Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 25 replies
  • Answers 1 answer
  • Subscribers 7 subscribers
  • Views 85090 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Update - Failed to install SAVXP: A previous version could not...

LorenAnuszewski

Hi...

I'm receving the following in SEC  "00000067 Failed to install SAVXP. A previous version could not be uninstalled"

and in the Sophos Antivirus uninstall log

CustomAction UninstallDriverFiles64Vista returned actual error code -1079 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (38:30) [10:10:19:389]: Product: Sophos Anti-Virus -- Error 1722.There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action UninstallDriverFiles64Vista, location: C:\Windows\SysWOW64\, command: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF"

I read a post recommeding copying NATIVE.EXE from the CIDS directory because it was not there, however I receive the same results.

Any insight would be much appreciated!



This thread was automatically locked due to age.
Parents
  • 0

    Oh Crap Sorry!

    [Edit by QC] I've deleted the large post with the complete Sophos Anti-Virus Uninstall log.txt and instead posted the relevant lines here

    MSI (s) (10:40) [09:42:28:114]: Executing op: ActionStart(Name=UninstallDriverFiles64Vista,,)
    MSI (s) (10:40) [09:42:28:115]: Executing op: CustomActionSchedule(Action=UninstallDriverFiles64Vista,ActionType=1058,Source=C:\Windows\SysWOW64\,Target="C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF",)
    MSI (s) (10:40) [09:42:28:115]: Note: 1: 1721 2: UninstallDriverFiles64Vista 3: C:\Windows\SysWOW64\ 4: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF"
    MSI (s) (10:40) [09:42:28:115]: Product: Sophos Anti-Virus -- Error 1721.There is a problem with this Windows Installer package. A program required for this install to complete could not be run. Contact your support personnel or package vendor. Action: UninstallDriverFiles64Vista, location: C:\Windows\SysWOW64\, command: "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\NATIVE.EXE" /lhu "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVONACCESSDRIV.INF"

    MSI (s) (10:40) [09:42:28:119]: User policy value 'DisableRollback' is 0
    MSI (s) (10:40) [09:42:28:119]: Machine policy value 'DisableRollback' is 0
    Action ended 9:42:28: InstallFinalize. Return value 3.

    [/Edit]

  • 0 in reply to BillFolger

    Hello BillFolger,

    guess the C:\Program Files (x86)\Sophos\Sophos Anti-Virus\ folder does exist but is pretty empty, isn't it?

    The following has helped in similar situations (coincidentally I had one case last week)

    • stop the Sophos AutopUpdate Service so that it won't interfere
    • copy native.exe from C:\ProgramData\Sophos\AutoUpdate\Cache\savxp\native\amd64\ to the above mentioned folder
    • do the same for the files in the ...\Cache\savxp\drivers\onaccess\win7_amd64\, ...\drivers\boottasks\, and ...\drivers\sdcfilter\win7_amd64\ folders (note: all files go to ...\Sophos Anti-Virus\ not to subfolders)
    • either uninstall Sophos Anti-Virus from the Control Panel's Programs and Features or simply start the AutoUpdate service, wait for or force an update which should then succeed

    Ideally you should use the files belonging to the installed version (BTW: the logs suggest it's 10.3.11 which is about a year old) but usually it works

    Christian

  • 0 in reply to QC

    YES!

     

    It's up and working with 10.6.

     

    Thank You Christian!

  • 0 in reply to QC

    Hi,

    Had a similar problem on a machine today. Followed you instructions as above and all okay (Thank you!), SAVXP error message disappeared but has now created a new error:

    Event Decode Unavailable (Event Number: "-2147024891" Message Code" "SAVXP.2147942405" Inserts: "Access is denied.","","","","" [0x80070005]

    I came across this link

    https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/3934/event-decode-unavailable-event-number--2147024891-message-code-savxp-2147942404

    The version on the SEC is 10.7.2.46 and the one on the client is 10.7.2.49

    We are on SEC 5.5 and have over 4900 happy machines, so I am reluctant to role back the DLL on the SEC?

    Would I be better of uninstalling again and then copy the files above from a known working machine?

    Thanks

  • 0 in reply to pdturbo80

    Hello pdturbo80,

    what's the corresponding event on the endpoint?
    As far as I can see the event number is not contained in SavRes.dll - neither 10.7.2.46 nor 10.7.2.49 (the message tables are identical so you don't have to copy anything). The message is just that, Access denied, the numbers are simply the int, uint, and hex representation of the same value.

    Christian

  • 0 in reply to QC

    Hi Christian,

     

    Thanks for the reply. Looks like after I acknowledge the event as an error and leaving it over night, it has not appeared. So good news, thanks for the original post. Looks like I have to do this fix on a number of machines. Any reason why this sometimes happens?

    Thanks

    Peter

Reply
  • 0 in reply to QC

    Hi Christian,

     

    Thanks for the reply. Looks like after I acknowledge the event as an error and leaving it over night, it has not appeared. So good news, thanks for the original post. Looks like I have to do this fix on a number of machines. Any reason why this sometimes happens?

    Thanks

    Peter

Children
  • 0 in reply to pdturbo80

    Hello Peter,

    I've also seen it on a small percentage of machines. Problem is to find the log from when "it" happened, if you can find it the question is whether the event is in the log, and then whether you can prevent it happening again.
    It might be that the install sequence isn't absolutely watertight and rollbacks aren't complete when there's an interruption (e.g. due to a shutdown) at an unfortunate moment.

    Christian

Unfiltered HTML