Update - Failed to install SAVXP: A previous version could not...

Hi...

I'm receving the following in SEC  "00000067 Failed to install SAVXP. A previous version could not be uninstalled"

and in the Sophos Antivirus uninstall log

CustomAction UninstallDriverFiles64Vista returned actual error code -1079 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (38:30) [10:10:19:389]: Product: Sophos Anti-Virus -- Error 1722.There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action UninstallDriverFiles64Vista, location: C:\Windows\SysWOW64\, command: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF"

I read a post recommeding copying NATIVE.EXE from the CIDS directory because it was not there, however I receive the same results.

Any insight would be much appreciated!

  • Does the log file: setupapi.app.log under \windows\inf\ add any more info if you can align the two logs by time?  Anything of interest in the Event logs?

    Regards,

    Jak

  • In reply to jak:

    Hi Jak,

    I don't see anything suspect in the setupapi.app.log.  And as far as the eventlog goes I see a steady stream of the following attempts and failures.

    Beginning a Windows Installer transaction

    Product: Sophos Anti-Virus -- Error 1722.There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.  Action UninstallDriverFiles64Vista, location: C:\Windows\SysWOW64\, command: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF" 

    Product: Sophos Anti-Virus -- Removal failed.

    Windows Installer removed the product. Product Name: Sophos Anti-Virus. Product Version: 10.3.15. Product Language: 1033. Manufacturer: Sophos Limited. Removal success or error status: 1603.

    Ending a Windows Installer transaction:

    Thanks!

  • In reply to LorenAnuszewski:

    I have this problem as well.  Win 7 Ent 64bit.  This machines OS was reinstalled a year ago and it had the same problem then.

    00000067  Failed to install SAVXP: A previous version could not be uninstalled

    After reinstalling  two different ways, from the console and from the EXE, the Sophos Endpoint Security and control will no longer open.  IT will update but says downloading five  then installing one of one and that fails (disappears) after a minute.

  • In reply to BillFolger:

    Hello BillFolger,

    reinstalling
    doesn't help as you see. Part of the reinstall is an uninstall of an existing downlevel version - an attempt to reinstall with the currently installed version might succeed, an "upgrade reinstall" will fail the same way as the original upgrade attempt (and, BTW, using Protect from the console is essentially running setup.exe from the CID).

    There should be a recent Sophos Anti-Virus Major Install Log_yymmdd_hhmmss.txt in %windir%\TEMP, not far from the top there should be a line
    Info: Running Uninstall of previous version using command line: msiexec.exe /x ....
    likely followed by a message that the uninstall failed. If so, please search the  Sophos Anti-Virus Uninstall log.txt  for Return value 3, the preceding lines should have some important information, the failure could have been in a remote custom action so you should check the Sophos Anti-Virus Major CustomActions Log_yymmdd_hhmmss.txt as well. If you're not sure what to do next please post the relevant lines here.

    Christian

  • In reply to QC:

    2016-06-23 09:32:17 Info: Logging started: installing/upgrading Sophos Anti-Virus
    2016-06-23 09:32:17 Info: InstallFromPath is: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\
    2016-06-23 09:32:17 Info: InstallToPath is:
    2016-06-23 09:32:17 Info: Detected version of SAV has major version number: 10
    2016-06-23 09:32:17 Info: Detected version of SAV has minor version number: 3
    2016-06-23 09:32:17 Info: registryInstallTo [overriding InstallToPath] is: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
    2016-06-23 09:32:17 Checking for problem versions of SAVI - Install path:C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
    2016-06-23 09:32:17 Veex.dll version ''
    2016-06-23 09:32:17 INFO: Checking the validity of the VDL manifest file.
    2016-06-23 09:32:18 INFO: The manifest file has been successfully validated.
    2016-06-23 09:32:18 INFO: Checking the validity of the AppFeed manifest file.
    2016-06-23 09:32:18 INFO: The manifest file has been successfully validated.
    2016-06-23 09:32:18 Info: Error parsing catalogue file - doing a full update
    2016-06-23 09:32:18 PROCESSOR_ARCHITECTURE environment variable is: AMD64
    2016-06-23 09:32:18 Failed to load driver information from INF files
    2016-06-23 09:32:18 Failed to load driver information from INF files
    2016-06-23 09:32:18 Failed to load driver information from INF files
    2016-06-23 09:32:18 Info: Managed install (from SAU)
    2016-06-23 09:32:18 Unable to QI IProductConfig
    2016-06-23 09:32:18 Info: ProductType value not found
    2016-06-23 09:32:18 Checking the integrity of the extant SAV installation
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\WSCClient.exe does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\SavService.exe does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\SavAdminService.exe does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\BackgroundScanClient.exe does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\ComponentManager.dll does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\ICAdapter.dll does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\ICManagement.dll does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\ICProcessors.dll does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\ThreatDetection.dll does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\VirusDetection.dll does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\SavControl.dll does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\SavMain.exe does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\SavProgress.exe does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\DesktopMessaging.dll does not exist(2)
    2016-06-23 09:32:18 The file C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\SavShellExt.dll does not exist(2)
    2016-06-23 09:32:18 There is an incomplete SAV installation, forcing a Major Update to recover
    2016-06-23 09:32:18 Info: Performing major update of Sophos Anti-Virus using msi.
    2016-06-23 09:32:18 Info: Update is signalled.
    2016-06-23 09:32:18 In KB2918614Workaround().
    2016-06-23 09:32:18 Leaving KB2918614Workaround().
    2016-06-23 09:32:18 Product code of SAV currently installed: {D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4}
    2016-06-23 09:32:18 Product code of SAV to be installed:     {09863DA9-7A9B-4430-9561-E04D178D7017}
    2016-06-23 09:32:18 ERROR: GetVersion - Unable to load the new Factory file, path = C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Factory.xml
    2016-06-23 09:32:18 ProductCode change detected
    2016-06-23 09:32:18 Info: Detected an older version of SAV, version 10.3. Doing a major update.
    2016-06-23 09:32:18 Info: Set Update Begin
    2016-06-23 09:32:18 Unable to create an instance of ComponentManager - SystemInformation will not be informed of the update (0x80040154)
    2016-06-23 09:32:18 Info: Stop SAVService
    2016-06-23 09:32:18 Info: Convert boot tasks
    2016-06-23 09:32:18 Info: CopyFilesToTemp
    2016-06-23 09:32:18 ERROR: StoreTempFiles - failed to copy machine file - not present, hr = 0x0
    2016-06-23 09:32:18 Warning: configuration will not be preserved
    2016-06-23 09:32:18 Info: Reading overrides from registry
    2016-06-23 09:32:18 Info: Uninstall old SAV
    2016-06-23 09:32:18 PatchInstalledSavForRemoveSAVI: SAV version '10.3.11' installed, needs patching
    2016-06-23 09:32:18 PatchInstalledSavForRemoveSAVI: Disabling the 'RemoveSAVI' custom action
    2016-06-23 09:32:18 PatchInstalledSavForRemoveSAVI: Disabling the 'DeleteOtherFiles' custom action
    2016-06-23 09:32:18 PatchInstalledSavForRemoveSAVI: Committing changes
    2016-06-23 09:32:18 PatchInstalledSavForDeleteUserGroups: SAV version '10.3.11' installed, needs patching
    2016-06-23 09:32:18 PatchInstalledSavForDeleteUserGroups: Disabling the 'DeleteUserGroups' custom action
    2016-06-23 09:32:18 PatchInstalledSavForDeleteUserGroups: Committing changes
    2016-06-23 09:32:18 Info: Running Uninstall of previous version using command line: msiexec.exe /x {D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4} REBOOT=ReallySuppress /qn  UNINSTALLDRIVERS=1 UNINSTALLCLASSFILTER=0 UNINSTALLBOOTDRIVERS=1 UNINSTALLKMSDRIVERS=1 CHECKFORSCF=0  INSTALLINGVERSION="10.6.3.537" /Lvp "C:\Windows\TEMP\Sophos Anti-Virus Uninstall log.txt"
    2016-06-23 09:32:37 Info: Finished waiting for Uninstallation of previous version. Status returned was 0l.
    2016-06-23 09:32:37 GetRidOfExistingDetoured - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll does not exist, no further action.
    2016-06-23 09:32:37 PROCESSOR_ARCHITECTURE environment variable is: AMD64
    2016-06-23 09:32:37 GetRidOfExistingDetoured - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll does not exist, no further action.
    2016-06-23 09:32:37 GetRidOfExistingDetoured - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\detoured.dll does not exist, no further action.
    2016-06-23 09:32:37 Deleting config file folder
    2016-06-23 09:32:37 Failed to delete config folder, 2
    2016-06-23 09:32:37 Info: Detected version of SAV has major version number: 10
    2016-06-23 09:32:37 Info: Detected version of SAV has minor version number: 3
    2016-06-23 09:32:37 ERROR: Uninstall of SAV, version = 10.3.11, succeeded but IsSAVInstalled is true (10.3.11).
    2016-06-23 09:32:37 ERROR: Upgrade failure
    2016-06-23 09:32:37 Info: Set Update Failed
    2016-06-23 09:32:37 Unable to create an instance of ComponentManager - SystemInformation cannot be informed of end of update

  • Oh Crap Sorry!

    [Edit by QC] I've deleted the large post with the complete Sophos Anti-Virus Uninstall log.txt and instead posted the relevant lines here

    MSI (s) (10:40) [09:42:28:114]: Executing op: ActionStart(Name=UninstallDriverFiles64Vista,,)
    MSI (s) (10:40) [09:42:28:115]: Executing op: CustomActionSchedule(Action=UninstallDriverFiles64Vista,ActionType=1058,Source=C:\Windows\SysWOW64\,Target="C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF",)
    MSI (s) (10:40) [09:42:28:115]: Note: 1: 1721 2: UninstallDriverFiles64Vista 3: C:\Windows\SysWOW64\ 4: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF"
    MSI (s) (10:40) [09:42:28:115]: Product: Sophos Anti-Virus -- Error 1721.There is a problem with this Windows Installer package. A program required for this install to complete could not be run. Contact your support personnel or package vendor. Action: UninstallDriverFiles64Vista, location: C:\Windows\SysWOW64\, command: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF"

    MSI (s) (10:40) [09:42:28:119]: User policy value 'DisableRollback' is 0
    MSI (s) (10:40) [09:42:28:119]: Machine policy value 'DisableRollback' is 0
    Action ended 9:42:28: InstallFinalize. Return value 3.

    [/Edit]

  • In reply to BillFolger:

    Hello BillFolger,

    guess the C:\Program Files (x86)\Sophos\Sophos Anti-Virus\ folder does exist but is pretty empty, isn't it?

    The following has helped in similar situations (coincidentally I had one case last week)

    • stop the Sophos AutopUpdate Service so that it won't interfere
    • copy native.exe from C:\ProgramData\Sophos\AutoUpdate\Cache\savxp\native\amd64\ to the above mentioned folder
    • do the same for the files in the ...\Cache\savxp\drivers\onaccess\win7_amd64\, ...\drivers\boottasks\, and ...\drivers\sdcfilter\win7_amd64\ folders (note: all files go to ...\Sophos Anti-Virus\ not to subfolders)
    • either uninstall Sophos Anti-Virus from the Control Panel's Programs and Features or simply start the AutoUpdate service, wait for or force an update which should then succeed

    Ideally you should use the files belonging to the installed version (BTW: the logs suggest it's 10.3.11 which is about a year old) but usually it works

    Christian

  • In reply to QC:

    YES!

     

    It's up and working with 10.6.

     

    Thank You Christian!

  • In reply to QC:

    Hi,

    Had a similar problem on a machine today. Followed you instructions as above and all okay (Thank you!), SAVXP error message disappeared but has now created a new error:

    Event Decode Unavailable (Event Number: "-2147024891" Message Code" "SAVXP.2147942405" Inserts: "Access is denied.","","","","" [0x80070005]

    I came across this link

    https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/3934/event-decode-unavailable-event-number--2147024891-message-code-savxp-2147942404

    The version on the SEC is 10.7.2.46 and the one on the client is 10.7.2.49

    We are on SEC 5.5 and have over 4900 happy machines, so I am reluctant to role back the DLL on the SEC?

    Would I be better of uninstalling again and then copy the files above from a known working machine?

    Thanks

  • In reply to pdturbo80:

    Hello pdturbo80,

    what's the corresponding event on the endpoint?
    As far as I can see the event number is not contained in SavRes.dll - neither 10.7.2.46 nor 10.7.2.49 (the message tables are identical so you don't have to copy anything). The message is just that, Access denied, the numbers are simply the int, uint, and hex representation of the same value.

    Christian

  • In reply to QC:

    Hi Christian,

     

    Thanks for the reply. Looks like after I acknowledge the event as an error and leaving it over night, it has not appeared. So good news, thanks for the original post. Looks like I have to do this fix on a number of machines. Any reason why this sometimes happens?

    Thanks

    Peter

  • In reply to QC:

    Sorry, Christian, one more on this. Do I have to copy the same files listed above into a 32 bit version of Windows 7 as I have the same issue on a a machine which is Windows 7 32 bit.

  • In reply to pdturbo80:

    Hello Peter,

    I've also seen it on a small percentage of machines. Problem is to find the log from when "it" happened, if you can find it the question is whether the event is in the log, and then whether you can prevent it happening again.
    It might be that the install sequence isn't absolutely watertight and rollbacks aren't complete when there's an interruption (e.g. due to a shutdown) at an unfortunate moment.

    Christian

  • In reply to pdturbo80:

    Hello Peter,

    same files but for 32bit from the _i386 directories.

    Christian

  • In reply to QC:

    Hi,

    Thanks for this, I tried that and it appears to have failed:

     

    2017-07-28 11:28:27 ERROR: GetVersion - Unable to load the new Factory file, path = C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Factory.xml
    2017-07-28 11:28:27 ProductCode change detected
    2017-07-28 11:28:27 Info: Added SAVService to ServicesList.
    2017-07-28 11:28:27 Info: Added SAVAdminService to ServicesList.
    2017-07-28 11:28:27 Info: Added Sophos Device Control Service to ServicesList.
    2017-07-28 11:28:27 Info: Added SophosBootDriver to ServicesList.
    2017-07-28 11:28:27 Info: Added swi_service to ServicesList.
    2017-07-28 11:28:27 Info: Added swi_filter to ServicesList.
    2017-07-28 11:28:27 Info: Added Sophos Web Control Service to ServicesList.
    2017-07-28 11:28:27 Info: Added SAVOnAccess to ServicesList.
    2017-07-28 11:28:27 Info: Added SAV to ComponentList.
    2017-07-28 11:28:27 Info: component SDC is not registered - skipping.
    2017-07-28 11:28:27 Info: component SCS is not registered - skipping.
    2017-07-28 11:28:27 Info: Added SWI to ComponentList.
    2017-07-28 11:28:27 Info: Added SWC to ComponentList.
    2017-07-28 11:28:27 Info: Detected an older version of SAV, version 10.6. Doing a major update.
    2017-07-28 11:28:27 Info: Set Update Begin
    2017-07-28 11:28:57 Unable to create an instance of ComponentManager - SystemInformation will not be informed of the update (0x80080005)
    2017-07-28 11:28:57 Info: Added SAVService to ServicesList.
    2017-07-28 11:28:57 Info: Added SAVAdminService to ServicesList.
    2017-07-28 11:28:57 Info: Sophos Device Control Service was found to not be installed - skipping.
    2017-07-28 11:28:57 Info: SophosBootDriver was found to not be installed - skipping.
    2017-07-28 11:28:57 Info: swi_service was found to not be installed - skipping.
    2017-07-28 11:28:57 Info: swi_filter was found to not be installed - skipping.
    2017-07-28 11:28:57 Info: Added Sophos Web Control Service to ServicesList.
    2017-07-28 11:28:57 Info: All services reported they accept stop controls.
    2017-07-28 11:28:57 Info: Stop SAVService
    2017-07-28 11:28:57 Info: Convert boot tasks
    2017-07-28 11:28:57 Info: CopyFilesToTemp
    2017-07-28 11:28:57 ERROR: StoreTempFiles - failed to copy machine file - not present, hr = 0x0
    2017-07-28 11:28:57 Warning: configuration will not be preserved
    2017-07-28 11:28:57 Info: Reading overrides from registry
    2017-07-28 11:28:57 Info: Uninstall old SAV
    2017-07-28 11:28:57 Detected version of SAV with product code: {CA3CE456-B2D9-4812-8C69-17D6980432EF}
    2017-07-28 11:28:57 Info: Running Uninstall of previous version using command line: msiexec.exe /x {CA3CE456-B2D9-4812-8C69-17D6980432EF} REBOOT=ReallySuppress /qn UNINSTALLDRIVERS=0 UNINSTALLCLASSFILTER=0 UNINSTALLBOOTDRIVERS=1 UNINSTALLKMSDRIVERS=1 CHECKFORSCF=0 INSTALLINGVERSION="10.7.2.49" /Lvp "C:\Windows\TEMP\Sophos Anti-Virus Uninstall Log_170728_092857.txt"
    2017-07-28 11:29:41 Info: Finished waiting for Uninstallation of previous version. Status returned was 0l.
    2017-07-28 11:29:41 WARNING: SAV uninstall failed with error 1603
    2017-07-28 11:29:41 Detected version of SAV with product code: {CA3CE456-B2D9-4812-8C69-17D6980432EF}
    2017-07-28 11:29:41 Info: Detected version of SAV has major version number: 10
    2017-07-28 11:29:41 Info: Detected version of SAV has minor version number: 6
    2017-07-28 11:29:41 ERROR: Uninstall of SAV, version = 10.6.4, succeeded but IsSAVInstalled is true (10.6.4).
    2017-07-28 11:29:41 ERROR: Upgrade failure
    2017-07-28 11:29:41 Info: Added SAV to ComponentList.
    2017-07-28 11:29:41 Info: Added SWI to ComponentList.
    2017-07-28 11:29:41 Info: Added SWC to ComponentList.
    2017-07-28 11:29:41 Info: Set Update Failed
    2017-07-28 11:30:11 Unable to create an instance of ComponentManager - SystemInformation cannot be informed of end of update