Sophos XG and AP/APX users may experience issues registering to Sophos Central. More info available here: XG Firewall - Central Wireless
We'd love to hear about it! Click here to go to the product suggestion community
Sophos antivirus endpoint solution was installed successfully in dozens of machines, except in two.
On those machines, the log firstly complained about third party software, the previous antivirus was Microsoft Windows antivirus.
All malware tools were removed. The Windows antivirus was even turned-off manually.
Nevertheless, the installation error remains (see image in attachment). The installation now comes to an end but there is some sort of malfunction in the software.
Thank you for your help.
Under \windows\temp\ you will find the MSI install log of Sophos Anti-Virus and the associated custom action log file - The timestamp in the filename will reveal the pair.
Can you make them available?
In reply to jak:
In reply to Aditya Patel:
This should help:https://community.sophos.com/kb/en-us/125402
Hi. I'll try the guideline following the instructions you sent further on . Menawhile, here is the log of a failed installation (I don´t see the avremove.log) :
20-10-2016,09:24:01,Information,------------------ Beginning installation of Sophos Anti-Virus and AutoUpdate ------------------,20-10-2016,09:24:01,Information,Setup version 220.127.116.11,20-10-2016,09:24:01,Information,Command line: c:\users\manuel~1\appdata\local\temp\sophos_bootstrap\setup.exe -server dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com -token ***************** -edxtimestamp 20161003T151508Z,20-10-2016,09:24:01,Information,Process security set successfully,20-10-2016,09:24:01,Information,Setup program was run from C:\Users\MANUEL~1\AppData\Local\Temp\sophos_bootstrap,20-10-2016,09:24:02,Information,Checking system TMP paths.,20-10-2016,09:24:02,Information,Checking TMP...,20-10-2016,09:24:02,Information,Temp path for System found: 'C:\WINDOWS\TEMP'.,20-10-2016,09:24:02,Information,Tamper protection not installed,20-10-2016,09:24:02,Information,Checking if Sophos Anti-Virus or Sophos AutoUpdate are installed...,20-10-2016,09:24:02,Information,Starting wizard to collect information from user...,20-10-2016,09:24:15,Information,Checking for internet connectivity...,20-10-2016,09:24:15,Success,Successfully connected to the URL http://dci.sophosupd.com/.,20-10-2016,09:24:15,Information,Checking for internet connectivity...,20-10-2016,09:24:16,Success,Successfully connected to the URL https://dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com/sophos/management/ep.,20-10-2016,09:24:25,Information,Starting the install sequence.,20-10-2016,09:24:25,Information,Checking for local third-party software...,20-10-2016,09:24:25,Information,Sending data back to Sophos...,20-10-2016,09:24:25,Success,Successfully connected to the URL http://d1.sophosupd.com/ebs/18.104.22.168/zCR+v6sQV504Nlkq+azBPCnsttY=/ezg4MDc0OEZFLTg4QjctNDkyMi04RDAzLUFBQkI2NkEyODIwQX0=/6.3.9600/1/e0Q2OEREQzNBLTgzMUYtNGZhZS05RTQ0LURBMTMyQzFBQ0Y0Nn0=/V2luZG93cyBEZWZlbmRlcg==/JVByb2dyYW1GaWxlcyVcV2luZG93cyBEZWZlbmRlclxNU0FTQ3VpLmV4ZQ==/JVByb2dyYW1GaWxlcyVcV2luZG93cyBEZWZlbmRlclxNc01wZW5nLmV4ZQ==/62100/x.xml.,20-10-2016,09:24:25,Information,Done.,20-10-2016,09:24:25,Information,Searching for third-party security software.,20-10-2016,09:29:33,Information,Return Code 16 from third-party security software removal tool.,20-10-2016,09:29:33,ERROR,A problem was encountered when running the third-party software removal tool. Details: Cancelled installation because existing third-party security software could not be uninstalled.,20-10-2016,09:29:38,Information,Sending EBS feedback to Sophos...,20-10-2016,09:29:38,Information,Sending data back to Sophos...,20-10-2016,09:29:39,Success,Successfully connected to the URL http://d1.sophosupd.com/ebs/22.214.171.124/zCR+v6sQV504Nlkq+azBPCnsttY=/ezg4MDc0OEZFLTg4QjctNDkyMi04RDAzLUFBQkI2NkEyODIwQX0=/6.3.9600/2/118/336/3/ZHpyLW1jcy1hbXpuLWV1LXdlc3QtMS05YWY3LnVwZS5wLmhtci5zb3Bob3MuY29t/16/126.96.36.199//x.xml.,20-10-2016,09:29:39,Information,------------------ Found errors during installation: 118 ------------------,20-10-2016,09:29:39,Information,------------------ Installation program finishing with code 118 ------------------,
In reply to MarcoTeixeira:
I have here a log of avremove.log.
I think the issue I've been having with some machines where the installtion fails, has something to do with the removal of the Microsoft antivirus that fails. See the end of the log
Avremove.log should be under %temp% (the installing users temp) if the CRT was run in the context of the installing user.
Only when the setup plugin of SAV runs the CRT at install, which is on a next-gen endpoint would it be under \windows\temp as it's being run as the System user.
I am receiving the same error. the avremove.txt file is stating it was unable to uninstall Vipre 7.x, however that AV is currently not installed.
Here is the log: https://pastebin.com/WW4WFCHQ
In reply to Mike Baum:
Hello Mike Baum,
are you using Central or SESC? AFAIK you don't have many options for the former as opposed to the on-premise version. Apparently TraceLogging was not enabled, it might have told why it thinks removal failed.It did run the command in UninstallString (the line with Creating new process) but this returned in less than a second so unlikely that actual removal was attempted by this command. Not clear if AgentUninstallPassword.exe writes a log, if then I assume it'd be in \Windows\Temp.
that AV is currently not installedyou mean it's not in Programs and Features, or no trace of it on the disk? CRT does detect it and as far as I can see from the CRT data it's found in HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (you should find it by searching for AgentUninstallPassword.exe). If you run the UninstallString command in an elevated cmd window it might tell why it refuses to uninstall.
In reply to QC:
I am using Central for all my deployments. Oddly enough, I could not find AgentUninstallPassword.exe in regedit. There are a lot of instances of Vipre, but the program is removed in Add/Remove programs and I do not see any services running.
according to Sophos Central: Endpoint installer and the detection of other security software under A third party product is detected that has already been removed the log should be verbose. The one you've posted is not. If the \crt folder containing the AVRemove.exe isn't left behind as the article suggests you should be able to extract it from a full installer. Extract and modify CRT.cfg to enable TraceLogging - this should tell you what caused the Vipre detection.
It's also possible to tell the installer to ignore third-party products but this option should be used with caution.
Got it figured out, turns out someone also installed Webroot on the machine. Thank you!