Update - Failed to install SAVXP: A previous version could not...

Oh Crap Sorry!

[Edit by QC] I've deleted the large post with the complete Sophos Anti-Virus Uninstall log.txt and instead posted the relevant lines here

MSI (s) (10:40) [09:42:28:114]: Executing op: ActionStart(Name=UninstallDriverFiles64Vista,,)
MSI (s) (10:40) [09:42:28:115]: Executing op: CustomActionSchedule(Action=UninstallDriverFiles64Vista,ActionType=1058,Source=C:\Windows\SysWOW64\,Target="C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF",)
MSI (s) (10:40) [09:42:28:115]: Note: 1: 1721 2: UninstallDriverFiles64Vista 3: C:\Windows\SysWOW64\ 4: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF"
MSI (s) (10:40) [09:42:28:115]: Product: Sophos Anti-Virus -- Error 1721.There is a problem with this Windows Installer package. A program required for this install to complete could not be run. Contact your support personnel or package vendor. Action: UninstallDriverFiles64Vista, location: C:\Windows\SysWOW64\, command: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF"

MSI (s) (10:40) [09:42:28:119]: User policy value 'DisableRollback' is 0
MSI (s) (10:40) [09:42:28:119]: Machine policy value 'DisableRollback' is 0
Action ended 9:42:28: InstallFinalize. Return value 3.

[/Edit]

Oh Crap Sorry!

[Edit by QC] I've deleted the large post with the complete Sophos Anti-Virus Uninstall log.txt and instead posted the relevant lines here

MSI (s) (10:40) [09:42:28:114]: Executing op: ActionStart(Name=UninstallDriverFiles64Vista,,)
MSI (s) (10:40) [09:42:28:115]: Executing op: CustomActionSchedule(Action=UninstallDriverFiles64Vista,ActionType=1058,Source=C:\Windows\SysWOW64\,Target="C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF",)
MSI (s) (10:40) [09:42:28:115]: Note: 1: 1721 2: UninstallDriverFiles64Vista 3: C:\Windows\SysWOW64\ 4: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF"
MSI (s) (10:40) [09:42:28:115]: Product: Sophos Anti-Virus -- Error 1721.There is a problem with this Windows Installer package. A program required for this install to complete could not be run. Contact your support personnel or package vendor. Action: UninstallDriverFiles64Vista, location: C:\Windows\SysWOW64\, command: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF"

MSI (s) (10:40) [09:42:28:119]: User policy value 'DisableRollback' is 0
MSI (s) (10:40) [09:42:28:119]: Machine policy value 'DisableRollback' is 0
Action ended 9:42:28: InstallFinalize. Return value 3.

[/Edit]

Hello BillFolger,

guess the C:\Program Files (x86)\Sophos\Sophos Anti-Virus\ folder does exist but is pretty empty, isn't it?

The following has helped in similar situations (coincidentally I had one case last week)

• stop the Sophos AutopUpdate Service so that it won't interfere
• copy native.exe from C:\ProgramData\Sophos\AutoUpdate\Cache\savxp\native\amd64\ to the above mentioned folder
• do the same for the files in the ...\Cache\savxp\drivers\onaccess\win7_amd64\, ...\drivers\boottasks\, and ...\drivers\sdcfilter\win7_amd64\ folders (note: all files go to ...\Sophos Anti-Virus\ not to subfolders)
• either uninstall Sophos Anti-Virus from the Control Panel's Programs and Features or simply start the AutoUpdate service, wait for or force an update which should then succeed

Ideally you should use the files belonging to the installed version (BTW: the logs suggest it's 10.3.11 which is about a year old) but usually it works

Christian

YES!

It's up and working with 10.6.

Thank You Christian!

Hi,

Had a similar problem on a machine today. Followed you instructions as above and all okay (Thank you!), SAVXP error message disappeared but has now created a new error:

Event Decode Unavailable (Event Number: "-2147024891" Message Code" "SAVXP.2147942405" Inserts: "Access is denied.","","","","" [0x80070005]

I came across this link

https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/3934/event-decode-unavailable-event-number--2147024891-message-code-savxp-2147942404

The version on the SEC is 10.7.2.46 and the one on the client is 10.7.2.49

We are on SEC 5.5 and have over 4900 happy machines, so I am reluctant to role back the DLL on the SEC?

Would I be better of uninstalling again and then copy the files above from a known working machine?

Thanks

Hello pdturbo80,

what's the corresponding event on the endpoint?
As far as I can see the event number is not contained in SavRes.dll - neither 10.7.2.46 nor 10.7.2.49 (the message tables are identical so you don't have to copy anything). The message is just that, Access denied, the numbers are simply the int, uint, and hex representation of the same value.

Christian

Hi Christian,

Thanks for the reply. Looks like after I acknowledge the event as an error and leaving it over night, it has not appeared. So good news, thanks for the original post. Looks like I have to do this fix on a number of machines. Any reason why this sometimes happens?

Thanks

Peter

Sorry, Christian, one more on this. Do I have to copy the same files listed above into a 32 bit version of Windows 7 as I have the same issue on a a machine which is Windows 7 32 bit.

Hello Peter,

I've also seen it on a small percentage of machines. Problem is to find the log from when "it" happened, if you can find it the question is whether the event is in the log, and then whether you can prevent it happening again.
It might be that the install sequence isn't absolutely watertight and rollbacks aren't complete when there's an interruption (e.g. due to a shutdown) at an unfortunate moment.

Christian

Hello Peter,

same files but for 32bit from the _i386 directories.

Christian

Hi,

Thanks for this, I tried that and it appears to have failed:

2017-07-28 11:28:27 ERROR: GetVersion - Unable to load the new Factory file, path = C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Factory.xml
2017-07-28 11:28:27 ProductCode change detected
2017-07-28 11:28:27 Info: Added SAVService to ServicesList.
2017-07-28 11:28:27 Info: Added SAVAdminService to ServicesList.
2017-07-28 11:28:27 Info: Added Sophos Device Control Service to ServicesList.
2017-07-28 11:28:27 Info: Added SophosBootDriver to ServicesList.
2017-07-28 11:28:27 Info: Added swi_service to ServicesList.
2017-07-28 11:28:27 Info: Added swi_filter to ServicesList.
2017-07-28 11:28:27 Info: Added Sophos Web Control Service to ServicesList.
2017-07-28 11:28:27 Info: Added SAVOnAccess to ServicesList.
2017-07-28 11:28:27 Info: Added SAV to ComponentList.
2017-07-28 11:28:27 Info: component SDC is not registered - skipping.
2017-07-28 11:28:27 Info: component SCS is not registered - skipping.
2017-07-28 11:28:27 Info: Added SWI to ComponentList.
2017-07-28 11:28:27 Info: Added SWC to ComponentList.
2017-07-28 11:28:27 Info: Detected an older version of SAV, version 10.6. Doing a major update.
2017-07-28 11:28:27 Info: Set Update Begin
2017-07-28 11:28:57 Unable to create an instance of ComponentManager - SystemInformation will not be informed of the update (0x80080005)
2017-07-28 11:28:57 Info: Added SAVService to ServicesList.
2017-07-28 11:28:57 Info: Added SAVAdminService to ServicesList.
2017-07-28 11:28:57 Info: Sophos Device Control Service was found to not be installed - skipping.
2017-07-28 11:28:57 Info: SophosBootDriver was found to not be installed - skipping.
2017-07-28 11:28:57 Info: swi_service was found to not be installed - skipping.
2017-07-28 11:28:57 Info: swi_filter was found to not be installed - skipping.
2017-07-28 11:28:57 Info: Added Sophos Web Control Service to ServicesList.
2017-07-28 11:28:57 Info: All services reported they accept stop controls.
2017-07-28 11:28:57 Info: Stop SAVService
2017-07-28 11:28:57 Info: Convert boot tasks
2017-07-28 11:28:57 Info: CopyFilesToTemp
2017-07-28 11:28:57 ERROR: StoreTempFiles - failed to copy machine file - not present, hr = 0x0
2017-07-28 11:28:57 Warning: configuration will not be preserved
2017-07-28 11:28:57 Info: Reading overrides from registry
2017-07-28 11:28:57 Info: Uninstall old SAV
2017-07-28 11:28:57 Detected version of SAV with product code: {CA3CE456-B2D9-4812-8C69-17D6980432EF}
2017-07-28 11:28:57 Info: Running Uninstall of previous version using command line: msiexec.exe /x {CA3CE456-B2D9-4812-8C69-17D6980432EF} REBOOT=ReallySuppress /qn UNINSTALLDRIVERS=0 UNINSTALLCLASSFILTER=0 UNINSTALLBOOTDRIVERS=1 UNINSTALLKMSDRIVERS=1 CHECKFORSCF=0 INSTALLINGVERSION="10.7.2.49" /Lvp "C:\Windows\TEMP\Sophos Anti-Virus Uninstall Log_170728_092857.txt"
2017-07-28 11:29:41 Info: Finished waiting for Uninstallation of previous version. Status returned was 0l.
2017-07-28 11:29:41 WARNING: SAV uninstall failed with error 1603
2017-07-28 11:29:41 Detected version of SAV with product code: {CA3CE456-B2D9-4812-8C69-17D6980432EF}
2017-07-28 11:29:41 Info: Detected version of SAV has major version number: 10
2017-07-28 11:29:41 Info: Detected version of SAV has minor version number: 6
2017-07-28 11:29:41 ERROR: Uninstall of SAV, version = 10.6.4, succeeded but IsSAVInstalled is true (10.6.4).
2017-07-28 11:29:41 ERROR: Upgrade failure
2017-07-28 11:29:41 Info: Added SAV to ComponentList.
2017-07-28 11:29:41 Info: Added SWI to ComponentList.
2017-07-28 11:29:41 Info: Added SWC to ComponentList.
2017-07-28 11:29:41 Info: Set Update Failed
2017-07-28 11:30:11 Unable to create an instance of ComponentManager - SystemInformation cannot be informed of end of update

Hello Peter,

as the uninstall failed the error is in the Uninstall log, but likely it'll tell that a CustomAction failed so the CustomActions log is the one to check.

Christian