
Failed to install savxp: uninstalling an older product failed.

Most likely Post WINDOWS Monthly Patch Installation, Sophos status is broken.

We started the Windows updates rollout this week and already have multiple devices with this issue now.

Ex: This device was all okay; once the update was installed and the device rebooted, Sophos events show this error.

Anyone else with this problem?



  • Hi  

    Would you please suggest what is the exact error it is showing under the events? 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

     

  • Hello there,

    I have updated the Event log in the post. All the machines show the below error :

    Jun 3, 2020 1:54 PM
    Failed to install savxp: uninstalling an older product failed.

     

    Everything was normal on these devices; Sophos was working perfectly. However, 1903 was installed, they rebooted, and boom: the Sophos AV service goes missing, and other ones too.

    Hoping someone from the community can help me through.

     

    ------------------------------------------------------------------

    I have tried Support. Here is what happens:

    SDU logs shared for impacted PCs

    They request us to reinstall

    We do, and still the same problem.

    We report back, they connect and run a PS script or batch to remove Sophos; the issue still persists after reinstall

    Request to reinstall the OS

    -------------------------------------

  • Hi  

    Have you tried removing the older version of Anti-virus present using the Sophos ZAP tool? Kindly PM me the case number that you have already registered, so that I can review a few logs. 

    Shweta

    Community Support Engineer | Sophos Technical Support

     

  • When AutoUpdate updates, it always checks the OS of the computer to see if it's changed; you see this in

    C:\ProgramData\Sophos\AutoUpdate\Logs\SophosUpdate.log:

    2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO =========================
    2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO SophosUpdate is starting.
    2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO AutoUpdate version : 6.4.292.0
    2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO SophosUpdate version : 6.4.292.0
    2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Build : 20200429173443-7acb03303197f5c0731d6b9c4afc467d5c7ff02e
    2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO =========================
    2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Platform ID: WIN_10_X64 2004 19041.264
    2020-06-07T22:37:11.405Z [15968:18684] [v6.4.292.0] INFO Platform upgraded: 0

    The values come from:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate

    Platform and PlatformRelease string values.

    In the case where the current OS and these differ, then AutoUpdate runs the setup plugins of each of the components.

    So under \windows\temp you will see the install logs for each component.  Can you attach the logs of the failed components to this post?

    Regards,
    Jak

     

     

     

  • Hello Shweta,

    Thank you for your response. Will write to you in more detail once we have the results on the ZAP tool.

    Looking at the Events and logs it looks like the Monthly patches have caused this problem. 

     

    P.S. Updated the post title to make it more relevant.

  • Thanks Jak. Deeper investigation has indicated the Windows monthly security patches have caused this and not the Build 1909.

    We are trying to get a list of broken devices and verify whether the timing of events matches. Also a list of installed KBs, which would need to be verified to see which one could possibly cause this problem.

    P.S. I have edited the title of the post as it's a Windows Update issue and not the build issue.

  • Hi  

    Once the system is patched with latest updates, let us know if you are still facing the issue with Sophos 

    Shweta

    Community Support Engineer | Sophos Technical Support

     

  • The current patches (installed last week) will be there and we will not patch anytime soon in a month's time.

  • Hi  

    Thank you for the update, let us know how it goes with Sophos ZAP tool. 

    Shweta

    Community Support Engineer | Sophos Technical Support

     

  • We have this problem also on several Win10 machines. Solved by running an update from the Sophos Endpoint UI on the "problematic" machines and by several restarts.

    In "Sophos Central Console" the "device status" is OK, but on some machines the status is Red - "you have to call IT .." (free translation from the Czech language).

    On fully updated machines and also on machines with some missing patches.

     

     

     

  • Hi  

    Devices with red health status on central, does it show any specific service stopped or any other detections? 

    Shweta

    Community Support Engineer | Sophos Technical Support

     

  • It doesn't have a stopped service. It simply doesn't have the service installed.

    Now - after several restarts AND several "update NOW" from Sophos UI on PCs we have the following state:

     

    In Sophos Control Central - OK

    ALL Sophos services ARE running - OK

    On the workstation - Sophos shows errors - see the attached pictures.

  • Hi  

    Could you please translate the error message shown in the Endpoint UI? Which service state is in the stopped state? 

    Shweta

    Community Support Engineer | Sophos Technical Support

     

  • Translated freely into English: "Some services aren't started. Call IT". But ALL services ARE running. (After several restarts and a reinstall from the LOCAL Sophos UI)

  • Hi  

    Can you please click on About > Open Endpoint Self Help Tool > Services and check which services are not running? Do you see any components which are not installed? 

    Thanks,

    Yashraj Singha

    Community Team Lead, Support & Services| Sophos Technical Support

  • All services ARE running

    and

     

    ALL services ARE installed.

     

     

  • Yep, same here.

    Console:

    " Failed to install savxp: uninstalling an older product failed."

     

    Log:

    "WARN  Failed to install product E17FE03B-0501-4aaa-BC69-0129D965F311 10.8.7.1000."

     

    Version agent: 10.8.6 VE3.78.5

  • Can you find (and attach) the install and uninstall logs of SAV? They are in \windows\temp\ if this is an AutoUpdate-initiated install attempt, or under %temp% if you are performing an install with, say, the Sophos Central installer.

  • Hi jak,

     

    Here is it what I found:

    Sophos Anti-Virus Major Install Log

    https://pastebin.com/fdBLBRf7

     

    Sophos Anti-Virus Uninstall log

    https://pastebin.com/N83VsS2J

     

    SophosUpdate log from when I initiated an update from the Console; maybe it could help as well

    https://pastebin.com/W1zLQf6r 

  • Seeing error 1612 on SAV uninstall and install logs. The uninstall process is looking for the MSI which is missing in this path: C:\WINDOWS\Installer\60e64.msi.

    You can try uninstalling Sophos using the SophosZap tool, and then reinstall Sophos.

    Regards, 

     
    DianneY
    Technical Support Engineer | Sophos Support

  • The install is finding a version of Sophos Anti-Virus installed (ProductCode - BEEB46C0-1983-4DF2-AD40-8C464842DF24) which appears to be broken:

    2020-06-15 10:26:49 There is an incomplete SAV installation, forcing a Major Update to recover
    2020-06-15 10:26:49 Info: Performing major update of Sophos Anti-Virus using msi.
    2020-06-15 10:26:49 Info: Update is signalled.
    2020-06-15 10:26:49 In KB2918614Workaround().
    2020-06-15 10:26:49 Leaving KB2918614Workaround().
    2020-06-15 10:26:49 Product code of SAV currently installed: {BEEB46C0-1983-4DF2-AD40-8C464842DF24}
    2020-06-15 10:26:49 Product code of SAV to be installed: {D89312B9-A62F-4FF1-A7E9-077D4C4FE002}

    It is then starting the uninstall of it:

    2020-06-15 10:26:58 Info: Uninstall SAV
    2020-06-15 10:26:58 Unable to delete registry key: SOFTWARE\Sophos\Telemetry\Plugins!
    2020-06-15 10:26:58 Info: Running Uninstall of previous version using command line: msiexec.exe /x {BEEB46C0-1983-4DF2-AD40-8C464842DF24} REBOOT=ReallySuppress /qn UNINSTALLDRIVERS=0 UNINSTALLCLASSFILTER=0 UNINSTALLBOOTDRIVERS=1 UNINSTALLKMSDRIVERS=1 CHECKFORSCF=0 INSTALLINGVERSION="10.8.7.1000" /Lvp "C:\WINDOWS\TEMP\Sophos Anti-Virus Uninstall Log_200615_082658.txt"
    2020-06-15 10:26:58 Info: Finished waiting for Uninstallation of previous version. Status returned was 0l.
    2020-06-15 10:26:58 WARNING: SAV uninstall failed with error 1612

    The issue is, the uninstall is failing with 1612, which is ERROR_INSTALL_SOURCE_ABSENT. So there is no cached MSI for the product code BEEB46C0-1983-4DF2-AD40-8C464842DF24.

    The easiest thing at this point is probably to run SophosZap - https://community.sophos.com/products/endpoint-security-control/b/blog/posts/sophos-zap-is-now-available The alternative is trying to piece together a number of files from another computer.

    Regards,
    Jak
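
The missing-cache condition behind error 1612 can be checked on a machine before attempting another reinstall. The following PowerShell is an added example, not part of the original thread and not Sophos code: it looks up the product code from the log above in the standard Windows Installer per-machine registration and tests whether the cached MSI it points to still exists. The function names `ConvertTo-PackedGuid` and `Test-MsiCache` are hypothetical.

```powershell
# Added example (not Sophos code): check whether Windows Installer still has the
# cached MSI for a product code. msiexec /x needs that file to run the uninstall.

function ConvertTo-PackedGuid {
    param([Parameter(Mandatory)][guid]$ProductCode)
    # Windows Installer registers products under a "packed" form of the GUID:
    # the first three groups are reversed character by character, and every
    # remaining byte has its two hex digits swapped.
    $hex = $ProductCode.ToString('N').ToUpperInvariant()
    $reverse = {
        param($s)
        $chars = $s.ToCharArray()
        [array]::Reverse($chars)
        -join $chars
    }
    $packed  = & $reverse ($hex.Substring(0, 8))
    $packed += & $reverse ($hex.Substring(8, 4))
    $packed += & $reverse ($hex.Substring(12, 4))
    for ($i = 16; $i -lt 32; $i += 2) {
        $packed += & $reverse ($hex.Substring($i, 2))
    }
    $packed
}

function Test-MsiCache {
    param([Parameter(Mandatory)][guid]$ProductCode)
    $packed = ConvertTo-PackedGuid $ProductCode
    # Per-machine installs are registered under the SYSTEM SID (S-1-5-18).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\' +
           "S-1-5-18\Products\$packed\InstallProperties"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $cached = $props.LocalPackage   # path such as C:\WINDOWS\Installer\<name>.msi
    [pscustomobject]@{
        ProductCode  = $ProductCode.ToString('B').ToUpperInvariant()
        Registered   = [bool]$props
        DisplayName  = $props.DisplayName
        LocalPackage = $cached
        CachePresent = [bool]($cached -and (Test-Path -LiteralPath $cached))
    }
}

# Product code of the currently installed SAV, taken from the install log above.
Test-MsiCache '{BEEB46C0-1983-4DF2-AD40-8C464842DF24}'
```

A result with `Registered` true and `CachePresent` false matches the state described in this thread: the product is still registered, but the MSI needed to uninstall it is gone.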