Unable to reinstall Sophos Intercept X

I have a PC that was having some issues.  I first tried to do a system restore but it would not let me because of Intercept X.  There is no easy way, that I found, to turn off Sophos for something like this.  SO, I did an uninstall of Sophos.  That then allowed me to do a system restore in Windows 10.  After the reboot it brought part of Sophos back.  I was not able to uninstall or install because of Tamper Protection.  I found in the community how to get around that issue.  That worked up to a point.  It said it uninstall Sophos.  Now I can get part way through the reinstall of the program and it will fail.  I have tried a few different things with no luck.  Any suggestions would be greatly appreciated.

 

Thanks,

Norman

  • The latest Central installer log file (C:\ProgramData\Sophos\CloudInstaller\Logs\) will help from a high level to know which component or components might be failing to install.  You can then find the install logs under %temp%.  Maybe you can attach the files here?

    Regards,
    Jak


  • In reply to jak:

    There were two different sets of logs.  There was "sophoscloudinstaller" and "Sophos_Sophos Autoupdate".  I grabbed the most recent of both.  Lets try just the Installer and see if that provides any useful info.

    SophosCloudInstaller_20190814_204340.log

    Here is the Autoupdate log file.

    Sophos_Sophos AutoUpdate 20190814_204540.log

  • Ive had a few issues with uninstalling sophos and then re-installing. Sometimes it appears that parts of Sophos get left. Try out Total Uninstaller(trial) and have it uninstall each component of Sophos. it goes pretty quick. Its been a life saver for myself. I used to love revo, but revo uninstaller doesnt seem to be able to find any sophos installation left overs like Total Uninstaller can.

  • In reply to Steve Dugger:

    OK, where is it?  I cannot seem to locate it.

    Norman

  • If you have turned off tamper protection, please try out the uninstall script here: https://sophos.com/kb/122126

    If that does not work, you can check out any HitmanPro.alert uninstall logs from %localappdata%\Temp or C:\Windows Temp, see if there are any error codes that come up (usually at the end of the log). See if you also find error codes such as error 1920, etc.

    Hope the above information helps you.

     

    Thanks,

  • In reply to DianneY:

    The Central installer is trying to remove the Sophos AutoUpdate component and failing:

    2019-08-14T20:45:43.8097498Z INFO : Uninstallation of Sophos AutoUpdate failed with error code: 1603
    2019-08-14T20:45:43.8097498Z INFO : Ended uninstalling Sophos AutoUpdate
    2019-08-14T20:45:43.8097498Z ERROR : UninstallCommand::onRun MSI error exit code 1603
    2019-08-14T20:45:43.8097498Z INFO : Command 'Uninstall' completed with failure with reboot code '0' and error message 'Could not uninstall existing Sophos software'.

    The log for this MSI uninstall of SAU shows the failure to be:

    MSI (s) (0C:34) [16:45:43:387]: Product: Sophos AutoUpdate XG -- Error 1309. Error reading from file: C:\WINDOWS\Installer\program files\Sophos\AutoUpdate\ALsvc.exe. System error 3. Verify that the file exists and that you can access it.

    MSI (s) (0C:34) [16:45:43:419]: Note: 1: 2265 2: 3: -2147287035
    MSI (s) (0C:34) [16:45:43:419]: User policy value 'DisableRollback' is 0
    MSI (s) (0C:34) [16:45:43:419]: Machine policy value 'DisableRollback' is 0
    Action ended 16:45:43: InstallFinalize. Return value 3.

    C:\WINDOWS\Installer\program files\Sophos\AutoUpdate\ALsvc.exe seems an odd path and it's not suprising it's getting error 3, which is ERROR_PATH_NOT_FOUND.

    This is the cached msi file being used for the uninstall:

    C:\WINDOWS\Installer\76719.msi

    You can try right clicking on that to uninstall SAU and I think removing SAU manually should be the focus before re-running the Central Installer.

    I think I might be tempted to take a copy of alsvc.exe from C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe (I assume it's still there?) and maybe create the path referenced, just so it finds it in that location when you run the uninstall.  Maybe run Process Monitor to confirm that is the path that is being checked for during the uninstall.

    Hopefully that helps.

    Jak

  • In reply to jak:

    Fell like I am going down hill in a hand basket (LOL).

    Went to C:\Windows\Installer and tried to run the 76719.msi. It failed.

    Went to C:\Program Files (x86)\Sophos and nothing in the Sophos folder.

    Went to C:\Program Files\Sophos and there are files there.  But, no Auto Update.

    Also tried the previous persons suggestion with running the batch file.  Nope, that did not help. Failed to uninstall.

  • In reply to NormanGoswick:

    Thanks for your update. You can try copying the C:\Program Files (x86)\Sophos folder and its contents from a working machine to this problem machine, and try uninstalling again.

    If that does not work, please raise a support case, and also include SDU logs. Support should be able to help remove Sophos via removal script.

  • Hi Norman 

    A Microsoft approved method of removing failed installations is MSIEXEC

    msiexec /x {GUID-of-product-to-uninstall} REMOVE=ALL REBOOT=R /q

    Try with tamper protection OFF

    Kind regards

    Paul

     

     

  • Some years ago as we started with Sophos we have this problem too with the uninstallation or repairing on clients.

    If we have problems now with uninstalling Sophos we use a Tool called TotalUninstaller. (This also helps if you have issues with other broken msi installers)

    https://www.martau.com/

    You can also use other Uninstaller Tools but this is the one I found first and still using over the years.

    The tool will analyse the installed program in this case Sophos, will list services, folders, registry-keys and so on and will hardly remove it. After a restart you should be able to install Sophos normally. It doesent matter if Tamper protection is still on. 

    Maybe this will help to solve to uninstall broken msi packages like the single Sophos components. If not, it was atleast a good try. 

  • In reply to jak:

    Neat Tools, I have been wondering why they did not have something like this.