Update failing with Failed to install savxp: uninstalling an older product failed.

David Coombe,

doesn't look like the RebootYesNo property is actually used.
Normally the log contains at least a hint why the .msi thinks a reboot is required. Please search for the string Return value 3 (might be more than one occurrence), the significant messages are in the lines above.

Christian

Hi Christian, 

Thanks for the quick reply. I found two instances of Return value 3. The first instance is related to the Web Intelligence service,which makes sense, as this PC is having issues with that service. I've tried following the instructions found here https://community.sophos.com/kb/en-us/121905, but haven't had any luck restarting or manually  re-registering the service. I'm not sure what my next steps should be.   

MSI (s) (C8:84) [13:14:16:496]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI157B.tmp, Entrypoint: UninstallService
MSI (s) (C8:74) [13:14:16:512]: Executing op: ActionStart(Name=SwiCalloutUninstall.11DACB83_28A7_4FA6_AF5B_C006E340C101,,)
CustomAction SwiFilterUninstall.11DACB83_28A7_4FA6_AF5B_C006E340C101 returned actual error code 1603 but will be translated to success due to continue marking
MSI (s) (C8:74) [13:14:16:512]: Executing op: CustomActionSchedule(Action=SwiCalloutUninstall.11DACB83_28A7_4FA6_AF5B_C006E340C101,ActionType=3137,Source=BinaryData,Target=CAQuietExec,CustomActionData="C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_di.exe" -r "C:\WINDOWS\TEMP\SwiRebootRequired.txt" /u "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_callout.inf")
MSI (s) (C8:AC) [13:14:16:512]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI158C.tmp, Entrypoint: CAQuietExec
CAQuietExec: driverInstaller
CAQuietExec:
CAQuietExec: Uninstallation error: Unknown error code: 0xe0000302
CAQuietExec: error:1
CAQuietExec: Error 0x80070001: Command line returned an error.
CAQuietExec: Error 0x80070001: CAQuietExec Failed
MSI (s) (C8:74) [13:14:16:918]: Executing op: ActionStart(Name=ForceStopSAVService,,)
CustomAction SwiCalloutUninstall.11DACB83_28A7_4FA6_AF5B_C006E340C101 returned actual error code 1603 but will be translated to success due to continue marking
MSI (s) (C8:74) [13:14:16:934]: Executing op: CustomActionSchedule(Action=ForceStopSAVService,ActionType=1025,Source=BinaryData,Target=ForceStopSAVService,)
MSI (s) (C8:E8) [13:14:16:934]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI1732.tmp, Entrypoint: ForceStopSAVService
MSI (s) (C8:74) [13:14:17:012]: Executing op: ActionStart(Name=WaitForSAVService,,)
MSI (s) (C8:74) [13:14:17:012]: Executing op: CustomActionSchedule(Action=WaitForSAVService,ActionType=1025,Source=BinaryData,Target=WaitForSAVService,)
MSI (s) (C8:24) [13:14:17:012]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI1782.tmp, Entrypoint: WaitForSAVService
MSI (s) (C8:74) [13:14:17:059]: Executing op: ActionStart(Name=CleanUpSsspUserAccountRollback,,)
MSI (s) (C8:74) [13:14:17:059]: Executing op: CustomActionSchedule(Action=CleanUpSsspUserAccountRollback,ActionType=1281,Source=BinaryData,Target=SetupSspUserAccount,CustomActionData=NT SERVICE\SAVService)
MSI (s) (C8:74) [13:14:17:059]: Executing op: ActionStart(Name=CleanUpSsspUserAccount,,)
MSI (s) (C8:74) [13:14:17:059]: Executing op: CustomActionSchedule(Action=CleanUpSsspUserAccount,ActionType=1025,Source=BinaryData,Target=CleanUpSsspUserAccount,CustomActionData=NT SERVICE\SAVService)
MSI (s) (C8:D4) [13:14:17:059]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI17B1.tmp, Entrypoint: CleanUpSsspUserAccount
MSI (s) (C8:74) [13:14:17:074]: Executing op: ActionStart(Name=RemoveSIPSSubmitterUserAccount,,)
CleanUpSsspUserAccount: Initialized.
MSI (s) (C8:74) [13:14:17:074]: Executing op: CustomActionSchedule(Action=RemoveSIPSSubmitterUserAccount,ActionType=1025,Source=BinaryData,Target=RemoveSIPSManagementUser,CustomActionData=NT SERVICE\SAVService)
MSI (s) (C8:F4) [13:14:17:090]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI17C2.tmp, Entrypoint: RemoveSIPSManagementUser
RemoveSIPSManagementUser Enter (290)
Failed to delete value from the registry (319)
CustomAction RemoveSIPSSubmitterUserAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (C8:74) [13:14:17:121]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (C8:74) [13:14:17:121]: User policy value 'DisableRollback' is 0
MSI (s) (C8:74) [13:14:17:121]: Machine policy value 'DisableRollback' is 0
Action ended 13:14:17: InstallFinalize. Return value 3.

David Coombe,

Try this:

1. Stop all Sophos services.

2. Download Microsoft uninstall tool to uninstall the Sophos components:

"https://support.microsoft.com/en-us/help/17588/fix-problems-that-block-programs-from-being-installed-or-removed"

3. Reboot the computer and reinstall End point.

Thanks Zhi, I'll give this a try. 

Thanks Zhi. That did the trick. 

Good to know.

Hello,

just a word of caution: The Fix-It shouldn't be your first choice tool (whether with Sophos or some other software). When a product (in Installer terms) is installed with Windows Installer certain information is stored in the so-called Installer Database. Part of it is solely for the use by the product, other parts record information used by Windows (e.g. what you see under Programs and Features), dependencies, and changes that might affect other products and Windows components. Normally some changes can only be reverted by the product and obviously the product needs the information from the database to perform the necessary changes.
What the Fix-It does is removing all information related to a product - it neither uninstalls nor does it otherwise roll back changes made by the install. Ideally its use should be followed by an install - and this even if you want to remove the product - which brings the product to the same state (version, patches, and so on) that (should have) existed before the failed uninstall, if desired followed by a (now hopefully successful) uninstall.
After using the Fix-It it looks (to the Installer) like the product has not been installed before, the logic executed is the one for a first-time install. This doesn't guarantee though that the install will succeed - e.g. the logic might check whether a certain file or folder that is to be created ny the install already exists and subsequently abort the installation. 

There's no general rule when it is safe to digress, if you do so there's a good chance that there will be left-overs. These might (immediately or at a later time) or might not cause issues. Thus it should always be considered as a last resort.

Christian

I found that this Microsoft application works great for ripping a failed or corrupted Sophos endpoint install.

Then is searched the registry and deleted.

C:\ProgramData\Sophos\AutoUpdate\cache\savxp\

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos

And a few other location that had the name sophos.

Searched programData, both Program Files folders and delete any folder with Sophos.

Also found that sometimes you have to disabled all Sohpos services to get all folder deleted.

Even had to change the name of a Sophos folder to get it deleted.

And lots of restarts.

Then I pushed from the SEC.  And sometimes it installs and other times no and the PC just has to be reimaged.

Hello Navar Holmes,

I daresay virtually the only case in which you have to resort to the Fix-It is when the update fails because the previous version of a component (e.g. SAVXP) can't be uninstalled due to a missing cached .msi and you don't have an appropriate .msi (in the example Sophos Anti-Virus.msi). Most other cases can be resolved after you've determined the exact cause for an install or uninstall failure.

Christian

Here are a few tail tail signs that I have identified that will cause sophos endpoint to either fail to install, upgrade or update.

This all applies to domain controlled PCs.

If the PC is ever giving a Windows Installer error.  Re-image or re-install OS.

Never restart or power off the PC while sophos is updating or installing.  sophos doesn't recover from this sometimes.

If there is duplicate DNS entries for the PC sophos fail or act weird.  This happens when DNS scavenging is not enabled so a PC name can have more than one IP listed in DNS.

Windows firewall if enabled and exclusions are not set.  Or it is not disabled.

UAC is set to default.  which is level three if top is 4.  Disabling also good for doing the install.

Sophos was installed manually before the PC was joined to the domain.  This always requires an uninstall or ripping sophos out with a third party tool like the Microsoft tool.  Or you can waste a few hours trying to get it work.

Why?  Sophos clones three of the local security groups, Administrators to (SophosAdministrators), Power Users to (SophosPowerUser) and User to (SophosUser).  Sophos will not update these groups when the PC is joined to the domain or if you try a re-install.

Beware of weather changes.

If doing a manual install copy the installer to a root folder in the C drive.  The installer likes to be in a common location.  Don't copy to your desktop.

Always right-click and run as administrator.

Once Sophos AV is installed it is normal for it to say “Update Failed”.  Normally this just means that a restart is needed.  You can verify this by opening Sophos.  Open the “View Updating Log”.  You should see “WARNING: Restart needed for update to take effect”.  If you don’t see this right-click the ‘S” shield and Update Now.  Once the update is finished check for WARNING again.  Either way restart PC.  If after a restart Sophos is still giving “Update Failed” the wind might have changed direction while you were installing.  Re-verify the firewall and UAC are still disabled if not disabled and try “Update Now” again.

Note:  Sophos will always give an failed message if the PC is still in the default Computer OU but only if the default Computer OU is excluded from the AD sync.

If you check the updating logs and it is blank.  Uninstall or rip out sophos.  Or waste a few hours trying to fix sophos but I my time better spent uninstall or ripping sophos out.

sophos doesn't support netted security groups when you are trying to uninstall sophos.  You will need to add your administrator account to the SophosAdministrators local security group first.