
SAV Auto-update getting blocked, leading to Sophos disappearing/uninstalling??

Hello everybody,

I have Sophos Endpoint Control and also an anti-spyware/keylogger software installed. Both have worked well so far until yesterday. My anti-spyware software blocked Sophos auto-update activities (false positive). Specifically it blocked ALsvc.exe, ssp.exe, SophosBootDriver.sys, stnp.sys and SntpService.exe. Thereafter I could not find the Sophos tray icon. After having a closer look in Program Files, I noticed that the Sophos folder was nearly empty (just an empty Web Intelligence folder)! I tried installing Sophos again and naturally it went for an update again. The exact same sequence mentioned above happened all over.

Could Sophos disappearing have something to do with the fact that the Auto Update Service was blocked after it started and could not finish?

Any positive response would be greatly appreciated!



  • I am experiencing something similar which may be related.  I noticed that Sophos had been uninstalled from a machine where it had previously been installed.  When I went to re-install I encountered an error "error 997 overlapped i/o operation is in progress".  After some research I determined this was caused by a Windows Update and I was able to get around it with registry changes.  Issue is described here: https://support.microsoft.com/en-us/kb/2918614

    I was able to get the msi product codes for the Sophos installers and add them as described in the MS KB and install.  The installer I had was 10.3.  Immediately upon install the product downloads and attempts to install 10.6.  The first thing it does is uninstall 10.3 and then fails to continue the installation of 10.6 without a visible error leaving the machine without AV.

    I am downloading the 10.6 installer directly and will attempt to install that on the machine in question. 

  • So indeed it appears that the 10.6 installer is failing for the same reason that the 10.3 installer was.  However, when it fails while initiated from autoupdate there are no onscreen error indications.  The Windows application log error is also unfortunately generic.  It says:

    "The description for Event ID 10997 from source MsiInstaller cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."

    Running the installer directly will yield the error mentioned above, "error 997 overlapped i/o operation is in progress" followed by, "the installation of sophos antivirus has failed (error 0x80041f08)"

    A workaround is to create registry entries to exempt the various msi files from the authorization checking that the OS is doing per the MS KB above.

    1) Create a text file

    2) add this:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
    "SecureRepairPolicy"=dword:00000002

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\SecureRepairWhitelist]
    "{09863DA9-7A9B-4430-9561-E04D178D7017}"=""
    "{196467F1-C11F-4F76-858B-5812ADC83B94}"=""
    "{BCF53039-A7FC-4C79-A3E3-437AE28FD918}"=""
    "{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}"=""
    "{A805FB2A-A844-4CBA-8088-CA64087D59E1}"=""

    3) change the text file extension from .txt to .reg

    4) right click it and select merge

    NOTE: The product codes listed above are for the msi files contained in the 10.6 installation package.  Most of them changed from the 10.3 package so if you are not using 10.6 this registry merge won't help with the above errors.  You will need to get the product codes for the package you are using (but if you are reading this then you are probably already having the issue I am where a previous version will immediately download 10.6, remove itself, and then fail to install the new version).

    I sincerely hope that the team at Sophos will have a look at this and figure out something so that the next version update doesn't do this again.
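
Added example (not part of the original post and not Sophos or Microsoft code): the post above says the product codes must be read from the MSI files of whichever package you are installing. This PowerShell sketch reads the `ProductCode` property from each MSI through the Windows Installer COM object, skips any MSI whose Authenticode signature does not verify, and writes a `.reg` file in the same layout as the one shown above. The `$PackageDir` and `$OutFile` values are assumptions; point `$PackageDir` at your extracted installer package.

```powershell
param(
    [string]$PackageDir = 'C:\Temp\SophosInstaller',        # assumed location of the extracted package
    [string]$OutFile    = "$PWD\SecureRepairWhitelist.reg"   # assumed output file name
)

function Get-MsiProductCode {
    param([Parameter(Mandatory)][string]$Path)
    $flags     = [System.Reflection.BindingFlags]
    $query     = 'SELECT Value FROM Property WHERE Property = ''ProductCode'''
    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        # Mode 0 opens the MSI database read-only
        $db   = $installer.GetType().InvokeMember('OpenDatabase', $flags::InvokeMethod, $null, $installer, @($Path, 0))
        $view = $db.GetType().InvokeMember('OpenView', $flags::InvokeMethod, $null, $db, @($query))
        $view.GetType().InvokeMember('Execute', $flags::InvokeMethod, $null, $view, $null) | Out-Null
        $rec  = $view.GetType().InvokeMember('Fetch', $flags::InvokeMethod, $null, $view, $null)
        if ($null -eq $rec) { return $null }
        $code = $rec.GetType().InvokeMember('StringData', $flags::GetProperty, $null, $rec, 1)
        $view.GetType().InvokeMember('Close', $flags::InvokeMethod, $null, $view, $null) | Out-Null
        return $code
    } finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
}

$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$codes = foreach ($msi in Get-ChildItem -Path $PackageDir -Filter *.msi -Recurse) {
    # Only exempt packages whose Authenticode signature verifies on this machine
    if ((Get-AuthenticodeSignature -FilePath $msi.FullName).Status -ne 'Valid') {
        Write-Warning "Skipping (signature not valid): $($msi.FullName)"
        continue
    }
    $code = Get-MsiProductCode -Path $msi.FullName
    if ($code -match $guidPattern) { $code }
}
$codes = @($codes | Sort-Object -Unique)
if ($codes.Count -eq 0) { throw "No signed MSI product codes found under $PackageDir" }

# Same keys and values as the .reg file in the post, with the codes read from the package
$lines = @(
    'Windows Registry Editor Version 5.00', '',
    '[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]',
    '"SecureRepairPolicy"=dword:00000002', '',
    '[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\SecureRepairWhitelist]'
) + ($codes | ForEach-Object { '"{0}"=""' -f $_ })
Set-Content -Path $OutFile -Value $lines -Encoding Unicode
```

Review the generated file before merging it, and remove the whitelist entries once the installation has completed so the exemption does not outlive the workaround.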

  • Hey PBJ_Family, thanks for the reply! I too have the 10.3 version. I'll try installing the 10.6 directly but don't know if it'll work. The version of Sophos I have is provided to students free of cost by my uni. So there were no product codes involved. So it seems the installation is failing for different reasons in our cases, but the problem remains that 10.3 uninstalls itself. I hope somebody from Sophos is reading this and can offer a workaround.

  • The product codes are contained in the MSI files included in the installation package.  These are not like installation codes that you have to type in or anything like that.  The MS KB page describes it.  If your computers are like the one I am dealing with then it was a Windows update that caused the computer to change the way it deals with MSI files which in this case causes the installation of 10.6 to fail.  Since 10.3 is automatically downloading 10.6, and since the process removes 10.3 before trying (and then failing) to install 10.6, it might be the same issue.
