
Endpoint Agent Failing on Windows Server 2003

Hi,

We have an issue with an installation of Sophos Endpoint Security And Control on one of our servers.

  1. The Sophos Anti-Virus service is not running and will not start (results in Error 1053)
  2. There are a large number of repeating errors in the Windows Event Log (EventID 13 - ICManager is in a failure state)
  3. The Endpoint software update fails when run

We have other Server 2003 servers running the Endpoint software without issue.

We would like to avoid rebooting the server, if possible, so I'm hoping someone may be able to suggest a course of action?

Many thanks,

Adam.

  • Hello Adam,

    first of all, like XP, Server 2003 has been retired as a supported platform.

    update fails
    because of an installation error for SAVXP? Or? The install, uninstall, CustomAction in %windir%\Temp\ should provide some details. Could be that the update fails because service control can't start SAVService.exe (is it actually stopped or stopping?)
    It might or might not be possible to solve the problem without a reboot.

    But anyway, 2003 is no longer supported, updates will cease to work any time now.

    Christian

  • Thanks for the quick reply Christian.

    I know about the impending retirement of support for Server 2003 and we are in the process of migrating to a new server, but I'm hoping to keep SAV running on the old one for just a little while longer.

    It appears that the current installation is damaged (the following is an excerpt from the Major Install log):

    2017-07-03 15:26:47 Checking the integrity of the extant SAV installation (noUI is 0)
    2017-07-03 15:26:47 The file \WSCClient.exe does not exist(2)
    2017-07-03 15:26:47 The file \SavService.exe does not exist(2)
    2017-07-03 15:26:47 The file \SavAdminService.exe does not exist(2)
    2017-07-03 15:26:47 The file \BackgroundScanClient.exe does not exist(2)
    2017-07-03 15:26:47 The file \ComponentManager.dll does not exist(2)
    2017-07-03 15:26:47 The file \ICAdapter.dll does not exist(2)
    2017-07-03 15:26:47 The file \ICManagement.dll does not exist(2)
    2017-07-03 15:26:47 The file \ICProcessors.dll does not exist(2)
    2017-07-03 15:26:47 The file \ThreatDetection.dll does not exist(2)
    2017-07-03 15:26:47 The file \VirusDetection.dll does not exist(2)
    2017-07-03 15:26:47 The file \SavControl.dll does not exist(2)
    2017-07-03 15:26:47 The file \SavMain.exe does not exist(2)
    2017-07-03 15:26:47 The file \SavProgress.exe does not exist(2)
    2017-07-03 15:26:47 The file \DesktopMessaging.dll does not exist(2)
    2017-07-03 15:26:47 The file \SavShellExt.dll does not exist(2)
    2017-07-03 15:26:47 There is an incomplete SAV installation, forcing a Major Update to recover
    ...
    2017-07-03 15:27:17 Unable to create an instance of ComponentManager - SystemInformation will not be informed of the update (0x80080005)
    ...
    2017-07-03 15:26:47 ERROR: GetVersion - Unable to load the new Factory file, path = C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Factory.xml

    And this from the Uninstall log:

    MSI (s) (14:8C) [15:45:41:164]: SOURCEMGMT: Trying source C:\Program Files\Sophos\AutoUpdate\cache\savxp\.
    MSI (s) (14:8C) [15:45:41:164]: Note: 1: 2203 2: C:\Program Files\Sophos\AutoUpdate\cache\savxp\Sophos Anti-Virus.msi 3: -2147287037
    MSI (s) (14:8C) [15:45:41:164]: SOURCEMGMT: Source is invalid due to missing/inaccessible package.

    I'm puzzled as to why the uninstaller is using the Program Files path; the .msi is actually in C:\Documents and Settings\All Users\Application Data\Sophos\AutoUpdate\Cache\savxp

    The service is in the Stopped state and will not start.

    If a reboot is necessary it is an option but if the major update failed to uninstall the software I'm guessing that a manual uninstall is also likely to fail?

    Adam.

  • "That file is also missing from C:\Program Files\Sophos\Sophos Anti-Virus\"

    NB: The folder itself exists (and contains other files) but the .inf file is missing.

  • Hello Adam,

    the .inf file is missing
    in this case please copy the .inf files (from the \wxp_i386\ subdirectories) to the Program directory and try again. I'm not sure if this will resolve the issue - normally a missing file results in a different error message but who knows.

    As for the Fix-It, can't say if it will refuse to install or run. Technically it doesn't matter whether a desktop or server OS. It does no harm to try - you get a prompt to select the products for which to remove the Installer information before it modifies something.

    Christian

  • Hi Christian

    I've copied the .inf files as suggested and that seems to have resolved that particular error but the uninstall process is still failing with error 1603. The only error I can find in the log files is this one (in the Uninstall log):

    MSI (s) (58:E8) Note: 1: 1402 2: UNKNOWN\Products\5B3B929D6C65CC643B3A1A7A48BC8B4E\Usage 3: 6
    MSI (s) (58:E8) Error in rollback skipped.    Return: 3
    Info 1402.Could not open key: UNKNOWN\Products\5B3B929D6C65CC643B3A1A7A48BC8B4E\Usage.  System error 6.  Verify that you have sufficient access to that key, or contact your support personnel.

    I had the same thought as you with regards to the Fix-It but it appears that the Server 2003 OS does not recognise the .diagcab extension.

    Adam.

  • Hello Adam,

    the only error
    as "last time" this is the rollback error, there should be somewhere "farther up" a Return value 3 following the actual error. I know, a tedious process.

    Christian
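Christian's advice above, which is to ignore the rollback "Return: 3" and the closing INSTALL result and look farther up for the first action that ended with "Return value 3", can be turned into a small log filter. This is an added example, not code from the thread or from Sophos; the log excerpt is constructed in the shape of a Windows Installer verbose log, reusing the 1402 note Adam posted.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the shape of a Windows Installer verbose log; it is
# not a real log from this thread. Line 8 carries the first "Return value 3".
SAMPLE_MSI_LOG = """\
MSI (s) (58:E8) [15:45:40:101]: Doing action: InstallValidate
Action start 15:45:40: InstallValidate.
Action ended 15:45:40: InstallValidate. Return value 1.
MSI (s) (58:E8) [15:45:40:305]: Doing action: InstallFinalize
Action start 15:45:40: InstallFinalize.
MSI (s) (58:E8) [15:45:41:002]: Executing op: RegRemoveKey(Root=-1,Key=...)
MSI (s) (58:E8) [15:45:41:050]: Note: 1: 1402 2: UNKNOWN\\Products\\5B3B929D6C65CC643B3A1A7A48BC8B4E\\Usage 3: 6
Action ended 15:45:41: InstallFinalize. Return value 3.
MSI (s) (58:E8) [15:45:41:120]: Note: 1: 1402 2: UNKNOWN\\Products\\5B3B929D6C65CC643B3A1A7A48BC8B4E\\Usage 3: 6
MSI (s) (58:E8) [15:45:41:164]: Error in rollback skipped.    Return: 3
Action ended 15:45:42: INSTALL. Return value 3.
"""

# "Action ended HH:MM:SS: <Action>. Return value 3." marks a failed action.
ACTION_FAILED = re.compile(r"^Action ended \d{1,2}:\d{2}:\d{2}: (?P<action>\w+)\. Return value 3\.")
# "Note: 1: NNNN ..." carries the Windows Installer error number (1402 = cannot open key).
NOTE_CODE = re.compile(r"Note: 1: (\d+)")


def first_failing_action(log_text: str, context: int = 5) -> Optional[Dict]:
    """Return the first action that ended with 'Return value 3', with the lines
    just before it, where the real cause is normally logged. Later 'Return value 3'
    lines (the INSTALL action, rollback notes) only echo this first failure."""
    lines = log_text.splitlines()
    for idx, line in enumerate(lines):
        m = ACTION_FAILED.match(line)
        if m:
            return {"action": m.group("action"), "line_no": idx + 1,
                    "context": lines[max(0, idx - context):idx]}
    return None


def msi_note_codes(lines: List[str]) -> List[int]:
    """Extract the Windows Installer error numbers from 'Note: 1: NNNN' lines."""
    return [int(m.group(1)) for m in map(NOTE_CODE.search, lines) if m]


if __name__ == "__main__":
    hit = first_failing_action(SAMPLE_MSI_LOG)
    if hit is None:
        print("no failed action found")
    else:
        print(f"first failing action: {hit['action']} (log line {hit['line_no']})")
        print("MSI error numbers just before it:", msi_note_codes(hit["context"]))
```

On a real log, read the file with `open(path, encoding="utf-16")` or `"mbcs"` as appropriate, since Windows Installer writes logs in the system code page or UTF-16.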

  • Hi Christian

    We finally have success!

    I'd missed a couple of .inf files when I transferred the SOPHOSBOOTDRIVER.INF earlier. After transferring these missing files the AutoUpdate routine successfully removed version 10.3.15 and installed 10.7.2.49. I just need to reboot the server tonight as the updating log (alc.log) shows a restart is now needed before a 'normal' AutoUpdate can be run.

    Thank you so much for your patience and help with this, your guidance has been invaluable.

    Kind regards,

    Adam

  • Hello Adam,

    good to hear it works.
    a restart is now needed
    not immediately, but as new components have been installed and some replaced, full functionality is only given after a reboot. A simple example: assume there's a DLL which is loaded by certain or all processes and this DLL is replaced with a new version. Already running processes will continue to use the old one. In order to have them use the updated version you have to restart these processes. To be sure all processes are using the new version a reboot is the best option.

    You should eventually reboot, but it will continue to update 10.7.2 (if it stops updating, then it is because 2003 has been retired). I've up- and downgraded (several times in succession) endpoints that had the reboot required, without a reboot in between. Very rarely have I seen AutoUpdate refuse to upgrade to a higher version; detection data updates always work (well, perhaps not for years but definitely for months).
    Thus if a reboot would be a pain, set it aside for now.

    Christian

  • Hi Christian

    Thanks for the explanation. An out-of-hours reboot shouldn't be an issue now but it's good to know that there is an option to postpone it if needed. It seems a slight shame to have achieved victory when support is due to end so soon but the learning process has definitely been worthwhile.

    Adam

  • Hi Christian

    I may have celebrated slightly prematurely.

    I rebooted the server last night and, although AutoUpdate is working correctly, on-access scanning is now showing a status of 'Unknown' (it was working before the reboot) and the following error has appeared in the Event Log:

    Failed to connect to the on-access driver (0x80070002)

    I found this article but the registry keys it mentions do not exist and running the Virus Removal Tool doesn't find anything.

    Sorry to bother you again but do you have any suggestions (other than uninstalling and re-installing the SAV)?

    Adam

  • Hello Adam,

    the registry keys it mentions do not exist
    HKLM\SYSTEM\CurrentControlSet\Services\SAVOnAccessControl
    ? 0x80070002 is a "not found" error; did you also get the mentioned Event ID 43?

    Sophos Anti-Virus has seemingly been successfully installed? I fear there is no workaround, won't suggest anything I can't test (no more 2003 or XP at hand), especially with a server.

    Christian

  • Hi Christian

    HKLM\SYSTEM\CurrentControlSet\Services\SAVOnAccessControl?

    Correct, the only SAV... keys in that location are SAVAdminService, SAVRKBootTasks and SAVService. There is no corresponding EventID 43 in the Event Log.

    Sophos Anti-Virus has seemingly been successfully installed?

    It would appear so. Everything apart from on-access scanning seems to be working (I can manually scan files, for example).

    won't suggest anything I can't test

    That sounds wise to me, thanks for taking the time to reply anyway. I think the best option may now be to remove the software and reinstall manually (at least the prior work should now allow an uninstall so wasn't wasted effort).

    Adam.

  • Hello Adam,

    does the key perhaps exist in one of the previous ControlSets? Is the SAVOnAccess driver loaded (driverquery /v | find /i "SAVOnAccess" and fltmc instances | find /i "SAVOnAccess")?

    Christian

  • Hi Christian

    It does appear in a few other areas:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVONACCESSCONTROL

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\SAVOnAccessControl

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SAVONACCESSCONTROL

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\SAVOnAccessControl

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAVONACCESSCONTROL

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\SAVOnAccessControl

    Both driver searches return nothing.

    Adam

  • Hello Adam,

    so it's uninstall → reboot → install. Hopefully this will resolve the issues.
    Do not forget to stop at least the AutoUpdate service before you uninstall. Make sure it doesn't start until after the reboot.

    Christian

  • Hi Christian

    That did the trick, thank you. Sophos is now back up and running with on-access scanning working as normal.

    Many thanks again for all your help.

    Adam