Endpoint Agent Failing on Windows Server 2003

Question

Hi, 
 We have an issue with an installation of Sophos Endpoint Security And Control on one of our servers. 
 
 The Sophos Anti-Virus service is not running and will not start (results in Error 1053) 
 There are a large number of repeating errors in the Windows Event Log (EventID 13 - ICManager is in a failure state) 
 The Endpoint software update fails when run 
 
 We have other Server 2003 servers running the Endpoint software without issue. 
 We would like to avoid rebooting the server, if possible, so I'm hoping someone may be able to suggest a course of action? 
 Many thanks, 
 Adam.

QC · Accepted Answer

Hello Adam, 
 first of all, like XP Server 2003 has been retired as supported platform. 
 update fails because of an installation error for SAVXP? Or? The install, uninstall, CustomAction in %windir%\Temp\ should provide some details. Could be that the update fails because service control can't start SAVService.exe (is it actually stopped or stopping?) It might or might not be possible to solve the problem without a reboot. 
 But anyway, 2003 is no longer supported, updates will cease to work any time now. 
 Christian

QC · Answer

Hello Adam, 
 10.3.15 is quite old, it might still be available as fixed package (at least I see this version in SEC/SUM). 
 As for the paths it works like this: The Windows Installer can be told to cache an MSI, this location is recorded together with location of the original package. When 10.3 was installed AutoUpdate's cache was still under ProgramFiles, so the original location is pointing there The cache has moved since and the 10.6/10.7 package is in the new InstallFromPath. The updating logic says that if a previous version of SAVXP is found it must be uninstalled. So the Installer first looks for the cached package, for whatever reason it is gone for good. It's then trying to find the original source - at the old path which is no longer there. Trying to locate the original source can basically have one of three outcomes - the package isn't found (path wrong or .msi not there), the package is found but it is not the correct one (e.g. for SAVXP it's always called Sophos Anti-Virus.msi but obviously it must have different contents and/or logic for different versions) also causing the Uninstall to fail, the package is found and its version is acceptable. Thus copying the current .msi to the either the Installer or the "old" AU cache won't work. 
 You'd need the 10.3.15 .msi, I'd put it in the Installer cache as 39119dc1.msi . That's still no guaranty that the Uninstall will succeed but you should try this first. 
 Christian

QC · Answer

Hello Adam, 
 if you don't have a "spare" subscription/CID you have to add a new one. You just have to name the subscription and select a package version. SUM takes care of creating and naming the CID (the \S000\ is changed to some other value). You don't have to create another updating policy (or let the server update from this CID), you just want the .msi . 
 Christian

QC · Answer

Hello Adam, 
 succeeded but IsSAVInstalled is true always found this rather ... strange. failing with a 1603 - the actual error is either somewhere in the Uninstall log or the CustomActions log. Don't think a reboot will help unless the log tells that a missing reboot is the cause of the failure. I have seen some endpoints "stuck" on 10.3.15 (or even earlier), didn't have much in common but all could be recovered. 
 Christian

QC · Answer

Hello Adam, 
 there must be some other location in the Uninstall log with an error that mentions or near a UninstallBootDriverFromInf . This part is "just" a rollback error. 
 Anyway, I knew I have seen the SetupOpenInfFile() before (at least two typos in my post). Found another post and it seems that there's not really a solution apart from the mentioned Fix-It. Guess the .inf files are still there. 
 Christian

QC · Answer

Hello Adam, 
 the .inf file is missing in this case please copy the .inf files (from the \wxp_i386\ subdirectories) to the Program directory and try again. I'm not sure if this will resolve the issue - normally a missing file results in a different error message but who knows. 
 As for the Fix-It, can't say if it will refuse to install or run. Technically it doesn't matter whether a desktop or server OS. It does no harm to try - you get a prompt to select the products for which to remove the Installer information before it modifies something. 
 Christian

QC · Answer

Hello Adam, 
 does the key perhaps exist in one of the previous ControlSets? Is the SAVOnAccess driver loaded ( driverquery /v | find /i "SAVOnAccess" and fltmc instances | find /i "SAVOnAccess" )? 
 Christian

QC · Answer

Hello Adam, 
 so it's uninstall &rarr; reboot &rarr; install. Hopefully this will resolve the issues. Do not forget to stop at least the AutoUpdate service before you uninstall. Make sure it doesn't start until after the reboot. 
 Christian