Failed to install savxp: uninstalling an older product failed.

Hi skyisbluescreen 

Would you please suggest what is the exact error it is showing under the events? 

Hello there,

I have updated the Event log in the post. All the machines show the below error :

Everything was normal in these devices Sophos was working fine perfectly. However there was 1903 installed they rebooted and boom Sophos AV service goes missing and other ones too.

Hoping someone from the community can help me through.

------------------------------------------------------------------

I have tried Support:Here is what happens

SDU Logs shared for impacted PC's

Request us back to re install

We Do, and Still same problem.

We Report back, they connect and run a PS SCRIPT or BATCH to remove Sophos, Still issue persists after re install

Request to Re Install the OS

-------------------------------------

Hi skyisbluescreen 

Have you tried removing the older version of Anti-virus present using the Sophos ZAP tool? Kindly PM me the case number that you have already registered, so that I can review a few logs. 

When AutoUpdate updates, it always checks the OS of the computer to see if it's changed, you see this in

C:\ProgramData\Sophos\AutoUpdate\Logs\SophosUpdate.log:

2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO =========================
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO SophosUpdate is starting.
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO AutoUpdate version : 6.4.292.0
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO SophosUpdate version : 6.4.292.0
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Build : 20200429173443-7acb03303197f5c0731d6b9c4afc467d5c7ff02e
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO =========================
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Platform ID: WIN_10_X64 2004 19041.264
2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Platform upgraded: 0

The values come from:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate

Platform and PlatformRelease string values.

In the case where the current OS and these differ, then AutoUpdate runs the setup plugins of each of the components.

So under \windows\temp you will see the install logs for each component.  Can you attach the logs of the failed components to this post?

Regards,
Jak

Hello Shweta,

Thank you for your response, Will write to you in more details once we have the results on ZAP Tool.

Looking at the Events and logs it looks like the Monthly patches have caused this problem. 

P.S-Updated the POST title to make it more relevant.

Thanks Jak, Deeper investigations has indicated the Windows monthly security  patches has caused this and not the Build 1909.

We are trying to get a list of devices broken and verify for the timing of events if they match.Also a list of KB's installed that would need to verified which one could possibly cause this problem.

P.S- I have edited the title of the POST as its Windows Update issue and not the build issue.

Hi skyisbluescreen 

Once the system is patched with latest updates, let us know if you are still facing the issue with Sophos 

The current patches (installed last week) will be there and we will not patch anytime soon in a months time.

Hi skyisbluescreen 

Thank you for the update, let us know how it goes with Sophos ZAP tool. 

We have this problem also for several Win10 machines. Solved by run update from Sophos Endpoint UI on "problematic" machines and by several restarts.

In "Sophos Central Console" are "device status" ok, but on some machines is the status Red - "you have to call IT .." (free translation from Czech language").

On fully updated machines and also on machines with some missing patches.

We have this problem also for several Win10 machines. Solved by run update from Sophos Endpoint UI on "problematic" machines and by several restarts.

In "Sophos Central Console" are "device status" ok, but on some machines is the status Red - "you have to call IT .." (free translation from Czech language").

On fully updated machines and also on machines with some missing patches.

Hi Jiri Hadamek 

Devices with red health status on central, does it show any specific service stopped or any other detections? 

It haven´t service stopped. It simply haven´t service installed.

Now - after several restarts AND several "update NOW" from Sophos UI on PCs we have the following state:

In Sophos Control Central - OK

ALL Sophos services ARE running - OK

On workstation - Sophos show errors - see the attached pictures.

Hi Jiri Hadamek 

Could you please translate the error message shown in the Endpoint UI? Which service state is in the stopped state? 

Translated freely into English " Some services aren´t started. Call IT" But ALL services ARE running. (After several restart and reinstall from LOCAL Sophos UI)

Hi Jiri Hadamek 

Can you please click on About > Open Endpoint Self Help Tool > Services and check which services are not running? Do you see any components which are not installed? 

All services ARE running

and

ALL services ARE installed.

Yep, same here.

Console:

" Failed to install savxp: uninstalling an older product failed."

Log:

"WARN  Failed to install product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.7.1000."

Version agent: 10.8.6 VE3.78.5

Can you find (and attach) the install and uninstall logs of SAV in \windows\temp\ (if this is an AutoUpdate initiated install attempt) or under %temp% if you are performing an install with say the Sophos Central installer they would be under %temp%.

Hi jak,

Here is it what I found:

Sophos Anti-Virus Major Install Log

https://pastebin.com/fdBLBRf7

Sophos Anti-Virus Uninstall log

https://pastebin.com/N83VsS2J

SophosUpdate log when I initialization update from Console, maybe could help as well

https://pastebin.com/W1zLQf6r 

Seeing error 1612 on SAV uninstall and install logs. The uninstall process is looking for the MSI which is missing in this path: C:\WINDOWS\Installer\60e64.msi.

You can try uninstalling Sophos using the SophosZap tool, and then reinstall Sophos.