Update failing with Failed to install savxp: uninstalling an older product failed.

David Coombe,

Try this:

1. Stop all Sophos services.

2. Download Microsoft uninstall tool to uninstall the Sophos components:

"https://support.microsoft.com/en-us/help/17588/fix-problems-that-block-programs-from-being-installed-or-removed"

3. Reboot the computer and reinstall End point.

Thanks Zhi. That did the trick. 

Good to know.

Hello,

just a word of caution: The Fix-It shouldn't be your first choice tool (whether with Sophos or some other software). When a product (in Installer terms) is installed with Windows Installer certain information is stored in the so-called Installer Database. Part of it is solely for the use by the product, other parts record information used by Windows (e.g. what you see under Programs and Features), dependencies, and changes that might affect other products and Windows components. Normally some changes can only be reverted by the product and obviously the product needs the information from the database to perform the necessary changes.
What the Fix-It does is removing all information related to a product - it neither uninstalls nor does it otherwise roll back changes made by the install. Ideally its use should be followed by an install - and this even if you want to remove the product - which brings the product to the same state (version, patches, and so on) that (should have) existed before the failed uninstall, if desired followed by a (now hopefully successful) uninstall.
After using the Fix-It it looks (to the Installer) like the product has not been installed before, the logic executed is the one for a first-time install. This doesn't guarantee though that the install will succeed - e.g. the logic might check whether a certain file or folder that is to be created ny the install already exists and subsequently abort the installation. 

There's no general rule when it is safe to digress, if you do so there's a good chance that there will be left-overs. These might (immediately or at a later time) or might not cause issues. Thus it should always be considered as a last resort.

Christian

Hello,

just a word of caution: The Fix-It shouldn't be your first choice tool (whether with Sophos or some other software). When a product (in Installer terms) is installed with Windows Installer certain information is stored in the so-called Installer Database. Part of it is solely for the use by the product, other parts record information used by Windows (e.g. what you see under Programs and Features), dependencies, and changes that might affect other products and Windows components. Normally some changes can only be reverted by the product and obviously the product needs the information from the database to perform the necessary changes.
What the Fix-It does is removing all information related to a product - it neither uninstalls nor does it otherwise roll back changes made by the install. Ideally its use should be followed by an install - and this even if you want to remove the product - which brings the product to the same state (version, patches, and so on) that (should have) existed before the failed uninstall, if desired followed by a (now hopefully successful) uninstall.
After using the Fix-It it looks (to the Installer) like the product has not been installed before, the logic executed is the one for a first-time install. This doesn't guarantee though that the install will succeed - e.g. the logic might check whether a certain file or folder that is to be created ny the install already exists and subsequently abort the installation. 

There's no general rule when it is safe to digress, if you do so there's a good chance that there will be left-overs. These might (immediately or at a later time) or might not cause issues. Thus it should always be considered as a last resort.

Christian

I found that this Microsoft application works great for ripping a failed or corrupted Sophos endpoint install.

Then is searched the registry and deleted.

C:\ProgramData\Sophos\AutoUpdate\cache\savxp\

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos

And a few other location that had the name sophos.

Searched programData, both Program Files folders and delete any folder with Sophos.

Also found that sometimes you have to disabled all Sohpos services to get all folder deleted.

Even had to change the name of a Sophos folder to get it deleted.

And lots of restarts.

Then I pushed from the SEC.  And sometimes it installs and other times no and the PC just has to be reimaged.

Hello Navar Holmes,

I daresay virtually the only case in which you have to resort to the Fix-It is when the update fails because the previous version of a component (e.g. SAVXP) can't be uninstalled due to a missing cached .msi and you don't have an appropriate .msi (in the example Sophos Anti-Virus.msi). Most other cases can be resolved after you've determined the exact cause for an install or uninstall failure.

Christian

Here are a few tail tail signs that I have identified that will cause sophos endpoint to either fail to install, upgrade or update.

This all applies to domain controlled PCs.

If the PC is ever giving a Windows Installer error.  Re-image or re-install OS.

Never restart or power off the PC while sophos is updating or installing.  sophos doesn't recover from this sometimes.

If there is duplicate DNS entries for the PC sophos fail or act weird.  This happens when DNS scavenging is not enabled so a PC name can have more than one IP listed in DNS.

Windows firewall if enabled and exclusions are not set.  Or it is not disabled.

UAC is set to default.  which is level three if top is 4.  Disabling also good for doing the install.

Sophos was installed manually before the PC was joined to the domain.  This always requires an uninstall or ripping sophos out with a third party tool like the Microsoft tool.  Or you can waste a few hours trying to get it work.

Why?  Sophos clones three of the local security groups, Administrators to (SophosAdministrators), Power Users to (SophosPowerUser) and User to (SophosUser).  Sophos will not update these groups when the PC is joined to the domain or if you try a re-install.

Beware of weather changes.

If doing a manual install copy the installer to a root folder in the C drive.  The installer likes to be in a common location.  Don't copy to your desktop.

Always right-click and run as administrator.

Once Sophos AV is installed it is normal for it to say “Update Failed”.  Normally this just means that a restart is needed.  You can verify this by opening Sophos.  Open the “View Updating Log”.  You should see “WARNING: Restart needed for update to take effect”.  If you don’t see this right-click the ‘S” shield and Update Now.  Once the update is finished check for WARNING again.  Either way restart PC.  If after a restart Sophos is still giving “Update Failed” the wind might have changed direction while you were installing.  Re-verify the firewall and UAC are still disabled if not disabled and try “Update Now” again.

Note:  Sophos will always give an failed message if the PC is still in the default Computer OU but only if the default Computer OU is excluded from the AD sync.

If you check the updating logs and it is blank.  Uninstall or rip out sophos.  Or waste a few hours trying to fix sophos but I my time better spent uninstall or ripping sophos out.

sophos doesn't support netted security groups when you are trying to uninstall sophos.  You will need to add your administrator account to the SophosAdministrators local security group first.

Hello Navar Holmes,

quite a lot of things, IMHO some of the conclusions (and suggested actions) aren't absolutely correct though.

Windows Installer error
most can easily be corrected. In some environments re-imaging is a cinch and SOP so learning to understand MSI logs might not be justified. Nevertheless there are mainly only a few different cases.

• Installer fails with 1618 - Another Installation already in progress. Often the other installation is a Windows update or some other software install that starts right after boot but for whatever reason does not complete - neither successful nor with a failure. Not really the fault of the product that can't acquire the mutex. Killing the msiexec.exe that holds the mutex permits subsequent Installer runs, for a permanent solution it's necessary to identify the install that automatically commences but gets stuck. Again, this is not an issue of the Install that gets blocked.
• An update/upgrade can't be performed because the required uninstall fails with 1612 - The installation source for this product is not available. The cached MSI (xxxxxx.msi) has "disappeared" from %windir%\Installer\. Management of the cached packages is the responsibility of the Installer, a software can request that a package that is no longer needed is removed (normally when it has been used for Uninstall and the uninstall succeeded). Either it's some obscure defect in the Installer that results in premature removal of a package - can't say - or someone/something else "cleaned" the cache. Normally an "old" package with the appropriate product-code is available and can be put in place of the missing one.
• Failed CustomAction - required .INF files or the native.exe for driver replacement no longer in the Sophos Anti-Virus program directory. Might be caused by an interrupted install/uninstall. Copying the needed files form the AutoUpdate cache solves the problem. Similar for missing or corrupt registry keys (SSP is known to be affected).
• For Endpoint Defense I have seen cases where AutoUpdate's cache for SED was corrupt. AutoUpdate could be more thorough when checking the cache consistency, but simply clearing the cache causes a redownload and results in a successful update. 

You're perhaps correct that a shutdown at an unfortunate moment (i.e. when an install is in progress) might leave the computer in a broken state. This is, I assume, an Installer limitation (why do Windows Updates tell you to not turn off the computer?). Just because it's easy to correct the errors as stated above doesn't mean the software can do it - introspection only goes so far.

Why and how should some software be able to deal with a polluted DNS?

firewall - sorry, more than a few customers will complain if some software automatically fiddles with the (I assume you're talking about the local) firewall. The required settings are documented.

UAC, common locations, run as administrator - AV software has to integrate with the system. It's not your average end-user application or some portable program.

installed manually before the PC was joined to the domain - admittedly it should be noted that (if you intend to use AD Sync) the install should be performed after joining the domain.

[after install] it is normal for it to say “Update Failed” - AFAIK the only component that causes a subsequent update failed is HitmanPro.Alert. For all other components the warning is in the log but updates don't fail and aren't shown as failed.

the default Computer OU should have nothing to do with the endpoint installing or updating. And all AD Sync does w.r.t. updating is that an endpoint will receive the appropriate policy. Normally the endpoint should have a working updating policy after install - only if you install locally from a copy of the CID or a package and the computer appears in the Unassigned group it will not have a working policy. 

nested security groups
it is documented how the Sophos groups are populated and used. In a non-domain environment only users and built-in security principals can be added. In a domain environment it works with groups. But if your administrator is a local administrator that has been added after Sophos has been installed it is as you described. It's a Windows restriction.

Christian