SophosUpdate -> AVRemoveW hung

I am doing a Sophos Central Endpoint Protection rollout, and have one computer causing issues.

The installation completes, but with Anti-Virus and a few other components missing.

When I try to do an update, I see that SophosUpdate.exe starts, then launches AVRemoveW.exe, which hangs for a while (30 minutes?) and then finally ends, after which the update reports as failed.

When I drill down using Process Explorer, I see that AVRemoveW.exe has invoked a MessageBox and is waiting for user input. Unfortunately the MessageBox is not visible, so I can't do anything with it or see what it is trying to tell me.

When I run avremove.exe by itself it tells me there are no competitor products installed, so it is only bugging out when run from sophosupdate.exe.

Any ideas?

thanks

James

  • Further to the above, this gets logged to avremovew.exe.log (when tamper protection is disabled):

    Traceback (most recent call last):
      File "AVRemoveW.py", line 9, in <module>
      File "ntpath.pyo", line 65, in join
      File "ntpath.pyo", line 115, in splitdrive
    TypeError: object of type 'NoneType' has no len()

    Which at a guess is going to be the contents of the MessageBox. So maybe there is a path in the registry of the SYSTEM user that is causing an issue?

    I've looked and can't find anything though.

    James

  • If it's something to do with paths, presumably file-based going by "splitdrive", I wonder if Process Monitor could hint at what path is being operated on. Have you tried capturing a PML file?

    Also, from the PML, can you look at the process tree view, and paste a screenshot, ideally showing the command line column.

    Regards,
    Jak

  • Process Monitor is how I figured out that it was stuck at a MessageBox.

    Nothing else shows up though - no attempts to access paths or read registry keys containing paths. It bails out very early on.

    Comparing with a working system, I noticed that the TEMP environment variable wasn't defined (in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment or something like that). Once I defined that, it worked just fine. I think user accounts define their own TEMP environment variable, which is why it worked as a logged-in user, just not for the SYSTEM account.

  • Interesting, I guess if you set up a filter in Process Monitor for "Operation" "is" "Process Start" on the computer, launch a process as system (maybe just restart a Windows service running as local system) and launch a process as the logged on user... When looking at the properties of these 2 events, the environment section for the process running as system wouldn't have TEMP or TMP set, whereas the logged on user would have.

    Regards,

    Jak
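The traceback above (`ntpath.join` calling `splitdrive` on a `None`) is exactly what an unguarded `os.path.join(os.environ.get("TEMP"), ...)` produces when the variable is absent from the machine-wide environment that services running as SYSTEM inherit. The following is an added example written for this thread, not code from Sophos or from AVRemoveW.py: it reproduces the failure against a constructed environment dictionary, shows a hardened version that falls back to TMP and then to a documented default, and includes a small check that reports which temp variables a process environment is missing. The fallback path `C:\Windows\Temp` and the dictionary contents are assumptions for the demo. Note that the exception message wording differs between Python 2 (the `.pyo` files in the traceback) and Python 3, but the exception type is `TypeError` in both.

```python
import ntpath  # Windows path semantics; importable on any platform, so the demo runs offline anywhere

# Default used only when neither TEMP nor TMP is set; assumption for this example,
# chosen because it is the usual machine-wide temp location for the SYSTEM account.
DEFAULT_SYSTEM_TEMP = r"C:\Windows\Temp"


def build_work_path(env, filename):
    """Unguarded pattern matching the traceback: joins whatever TEMP holds, even None."""
    return ntpath.join(env.get("TEMP"), filename)


def build_work_path_safe(env, filename):
    """Hardened pattern: prefer TEMP, then TMP, then a documented default.

    Returns (path, source) so a caller can log where the directory came from,
    which is the information the hidden MessageBox never got to show.
    """
    for var in ("TEMP", "TMP"):
        value = env.get(var)
        if value:
            return ntpath.join(value, filename), var
    return ntpath.join(DEFAULT_SYSTEM_TEMP, filename), "default"


def missing_temp_vars(env):
    """Return the names of the temp variables that are unset or empty in this environment.

    An empty list means the process would have a usable TEMP and TMP; a non-empty
    list is the finding to compare between a SYSTEM process and a user process,
    as suggested with the Process Monitor "Process Start" filter above.
    """
    return [var for var in ("TEMP", "TMP") if not env.get(var)]


def reproduce_failure(env, filename):
    """Run the unguarded join and report whether it raised the thread's TypeError."""
    try:
        build_work_path(env, filename)
        return "ok"
    except TypeError:
        return "TypeError"


# Constructed sample environments: what a logged-in user's process sees versus a
# SYSTEM process on a machine whose machine-wide TEMP/TMP values were never defined.
USER_ENV = {
    "USERNAME": "james",
    "TEMP": r"C:\Users\james\AppData\Local\Temp",
    "TMP": r"C:\Users\james\AppData\Local\Temp",
}
BROKEN_SYSTEM_ENV = {
    "USERNAME": "SYSTEM",
    "SystemRoot": r"C:\Windows",
}

if __name__ == "__main__":
    for label, env in (("user", USER_ENV), ("system", BROKEN_SYSTEM_ENV)):
        print(label, "missing:", missing_temp_vars(env))
        print(label, "unguarded join:", reproduce_failure(env, "avremovew.exe.log"))
        print(label, "guarded join:", build_work_path_safe(env, "avremovew.exe.log"))
```

Running the block shows the user environment succeeding on both paths while the SYSTEM environment raises `TypeError` on the unguarded join and lands on the default directory with the guarded one; the `missing_temp_vars` result for the SYSTEM environment is the same finding the thread reached by comparing registry values against a working machine.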