Failed to install SAVXP. A previous version could not be uninstalled

Hello DannyHolyoake,

the .MSI of the same version
the Anti-Virus Install log suggests that the installed version is 10.3 and the uninstall fails because the appropriate MSI can't be found (it should be in the installer cache but apparently it no longer is). 10.3.15 is still available as Fixed Extended download in SEC so you should be able to obtain the necessary .MSI this way.

Christian

Hi QC, I really appreciate your response.

I edited the registry on the server to allow Enterprise Console to use Fixed Packages, but when I create a new Software Subscription, the Version dropdown only allows me to choose from 10.6.3 VE3.64.3, and 10.6.3.VE3.64.2.

According to this article, 10.3.15 should be available until September 2016, so I'm not sure why it's not appearing as an option on my console.

Many thanks for your help!

Hello DannyHolyoake,

in the console menu line click Tools, near the bottom Configure Use of Fixed Packages ..., is the box checked? And as you have edited the registry on the server - did you open the console locally or remotely? Please see the console help Fixed version software packages.

Christian

Hey,

Yes, 'Enable Use of Fixed Packages' is ticked. The console is still only showing those two options in the screenshot I attached earlier. Any idea why 10.3.15 isn't an option?

I remote into the server on which SEC is installed, and launch it locally on Windows Server.

Thanks again for your help.

Hello DannyHolyoake,

a closer look at your screenshot reveals that you have an Endpoint Business subscription. AFAIK this would correspond to Endpoint Standard in the current scheme.Furthermore, End of life for Sophos Antivirus fixed version packages suggests (fixed packages for Advanced licenses) that they might not be available with your subscription.

Support should be able to provide you the 10.3.15 MSIs - please contact them directly and refer them to this thread (I'm not Sophos so I can't tell what their answer will be but ...)

Christian 

Thanks, I have emailed support@sophos.com with my details and will await a reply.

Thanks, I have emailed support@sophos.com with my details and will await a reply.

Hi,

One thing you could try is to go to the Sophos Downloads page and go to the standalone installers.

At the moment the link will be 10.6.. E.g. http://downloads.sophos.com/inst/[token]/escw_106_sa_sfx.exe

You can observe this URL in the developer tools of the browser (F12 Chrome - Network tab), if you change this to be the escw_103_sa_sfx.exe, i.e.
http://downloads.sophos.com/inst/[token]/escw_103_sa_sfx.exe

The SAV MSI in that, once extracted will be 10.3.15.

You could copy this MSI file to be "C:\Windows\Installer\bca0a1.msi" and then re-try the uninstall.

Regards,

Jak

Hi Jak,

Thanks for your help, I was able to download the 10.3 setup exe and extract the MSI, and copied it to the Installer directory with the name you specified.

I attempted to uninstall via the MSI, and got the following error message - "Error 1721. There is a problem with this Windows Installer package. A Program required for this install to complete could not be run. Contact your support personnel or package-vendor".

I did the uninstall again with logging enabled and don't see that error code in the log. Here's where the MSI failed.

MSI (s) (B0:CC) [09:32:52:276]: Executing op: RegRemoveKey()
MSI (s) (B0:CC) [09:32:52:276]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages 3: 2 
MSI (s) (B0:CC) [09:32:52:276]: Executing op: RegOpenKey(Root=-2147483646,Key=Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5B3B929D6C65CC643B3A1A7A48BC8B4E\Transforms,,BinaryType=1,,)
MSI (s) (B0:CC) [09:32:52:276]: Executing op: RegRemoveKey()
MSI (s) (B0:CC) [09:32:52:276]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5B3B929D6C65CC643B3A1A7A48BC8B4E\Transforms 3: 2 
MSI (s) (B0:CC) [09:32:52:276]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
MSI (s) (B0:CC) [09:32:52:276]: Error in rollback skipped. Return: 5
MSI (s) (B0:CC) [09:32:52:279]: Note: 1: 2318 2: 
MSI (s) (B0:CC) [09:32:52:279]: Calling SRSetRestorePoint API. dwRestorePtType: 13, dwEventType: 103, llSequenceNumber: 362, szDescription: "".
MSI (s) (B0:CC) [09:32:52:280]: The call to SRSetRestorePoint API succeeded. Returned status: 0.
MSI (s) (B0:CC) [09:32:52:280]: Unlocking Server
MSI (s) (B0:CC) [09:32:52:284]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
Action ended 09:32:52: INSTALL. Return value 3.

From the Sophos Anti-Virus Uninstall log -

MSI (s) (E8:10) [10:01:51:150]: Executing op: SetTargetFolder(Folder=23\Sophos\Sophos Endpoint Security and Control\)
MSI (s) (E8:10) [10:01:51:151]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (s) (E8:10) [10:01:51:151]: Executing op: ActionStart(Name=RevealMSXML4,,)
MSI (s) (E8:10) [10:01:51:151]: Executing op: CustomActionSchedule(Action=RevealMSXML4,ActionType=1025,Source=BinaryData,Target=RevealMSXML4,)
MSI (s) (E8:D8) [10:01:51:153]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIE082.tmp, Entrypoint: RevealMSXML4
MSI (s) (E8:10) [10:01:51:163]: Executing op: ActionStart(Name=UninstallBootDriver64,,)
MSI (s) (E8:10) [10:01:51:163]: Executing op: CustomActionSchedule(Action=UninstallBootDriver64,ActionType=1058,Source=C:\Windows\SysWOW64\,Target="C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /bdu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SOPHOSBOOTDRIVER.INF" 0x200,)
MSI (s) (E8:10) [10:01:51:163]: Note: 1: 1721 2: UninstallBootDriver64 3: C:\Windows\SysWOW64\ 4: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /bdu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SOPHOSBOOTDRIVER.INF" 0x200 
MSI (s) (E8:10) [10:01:51:164]: Product: Sophos Anti-Virus -- Error 1721.There is a problem with this Windows Installer package. A program required for this install to complete could not be run. Contact your support personnel or package vendor. Action: UninstallBootDriver64, location: C:\Windows\SysWOW64\, command: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /bdu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SOPHOSBOOTDRIVER.INF" 0x200

MSI (s) (E8:10) [10:01:51:167]: User policy value 'DisableRollback' is 0
MSI (s) (E8:10) [10:01:51:167]: Machine policy value 'DisableRollback' is 0
Action ended 10:01:51: InstallFinalize. Return value 3.

Since doing this, I've been unable to start the Sophos Anti-Virus service, running into the same error as in this thread - https://community.sophos.com/products/endpoint-security-control/f/3/t/1341

Thanks.

Hello Danny,

please see the Update - Failed to install SAVXP ... thread for a possible cause and solution.

Christian

Thank you Christian.

I had seen your post last week and tried it, but it didn't work. This time, however, it worked - thanks to having the correct MSI!

The process I followed to resolve this - 

Obtained the AntiVirus .MSI for 10.3, renamed it to "bca0a1.msi" and moved it into "C:\Windows\Installer\"

I followed Christian's advice, copying certain files from the AutoUpdate cache to the SAV ProgramFiles folder, as shown here - https://community.sophos.com/products/endpoint-security-control/f/3/p/76138/299476#299476

I uninstalled all Sophos components (in the order as shown here - https://community.sophos.com/kb/en-us/109668)

Deleted the endpoint from the Enterprise Console, ran Discover Computers to detect it again and, finally, protected the endpoint via the Enterprise Console.

I will begin doing this process on all affected machines! Thank you so much for your help.

Sorry, one more question Christian, if you're able to answer.

The process of copying these files from the cache to the Program Files directory - what are these files and why does copying them over resolve uninstall issues? I'd like to better understand what this process actually accomplishes. Otherwise I'll chalk it up to an unexplainable quirk of Sophos :)

Hello Danny,

if you're able to answer
dunno [:D]. SAV needs some drivers, these are OS version and architecture specific and therefore in their own subfolders in the CID (and therefore the cache). The (un-)installation process is kept as universal as possible, thus the driver installation is run as CustomAction from the ProgramFiles folder after the necessary files have been copied from the applicable subfolder. Native.exe is required for 64bit systems. During uninstall (which is implied on version updates) the same files are needed (in the program directory) to remove the drivers.
It seems that on rare occasions an obscure error occurs which is not correctly rolled back - leaving the program directory empty and subsequently further uninstall attempts fail (in a number of cases the cached .msi also disappears). A quirk, yes, whether Sophos or the Installer I can't say. While each install has its own log there's only one Uninstall log - as the failure is only noticed at the next uninstall I've never found a log with the "original" error.

Christian