This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint cant be uninstalled

Hello everyone,

 

we are currently facing an issue that we somehow cannot solve. We had some trouble with our Update Manger from the Enterprise Console and after we solved it we are now facing an issue that only 1 client is part of.

 

So since the Client wasnt updating / upgrading properly we tried to uninstall sophos completely and reinstall it afterwards and thats where the problems began.

We werent able to uninstall the Sophos Anti Virus in the first place because it somehow got rid of the local Sophos Administrator group. After we added it back and added the user to it we tried again and it worked for another step. The next problem is that it cannot be uninstalled because there is a problem with the "windows installer package". (Tamper protection is disabled)

Since there is no error code or any specific identification for that problem i cant figure it out.

 

Anyone knows how to resolve that?



This thread was automatically locked due to age.
  • Hello syscap1337,

    it cannot be uninstalled
    it
    is SAV, isn't it? Which version?
    Please run the uninstall from the command line requesting a log:
    MsiExec.exe /X{productcode} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\SAV_Uninstall_Log.txt
    where productcode is C4EDC7DA-3AF8-4E99-ACAC-4C1A70F88CFB for SAV 10.8.2 or 6654537D-935E-41C0-A18A-C55C2BF77B7E for 10.8.1. The log should contain a more detailed error information.

    Christian

  • Hey,

     

    thanks for your fast reply theres the logfile!

     

    === Verbose logging started: 28.09.2018  13:40:50  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\windows\system32\msiexec.exe ===
    MSI (c) (08:B8) [13:40:50:590]: Resetting cached policy values
    MSI (c) (08:B8) [13:40:50:590]: Machine policy value 'Debug' is 0
    MSI (c) (08:B8) [13:40:50:590]: ******* RunEngine:
               ******* Product: {C4EDC7DA-3AF8-4E99-ACAC-4C1A70F88CFB}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (08:B8) [13:40:50:590]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (08:B8) [13:40:53:590]: Failed to grab execution mutex. System error 258.
    MSI (c) (08:B8) [13:40:53:590]: Cloaking enabled.
    MSI (c) (08:B8) [13:40:53:590]: Attempting to enable all disabled privileges before calling Install on Server
    MSI (c) (08:B8) [13:40:53:590]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (c) (08:B8) [13:40:53:590]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (08:B8) [13:40:53:590]: MainEngineThread is returning 1618
    === Verbose logging stopped: 28.09.2018  13:40:53 ===

    MSI (s) (D8:04) [13:41:55:378]: User policy value 'DisableRollback' is 0
    MSI (s) (D8:04) [13:41:55:378]: Machine policy value 'DisableRollback' is 0
    MSI (s) (D8:04) [13:41:55:378]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (D8:04) [13:41:55:378]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
    MSI (s) (D8:04) [13:41:55:378]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
    MSI (s) (D8:04) [13:41:55:378]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (s) (D8:04) [13:41:55:378]: Destroying RemoteAPI object.
    MSI (s) (D8:D8) [13:41:55:378]: Custom Action Manager thread ending.

  • Hello syscap1337,

    thanks, analysis is a no-brainer: 1618 - Another installation is already in progress.

    Unlikely that it's a "healthy" install or uninstall that will finish sooner or later. Likely a stuck installation, if you did already reboot and encountered also the 1618 it could ne a Windows update. The Task Manager shows at least two msiexec.exe processes. As the (un)install is stuck and has been forcibly closed with the reboot killing (end process tree) these processes should do no (additional) harm. Subsequently you should be able to uninstall.

    You'll have to find out what this (un)install is that apparently starts after boot. 

    Christian

  • Hey QC,

     

    this Problem is now resolved. To be honest i have no Idea why it was being uninstalled properly or what caused it in the first place. It definitely wasnt the Windows Installer instance which was just bad timing cause updates have run prior that day.

     

    Thank you anyway for your quick responses.

     

    Have a great day!

     

    syscap