
Sophos Uninstall Issue

Good Morning

At my workplace we use Sophos Endpoint Security and Control v9.5 and I'm having an issue on one of the machines it's installed on. I wonder if anyone can suggest anything to assist me?

The PC in question had Sophos installed (via a network share), but upon first install, when it does its initial update (the 3 stage update), the update window would close once it got to 'Installing Package 1 of..'

Now I assumed that I had mistyped the admin password/ID so I went to uninstall it.  However when I try and uninstall Sophos it asks for a 'Sophos Anti-Virus.msi' file.  I browsed to this file on the network server but the uninstaller would not accept this MSI (I've seen a few threads on Google with this issue with no successful resolutions).

I have tried reinstalling Sophos again (same thing happened) and I've tried absolutely everything to remove Sophos: I've manually cleared the registry, manually deleted the files, logged into safe mode to try and remove it, and I even reinstalled the Windows Installer (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5a58b56f-60b6-4412-95b9-54d056d6f9f4&displaylang=en_) as it was suggested on the net as a way to get round this issue. Nothing seems to work.

Any suggestions?

Cheers

Neal

:8433


  • Hello Neal,

    funny that just now a number of similar issues pop up.

    Combing through the logs is one option. Can you open the GUI (from the Sophos icon in the taskbar) and view the updating log? This would tell you which component fails. The ALUpdate<timestamp>.log in   [%ProgramFiles%|%ProgramData%]\Sophos\AutoUpdate\Logs\  and the Sophos logs in %windir%\Temp and/or the current user's %temp% probably contain some more information. 

    But - I expect it will tell you that uninstalling a previous version of SAVXP failed. Last time I recommended msicuu2.exe it couldn't help - maybe this time it does (did you ever remove the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall keys for SAV? If they contain incorrect information ... well, reinstalling MSI won't touch them for obvious reasons). 

    Christian

    :8435
  • Hi Christian and thanks for replying

    The GUI doesn't even seem to open; I can right click on the Sophos Icon and choose 'Open Endpoint....' but nothing happens.  I did remove HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall keys for Sophos but it didn't seem to make any difference (it still appears in the add/remove Programs list but no longer has a 'remove' button next to it).  I went through the registry keys several times and I'm sure I have got everything.

    It's quite frustrating, very annoying to have to reimage this machine just because of this problem, but that's looking like the easiest solution at the moment.

    I'll give msicuu2.exe a whirl first though!

    Thanks for your help

    Neal

    :8459
  • Hi all,

    We have a similar problem. We are upgrading clients from 7.6 to 9.5 and after a successful installation all subsequent updating fails at the 'Installing Package 1...' as it closes down immediately. Our temp solution is a 3rd party uninstaller and re-installation of Sophos...not an ideal solution. After a removal / re-install all seems fine.

    We only started with this last week, up to then all worked fine.

    Will give msicuu2.exe a go.

    cheers

    Degs

    :9003
  • Hi,

    Is the failing package:

    RMS, SAV, SCF, SAU?

    Using the most recently created/modified AutoUpdate (SAU) trace log file (\ProgramData\Sophos\AutoUpdate\Logs\ALUpdate<timestamp>.log), if you search from the bottom up for:

    "ALUpdate started:"

    This will signify the start of the last update and you can see from the time stamps where it skipped forward the same number of minutes as the updating interval.

    The next lines of interest are really the lines that start:

    ALUpdate(Action.Skipped)

    or

    ALUpdate(Action.Execute)

    These are in the UpdateNow method (so all the checking of the CID is complete).

    So if you see:

    ALUpdate(Action.Skipped): RMSNT
    ALUpdate(Action.Skipped): SAVXP
    ALUpdate(Action.Skipped): Sophos Client Firewall
    ALUpdate(Action.Skipped): Sophos AutoUpdate

    You can see that nothing took place as presumably all the packages were up to date.  If the SAV package was updated you would see something like:

    "SetupAction::Execute: Creating thread to install product SAVXP"

    and it would then continue logging the install.

    Once the package that is being updated is discovered the msi and custom actions logs in:

    \windows\temp

    should help.

    I typically use Notepad++ (http://notepad-plus-plus.org/) for looking at this sort of log as you can search with "Find all in current document" and it gives you a list of result lines.  So searching for:

    "ALUpdate(Action.Execute): SAVXP"

    and hitting  "Find all in current document" would show you all the times that the SAV package was updated.

    Thanks,

    Jak

    :9043
  • Hi

    From the AUpdate...log we receive this error:

    Trace(2011-Feb-17 13:20:45): SetupAction::Execute: Creating thread to install product SAVXP
    Trace(2011-Feb-17 13:20:45): SetupAction::Run: Installing Product SAVXP
    Trace(2011-Feb-17 13:20:45): ALUpdate(Action.Execute): SAVXP
    Trace(2011-Feb-17 13:20:45): SetupAction::Run: Preparing...
    Trace(2011-Feb-17 13:20:45): CIDUpdateLocation::Prepare... entered
    Trace(2011-Feb-17 13:20:47): CheckManifest completed successfully
    Trace(2011-Feb-17 13:20:47): SetupAction::Run: Prepare succeeded
    Trace(2011-Feb-17 13:20:47): SetupAction::Execute: Could not create instance of IProductSetup2. Reverting to IProductSetup
    Trace(2011-Feb-17 13:22:13): ALUpdate(Install.Failure): SAVXP
    Trace(2011-Feb-17 13:22:13): SetupAction::Execute: Thread to install SAVXP returns 0

    Any ideas ?

    Degs

    :9233
  • Ok, so it's the SAV package that is failing to install.  That being the case, can you obtain the latest pair of logs from:

    \windows\temp\

    They have the same time stamp in the files so you can spot the pair: one is the MSI log, the other log file logs the custom actions the MSI runs, i.e.

    Sophos Anti-Virus Install Log_<timestamp>.txt

    Sophos Anti-Virus CustomActions Log_<timestamp>.txt

    I would always start with the MSI log, navigate to the bottom and search up for:

    Return value 3

    This hopefully will give you the custom action that is failing or at least the time.  Hopefully from that and the custom actions log we can work out what is going wrong.

    If the MSI log is too big to post, maybe just post the 30 lines or so above the "return value 3" and the custom actions log: that is much smaller.

    Regards,

    Jak

    :9263
  • Hi Jak

    Logs as requested.

    MSI

    MSI (s) (BC:88) [15:59:55:015]: Executing op: ProductInfo(ProductKey={9ACB414D-9347-40B6-A453-5EFB2DB59DFA},ProductName=Sophos Anti-Virus,PackageName=Sophos Anti-Virus.msi,Language=1033,Version=151322629,Assignment=1,ObsoleteArg=0,ProductIcon=ARPPRODUCTICON.exe,,PackageCode={2DC4E77B-EA6D-433D-917D-8EAE06446005},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0)
    MSI (s) (BC:88) [15:59:55:015]: Executing op: DialogInfo(Type=0,Argument=1033)
    MSI (s) (BC:88) [15:59:55:015]: Executing op: DialogInfo(Type=1,Argument=Sophos Anti-Virus)
    MSI (s) (BC:88) [15:59:55:015]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
    MSI (s) (BC:88) [15:59:55:015]: Executing op: SetBaseline(Baseline=0,)
    MSI (s) (BC:88) [15:59:55:015]: Executing op: SetBaseline(Baseline=1,)
    MSI (s) (BC:88) [15:59:55:015]: Executing op: ActionStart(Name=SetUpdateFailed,,)
    MSI (s) (BC:88) [15:59:55:015]: Executing op: CustomActionSchedule(Action=SetUpdateFailed,ActionType=1281,Source=BinaryData,Target=SetUpdateFailed,)
    MSI (s) (BC:88) [15:59:55:015]: Executing op: ActionStart(Name=RestoreMovedFiles,,)
    MSI (s) (BC:88) [15:59:55:015]: Executing op: CustomActionSchedule(Action=RestoreMovedFiles,ActionType=1281,Source=BinaryData,Target=RestoreMovedFiles,CustomActionData=C:\Program Files\Sophos\Sophos Anti-Virus\)
    MSI (s) (BC:88) [15:59:55:031]: Executing op: ActionStart(Name=CheckRegForNullDACLs,,)
    MSI (s) (BC:88) [15:59:55:031]: Executing op: CustomActionSchedule(Action=CheckRegForNullDACLs,ActionType=1025,Source=BinaryData,Target=CheckRegForNullDACLs,)
    MSI (s) (BC:CC) [15:59:55:031]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2C6.tmp, Entrypoint: CheckRegForNullDACLs
    MSI (s) (BC:88) [15:59:55:359]: Executing op: ActionStart(Name=RunErrorScript,,)
    MSI (s) (BC:88) [15:59:55:359]: Executing op: CustomActionSchedule(Action=RunErrorScript,ActionType=1345,Source=BinaryData,Target=RunErrorScripts,CustomActionData="C:\Program Files\Sophos\Sophos Anti-Virus\""C:\Program Files\Sophos\AutoUpdate\cache\savxp\""9.5.5")
    MSI (s) (BC:88) [15:59:55:375]: Executing op: ActionStart(Name=SetUpdateBegin,,)
    MSI (s) (BC:88) [15:59:55:375]: Executing op: CustomActionSchedule(Action=SetUpdateBegin,ActionType=1025,Source=BinaryData,Target=SetUpdateBegin,)
    MSI (s) (BC:C8) [15:59:55:390]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2C7.tmp, Entrypoint: SetUpdateBegin
    MSI (s) (BC:88) [15:59:56:515]: Executing op: ActionStart(Name=CloseSavMainWindow,,)
    MSI (s) (BC:88) [15:59:56:515]: Executing op: CustomActionSchedule(Action=CloseSavMainWindow,ActionType=1025,Source=BinaryData,Target=CloseSavMainWindow,)
    MSI (s) (BC:5C) [15:59:56:531]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2C8.tmp, Entrypoint: CloseSavMainWindow
    MSI (s) (BC:88) [15:59:57:015]: Executing op: ActionStart(Name=SwiService_dereg.11DACB83_28A7_4FA6_AF5B_C006E340C101,,)
    MSI (s) (BC:88) [15:59:57:015]: Executing op: CustomActionSchedule(Action=SwiService_dereg.11DACB83_28A7_4FA6_AF5B_C006E340C101,ActionType=1058,Source=C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\,Target="C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" /unregisterService,)
    MSI (s) (BC:88) [16:00:12:046]: Executing op: ActionStart(Name=WaitForSAVService,,)
    MSI (s) (BC:88) [16:00:12:046]: Executing op: CustomActionSchedule(Action=WaitForSAVService,ActionType=1025,Source=BinaryData,Target=WaitForSAVService,)
    MSI (s) (BC:40) [16:00:12:062]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2C9.tmp, Entrypoint: WaitForSAVService
    MSI (s) (BC:88) [16:00:42:109]: Executing op: ActionStart(Name=RemoveODBC,Description=Removing ODBC components,)
    MSI (s) (BC:88) [16:00:42:109]: Executing op: ODBCDriverManager(,BinaryType=0)
    MSI (s) (BC:88) [16:00:42:109]: Executing op: ODBCDriverManager(,BinaryType=1)
    MSI (s) (BC:88) [16:00:42:109]: Executing op: ActionStart(Name=CheckUninstallDrivers,,)
    MSI (s) (BC:88) [16:00:42:109]: Executing op: CustomActionSchedule(Action=CheckUninstallDrivers,ActionType=1025,Source=BinaryData,Target=CheckUninstallDrivers,)
    MSI (s) (BC:70) [16:00:42:125]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2CA.tmp, Entrypoint: CheckUninstallDrivers
    MSI (s) (BC:88) [16:00:42:156]: Executing op: ActionStart(Name=DeleteIDEs,,)
    MSI (s) (BC:88) [16:00:42:156]: Executing op: CustomActionSchedule(Action=DeleteIDEs,ActionType=1025,Source=BinaryData,Target=DeleteIDEs,CustomActionData=C:\Program Files\Sophos\Sophos Anti-Virus\)
    MSI (s) (BC:A8) [16:00:42:171]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2CB.tmp, Entrypoint: DeleteIDEs
    MSI (s) (BC:88) [16:00:42:265]: Executing op: ActionStart(Name=DeleteBDLs,,)
    MSI (s) (BC:88) [16:00:42:265]: Executing op: CustomActionSchedule(Action=DeleteBDLs,ActionType=1025,Source=BinaryData,Target=DeleteBDLs,CustomActionData=C:\Program Files\Sophos\Sophos Anti-Virus\)
    MSI (s) (BC:FC) [16:00:42:281]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2CC.tmp, Entrypoint: DeleteBDLs
    MSI (s) (BC:88) [16:00:42:312]: Executing op: ActionStart(Name=DeleteHIPSConfig,,)
    MSI (s) (BC:88) [16:00:42:312]: Executing op: CustomActionSchedule(Action=DeleteHIPSConfig,ActionType=1025,Source=BinaryData,Target=DeleteHIPSConfig,CustomActionData=C:\Program Files\Sophos\Sophos Anti-Virus\)
    MSI (s) (BC:8C) [16:00:42:343]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2CD.tmp, Entrypoint: DeleteHIPSConfig
    MSI (s) (BC:88) [16:00:42:375]: Executing op: ActionStart(Name=RemoveFilesOnUpgrade,,)
    MSI (s) (BC:88) [16:00:42:375]: Executing op: CustomActionSchedule(Action=RemoveFilesOnUpgrade,ActionType=1025,Source=BinaryData,Target=RemoveFilesOnUpgrade,CustomActionData=C:\Program Files\Sophos\Sophos Anti-Virus\)
    MSI (s) (BC:50) [16:00:42:390]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2CE.tmp, Entrypoint: RemoveFilesOnUpgrade
    MSI (s) (BC:88) [16:00:42:421]: Executing op: ActionStart(Name=RollbackUpdateSavAdapterDll,,)
    MSI (s) (BC:88) [16:00:42:421]: Executing op: CustomActionSchedule(Action=RollbackUpdateSavAdapterDll,ActionType=1281,Source=BinaryData,Target=RollbackUpdateSavAdapterDll,CustomActionData=C:\Program Files\Sophos\Sophos Anti-Virus\)
    MSI (s) (BC:88) [16:00:42:421]: Executing op: ActionStart(Name=UpdateSavAdapterDll,,)
    MSI (s) (BC:88) [16:00:42:421]: Executing op: CustomActionSchedule(Action=UpdateSavAdapterDll,ActionType=1025,Source=BinaryData,Target=UpdateSavAdapterDll,)
    MSI (s) (BC:10) [16:00:42:453]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2CF.tmp, Entrypoint: UpdateSavAdapterDll
    MSI (s) (BC:88) [16:00:52:484]: Executing op: ActionStart(Name=CopyOtherFiles,,)
    MSI (s) (BC:88) [16:00:52:484]: Executing op: CustomActionSchedule(Action=CopyOtherFiles,ActionType=1025,Source=BinaryData,Target=CopyOtherFiles,CustomActionData="C:\Program Files\Sophos\Sophos Anti-Virus\""C:\Program Files\Sophos\AutoUpdate\cache\savxp\""XP")
    MSI (s) (BC:EC) [16:00:52:500]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2D0.tmp, Entrypoint: CopyOtherFiles
    MSI (s) (BC:88) [16:00:52:546]: Executing op: ActionStart(Name=RegisterBufferOverflowProtection,,)
    MSI (s) (BC:88) [16:00:52:546]: Executing op: CustomActionSchedule(Action=RegisterBufferOverflowProtection,ActionType=1025,Source=BinaryData,Target=RegisterBufferOverflowProtection,CustomActionData=C:\Program Files\Sophos\Sophos Anti-Virus\)
    MSI (s) (BC:D8) [16:00:52:562]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2D1.tmp, Entrypoint: RegisterBufferOverflowProtection
    MSI (s) (BC:88) [16:00:52:625]: Executing op: ActionStart(Name=InstallDriverFilesXP,,)
    MSI (s) (BC:88) [16:00:52:625]: Executing op: CustomActionSchedule(Action=InstallDriverFilesXP,ActionType=1058,Source=C:\WINDOWS\system32\,Target=RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\Sophos\AutoUpdate\cache\savxp\WinXP_i386\SAVONACCESSDRIV.INF,)
    MSI (s) (BC:88) [16:00:53:562]: Executing op: ActionStart(Name=InstallBootDriverXP,,)
    MSI (s) (BC:88) [16:00:53:562]: Executing op: CustomActionSchedule(Action=InstallBootDriverXP,ActionType=1058,Source=C:\WINDOWS\system32\,Target=RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\Sophos\AutoUpdate\cache\savxp\WinXP_i386\SOPHOSBOOTDRIVER.INF,)
    MSI (s) (BC:88) [16:00:54:296]: Executing op: ActionStart(Name=InstallClassFilter,,)
    MSI (s) (BC:88) [16:00:54:296]: Executing op: CustomActionSchedule(Action=InstallClassFilter,ActionType=1058,Source=C:\WINDOWS\system32\,Target=RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\Sophos\AutoUpdate\cache\savxp\ClassFilterDrivers\i386\SDCFILTER.INF,)
    MSI (s) (BC:88) [16:00:55:046]: Executing op: ActionStart(Name=StartDriverServices,,)
    MSI (s) (BC:88) [16:00:55:046]: Executing op: CustomActionSchedule(Action=StartDriverServices,ActionType=1025,Source=BinaryData,Target=StartDriverServices,CustomActionData=XP)
    MSI (s) (BC:10) [16:00:55:046]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2DA.tmp, Entrypoint: StartDriverServices
    MSI (s) (BC:88) [16:00:55:078]: Executing op: ActionStart(Name=InstallFiles,Description=Copying new files,Template=File: [1],  Directory: [9],  Size: [6])
    MSI (s) (BC:88) [16:00:55:078]: Executing op: InstallProtectedFiles(AllowUI=0)
    MSI (s) (BC:88) [16:00:55:078]: Executing op: ActionStart(Name=CreateUserGroups,,)
    MSI (s) (BC:88) [16:00:55:078]: Executing op: CustomActionSchedule(Action=CreateUserGroups,ActionType=1025,Source=BinaryData,Target=CreateUserGroups,CustomActionData=C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config)
    MSI (s) (BC:44) [16:00:55:093]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2DB.tmp, Entrypoint: CreateUserGroups
    MSI (s) (BC:88) [16:00:55:312]: Executing op: ActionStart(Name=AddDomainGroups,,)
    MSI (s) (BC:88) [16:00:55:312]: Executing op: CustomActionSchedule(Action=AddDomainGroups,ActionType=1025,Source=BinaryData,Target=AddDomainGroups,)
    MSI (s) (BC:BC) [16:00:55:328]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2DC.tmp, Entrypoint: AddDomainGroups
    MSI (s) (BC:88) [16:00:55:359]: Executing op: ActionStart(Name=SwiConfig_upgrade.11DACB83_28A7_4FA6_AF5B_C006E340C101,,)
    MSI (s) (BC:88) [16:00:55:359]: Executing op: CustomActionSchedule(Action=SwiConfig_upgrade.11DACB83_28A7_4FA6_AF5B_C006E340C101,ActionType=1058,Source=C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\,Target="C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_config.exe" /update,)
    MSI (s) (BC:88) [16:01:10:390]: Executing op: ActionStart(Name=UpdateSAVI,,)
    MSI (s) (BC:88) [16:01:10:390]: Executing op: CustomActionSchedule(Action=UpdateSAVI,ActionType=1025,Source=BinaryData,Target=UpdateSAVI,CustomActionData="C:\Program Files\Sophos\Sophos Anti-Virus\""C:\Program Files\Sophos\AutoUpdate\cache\savxp\")
    MSI (s) (BC:5C) [16:01:10:421]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2DD.tmp, Entrypoint: UpdateSAVI
    MSI (s) (BC:88) [16:01:12:968]: Executing op: ActionStart(Name=SetFolderPermissions,,)
    MSI (s) (BC:88) [16:01:12:968]: Executing op: CustomActionSchedule(Action=SetFolderPermissions,ActionType=1025,Source=BinaryData,Target=SetFolderPermissions,CustomActionData=C:\Program Files\Sophos\Sophos Anti-Virus\)
    MSI (s) (BC:D0) [16:01:12:984]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2DE.tmp, Entrypoint: SetFolderPermissions
    MSI (s) (BC:88) [16:01:14:312]: Executing op: ActionStart(Name=SetServiceXP,,)
    MSI (s) (BC:88) [16:01:14:312]: Executing op: CustomActionSchedule(Action=SetServiceXP,ActionType=1025,Source=BinaryData,Target=SetServiceXP,)
    MSI (s) (BC:78) [16:01:14:328]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2DF.tmp, Entrypoint: SetServiceXP
    MSI (s) (BC:88) [16:01:14:406]: User policy value 'DisableRollback' is 0
    MSI (s) (BC:88) [16:01:14:406]: Machine policy value 'DisableRollback' is 0
    Action ended 16:01:14: InstallFinalize. Return value 3.

    and Custom

    2011-02-21 15:59:51 Starting competitor detection...
    2011-02-21 15:59:53 Boot driver: disabled
    2011-02-21 15:59:54 Setting class filter present property to: 1
    2011-02-21 15:59:54 PROCESSOR_ARCHITECTURE environment variable is: x86
    2011-02-21 16:00:12 WaitForSAVService: Walking system processes...
    2011-02-21 16:00:12 WaitForSAVService: Found process named SAVService.exe, waiting...
    2011-02-21 16:00:15 WaitForSAVService: Found process named SAVService.exe, waiting...
    2011-02-21 16:00:18 WaitForSAVService: Found process named SAVService.exe, waiting...
    2011-02-21 16:00:21 WaitForSAVService: Found process named SAVService.exe, waiting...
    2011-02-21 16:00:24 WaitForSAVService: Found process named SAVService.exe, waiting...
    2011-02-21 16:00:27 WaitForSAVService: Found process named SAVService.exe, waiting...
    2011-02-21 16:00:30 WaitForSAVService: Found process named SAVService.exe, waiting...
    2011-02-21 16:00:33 WaitForSAVService: Found process named SAVService.exe, waiting...
    2011-02-21 16:00:36 WaitForSAVService: Found process named SAVService.exe, waiting...
    2011-02-21 16:00:39 WaitForSAVService: Found process named SAVService.exe, waiting...
    2011-02-21 16:00:42 WaitForSAVService: Finished walking system processes.
    2011-02-21 16:00:42 IsServiceInstalled: Unable to get a handle to requested service SAVOnAccess control. Returning false.
    2011-02-21 16:00:42 IsServiceInstalled: Unable to get a handle to requested service SAVOnAccess filter. Returning false.
    2011-02-21 16:00:52 CopyOtherFiles custom action - Copying other driver files
    2011-02-21 16:00:52 Copying class filter source: C:\Program Files\Sophos\AutoUpdate\cache\savxp\classfilterdrivers\i386\SDCFILTER.INF, target: C:\Program Files\Sophos\Sophos Anti-Virus\
    2011-02-21 16:00:52 GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll detoured exists, proceeding to rename it & mark for delete.
    2011-02-21 16:00:52 PROCESSOR_ARCHITECTURE environment variable is: x86
    2011-02-21 16:00:52 BopsUnregister: could not get short path to DLL. It will not be unregistered.
    2011-02-21 16:00:52 GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\detoured.dll does not exist, no further action.
    2011-02-21 16:00:52 BOPS path already exists
    2011-02-21 16:00:52 PROCESSOR_ARCHITECTURE environment variable is: x86
    2011-02-21 16:00:55 IsServiceRunning: Unable to get a handle to requested service SAVOnAccess control. Returning false.
    2011-02-21 16:00:55 Local name of well-known group Administrators is
    2011-02-21 16:00:55 Administrators
    2011-02-21 16:00:55 Local name of well-known group PowerUsers is
    2011-02-21 16:00:55 Power Users
    2011-02-21 16:00:55 Local name of well-known group Users is
    2011-02-21 16:00:55 Users
    2011-02-21 16:00:55 SophosUser already exists - skipped adding members
    2011-02-21 16:00:55 SophosPowerUser already exists - skipped adding members
    2011-02-21 16:00:55 SophosAdministrator already exists - skipped adding members
    2011-02-21 16:00:55 LocalSystem already member of the SophosAdministrator group
    2011-02-21 16:00:55 No need to restart Sophos Agent service
    2011-02-21 16:00:55 Successfully added/created all groups - function is now returning
    2011-02-21 16:01:10 About to wait for event Global\!$_SAVI_!$$!_EVENT_$!__ReadyForUpdate
    2011-02-21 16:01:10 Successfully waited for event Global\!$_SAVI_!$$!_EVENT_$!__ReadyForUpdate
    2011-02-21 16:01:10 UpdateRequest signalled
    2011-02-21 16:01:10 About to wait for event Global\!$_SAVI_!$$!_EVENT_$!__Suspended
    2011-02-21 16:01:10 Successfully waited for event Global\!$_SAVI_!$$!_EVENT_$!__Suspended
    2011-02-21 16:01:12 SAVI dll was installed successfully
    2011-02-21 16:01:14 We are running on XP or higher - adding LocalService to permissions on config files
    2011-02-21 16:01:14 We are running on XP or higher - adding LocalService to permissions on config files
    2011-02-21 16:01:14 Unable to add set access permissions on the Device Control Log directory
    2011-02-21 16:01:14 Unable to add set access permissions on the Data Control Log directory
    2011-02-21 16:01:14 Unable to get a handle to the Sophos Anti-Virus Service, error returned: 5

    regards

    Degs

    :9361
  • Hi,

    Thanks for the logs.  It looks like the custom action "SetServiceXP" failed and this is backed up by the error:

    "Unable to get a handle to the Sophos Anti-Virus Service, error returned: 5" 

    In the custom action log.  The times all match up as well which is good.

    I think from looking at logs of mine that this custom action is responsible for setting the SAV Service to run as "Local Service".

    I would think that it is getting an access denied error (error 5) trying to get a handle to the SAV Service via the Service Control Manager to change this property.

    This is odd though as Alupdate.exe should be installing the SAV msi as local system, so I would have thought this custom action would be running as local system, in which case why would it get access denied when getting a handle to the service?

    I hope this points you in the right direction.  Maybe a call in to Support with the information we have so far, they might recognise the problem.

    Regards,

    Jak

    :9365
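
The triage walked through in the replies above (last update run in the ALUpdate trace log, then "Return value 3" in the MSI log, then the matching custom actions log lines), as an added Python example that is not part of the original posts or of any Sophos tooling. The sample logs are constructed from the line shapes posted in this thread, the function names are hypothetical, and treating the last custom action invoked before "Return value 3" as the suspect is an assumption of this sketch.

```python
import re

# Constructed samples, trimmed from the log line shapes posted in this thread.
ALUPDATE_LOG = """\
Trace(2011-Feb-17 13:10:40): ALUpdate started: (constructed earlier run)
Trace(2011-Feb-17 13:10:45): ALUpdate(Action.Skipped): SAVXP
Trace(2011-Feb-17 13:20:40): ALUpdate started: (constructed latest run)
Trace(2011-Feb-17 13:20:44): ALUpdate(Action.Skipped): RMSNT
Trace(2011-Feb-17 13:20:45): ALUpdate(Action.Execute): SAVXP
Trace(2011-Feb-17 13:22:13): ALUpdate(Install.Failure): SAVXP
"""
MSI_LOG = r"""MSI (s) (BC:D0) [16:01:12:984]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2DE.tmp, Entrypoint: SetFolderPermissions
MSI (s) (BC:78) [16:01:14:328]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI2DF.tmp, Entrypoint: SetServiceXP
MSI (s) (BC:88) [16:01:14:406]: Machine policy value 'DisableRollback' is 0
Action ended 16:01:14: InstallFinalize. Return value 3.
"""
CUSTOM_LOG = """\
2011-02-21 16:01:12 SAVI dll was installed successfully
2011-02-21 16:01:14 We are running on XP or higher - adding LocalService to permissions on config files
2011-02-21 16:01:14 Unable to add set access permissions on the Device Control Log directory
2011-02-21 16:01:14 Unable to get a handle to the Sophos Anti-Virus Service, error returned: 5
"""
WIN32 = {5: "ERROR_ACCESS_DENIED", 1060: "ERROR_SERVICE_DOES_NOT_EXIST"}  # winerror.h

def last_update(alupdate_text):
    """Map product -> ALUpdate events logged after the last 'ALUpdate started:'."""
    tail = alupdate_text[max(alupdate_text.rfind("ALUpdate started:"), 0):]
    events = {}
    for line in tail.splitlines():
        m = re.search(r"ALUpdate\(((?:Action|Install)\.\w+)\): (.+)$", line)
        if m:
            events.setdefault(m.group(2).strip(), []).append(m.group(1))
    return events

def failing_custom_action(msi_text):
    """Search up from the last 'Return value 3': (entrypoint, invoked, ended)."""
    idx = msi_text.rfind("Return value 3")
    if idx < 0:
        return None
    head = msi_text[:idx]
    invoked = re.findall(r"\[(\d\d:\d\d:\d\d):\d+\]: Invoking remote custom "
                         r"action\..*Entrypoint: (\w+)", head)
    ended = re.findall(r"Action ended (\d\d:\d\d:\d\d):", head)
    if not invoked or not ended:
        return None
    return invoked[-1][1], invoked[-1][0], ended[-1]

def custom_errors(custom_text, start, end):
    """Custom actions log lines in [start, end] (HH:MM:SS) that report a failure."""
    hits = []
    for line in custom_text.splitlines():
        m = re.match(r"\d{4}-\d\d-\d\d (\d\d:\d\d:\d\d) (.*)$", line)
        if not m or not (start <= m.group(1) <= end):
            continue
        msg = m.group(2)
        if "Unable to" in msg or "error returned" in msg:
            code = re.search(r"error returned: (\d+)", msg)
            name = WIN32.get(int(code.group(1)), "unknown") if code else None
            hits.append((msg, name))
    return hits

def triage(alupdate_text, msi_text, custom_text):
    events = last_update(alupdate_text)
    found = failing_custom_action(msi_text)
    return {
        "failed_products": [p for p, ev in events.items() if "Install.Failure" in ev],
        "custom_action": found[0] if found else None,
        "errors": custom_errors(custom_text, found[1], found[2]) if found else [],
    }

if __name__ == "__main__":
    print(triage(ALUPDATE_LOG, MSI_LOG, CUSTOM_LOG))
```

The time window is compared as HH:MM:SS strings, so it assumes the install did not run across midnight and that both logs come from the same install attempt.
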
  • I've been dealing with this exact same issue all week. After upgrading to 9.5 we have had a handful of systems with 7.6 that will not uninstall Sophos. When a manual uninstall is attempted it asks for the "sophos anti-virus.msi" file and then rejects the one that is supplied.

    Anyone have a fix for this yet?

    :9979