SAV Auto-update getting blocked, leading to Sophos disappearing/uninstalling??

Hello everybody,

I have Sophos Endpoint Control and also an anti-spyware/keylogger software installed. Both have worked well so far until yesterday. My Anti-Spyware software blocked Sophos auto-update activities (false positive). Specifically it blocked ALsvc.exe, ssp.exe, SophosBootDriver.sys, stnp.sys and SntpService.exe. Thereafter I could not find the Sophos tray icon. After having a closer look in Program Files, I noticed that the Sophos folder was nearly empty (just an empty Web Intelligence folder)! I tried installing Sophos again and naturally it went for an update again. The exact same sequence mentioned above happened all over.

Could Sophos disappearing have something to do with the fact that the Auto Update Service was blocked after it started and could not finish?

Any positive response would be greatly appreciated!

  • I am experiencing something similar which may be related.  I noticed that Sophos had been uninstalled from a machine where it had previously been installed.  When I went to re-install I encountered an error "error 997 overlapped i/o operation is in progress".  After some research I determined this was caused by a Windows Update and I was able to get around it with registry changes.  Issue is described here: https://support.microsoft.com/en-us/kb/2918614

    I was able to get the msi product codes for the Sophos installers and add them as described in the MS KB and install.  The installer I had was 10.3.  Immediately upon install the product downloads and attempts to install 10.6.  The first thing it does is uninstall 10.3 and then fails to continue the installation of 10.6 without a visible error leaving the machine without AV.

    I am downloading the 10.6 installer directly and will attempt to install that on the machine in question. 

  • In reply to PBJ_Family:

    So indeed it appears that the 10.6 installer is failing for the same reason that the 10.3 installer was.  However when it fails while initiated from autoupdate there are no onscreen error indications.  The Windows application log error is also unfortunately generic.  It says:

    "The description for Event ID 10997 from source MsiInstaller cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."

    Running the installer directly will yield the error mentioned above, "error 997 overlapped i/o operation is in progress" followed by, "the installation of sophos antivirus has failed (error 0x80041f08)"

    A workaround is to create registry entries to exempt the various msi files from the authorization checking that the OS is doing per the MS KB above.

    1) Create a text file

    2) add this:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
    "SecureRepairPolicy"=dword:00000002

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\SecureRepairWhitelist]
    "{09863DA9-7A9B-4430-9561-E04D178D7017}"=""
    "{196467F1-C11F-4F76-858B-5812ADC83B94}"=""
    "{BCF53039-A7FC-4C79-A3E3-437AE28FD918}"=""
    "{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}"=""
    "{A805FB2A-A844-4CBA-8088-CA64087D59E1}"=""

    3) change the text file extension from .txt to .reg

    4) right click it and select merge

    NOTE: The product codes listed above are for the msi files contained in the 10.6 installation package.  Most of them changed from the 10.3 package so if you are not using 10.6 this registry merge won't help with the above errors.  You will need to get the product codes for the package you are using (but if you are reading this then you are probably already having the issue I am where a previous version will immediately download 10.6, remove itself, and then fail to install the new version).

    I sincerely hope that the team at Sophos will have a look at this and figure out something so that the next version update doesn't do this again.

  • In reply to PBJ_Family:

    Hey PBJ_Family, thanks for the reply! I too have the 10.3 version. I'll try installing the 10.6 directly but don't know if it'll work. The version of Sophos I have is provided to students free of cost by my uni. So there were no product codes involved. So it seems the installation is failing for different reasons in our cases, but the problem remains that 10.3 uninstalls itself. I hope somebody from Sophos is reading this and can offer a workaround.

  • In reply to FlurFleckens:

    The product codes are contained in the MSI files included in the installation package.  These are not like installation codes that you have to type in or anything like that.  The MS KB page describes it.  If your computers are like the one I am dealing with then it was a Windows update that caused the computer to change the way it deals with MSI files which in this case causes the installation of 10.6 to fail.  Since 10.3 is automatically downloading 10.6, and since the process removes 10.3 before trying (and then failing) to install 10.6, it might be the same issue.
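
Added example (not part of any post in this thread, and not Sophos or Microsoft code): a PowerShell check that reads the ProductCode property from each MSI in an extracted installer package, as the reply above describes, and reports whether that code is already listed under the SecureRepairWhitelist key from the workaround. The package folder path is an assumption; the registry key and value names are the ones shown in the thread.

```powershell
# Run from an elevated PowerShell prompt on the affected machine.
param(
    # Hypothetical path: folder holding the extracted installer package.
    [string]$PackageDir = 'C:\Temp\SophosPackage'
)

$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$whitelistKey = Join-Path $policyKey 'SecureRepairWhitelist'

function Get-MsiProductCode {
    param([Parameter(Mandatory)][string]$Path)
    # The Windows Installer COM object can query an MSI's Property table.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        # Second argument 0 = open the database read-only.
        $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod',
            $null, $installer, @($Path, 0))
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
            @("SELECT Value FROM Property WHERE Property = 'ProductCode'"))
        $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $record) { return $null }   # MSI has no ProductCode row
        return $record.GetType().InvokeMember('StringData', 'GetProperty',
            $null, $record, 1)
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
}

# Current policy value and the product codes already listed, if any.
$policy = (Get-ItemProperty -Path $policyKey -Name SecureRepairPolicy `
    -ErrorAction SilentlyContinue).SecureRepairPolicy
$listed = @()
if (Test-Path $whitelistKey) {
    $listed = (Get-Item $whitelistKey).GetValueNames()
}

# One row per MSI: its product code and whether the whitelist covers it.
Get-ChildItem -Path $PackageDir -Filter *.msi -Recurse | ForEach-Object {
    $code = Get-MsiProductCode -Path $_.FullName
    [pscustomobject]@{
        Msi                = $_.Name
        ProductCode        = $code
        Whitelisted        = $listed -contains $code
        SecureRepairPolicy = $policy
    }
} | Format-Table -AutoSize
```

Rows showing `Whitelisted = False` are the product codes that a .reg file for that package version would still need; codes left in the key from an older package can be removed once that version is gone.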

  • I have a similar problem.  A stand alone PC (on a network for internet access) has Sophos.  Running Windows 8.1.  This morning I noticed that a red cross was on the icon tray - I therefore clicked 'update now' and it went into the initial phase of updating.   

    The update box then closed, and the icon had vanished.

    It was still showing in my processes as running, but no way of checking if it had updated.   

    I then tried opening endpoint control to look at the log, only to find that all references to updates have vanished.   I have a screenshot but not sure how to display that!

    I have uninstalled and re-installed Sophos but it keeps failing with an error message saying that the feature you are trying to use is on a network resource that is unavailable.  I am not using the network!

    I have undertaken a system restore to see if updates had caused the issue but still exactly the same so currently without protection!

    Would appreciate some straightforward help!

  • Which other software are you using? That would be helpful. It sounds like the 3rd party software is detecting falsely on Sophos AV. Please PM this info.

  • In reply to CraigJones:

    I am not using any other software - apart from Windows defender which is turned off.

  • In reply to JakiFairbrother:

    Sorry my reply was for !

  • In reply to CraigJones:

    No worries.   But I am fed up with paying for a service that is simply taking up all my time with errors!

  • In reply to JakiFairbrother:

    I'm sorry it's been a bad experience so far, let me help turn that around.

    Are you using Cloud or On-premise?

    From the machine affected can you PM me the Alupdate.log from C:\ProgramData\Sophos\AutoUpdate\Logs

  • In reply to CraigJones:

    I am trying to.   Sorry - I wasn't sure this was then for me!