Failed to install savxp 80041f19

Hi

Sophos antivirus endpoint solution was installed successfully in dozens of machines, except in two.

On those machines, the log firstly complained about third party software, the previous antivirus was Microsoft Windows antivirus.

All malware tools were removed. The Windows antivirus was even turned off manually.

Nevertheless, the installation error remains (see image in attachment). The installation now comes to an end but there is some sort of malfunction in the software. 

 

Thank you for your help.

  • Hi,

    Under \windows\temp\ you will find the MSI install log of Sophos Anti-Virus and the associated custom action log file - The timestamp in the filename will reveal the pair.

    Can you make them available? 

    Regards,

    Jak

  • In reply to jak:

    Aditya 

  • In reply to jak:

    Hi. I'll try the guideline following the instructions you sent further on. Meanwhile, here is the log of a failed installation (I don't see the avremove.log):

    20-10-2016,09:24:01,Information,------------------ Beginning installation of Sophos Anti-Virus and AutoUpdate ------------------,
    20-10-2016,09:24:01,Information,Setup version 3.3.0.79,
    20-10-2016,09:24:01,Information,Command line: c:\users\manuel~1\appdata\local\temp\sophos_bootstrap\setup.exe -server dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com -token ***************** -edxtimestamp 20161003T151508Z,
    20-10-2016,09:24:01,Information,Process security set successfully,
    20-10-2016,09:24:01,Information,Setup program was run from C:\Users\MANUEL~1\AppData\Local\Temp\sophos_bootstrap,
    20-10-2016,09:24:02,Information,Checking system TMP paths.,
    20-10-2016,09:24:02,Information,Checking TMP...,
    20-10-2016,09:24:02,Information,Temp path for System found: 'C:\WINDOWS\TEMP'.,
    20-10-2016,09:24:02,Information,Tamper protection not installed,
    20-10-2016,09:24:02,Information,Checking if Sophos Anti-Virus or Sophos AutoUpdate are installed...,
    20-10-2016,09:24:02,Information,Starting wizard to collect information from user...,
    20-10-2016,09:24:15,Information,Checking for internet connectivity...,
    20-10-2016,09:24:15,Success,Successfully connected to the URL http://dci.sophosupd.com/.,
    20-10-2016,09:24:15,Information,Checking for internet connectivity...,
    20-10-2016,09:24:16,Success,Successfully connected to the URL https://dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com/sophos/management/ep.,
    20-10-2016,09:24:25,Information,Starting the install sequence.,
    20-10-2016,09:24:25,Information,Checking for local third-party software...,
    20-10-2016,09:24:25,Information,Sending data back to Sophos...,
    20-10-2016,09:24:25,Success,Successfully connected to the URL http://d1.sophosupd.com/ebs/3.3.0.79/zCR+v6sQV504Nlkq+azBPCnsttY=/ezg4MDc0OEZFLTg4QjctNDkyMi04RDAzLUFBQkI2NkEyODIwQX0=/6.3.9600/1/e0Q2OEREQzNBLTgzMUYtNGZhZS05RTQ0LURBMTMyQzFBQ0Y0Nn0=/V2luZG93cyBEZWZlbmRlcg==/JVByb2dyYW1GaWxlcyVcV2luZG93cyBEZWZlbmRlclxNU0FTQ3VpLmV4ZQ==/JVByb2dyYW1GaWxlcyVcV2luZG93cyBEZWZlbmRlclxNc01wZW5nLmV4ZQ==/62100/x.xml.,
    20-10-2016,09:24:25,Information,Done.,
    20-10-2016,09:24:25,Information,Searching for third-party security software.,
    20-10-2016,09:29:33,Information,Return Code 16 from third-party security software removal tool.,
    20-10-2016,09:29:33,ERROR,A problem was encountered when running the third-party software removal tool. Details: Cancelled installation because existing third-party security software could not be uninstalled.,
    20-10-2016,09:29:38,Information,Sending EBS feedback to Sophos...,
    20-10-2016,09:29:38,Information,Sending data back to Sophos...,
    20-10-2016,09:29:39,Success,Successfully connected to the URL http://d1.sophosupd.com/ebs/3.3.0.79/zCR+v6sQV504Nlkq+azBPCnsttY=/ezg4MDc0OEZFLTg4QjctNDkyMi04RDAzLUFBQkI2NkEyODIwQX0=/6.3.9600/2/118/336/3/ZHpyLW1jcy1hbXpuLWV1LXdlc3QtMS05YWY3LnVwZS5wLmhtci5zb3Bob3MuY29t/16/2.11.0.113//x.xml.,
    20-10-2016,09:29:39,Information,------------------ Found errors during installation: 118 ------------------,
    20-10-2016,09:29:39,Information,------------------ Installation program finishing with code 118 ------------------,

  • In reply to MarcoTeixeira:

    I have here a log of avremove.log.

    I think the issue I've been having with some machines where the installation fails has something to do with the removal of the Microsoft antivirus that fails. See the end of the log.

    4 Oct 2016 14:19:49 Info: Running OS: Microsoft Windows 8  [Version 6.02.9200]
    04 Oct 2016 14:19:49 Info: Current Competitor Removal Tool Settings
    04 Oct 2016 14:19:49 Info: Product Version: Version 2.12.0.38
    04 Oct 2016 14:19:49 Info: Using Product Catalog: Default
    04 Oct 2016 14:19:49 Info: Run On Servers: True
    04 Oct 2016 14:19:49 Info: Detection Only: False
    04 Oct 2016 14:19:49 Info: Remove Anti-Virus: True
    04 Oct 2016 14:19:49 Info: Remove Product Suites: True
    04 Oct 2016 14:19:49 Info: Remove Firewalls: True
    04 Oct 2016 14:19:49 Info: Remove Update Tools: False
    04 Oct 2016 14:19:49 Info: Log Tracing: True
    04 Oct 2016 14:19:49 Info: Log to C:\WINDOWS\TEMP\avremove.log
    04 Oct 2016 14:19:49 Info: Default system language: pt_PT
    04 Oct 2016 14:19:49 Info: Default character encoding: cp1252
    04 Oct 2016 14:19:49 Info: Operating system is 64-bit: True
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Installer (64-bit)
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6D3687A4-4F95-4144-9B81-6FE6DA532013}
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6D3687A4-4F95-4144-9B81-6FE6DA532013} (64-bit)
    04 Oct 2016 14:19:49 Debug: Key {6D3687A4-4F95-4144-9B81-6FE6DA532013} not found
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Installer (64-bit)
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9ACB7BC3-D4C9-40AA-983D-8555FD0D5B56}
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9ACB7BC3-D4C9-40AA-983D-8555FD0D5B56} (64-bit)
    04 Oct 2016 14:19:49 Debug: Key {9ACB7BC3-D4C9-40AA-983D-8555FD0D5B56} not found
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Installer (64-bit)
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F25DEE3-FE12-46A3-AB4C-5491E4C95C50}
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F25DEE3-FE12-46A3-AB4C-5491E4C95C50} (64-bit)
    04 Oct 2016 14:19:49 Debug: Key {9F25DEE3-FE12-46A3-AB4C-5491E4C95C50} not found
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Installer (64-bit)
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D6414CC7-F215-467F-88B1-546ED863F35B}
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D6414CC7-F215-467F-88B1-546ED863F35B} (64-bit)
    04 Oct 2016 14:19:49 Debug: Key {D6414CC7-F215-467F-88B1-546ED863F35B} not found
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Installer (64-bit)
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77772678-817F-4401-9301-ED1D01A8DA56}
    04 Oct 2016 14:19:49 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77772678-817F-4401-9301-ED1D01A8DA56} (64-bit)
    04 Oct 2016 14:19:49 Debug: Key {77772678-817F-4401-9301-ED1D01A8DA56} not found

    [.........................................]
     
    20 Oct 2016 14:34:58 Debug: Key {501A6723-70DE-87DF-1F83-1FB7B1A7E147} not found
    20 Oct 2016 14:34:58 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Installer (64-bit)
    20 Oct 2016 14:34:58 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BE5DD172-7F42-7948-1A60-E6A720288F81}
    20 Oct 2016 14:34:58 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BE5DD172-7F42-7948-1A60-E6A720288F81} (64-bit)
    20 Oct 2016 14:34:58 Debug: Key {BE5DD172-7F42-7948-1A60-E6A720288F81} not found
    20 Oct 2016 14:34:58 Info: Removing detected products...
    20 Oct 2016 14:34:58 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Installer (64-bit)
    20 Oct 2016 14:34:58 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9FCBAAE-DB72-488B-96D0-0AA3C892C0D6}
    20 Oct 2016 14:34:58 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9FCBAAE-DB72-488B-96D0-0AA3C892C0D6} (64-bit)
    20 Oct 2016 14:34:58 Debug: Key {D9FCBAAE-DB72-488B-96D0-0AA3C892C0D6} was found
    20 Oct 2016 14:34:58 Info: Starting removal of Microsoft Security Client version 4.5.x
    20 Oct 2016 14:34:58 Debug: Removing Microsoft Security Client version 4.5.x
    20 Oct 2016 14:34:58 Info: Creating new process C:\Windows\System32\\MsiExec.exe /X {D9FCBAAE-DB72-488B-96D0-0AA3C892C0D6} /q REBOOT=ReallySuppress
    20 Oct 2016 14:37:44 Info: Removal process ended normally: exit code 1603
    20 Oct 2016 14:37:44 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9FCBAAE-DB72-488B-96D0-0AA3C892C0D6}
    20 Oct 2016 14:37:44 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9FCBAAE-DB72-488B-96D0-0AA3C892C0D6} (64-bit)
    20 Oct 2016 14:37:44 Debug: Key {D9FCBAAE-DB72-488B-96D0-0AA3C892C0D6} was found
    20 Oct 2016 14:37:44 Failure: Removal of Microsoft Security Client version 4.5.x failed
    20 Oct 2016 14:37:44 Failure: Return code 1603
    20 Oct 2016 14:37:44 Info: Competitor Removal Tool exit code 16
    20 Oct 2016 14:37:44 Info: AVRemove finished. 1 product found, 0 products removed. Report logged to : C:\WINDOWS\TEMP\avremove.log
    Sophos Anti-Virus software detector - Version 2.12.0.38
    Copyright (C) 2003-2016 Sophos Limited. All rights reserved.
    Running OS: Microsoft Windows 8  [Version 6.02.9200]
    Removing detected products...
    AVRemove finished. 1 product found, 0 products removed. Report logged to : C:\WINDOWS\TEMP\avremove.log

  • In reply to MarcoTeixeira:

    Avremove.log should be under %temp% (the installing user's temp) if the CRT was run in the context of the installing user.

    Only when the setup plugin of SAV runs the CRT at install, which is on a next-gen endpoint, would it be under \windows\temp, as it's being run as the System user.

    Regards

    Jak

  • I am receiving the same error. The avremove.txt file is stating it was unable to uninstall Vipre 7.x, however that AV is currently not installed.

    Here is the log: https://pastebin.com/WW4WFCHQ

  • In reply to Mike Baum:

    Hello Mike Baum,

    Are you using Central or SESC? AFAIK you don't have many options for the former as opposed to the on-premise version. Apparently TraceLogging was not enabled; it might have told why it thinks removal failed.
    It did run the command in UninstallString (the line with Creating new process), but this returned in less than a second, so it is unlikely that actual removal was attempted by this command. It is not clear whether AgentUninstallPassword.exe writes a log; if so, I assume it'd be in \Windows\Temp.

    "that AV is currently not installed"
    You mean it's not in Programs and Features, or no trace of it on the disk? CRT does detect it and, as far as I can see from the CRT data, it's found in HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (you should find it by searching for AgentUninstallPassword.exe). If you run the UninstallString command in an elevated cmd window it might tell why it refuses to uninstall.

    Christian   
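
Added example, not part of any post in this thread and not Sophos code: a Python triage of avremove.log text that pulls out each removal attempt with its uninstall command, exit code and run time, and flags the two situations discussed above (an msiexec failure such as 1603, and an uninstaller that returns in under a second). The ExampleAV lines and the `triage` function name are constructed for illustration.

```python
import re
from datetime import datetime

# First four lines are copied from the avremove.log posted in this thread;
# the last four (ExampleAV) are constructed to show a sub-second return.
SAMPLE_LOG = r"""20 Oct 2016 14:34:58 Info: Starting removal of Microsoft Security Client version 4.5.x
20 Oct 2016 14:34:58 Info: Creating new process C:\Windows\System32\\MsiExec.exe /X {D9FCBAAE-DB72-488B-96D0-0AA3C892C0D6} /q REBOOT=ReallySuppress
20 Oct 2016 14:37:44 Info: Removal process ended normally: exit code 1603
20 Oct 2016 14:37:44 Failure: Removal of Microsoft Security Client version 4.5.x failed
21 Oct 2016 10:00:05 Info: Starting removal of ExampleAV 1.x
21 Oct 2016 10:00:05 Info: Creating new process C:\Program Files\ExampleAV\uninst.exe /silent
21 Oct 2016 10:00:05 Info: Removal process ended normally: exit code 1
21 Oct 2016 10:00:05 Failure: Removal of ExampleAV 1.x failed
"""

LINE = re.compile(r"^(\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d) (\w+): (.*)$")
START, PROC = "Starting removal of ", "Creating new process "
# Windows Installer return codes often seen when "msiexec /X" fails.
MSI_CODES = {1603: "fatal error during installation (check the MSI log)",
             1605: "product is not currently installed"}

def triage(text):
    """Return one dict per removal attempt found in avremove.log text."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # console banner lines and elisions carry no timestamp
        ts = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S")
        level, msg = m.group(2), m.group(3)
        if msg.startswith(START):
            cur = {"product": msg[len(START):], "command": "", "started": ts,
                   "seconds": None, "exit_code": None, "failed": False, "notes": []}
            attempts.append(cur)
        elif cur and msg.startswith(PROC):
            cur["command"], cur["started"] = msg[len(PROC):], ts
        elif cur and (end := re.search(r"Removal process ended.*exit code (-?\d+)", msg)):
            cur["exit_code"] = code = int(end.group(1))
            cur["seconds"] = (ts - cur["started"]).total_seconds()
            if "msiexec" in cur["command"].lower() and code in MSI_CODES:
                cur["notes"].append(MSI_CODES[code])
            if code != 0 and cur["seconds"] < 1:
                cur["notes"].append("returned in under a second; removal probably never ran")
        elif cur and level == "Failure" and msg.startswith("Removal of "):
            cur["failed"] = True
    return attempts

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

The log timestamps have one-second resolution, so a run time of 0 means the uninstaller started and exited within the same logged second.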

  • In reply to QC:

    I am using Central for all my deployments. Oddly enough, I could not find AgentUninstallPassword.exe in regedit. There are a lot of instances of Vipre, but the program is removed in Add/Remove programs and I do not see any services running.

  • In reply to Mike Baum:

    Hello Mike Baum,

    According to "Sophos Central: Endpoint installer and the detection of other security software", under "A third party product is detected that has already been removed", the log should be verbose. The one you've posted is not.
    If the \crt folder containing the AVRemove.exe isn't left behind as the article suggests, you should be able to extract it from a full installer. Extract and modify CRT.cfg to enable TraceLogging; this should tell you what caused the Vipre detection.

    It's also possible to tell the installer to ignore third-party products, but this option should be used with caution.

    Christian

  • In reply to QC:

    Got it figured out, turns out someone also installed Webroot on the machine. Thank you!