
Sophos clean could not be installed (error 00000067)

Hi,

some of our Endpoints show the above error in the management console. On the clients, "Update failed" is shown, although in the management console they are up to date.

The clean installation log says:

2019-07-18 14:44:13.309 [ 204:7808] - Beginning install
a 2019-07-18 14:44:13.309 [ 204:7808] - Running installation from C:\ProgramData\Sophos\AutoUpdate\cache\clean64
a 2019-07-18 14:44:13.309 [ 204:7808] - Running: C:\Program Files\Sophos\Clean\SophosClean.exe commandline: C:\Program Files\Sophos\Clean\SophosClean.exe /uninstallsophos
a 2019-07-18 14:44:13.418 [ 204:7808] - C:\Program Files\Sophos\Clean\SophosClean.exe /uninstallsophos completed with exitcode: 1
a 2019-07-18 14:44:13.418 [ 204:7808] - Sophos Clean Add/Remove Programs key does not exist (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SophosClean\)
a 2019-07-18 14:44:13.418 [ 204:7808] - Running: C:\ProgramData\Sophos\AutoUpdate\cache\clean64\SophosClean.exe commandline: C:\ProgramData\Sophos\AutoUpdate\cache\clean64\SophosClean.exe /installsophos
a 2019-07-18 14:44:19.246 [ 204:7808] - C:\ProgramData\Sophos\AutoUpdate\cache\clean64\SophosClean.exe /installsophos completed with exitcode: 3221225477
e 2019-07-18 14:44:19.246 [ 204:7808] - Install failed with exception: Installation failed.

 

What can I do here?



  • Hello Thomas Schlüter,

    the side note first: "Update failed" is shown, although in the management console they are up to date - the up-to-dateness is determined by the SAVXP component (software and detection data). Thus "Up to date" means the endpoint has successfully installed Sophos Anti-Virus, the VDL (Virus Data Libraries), and the latest IDEs. Other components are not considered.

    The line "Sophos Clean Add/Remove Programs key does not exist" seems to indicate the problem as it should be there.
    The install error code in normal "programmer language" is 0xC0000005, Access violation. As almost 6 seconds have elapsed since the start of the installation I assume this happens when the registry key should be set as (one of the) final action(s); the copy of uninstall.exe, scf.dat and sof.dat from the cache to the program directory has not been done (or isn't logged). AutoUpdate attempts to install Clean with every update check? It shouldn't install very often (on my machine it did so last in May 2018). Are these new installs?

    Christian     

  • Hello QC,

    I compared the above logs with the logs of another machine where the installation was successful. The line "Sophos Clean Add/Remove Programs key does not exist" is there, too, although on the ("successful") machine, there is a check for a previous installation, whereas the failed machine does not log such an event but tries to uninstall (a previous installation), which fails. Here are the logs of the "successful" one:

    a 2019-07-24 08:11:27.684 [ 740:2896] - Beginning install
    a 2019-07-24 08:11:27.684 [ 740:2896] - Running installation from C:\ProgramData\Sophos\AutoUpdate\cache\clean64
    a 2019-07-24 08:11:27.685 [ 740:2896] - Looking for previously installed standalone version of Sophos Clean...
    a 2019-07-24 08:11:27.685 [ 740:2896] - Standalone version of Sophos Clean not installed on this endpoint.
    a 2019-07-24 08:11:27.685 [ 740:2896] - Sophos Clean Add/Remove Programs key does not exist (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SophosClean\)
    a 2019-07-24 08:11:27.685 [ 740:2896] - Running: C:\ProgramData\Sophos\AutoUpdate\cache\clean64\SophosClean.exe commandline: C:\ProgramData\Sophos\AutoUpdate\cache\clean64\SophosClean.exe /installsophos
    a 2019-07-24 08:11:33.090 [ 740:2896] - C:\ProgramData\Sophos\AutoUpdate\cache\clean64\SophosClean.exe /installsophos completed with exitcode: 1
    a 2019-07-24 08:11:33.091 [ 740:2896] - Copying "C:\ProgramData\Sophos\AutoUpdate\cache\clean64\uninstall.exe" to "C:\Program Files\Sophos\Clean\uninstall.exe"
    a 2019-07-24 08:11:33.094 [ 740:2896] - Copying "C:\ProgramData\Sophos\AutoUpdate\cache\clean64\scf.dat" to "C:\Program Files\Sophos\Clean\scf.dat"
    a 2019-07-24 08:11:33.095 [ 740:2896] - Copying "C:\ProgramData\Sophos\AutoUpdate\cache\clean64\sof.dat" to "C:\Program Files\Sophos\Clean\sof.dat"
    a 2019-07-24 08:11:33.096 [ 740:2896] - Adding Sophos Clean to Add/Remove Program registry
    a 2019-07-24 08:11:34.538 [ 740:2896] - Install succeeded!
    a 2019-07-24 08:11:34.538 [ 740:2896] - Action was successful, reboot is not required

    There, the installation ends with exit code 1 (whereas on the other machine it ends with exit code 3221225477).

    After copying the files that you mentioned, the installation is successful (although it exited with code 1). Very strange...

    These are not completely new installs. Installation was pushed via Management console ("Protect computer").

     

  • Hello Thomas Schlüter,

    "successful (although it exited with code 1). Very strange..."
    take a look at the ALUpdate logs, 1 is the value that indicates success (search for returns 1 or result state 1).

    So it did work after you copied the uninstall.exe to \Sophos\Clean\? Strange that \Sophos\Clean\SophosClean.exe /uninstallsophos returned 1. Found another thread with a similar problem where it returned 3.

    Christian

  • Hello QC,

    I now have

    - copied the three missing files uninstall.exe, scf.dat and sof.dat into the Clean folder where only SophosClean.exe existed.

    - disabled TamperProtection and Sophos service

    - uninstalled Clean uninstall.exe

    - enabled Tamperprotection and Sophos Service again

    - tried to install clean with "update now" (Client) / "Protect computer" (Management console)

    But, again, installation fails. There is only one file (SophosClean.exe), the other files are missing again.

    Situation as before. The clean application - although - can be started.

  • Hello Thomas Schlüter,

    "The clean application - although - can be started"
    is the Sophos Clean Service installed and running? I assume that /installsophos does not much more than trying to install the service and for some reason encounters an exception that is nevertheless caught. The cause for 0xC0000005 can be "almost anything", from hardware fault, programming error, race condition, to permissions. I'd rule out most of them. Thinking about it - there should be a corresponding Windows Event. Do you still have the log from the first attempt to install Clean on this machine?

    It looks like everything else works as intended. As AutoUpdate has not recorded a successful install it tries to install using the setup plugin (setup.dll in the clean64 cache) that finds the programs directory, calls the contained SophosClean.exe /uninstallsophos, and subsequently SophosClean.exe /installsophos from the cache. Wild guess (but might be totally wrong): /installsophos fails to install the service but /uninstallsophos succeeds as it doesn't have to uninstall it.

    Perhaps the Windows Event log gives some insight, if it's permissions ProcessMonitor could be of help.

    Christian

  • Hello Christian,

    the Clean service is installed but not running. When running the Application, the service does not start either. When manually trying to start it, it fails, messaging: "The service started and then stopped. Some services stop automatically if they are not in use by other services or programs".
    The first error in the event log is similar to the other ones, with ftapihook64.dll as the responsible file:


    Faulting application name: SophosClean.exe, version: 3.7.21.3, time stamp: 0x59d657b2
    Faulting module name: ftapihook64.dll, version: 2.2.6.0, time stamp: 0x59bec026
    Exception code: 0xc0000005
    Fault offset: 0x0000000000005c4e
    Faulting process ID: 0x19b8
    Faulting application start time: 0x01d53baae4edc624
    Faulting application path: C:\ProgramData\Sophos\AutoUpdate\cache\clean64\SophosClean.exe
    Faulting module path: C:\Windows\SYSTEM32\ftapihook64.dll
    Report ID: 907fb01e-45a1-4c42-8b8e-fedd24807d4f
    Faulting package full name:
    Faulting package-relative application ID:

    There are errors regarding the WSCClient...has this perhaps something to do with it?

    Faulting application name: WSCClient.exe, version: 10.8.2.363, time stamp: 0x5cb112e2
    Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception code: 0xc0000005
    Fault offset: 0x00000000770b6e00
    Faulting process ID: 0x2584
    Faulting application start time: 0x01d50bdfba0d86ed
    Faulting application path: C:\PROGRA~2\Sophos\SOPHOS~2\WSCClient.exe
    Faulting module path: unknown
    Report ID: 4dc6ab47-5a1c-4170-b1c1-f12cce5d68a9
    Faulting package full name:
    Faulting package-relative application ID:
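An added example, not part of any post in this thread and not Sophos tooling: it decodes the installer exit codes from the Clean install log as NTSTATUS values (3221225477 is 0xC0000005, as noted above) and pairs each crashed step with the faulting module from the matching Application Error record. The function names are hypothetical, and the sample input is copied from the posts above with the event records shortened.

```python
import re

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}  # illustrative subset only
EXIT_RE = re.compile(r"- (?P<cmd>.+?) completed with exitcode: (?P<code>-?\d+)")
FIELD_RE = re.compile(r"^[ \t]*(Faulting [^:\n]+|Exception code):[ \t]*(.*)$", re.M)

# Sample input: lines copied from the posts in this thread (event records shortened).
INSTALL_LOG = r"""
a 2019-07-18 14:44:13.418 [ 204:7808] - C:\Program Files\Sophos\Clean\SophosClean.exe /uninstallsophos completed with exitcode: 1
a 2019-07-18 14:44:19.246 [ 204:7808] - C:\ProgramData\Sophos\AutoUpdate\cache\clean64\SophosClean.exe /installsophos completed with exitcode: 3221225477
"""
EVENTS = r"""
Faulting application name: SophosClean.exe, version: 3.7.21.3, time stamp: 0x59d657b2
Exception code: 0xc0000005
Faulting application path: C:\ProgramData\Sophos\AutoUpdate\cache\clean64\SophosClean.exe
Faulting module path: C:\Windows\SYSTEM32\ftapihook64.dll
Faulting application name: WSCClient.exe, version: 10.8.2.363, time stamp: 0x5cb112e2
Exception code: 0xc0000005
Faulting application path: C:\PROGRA~2\Sophos\SOPHOS~2\WSCClient.exe
Faulting module path: unknown
"""

def decode_exit(code):
    """Exit codes with NTSTATUS error severity (top two bits set) indicate a likely crash."""
    code &= 0xFFFFFFFF  # the same value may be logged as a negative signed int
    crashed = code >= 0xC0000000
    name = NTSTATUS.get(code, "unnamed NTSTATUS") if crashed else None
    return {"hex": f"0x{code:08X}", "crashed": crashed, "name": name}

def installer_steps(log_text):
    """One dict per 'completed with exitcode' line in the Clean install log."""
    return [dict(decode_exit(int(m["code"])), cmd=m["cmd"]) for m in EXIT_RE.finditer(log_text)]

def crash_records(event_text):
    """One dict per Application Error record; only the first comma-separated value is kept."""
    records = []
    for key, val in FIELD_RE.findall(event_text):
        if key == "Faulting application name":
            records.append({})  # this field opens a new record
        if records:
            records[-1][key] = val.split(",")[0].strip()
    return records

def blame(log_text, event_text):
    """Pair each crashed installer step with the module named in its crash event."""
    return [(s["cmd"], s["name"], r.get("Faulting module path"))
            for s in installer_steps(log_text) if s["crashed"] for r in crash_records(event_text)
            if s["cmd"].lower().startswith(r.get("Faulting application path", "\0").lower())
            and int(r.get("Exception code", "0"), 16) == int(s["hex"], 16)]
```

Calling `blame(INSTALL_LOG, EVENTS)` returns one tuple per crashed step; the WSCClient.exe record is ignored because its application path does not match any installer command.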

  • Hello Thomas Schlüter,

    the error code fits. Wonder what this ftapihook64.dll is. Never heard of it, doesn't ring a bell. "hook" suggests it's not "native Windows". Do you know what this is or where it's from? Is it on the other machines as well?

    Christian

  • Hello QC,

    I don't exactly know what ftapihook64.dll is. It seems to be on all our Win10-VM's, but it is not on the machine where the Clean-Installation works. Our VMs have the LTSC version of Windows installed.

    I found an entry in the registry for the dll in:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\66FCAB8D8ACC8BF4586377D8787AA8EE

    The S-1-5-18 user is the "local system", but which component it is I could not find out...
    Perhaps it is part of the LTSC version...

    I then tried to add the NT Service\TrustedInstaller to the ftapihook64.dll's file permissions, which results in installation failure again. I then simply renamed the file, updated from the client, and renamed back. This worked. Probably not the best solution, but it works.

  • Hello Thomas Schlüter,

    I'm practically on vacation, be back in a few weeks.

    Quite interesting. Any vendor information on the .dll itself? When I'm back I'll check with our LTSC guys if they have seen it.

    Christian

  • Hello QC,

    I found the file on our Windows 7 VMs, too - so it's not Win10-LTSC. I now guess it's part of VMware Horizon.

    It is from FabulaTech - NtApi isolation module. Product name says "Scanner Redirection". I googled it and found it is for USB over RDP.

    T.S.
