Re-install Sophos Anti-Virus on Windows 7

I had Sophos Anti-Virus working well and the computer became infected with the Alureon rootkit, which prevented updates and caused lots of other problems.  Sophos apparently did not stop or remove it.  I un-installed Sophos Anti-Virus and AutoUpdate.  After cleaning the bugs I tried to re-install Sophos.  It installs the AutoUpdate piece but not the Anti-Virus.  What needs to be done to remove old traces of Sophos so that a fresh install will work correctly?

Ron Taylor

  • Hi,

    The best thing would be to check the install logs and see why the anti-virus component is failing to install.  There are 2 logs created:

    1. Sophos Anti-Virus Install Log_[TIMESTAMP].txt
    2. Sophos Anti-Virus CustomActions Log_[TIMESTAMP].txt

    Where the timestamps match as they are a pair.  Depending on the type of install, the logs will be in either:

    • %temp%
    • \windows\temp\

    Where %temp% is the installing user's temp if you are installing Sophos from the standalone installer, or the system temp if you are performing a managed install where AutoUpdate installs SAV as the System account.

    I would start by opening the file "Sophos Anti-Virus Install Log_[TIMESTAMP].txt", navigating to the bottom of the file and searching up for "value 3" (no quotes).  This should put you near a custom action that might have failed.  Hopefully the name of it will put you in the right area and you can cross-reference it with the other log file (Sophos Anti-Virus CustomActions Log_[TIMESTAMP].txt) based on the time stamp in the log.

    The other approach would be to remove everything Sophos (I assume this is just a client, so you can remove everything).

    To do so:

    1. Run the uninstallers from "Add or remove programs" or "Programs and Features" and then reboot the machine.

    2. On start-up delete the following if they exist, some will not depending on platform/components installed:

    Directories:

    "\Program Files (x86)\Sophos\"

    "\Program Files\Sophos\"

    "\documents and settings\all users\application data\Sophos\"

    "\programdata\Sophos\"

    Files

    "\Windows\System32\drivers\savonaccess.sys" 

    "\Windows\System32\drivers\savonaccesscontrol.sys"

    "\Windows\System32\drivers\savonaccessfilter.sys"

    "\Windows\System32\drivers\sdcfilter.sys"

    "\Windows\System32\drivers\skmscan.sys"

    "\Windows\System32\drivers\SophosBootDriver.sys"

    "\Windows\System32\SophosBootTasks.exe"

    "\Windows\System32\sdccoinstaller.dll"

    Registry

    "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\"

    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\"

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVAdminService\"

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVOnAccess\"

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sophos Device Control Service\"

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SophosBootDriver\"

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVService\"

    "HKEY_CURRENT_USER\Software\Sophos\"

    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"

    is also worthwhile considering for clean-up before reinstalling. This string value can have multiple entries separated by spaces or commas, one of which will be a path to the Sophos detoured dll for the platform.  Detoured is covered in more detail here: http://www.sophos.com/support/knowledgebase/article/112099.html. Because it can be a space-separated list, files are referenced using the short file path.  Depending on what other applications are installed there could be multiple entries in this key, so just remove the path to the Sophos dll, leaving any other paths intact.  More information on this key can be found here: http://support.microsoft.com/kb/197571.

    It would probably be sensible to take an export of the registry before removing anything but that probably depends on confidence levels :)

    I would probably also remove as much as possible from:

    %temp%

    "\windows\temp\"

    The only other keys which would be quite tedious to remove would be all the class registrations for Sophos in 

    "\HKEY_CLASSES_ROOT\"

    This would involve highlighting the above key and searching through it for the word "Sophos" for example.  I would probably stop short of doing this on the first reinstall attempt.  Removing the above hopefully will be enough.

    I might be then tempted to kick off another install with Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645) running in the background:

    Should the install fail again, a combination of the latest install logs mentioned above and the Process Monitor log (you can save the log to .pml) from the same time would give yourself or Support the best chance of understanding why the install is failing.

    You might like to search the Process Monitor log around the time of the latest failure in the msi log.  A quick search of the entire Process Monitor log for "Access denied" is also a good first check.

    I hope this gives you something to try and at least provides you with some good information to submit to Support.  If you do end up speaking to Support an SDU log from the machine would also be a good idea.

    http://www.sophos.com/support/knowledgebase/article/33533.html

    As this will get the above logs but also event logs, registry exports, system nfo file etc.

    Regards,

    Jak

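Two of the steps in the reply above are mechanical enough to script: finding the failed action behind the "search up for value 3" step, and trimming only the Sophos entry out of AppInit_DLLs. The script below is an added example, not Jak's or Sophos's code; the MSI log lines are constructed in the standard Windows Installer verbose-log style, and the short-path Sophos dll entry is a constructed sample, not a real value.

```python
"""Helpers for triaging a failed Sophos Anti-Virus MSI install.

Added example; the sample log and AppInit_DLLs values are constructed.
"""
import re

# Windows Installer verbose logs end each action with
# "Action ended HH:MM:SS: <ActionName>. Return value <N>."
# Return value 3 means the action failed.
ACTION_ENDED = re.compile(
    r"^Action ended (\d\d:\d\d:\d\d): (.+?)\. Return value (\d+)\.")

# Constructed sample of the tail of a failed install log.
SAMPLE_MSI_LOG = """\
Action start 14:02:30: InstallInitialize.
Action ended 14:02:30: InstallInitialize. Return value 1.
Action start 14:02:31: CA_ConstructedExampleCheck.
CustomAction CA_ConstructedExampleCheck returned actual error code 1603
Action ended 14:02:32: CA_ConstructedExampleCheck. Return value 3.
Action ended 14:02:33: INSTALL. Return value 3.
"""


def failed_actions(log_text):
    """Walk the log from the bottom up (as the reply suggests) and return
    every (time, action) that ended with return value 3, last one first."""
    hits = []
    for line in reversed(log_text.splitlines()):
        m = ACTION_ENDED.match(line.strip())
        if m and m.group(3) == "3":
            hits.append((m.group(1), m.group(2)))
    return hits


def likely_culprit(log_text):
    """The bottom-most failure is usually the top-level INSTALL sequence
    reporting the error; the action just above it is the one to look up in
    the CustomActions log by its timestamp. Returns None if nothing failed."""
    for time, action in failed_actions(log_text):
        if action != "INSTALL":
            return time, action
    return None


def strip_sophos_appinit(value):
    """Remove only the Sophos dll from an AppInit_DLLs string.

    Entries are space- or comma-separated short (8.3) paths; every entry
    that is not Sophos's is kept in its original order."""
    entries = [e for e in re.split(r"[ ,]+", value.strip()) if e]
    return " ".join(e for e in entries if "sophos" not in e.lower())
```

Back up the key with a registry export before writing the trimmed value back, as the reply advises.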