This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Anti-Virus service will not start since moving to version 10.6.3

Hi,

Since moving our Win7SP1x64 machines to version 10.6.3 we found that the Anti-Virus service does not start. It returns the error code -2147467259 from the Services MMC window and an entry is also posted to the Application event log with an ID 0 and message CInfrastructureModule::PreMessageLoop.

I've searched various KB Articles and Forum posts and tried/checked out the follow solutions:

The end of the C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Sophos Anti-Virus Start Log_yymmdd_hhmmss.txt file has the following lines:

2016-06-09 14:03:29 CStartupManager::RegisterComponents: Starting RegisterYourself on WebScanningProcessorFactory
2016-06-09 14:03:29 CStartupManager::RegisterComponents: Completed RegisterYourself on WebScanningProcessorFactory
2016-06-09 14:03:29 Entering CStartupManager::ConfigureComponentManager
2016-06-09 14:03:29 Leaving CStartupManager::ConfigureComponentManager
2016-06-09 14:03:29 Entering CStartupManager::BeginComponentManager
2016-06-09 14:03:44 CStartupManager::BeginComponentManager: m_CompMan->BeginProcessing() returned 0x80004005
2016-06-09 14:03:44 Leaving CStartupManager::BeginComponentManager
2016-06-09 14:03:44 Leaving CStartupManager::Start
2016-06-09 14:03:44 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80004005
2016-06-09 14:03:44 Exception caught in CInfrastructureModule::PreMessageLoop
2016-06-09 14:03:44 Leaving CInfrastructureModule::PreMessageLoop
2016-06-09 14:03:54 Leaving CInfrastructureModule::ServiceMain
2016-06-09 14:03:54 Leaving wWinMain

Thanks in advance :-)

Hugo



This thread was automatically locked due to age.
Parents
  • Hi,

    If you look under the registry key:

    64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\SAVService\Components\SystemInformation

    32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Components\SystemInformation

    Do you have a DWORD called EarlyStart?

    If so, you can delete it and then start the service.  

    Regards,

    Jak

  • Hi Jak,

    This has solved the problem :-)

    Don't know where you've found this but its a simple fix for a problem that I've spent a couple of days trying to solve.

    Many thanks,

    Hugo

  • Glad it did the trick.  I'd be really interested to know how this could happen though.

    During the update from 10.3.15 to 10.6.3, msiexec.exe, which would have been running as System, should have deleted the key.

    During the upgrade, 10.3.15 would have been uninstalled (as it's a major update). As a result, in the log file '\windows\temp\Sophos Anti-Virus Uninstall log.txt' you should see something like:

    MSI (s) (44:D0) [14:55:00:298]: Executing op: RegRemoveValue(,,)
    MSI (s) (44:D0) [14:55:00:298]: Executing op: RegRemoveValue(Name=ProgID,Value=SystemInformation.InfoProvider.1,)
    MSI (s) (44:D0) [14:55:00:298]: Executing op: RegRemoveValue(Name=Name,Value=SystemInformation,)
    MSI (s) (44:D0) [14:55:00:298]: Executing op: RegRemoveValue(Name=Level,Value=#1,)
    MSI (s) (44:D0) [14:55:00:298]: Executing op: RegRemoveValue(Name=EarlyStart,Value=#1,)

    The install of 10.6.3 wouldn't have added it back, as it's not in the registry table of the MSI.

    Out of interest, do you have the file '\windows\temp\Sophos Anti-Virus Uninstall log.txt'?  

    If so, can you search for the line:
    Executing op: RegRemoveValue(Name=ProgID,Value=SystemInformation.InfoProvider.1,)

    Are there any errors around that time?

    A Process Monitor log of the upgrade when it breaks would reveal all I suppose.

    I can't understand how a process running as system would be unable to delete the key, unless the permissions were really bizarre.

    Many thanks for the feedback.

    Regards,

    Jak

  • Hi Jak,

    Sorry for the delay in my reply. Your comments above have explained why we have encountered the problem and I suspect very few others have!

    We run Citrix XenClient on our computers. I update the master image and move Sophos to the new update point. Once all the updates have been competed and policies synchronised, all Sophos services are then disabled ready for the image to be packaged for deployment. Our XenClient Policy for the Sophos Software Registry Keys are set to merge changes so that any specific machine information is kept when the base image is updated. XenClient enables all of the Sophos services once the update has been installed. Clearly in this scenario a Registry value which was to be deleted has not been removed on the client machines when the update has been deployed and has caused this problem.

    As part of creating the image, Disk Cleanup is run to reduce the size of the update. I don't have the '\windows\temp\Sophos Anti-Virus Uninstall log.txt' file to check through. However I can confirm that the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\SAVService\Components\SystemInformation\EarlyStart DWORD is not present on the master image. I can only conclude from this that the Sophos installation has performed as designed.

    I will have to review the XenClient policy for Sophos and change it so at least the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\SAVService\Components key is set to use Server Changes, i.e. that any changes in the master image are entirely reflected on the client machine and changes locally are lost on each shutdown of the client OS. Without fully understanding what each value in the keys below HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos do and which values are machine specific this would hopefully prevent this type of problem in the future! 

    Many thanks for your help with this,

    Hugo

Reply
  • Hi Jak,

    Sorry for the delay in my reply. Your comments above have explained why we have encountered the problem and I suspect very few others have!

    We run Citrix XenClient on our computers. I update the master image and move Sophos to the new update point. Once all the updates have been competed and policies synchronised, all Sophos services are then disabled ready for the image to be packaged for deployment. Our XenClient Policy for the Sophos Software Registry Keys are set to merge changes so that any specific machine information is kept when the base image is updated. XenClient enables all of the Sophos services once the update has been installed. Clearly in this scenario a Registry value which was to be deleted has not been removed on the client machines when the update has been deployed and has caused this problem.

    As part of creating the image, Disk Cleanup is run to reduce the size of the update. I don't have the '\windows\temp\Sophos Anti-Virus Uninstall log.txt' file to check through. However I can confirm that the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\SAVService\Components\SystemInformation\EarlyStart DWORD is not present on the master image. I can only conclude from this that the Sophos installation has performed as designed.

    I will have to review the XenClient policy for Sophos and change it so at least the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\SAVService\Components key is set to use Server Changes, i.e. that any changes in the master image are entirely reflected on the client machine and changes locally are lost on each shutdown of the client OS. Without fully understanding what each value in the keys below HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos do and which values are machine specific this would hopefully prevent this type of problem in the future! 

    Many thanks for your help with this,

    Hugo

Children
No Data