This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SAV Installation Error

Hi all,

we unfortunately encounter the following situtaion on several of our PCs:

in the Enterprise Console we see several PCs with Update-Error saying that SAVXP could not have been installed, the MSI could not have been executed (translated from the original German error-meesage).

The Anti Virus Major Install Log displays the following:

MSI (s) (30:88) [08:37:59:478]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIFD91.tmp, Entrypoint: UpdateSAVI
MSI (s) (30:18) [08:37:59:944]: Executing op: ActionStart(Name=SetFolderPermissions,,)
MSI (s) (30:18) [08:37:59:945]: Executing op: CustomActionSchedule(Action=SetFolderPermissions,ActionType=1025,Source=BinaryData,Target=SetFolderPermissions,CustomActionData=C:\Program Files (x86)\Sophos\Sophos Anti-Virus\)
MSI (s) (30:6C) [08:37:59:946]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIFF66.tmp, Entrypoint: SetFolderPermissions
CustomAction SetFolderPermissions returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (30:18) [08:37:59:957]: User policy value 'DisableRollback' is 0
MSI (s) (30:18) [08:37:59:957]: Machine policy value 'DisableRollback' is 0
Action ended 8:37:59: InstallFinalize. Return value 3.

The Custom Actions Log displays:

2014-03-10 08:37:59 SetFolderPermissions: Action started
2014-03-10 08:37:59 SetFolderPermissions: AddSpecifiedPermissionsToKey Unable to open registry key Software\Sophos\SAVService\PP (00000002)
2014-03-10 08:37:59 SetFolderPermissions: Add permissions to SavService\PP failed (0x80070002)
2014-03-10 08:37:59 SetFolderPermissions: Action failed

I've searched the internet a long time but couldn't find any hints.

Any help is apreciated.

BR,

Michael

:47960


This thread was automatically locked due to age.
  • Hello Michael,

    Unable to open registry key Software\Sophos\SAVService\PP (00000002)

    this means that the open fails because this key doesn't exist. It's not normal for it to disappear though - wonder if it's really missing?

    Christian

    :47972
  • It would be interesting to see more (all) of the install logs (major/custom).

    Quick search of case history shows no real path of investigation because uninstall/reinstall, when tested, became the workaround - which happen quite often.

    :47974

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hello Christian,

    well, the registry-path is HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos. Below that there is NO SavService!

    Should I delete the whole Sophos-Path in the registry and try a reinstall?

    Beste regards and thanks for your help,

    Micha

    :48114
  • Hi ruckus,

    please find latest versions of both logs attached.

    Sorry to you and Christian for late reply, I visited the CeBit exibition the last days..

    Best regards and thanks for your help,

    Michael

    :48116
  • Hello Michael,

    according to the log Sophos Anti-Virus is not installed and thus uninstall (of SAVXP) is not an option. That SAVXP isn't installed suggests that it has been uninstalled at some point - did you manually uninstall it? And if, how did you attempt to reinstall? Running the main setup.exe or by requesting an update? If the log is from an update performed by AutoUpdate there should be previous but recent Major Install logs - in which case I assume that the oldest is significantly different from the following.

    The mentioned key should be written to the registry by the Installer shortly before SetFolderPermissions is executed. That the SAVService key is not there is correct if the product is not installed.

    Should I delete the whole Sophos-Path in the registry

    Generally one shouldn't do such a thing unless recommended by the vendor (especially for products installed with Microsoft Installer). And if I'm not mistaken AutoUpdate and RMS are still installed, aren't they? 

    You could check the permissions on the \Software\Wow6432Node\Sophos key, they are likely correct. As you seem to be in a domain environment - have recently changes been made to the group policies? Personally I'd use Sysinternal's Process Monitor to see what happens to and with the \SAVService\PP key. If you haven't uninstalled the other components please do and then try a full install.

    Usually you should run the diagnostic utility (SDU) before any other actions but you say that several PCs are affected so evidence should be there.

    Christian

    :48126
  • Hello Christian,

    many thanks for your input.

    The situation is, that our Infrastructure-Team is installing Software remotely via Enteo Software Distribution. It could have happened that somebody tried to install Sophos on a client on which Sophos has allready been installed and that this action lead to the malfunction, but this is just a guess.

    A sollution could be to completely uninstall Sophos, I think. Is there a clean-uninstall-tool?

    Best regards,

    Michael

    :48162
  • Hello Michael,

    I see (although I don't know what Enteo does in particular).

    Is there a clean-uninstall-tool?

    A surprisingly persisting expectation :smileyhappy:. The tool is the same which is used for install - the Microsoft Installer.

    You should first try to uninstall the other Sophos components and reboot. Afterwards run setup.exe from the CID or use any other method which does not fiddle with the install. If installing SAVXP still fails this suggests either some unexpected corruption of the installer database or interference of another component. To clean the database use the Fix-It tool from Microsoft (please see Troubleshooting and resolving problematic Sophos endpoint upgrade and uninstall issues). As SAVXP isn't installed it is not in the Programs and Features list and will also not appear in the tool's list and you'd have to use the product code which is 4320988A-7DE0-478D-A38B-CE9509BCE320 (for 10.3, as seen in the Major Install log). Note that this does not uninstall - it merely removes all the information related to the product from the Installer's database and thus the next install should work like the product has never been installed before.

    Christian

    :48170
  • Hi Christian,

    again many thanks for your input. I'll try your suggested steps the next Monday and will report afterwards.

    Have a nice weekend,

    best regards,

    Michael

    :48186
  • Hi Christian,

    the Fix-IT Tool made my day! It uninstalled SophosAV completely and afterwards I was able to reinstall Sophos Endpoint.

    Many thanks four your help,

    best regards,

    Michael

    :48216
  • Hello Michael,

    good to hear it worked.

    the Fix-IT Tool ... uninstalled SophosAV completely

    To obviate the common misconception - the tool does not uninstall. It removes the Installer information for this product.  And I deliberately refrain from saying just the Installer information. It is important that you immediately afterwards not only reinstall the (same version of the) product but also apply any service that was applied before - and if your intention was uninstall only then you can (and should be able to) do so. As the tool does not remove any items (especially files) not part of the installer database as well as potentially present DB items where the linkage has been lost because of the underlying error the system's state is inconsistent after running the tool. 

    Christian 

    :48228