.sav TamperProtectionEnabled -int 0
killall -kill SophosServiceManager
/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer --remove

You could technically just have this run at the start of your Sophos install script all the time... I separated my scripts into an install, reinstall and uninstall versions.

Hopefully this helps someone on this thread!

Banged my head against the keyboard for the last few hours re-writing a bash script that I knew worked in the past, but couldn't get working. Anyway, thank you @dmarcnw, your contribution is much appreciated.

Has anyone made a EXT Attribute to see if Sophos is not installed. I tired this and set it to none but I don't get any results.

#!/bin/sh
if [ -d /Applications/Sophos Anti-Virus.app ] ; then
    RESULT=$( sudo defaults read /Applications/Sophos Anti-Virus.app/Contents/Info.plist CFBundleShortVersionString )
    echo "<result>$RESULT</result>"
else
    echo "<result>Not Installed</result>"
fi

anyone else having issues w/sophos cloud client installing since they made a new installer last week?

I've got a ticket open with them, but they taking their time.

Yup. My old 9.6 installers were as smooth as silk. Pulled the new installers yesterday and started testing today. Not a single successful test :-(

I am seeing their new install fail on certain models. It succeeds for me on Mac Pro, MBP-Touch, Newer imacs, Fails on MBA's, MBP's (non-touch), Some iMac's and Mini's . Also not getting help good or timely from Sophos.

@ooshnoo @gbyers have you heard from Sophos? I just created a support ticket.

I can confirm repeated failing of Sophos Installer version 1.1.0 (downloaded today) on 2015 MacBook Airs running macOS Sierra 10.12.6.

Fails by GUI:

Or script initiation as root:

2018-02-21 09:41:25.135 Sophos Installer[68217:1926186] Starting Sophos Bootstrap Installer.
2018-02-21 09:41:25.707 Sophos Installer[68217:1926186] Installation failed. See install.log for detailed information.

Note, nothing is logged at install.log.

Update, Wed Feb 21 11:21:07 PST 2018: Now my previously functional 9.6.2 Sophos Installer fails. This is via GUI. The installer appears to finish its needed downloading, says "Verifying..." then fails. This is on multiple 2017 Touch MacBook Pros running macOS High Sierra 10.13.3. These are fresh macs done with our DEP flow and with FileVault encryption completed.

Seeing similar issues here trying to build an installer with the new version Sophos pushed out. Getting endless errors similar to @jggr. Install.log gives up no details... I can run the installer in the gui, CLI is a no go.

Same issues, still no working installer!

I received an answer from Sophos Support

Mid-last year there was an attack demonstrated at DEFCON (A hacker conference) that specifically attacked software which runs as root (and was demonstrated against our installer), during install time, by using non-standard privileges on several folders (including / and /Library). This prompted us to release a KB to check the validity of our installer.

Article ID: 127252 Title: Sophos Anti-Virus for Mac: Risk of privilege escalation when using the Sophos endpoint installer

URL: https://sophos.com/kb/127252

This was always intended as a stopgap measure until we could implement checking of the locations to install to. This exploit requires non-standard rights on / and /Library, both of which Apple protects with SIP. When we updated our installed in late January 2018, we implemented these security checks to make sure that we could not get exploited by this, by ensuring the default rights of 755 Root Wheel were applied. We first had reports of customers running into this security check about 1.5 weeks ago, and thus created the KB you were sent, to validate the rights and how to correct it. I have opened a discussion with development to improve the messaging around this detection, including updating the GUI of the installer to properly notify when the installer runs into it, and directing to the appropriate article to correct the permissions. At this time, we are not intending on changing the security check and stop, since it is in response to a legitimate, known way of hacking our software, and it just requires Apple's default permissions on their security locked down directories. But we can convey this information better, and I am working with development on that.

Started the pkg making process over again and it seems to work fine now all of the sudden! Nothing done differently, other than starting it from scratch. I did notice that the Application is now called "Sophos Endpoint.app" instead of "Sophos Anti-Virus.app", which made me have to alter my Policies, yet again.

I do seem to be able to get the installer to run from terminal when the installer package is located in the /Libray/Application Support/JAMF/ folder, but if I move everything to the /private/var/tmp/ folder, the installer seems to hang (with nothing showing in Console either). Is anyone else seeing similar behavior?

Thanks @ooshnoo. Looks like that would explain numerous entries similar to these in the SophosDiagnostic log:

02:20:21 +0000}, Call History=SMEInstallerFileManager.m:654 | SMEInstallerFileManager.m:724}" UserInfo={NSLocalizedDescription=Error: supplied secure destination is not secure. path: /Library/Application Support/Sophos/temp_19251
2018-02-22 20:22:30.549 [Sophos Installer 19248:780542 install error] Original Error: Error Domain=com.sophos.installer Code=30 "Error: path is not secure. /

After reading this Sophos kb and since I'm working remotely, I had some hands on-prem run the Sophos installer (Version 1.1.0, shown in Get Info in Finder) on 2017 Retina Touch MacBook Pros running 10.13.3 and the installation that previously failed, succeeded. Note, however, I saw no evidence of a need to manually allow blocked kexts in Sys Prefs Security & Privacy. The app installed was Sophos Endpoint 9.7.4

I'm still unable to install or reinstall Sophos Endpoint 9.7.4 on various 2015 MacBook Airs running 10.12.6. The steps in this Sophos kb helped a little.

@JoshRouthier I had repeated hangs yesterday. Today the Sophos installer fails immediately, cli or GUI.

Update, Thu Feb 22 23:37:42 PST 2018: Based on this Sophos kb our . /Library permissions are correct but the / perms are not:

MBAir:/ root# ls -lah / | tail -n +2 | head -2
drwxrwxr-x@ 31 root      wheel      1.1K Jan 24 18:20 .
drwxrwxr-x@ 31 root      wheel      1.1K Jan 24 18:20 ..

The installer succeeds on test 2015 MacBook Airs running Sierra 10.12.6 with perms on / as 755:

Test-4-MBAir:/ root# ls -lah / | tail -n +2 | head -2
drwxr-xr-x  30 root         wheel   1.1K Jan 24 15:50 .
drwxr-xr-x  30 root         wheel   1.1K Jan 24 15:50 ..

Update, Fri Feb 23 23:44:03 PST 2018: Changed permissions on / from 775 to 755 and the installer now runs to completion. This is via the GUI or scripts like @calvins unzipping SophosInstall.zip in either /private/var/tmp or /private/tmp. Haven't tried building a pkg but I don't see why that wouldn't work.

If it helps at all, here's my Sophos installer. I generate a download link from the Sophos Central console and put it in the $4 parameter in a policy.

I got working new installs of 9.7.4 as recently as yesterday with this exact script. I also used this to upgrade around ~2000 machines from the older on-prem Sophos we had to the newer Endpoint in the past month.

#!/bin/bash
#1.0 Calvin S. 10/2017.
#1.1 Calvin S. 03/2018. Added checks for owner, group, and permissions.

#Variables.
######################################################################################################################################################
downloadLink=$4                                                 #A public download link for the Mac Sophos client .zip. 
######################################################################################################################################################

if [[ -z "$downloadLink" ]]; 
    then
        echo "Download link not specified. Please specify in parameter 4."
        exit 1
    else
        echo "We are getting Sophos Endpoint from: $downloadLink"
fi

#Function definitions
########################################################################################
check_permissions()
{
    #The Sophos installer wants the permissions on /, /Library, and "/Library/Application Support" to be exactly the default SIP-protected permissions.
    #https://community.sophos.com/kb/en-us/131749

    if [[ ! $( ls -ld / | grep -w "drwxr-xr-x" ) ]];
        then
            echo "Permissions on / might not be right."
    fi

    if [[ ! $( ls -ld /Library/ | grep -w "drwxr-xr-x" ) ]];
        then
            echo "Permissions on /Library might not be right."
    fi

    if [[ ! $( ls -ld /Library/Application Support/ | grep -w "drwxr-xr-x" ) ]];
        then
            echo "Permissions on /Library/Application Support/ might not be right."
    fi      

    if [[ ! $( ls -ld / | grep -w "root  wheel" ) ]];
        then
            echo "Owner and group on / might not be right."
    fi

    if [[ ! $( ls -ld /Library/ | grep -w "root  wheel" ) ]];
        then
            echo "Owner and group on /Library might not be right."
    fi

    if [[ ! $( ls -ld /Library/Application Support/ | grep -w "root  admin" ) ]];
        then
            echo "Owner and group on /Library/Application Support/ might not be right."
    fi              
}

download_Sophos()
{
    rm -rf /private/tmp/*Sophos*                                                        #Clean out TMP of Sophos stuff in case there are leftovers from a previous failed attempt.
    cd /private/tmp/                                                                    
    curl -O $downloadLink                                                               #Download the zip from Sophos
}

install_Sophos()
{
    if [[ -e "/private/tmp/SophosInstall.zip" ]];
        then
            cd /private/tmp/
            unzip ./SophosInstall.zip &> /dev/null                                               #Unzip Sophos and send the output to null otherwise it'll falsely error out.
            chmod -R +x ./Sophos Installer.app/                                                #Set the .app executable as recommended by Sophos in https://community.sophos.com/kb/en-us/120570
            ./Sophos Installer.app/Contents/MacOS/Sophos Installer --install                  #Run the install command.
            exit_status=$?
            if [[ $exit_status -eq 1 ]]; 
                then
                    echo "The Endpoint installer failed. See /var/log/install.log and /Library/Logs/SophosDiagnostics.gz"
                    exit 1
            fi
        else
            echo "Didn't find the Sophos Installer for some reason. Check the download link is actually valid."
            exit 1
    fi
}
########################################################################################

#Actually run the stuff.
check_permissions
download_Sophos
install_Sophos

@arepko
can you elaborate?

@calvins how did you generate the download link from the web console?

Im having issues installing on fresh images of 10.126 and 10.13.1 -- installer will automatically fail. Anyone else seeing this?

Log into the "cloud.sophos.com" console > Protect Devices in the left-side navigator > Send Link to Users > Picked myself > took the Mac download link out of the email it sent me.

I've heard you can use the Sophos API to generate a user-less download link, but I've never found any supporting info on that. It does have the downside of attaching all machines that get it via that link to my Sophos user, but we don't use that for any purpose so we ignored that bit.

I had problems installing it on machines that had a conflicting AV or Sophos Home, but those were far between so I didn't account for them in the installer. It also seems to fail on Macs that were imaged via a clone, but those are also far between.

As of friday I now have 5 machines that will not install Sophos Endpoint Client.

It works accross the board except these 5 machines, and they all produce the same errors in the logs:

default 11:39:36.874008 -0500   com.sophos.bootstrap.helper [SMEDownloadController.m:574] failed to secure folders. Error Domain=com.sophos.installer Code=1 "Error: programming error. Nil passed as SecureLocation" UserInfo={NSLocalizedDescription=Error: programming error. Nil passed as SecureLocation, Call History=SMEInstallerFileManager.m:806}
default 11:39:36.874149 -0500   com.sophos.bootstrap.helper [SMEDownloadController.m:601] Failed to launch InstallationDeployer. Error Domain=com.sophos.installer Code=1 "Error: programming error. Nil passed as SecureLocation" UserInfo={NSLocalizedDescription=Error: programming error. Nil passed as SecureLocation, Call History=SMEInstallerFileManager.m:806}
default 11:39:37.075824 -0500   Sophos Installer    [SMESophosBootstrapAppDelegate.m:1225] Received failure notification: (1)
default 11:39:40.994218 -0500   kernel  [Sophos Installer pid 97785 mux-aware] exiting, non-mux-aware app count 0, runtime: 0:00:49.832

/ and /Library have correct permissions and the previous Security Software (SEP 12) was removed prior to attempted install. The error occurs during the verify step both when installed by JAMF Pro or Locally.

Totally at a loss here. All 5 of these machines are developers so I am almost certain this is a matter of them FUBARing folder permissions on something the installer is trying to access, but I don't know where to even start.

ideas?

Anyone had any luck lately with installing the Sophos cloud client. I tried the scripts from dmarcnw. It didn't install and doesn't give an errors? Not sure what to try next.

I resolved my issue:

Sophos tells you to verify the permissions of /, /Library and /Library/Application Support but it goes deeper than that.

You also need to check permissions of the contents of /Library and verify they are set to the default. Lots of stuff in there is not SIP protected so users with sudo can mess stuff up.

Specifically in my case users had changed the ownership of /Library/Caches and /Library/Developer. Once I set those back to default it installed without issue.

@hkabik What did you change the ownership and permissions to?

The default ownership for those: root:admin.

I resolved my issue. Im now able to install sophos. For some reason when imaging via Deploystudio, it changes the permissions/group of /Library to root:admin

https://www.jamf.com/jamf-nation/discussions/27249/deploystudio-imaging-library-permission-group-changed

Doesn't seem to matter what I try. It's not working. I do have an open ticket with Sophos. They had me run their diagnostic tool. More to come...

…as soon as I posted that, I tried one more thing with running their installer. They must have a ton of perm dependencies that are just wacky. I got it to work now (wouldn't you know it) , but I'm not confident that it'll work consistently on any given machine. - well, I got the basic installer to work (by downloading the installer bits), still failed the installation.

Am also trying to install 9.7.4.
I have managed to silent install sophos using terminal - after using a permission changing command.
But if i use the same commands within a .pkg file the install/quit screen appears. I cannot get it to install silent - sophos closed my ticket because it now works via terminal ...boooo

@steve1127 can u elaborate on what permission change you did, and when in your workflow you are running it?

We had the issue where the manual install would fall straight away.
After sending logs off to Sophos they found that a file didn't have the correct permissions (see below)

com.sophos.bootstrap.helper using com.sophos.macendpoint.Installer.HelperTool. Error Domain=com.sophos.installer
Code=1 "Error: supplied secure destination is not secure. path: /Library/Application Support/Sophos/temp_2052

Sophos' solution was to disable SIP and run a command.... not happening

So @gazlee found that the command "sudo chmod 0755 /Library/Application Support/” can be ran without disabling the SIP and corrects the permission(s)

This was added to a .pkg file (post script) with the path to the file which runs the manual install + sorts the permissions

In terminal if this permissions command is ran and then use the silent installer one provided by sophos ..it works.
sudo /private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/Sophos Installer --install

My problem is now if these are combined into composer the sophos install/quit screen opens so is not silent - this is where Sophos did a runner..

I haven't had much experience with postinstall scripts, but can confirm this works great as a separate script to run after caching the installer files.

sudo chmod a+x /pathtoinstaller/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer
sudo chmod a+x /pathtoinstaller/SophosInstall/Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper
sudo /pathtoinstaller/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer --install
sudo rm -rf /pathtoinstaller/SophosInstall/

https://community.sophos.com/kb/en-us/120570