Some Sophos services are not running

My computer tried to run an update and now I have this.  It will not update anymore.  My computer is no longer listed in Sophos Central either.  I can't uninstall because of tamper protection.  What to do?

 

Diagnostic tool says error on Management Communication and Update.  On last communication it says Failed with error 401 unauthorized



This thread was automatically locked due to age.
  • It sounds like it was deleted from Central. Maybe checking the audit log could show this was the case.

    If this is true, then I believe the MCS Client log will show 401 unauthorized as you see, so MCS messaging will break down.

    The quickest fix from here is to follow:

    https://community.sophos.com/kb/en-us/124377

    at the client and then re-deploy sophosinstall.exe.  

    Regards,

    Jak

  • Thanks, I followed that and now I get "UnInstallation failed. unable to locate sophos anti-virus msi". Trying to just run the install without uninstall, it fails immediately. Here is that log file:

    8/26/2017,9:39:40 PM,Information,------------------ Beginning installation of Sophos Anti-Virus and AutoUpdate ------------------,
    8/26/2017,9:39:40 PM,Information,Setup version 3.3.2.316,
    8/26/2017,9:39:40 PM,Information,Command line: c:\users\\appdata\local\temp\sophos_bootstrap\setup.exe -server mcs-cloudstation-eu-central-1.prod.hydra.sophos.com -token ***************** -edxtimestamp 20170827T013055Z,
    8/26/2017,9:39:40 PM,Information,Process security set successfully,
    8/26/2017,9:39:40 PM,Information,Setup program was run from C:\Users\\AppData\Local\Temp\sophos_bootstrap,
    8/26/2017,9:39:40 PM,Information,Checking system TMP paths.,
    8/26/2017,9:39:40 PM,Information,Checking TMP...,
    8/26/2017,9:39:40 PM,Information,Temp path for System found: 'C:\WINDOWS\TEMP'.,
    8/26/2017,9:39:40 PM,Information,Sophos Endpoint Defense is not installed,
    8/26/2017,9:39:40 PM,Information,Migration: 0,
    8/26/2017,9:39:40 PM,Information,Migration ID: ,
    8/26/2017,9:39:40 PM,Information,Migration Job: 0,
    8/26/2017,9:39:40 PM,Information,SEC initiated: 0,
    8/26/2017,9:39:40 PM,Information,SEC-initiated migration: 0,
    8/26/2017,9:39:40 PM,Information,Checking if Sophos Anti-Virus or Sophos AutoUpdate are installed...,
    8/26/2017,9:39:40 PM,Information,Sophos Anti-Virus is already installed on your computer.,
    8/26/2017,9:39:40 PM,Information,Starting wizard to collect information from user...,
    8/26/2017,9:39:42 PM,Information,Checking for internet connectivity...,
    8/26/2017,9:39:42 PM,Success,Successfully connected to the URL http://dci.sophosupd.com/.,
    8/26/2017,9:39:42 PM,Information,Checking for internet connectivity...,
    8/26/2017,9:39:43 PM,Success,Successfully connected to the URL mcs-cloudstation-eu-central-1.prod.hydra.sophos.com/.../ep.,
    8/26/2017,9:39:48 PM,Information,Starting the install sequence.,
    8/26/2017,9:39:48 PM,Information,Checking for local third-party software...,
    8/26/2017,9:39:48 PM,Information,Sending data back to Sophos...,
    8/26/2017,9:39:48 PM,Success,Successfully connected to the URL d1.sophosupd.com/.../x.xml.,
    8/26/2017,9:39:48 PM,Information,Sending data back to Sophos...,
    8/26/2017,9:39:48 PM,Success,Successfully connected to the URL d1.sophosupd.com/.../x.xml.,
    8/26/2017,9:39:48 PM,Information,Done.,
    8/26/2017,9:39:48 PM,Information,Installing MSI...,
    8/26/2017,9:39:48 PM,Information,Remove old SAV...,
    8/26/2017,9:39:48 PM,Information,SAV tamper-protection registry value already disabled,
    8/26/2017,9:39:48 PM,Information,Uninstallation of Sophos Anti-Virus returned exitcode: 1603,
    8/26/2017,9:39:48 PM,ERROR,The uninstallation of Sophos Anti-Virus failed. Installation of Sophos Endpoint Security and Control has failed.,
    8/26/2017,9:39:52 PM,Information,Sending EBS feedback to Sophos...,
    8/26/2017,9:39:52 PM,Information,Sending data back to Sophos...,
    8/26/2017,9:39:53 PM,Success,Successfully connected to the URL d1.sophosupd.com/.../x.xml.,
    8/26/2017,9:39:53 PM,Information,------------------ Found errors during installation: 145 ------------------,
    8/26/2017,9:39:53 PM,Information,------------------ Installation program finishing with code 145 ------------------,

  • There should be a full MSI log where it tried to remove SAV:

    8/26/2017,9:39:48 PM,Information,Uninstallation of Sophos Anti-Virus returned exitcode: 1603,
    8/26/2017,9:39:48 PM,ERROR,The uninstallation of Sophos Anti-Virus failed. Installation of Sophos Endpoint Security and Control has failed.,

    As you ran the installer, I think it should be in your temp, i.e. %temp%.  If AutoUpdate performs installs/uninstalls it would be under \windows\temp.

    Either way, we would need to see the uninstall log.

    Regards,

    Jak

    P.S. To always get an MSI log you can follow:
    https://support.microsoft.com/en-gb/help/223300/how-to-enable-windows-installer-logging

  • Here are 2 Sophos logs in my temp.

     

    Started C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallgui.exe
    2017-08-27T14:00:51Z, ERROR : Uninstall_IsRebootPending failed. QueryMultiStringValue returned 2
    2017-08-27T14:00:51Z, INFO : Machine ID: fc391af0-cc36-5297-9f54-e5df6fbc2913
    2017-08-27T14:00:51Z, INFO : Customer ID: 14d830371e3f04a95b1d88553ea69236
    2017-08-27T14:00:51Z, INFO : Endpoint ID: 095142ca-3272-2470-3ba0-ec661c8a7705
    2017-08-27T14:00:51Z, INFO : Beginning command definition.
    2017-08-27T14:00:51Z, INFO : Checking if service is installed: Sophos AutoUpdate Service
    2017-08-27T14:00:51Z, WARNING : Failed to open Sophos AutoUpdate Service : Error code 1060 Service does not exist.
    2017-08-27T14:00:51Z, INFO : Adding command to remove existing installation of SAV.
    2017-08-27T14:00:51Z, INFO : Adding command to remove existing installation of HMPA.
    2017-08-27T14:00:51Z, INFO : Adding command to remove existing installation of Sophos Clean.
    2017-08-27T14:00:51Z, INFO : Adding command to remove existing installation of EFW.
    2017-08-27T14:00:51Z, INFO : Adding command to remove existing installation of SSP.
    2017-08-27T14:00:51Z, INFO : Adding command to remove existing installation of MTD.
    2017-08-27T14:00:51Z, INFO : Adding command to remove existing installation of ESH.
    2017-08-27T14:00:51Z, INFO : Adding command to remove existing installation of SDU.
    2017-08-27T14:00:51Z, INFO : Adding command to clean up any remaining registry keys.
    2017-08-27T14:00:51Z, INFO : Adding command to clean up any remaining files.
    2017-08-27T14:00:51Z, INFO : Command definition complete.
    2017-08-27T14:00:51Z, INFO : OS version: 10.0.15063.
    2017-08-27T14:00:51Z, INFO : Service pack: 0.0.
    2017-08-27T14:00:51Z, INFO : System Language: 1033.
    2017-08-27T14:00:51Z, INFO : User Language: 1033.
    2017-08-27T14:00:51Z, INFO : 64 bit: yes.
    2017-08-27T14:00:53Z, INFO : Starting uninstallation process.
    2017-08-27T14:00:53Z, INFO : Starting Sophos Anti-Virus uninstall command.
    2017-08-27T14:00:53Z, INFO : Detected MSI version: 5.0.10011
    2017-08-27T14:00:53Z, INFO : About to Uninstall Sophos Anti-Virus
    2017-08-27T14:00:53Z, INFO : Processing INSTALLMESSAGE_ERROR or INSTALLMESSAGE_FATALEXIT message from MSI
    2017-08-27T14:00:53Z, INFO : Processing INSTALLMESSAGE_TERMINATE message from MSI
    2017-08-27T14:00:53Z, INFO : Uninstallation of Sophos Anti-Virus failed with error code: 643
    2017-08-27T14:00:53Z, INFO : Ended uninstalling Sophos Anti-Virus
    2017-08-27T14:00:53Z, ERROR : Sophos uninstall command failed.
    2017-08-27T14:00:53Z, INFO : Command completed: success 0, reboot required: 0.
    2017-08-27T14:00:53Z, ERROR : Uninstallation failed.
    2017-08-27T14:00:53Z, ERROR : Failed to open registry key. Error : 183
    2017-08-27T14:00:53Z, WARNING : WinHttpGetProxyForUrl returned: 2f94
    2017-08-27T14:00:53Z, INFO : Json to send: {"timestamp":"2017-08-27T14:00:51.571000Z","customerId":"14d830371e3f04a95b1d88553ea69236","machineId":"fc391af0-cc36-5297-9f54-e5df6fbc2913","endpointId":"095142ca-3272-2470-3ba0-ec661c8a7705","uninstaller":{"application_started":"2017-08-27T14:00:51.581000Z","system_info":{"version":"10.0.15063","service_pack":"0.0","product_type":1,"system_language":1033,"user_language":1033,"64bit":true},"uninstall_started":"2017-08-27T14:00:53.045000Z","uninstall_finished":"2017-08-27T14:00:53.355000Z","commands":{"Uninstall Sophos Anti-Virus":{"ran":true,"success":false,"reboot_required":false,"error_message":"Unable to locate Sophos Anti-Virus MSI.","start_time":"2017-08-27T14:00:53.045000Z","end_time":"2017-08-27T14:00:53.355000Z","command_type":".msi"},"Uninstall Sophos HitmanPro Alert":{"ran":false},"Uninstall Sophos Clean":{"ran":false},"Uninstall Sophos Endpoint Firewall":{"ran":false},"Uninstall Sophos System Protection":{"ran":false},"Uninstall Sophos Network Threat Protection":{"ran":false},"Uninstall Sophos Endpoint Self Help":{"ran":false},"Uninstall Sophos Diagnostic Utility":{"ran":false},"Registry Clean Up":{"ran":false},"File Clean Up":{"ran":false}},"UninstallResult":0,"RebootRequired":0,"uninstaller_type":"Business"}} to: t1.sophosupd.com
    2017-08-27T14:00:53Z, INFO : Sending HTTP PUT request to: prod/2017-08-27T14:00:51.571000Z-fc391af0-cc36-5297-9f54-e5df6fbc2913.json

     

     

    === Verbose logging started: 8/27/2017  10:00:53  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallgui.exe ===
    MSI (c) (58:6C) [10:00:53:052]: Resetting cached policy values
    MSI (c) (58:6C) [10:00:53:052]: Machine policy value 'Debug' is 0
    MSI (c) (58:6C) [10:00:53:052]: ******* RunEngine:
               ******* Product: {CA524364-D9C5-4804-92DE-2800BDAC1AA4}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (58:6C) [10:00:53:053]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (58:6C) [10:00:53:053]: Grabbed execution mutex.
    MSI (c) (58:6C) [10:00:53:128]: Cloaking enabled.
    MSI (c) (58:6C) [10:00:53:128]: Attempting to enable all disabled privileges before calling Install on Server
    MSI (c) (58:6C) [10:00:53:129]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (7C:90) [10:00:53:137]: Running installation inside multi-package transaction {CA524364-D9C5-4804-92DE-2800BDAC1AA4}
    MSI (s) (7C:90) [10:00:53:137]: Grabbed execution mutex.
    MSI (s) (7C:98) [10:00:53:139]: Resetting cached policy values
    MSI (s) (7C:98) [10:00:53:139]: Machine policy value 'Debug' is 0
    MSI (s) (7C:98) [10:00:53:139]: ******* RunEngine:
               ******* Product: {CA524364-D9C5-4804-92DE-2800BDAC1AA4}
               ******* Action:
               ******* CommandLine: **********
    MSI (s) (7C:98) [10:00:53:139]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (7C:98) [10:00:53:142]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
    MSI (s) (7C:98) [10:00:53:148]: SRSetRestorePoint skipped for this transaction.
    MSI (s) (7C:98) [10:00:53:150]: MSCOREE not loaded loading copy from system32
    MSI (s) (7C:98) [10:00:53:157]: End dialog not enabled
    MSI (s) (7C:98) [10:00:53:157]: Original package ==> C:\WINDOWS\Installer\57766.msi
    MSI (s) (7C:98) [10:00:53:157]: Package we're running from ==> C:\WINDOWS\Installer\57766.msi
    MSI (s) (7C:98) [10:00:53:162]: APPCOMPAT: Uninstall Flags override found.
    MSI (s) (7C:98) [10:00:53:162]: APPCOMPAT: Uninstall VersionNT override found.
    MSI (s) (7C:98) [10:00:53:162]: APPCOMPAT: Uninstall ServicePackLevel override found.
    MSI (s) (7C:98) [10:00:53:162]: APPCOMPAT: looking for appcompat database entry with ProductCode '{CA524364-D9C5-4804-92DE-2800BDAC1AA4}'.
    MSI (s) (7C:98) [10:00:53:162]: APPCOMPAT: no matching ProductCode found in database.
    MSI (s) (7C:98) [10:00:53:171]: Machine policy value 'DisablePatch' is 0
    MSI (s) (7C:98) [10:00:53:171]: Machine policy value 'AllowLockdownPatch' is 0
    MSI (s) (7C:98) [10:00:53:171]: Machine policy value 'DisableLUAPatching' is 0
    MSI (s) (7C:98) [10:00:53:171]: Machine policy value 'DisableFlyWeightPatching' is 0
    MSI (s) (7C:98) [10:00:53:171]: APPCOMPAT: looking for appcompat database entry with ProductCode '{CA524364-D9C5-4804-92DE-2800BDAC1AA4}'.
    MSI (s) (7C:98) [10:00:53:171]: APPCOMPAT: no matching ProductCode found in database.
    MSI (s) (7C:98) [10:00:53:171]: Transforms are not secure.
    MSI (s) (7C:98) [10:00:53:172]: Note: 1: 2205 2:  3: Control
    MSI (s) (7C:98) [10:00:53:172]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\"\AppData\Local\Temp\\Sophos Anti-Virus Uninstall 2017_08_27_14_00_53Z.log'.
    MSI (s) (7C:98) [10:00:53:172]: Command Line: REBOOT=ReallySuppress REMOVE=ALL CURRENTDIRECTORY=C:\WINDOWS\system32 CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=14936
    MSI (s) (7C:98) [10:00:53:172]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{7C0B110E-CAB1-4F11-BFA1-627DE8741BA6}'.
    MSI (s) (7C:98) [10:00:53:172]: Product Code passed to Engine.Initialize:           '{CA524364-D9C5-4804-92DE-2800BDAC1AA4}'
    MSI (s) (7C:98) [10:00:53:172]: Product Code from property table before transforms: '{CA524364-D9C5-4804-92DE-2800BDAC1AA4}'
    MSI (s) (7C:98) [10:00:53:172]: Product Code from property table after transforms:  '{CA524364-D9C5-4804-92DE-2800BDAC1AA4}'
    MSI (s) (7C:98) [10:00:53:172]: Product registered: entering maintenance mode
    MSI (s) (7C:98) [10:00:53:172]: Determined that existing product (either this product or the product being upgraded with a patch) is installed per-machine.
    MSI (s) (7C:98) [10:00:53:172]: Product {CA524364-D9C5-4804-92DE-2800BDAC1AA4} is admin assigned: LocalSystem owns the publish key.
    MSI (s) (7C:98) [10:00:53:172]: Product {CA524364-D9C5-4804-92DE-2800BDAC1AA4} is managed.
    MSI (s) (7C:98) [10:00:53:172]: MSI_LUA: Credential prompt not required, user is an admin
    MSI (s) (7C:98) [10:00:53:172]: PROPERTY CHANGE: Adding ProductState property. Its value is '5'.
    MSI (s) (7C:98) [10:00:53:172]: PROPERTY CHANGE: Adding ProductToBeRegistered property. Its value is '1'.
    MSI (s) (7C:98) [10:00:53:172]: Package name retrieved from configuration data: 'Sophos Anti-Virus.msi'
    MSI (s) (7C:98) [10:00:53:174]: Note: 1: 2262 2: AdminProperties 3: -2147287038
    MSI (s) (7C:98) [10:00:53:174]: Machine policy value 'DisableMsi' is 0
    MSI (s) (7C:98) [10:00:53:174]: Machine policy value 'AlwaysInstallElevated' is 0
    MSI (s) (7C:98) [10:00:53:174]: User policy value 'AlwaysInstallElevated' is 0
    MSI (s) (7C:98) [10:00:53:174]: Product {CA524364-D9C5-4804-92DE-2800BDAC1AA4} is admin assigned: LocalSystem owns the publish key.
    MSI (s) (7C:98) [10:00:53:174]: Product {CA524364-D9C5-4804-92DE-2800BDAC1AA4} is managed.
    MSI (s) (7C:98) [10:00:53:174]: Running product '{CA524364-D9C5-4804-92DE-2800BDAC1AA4}' with elevated privileges: Product is assigned.
    MSI (s) (7C:98) [10:00:53:174]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
    MSI (s) (7C:98) [10:00:53:174]: PROPERTY CHANGE: Adding REMOVE property. Its value is 'ALL'.
    MSI (s) (7C:98) [10:00:53:174]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\WINDOWS\system32'.
    MSI (s) (7C:98) [10:00:53:174]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
    MSI (s) (7C:98) [10:00:53:174]: PROPERTY CHANGE: Adding MSICLIENTUSESEXTERNALUI property. Its value is '1'.
    MSI (s) (7C:98) [10:00:53:174]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '14936'.
    MSI (s) (7C:98) [10:00:53:174]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
    MSI (s) (7C:98) [10:00:53:174]: RESTART MANAGER: Disabled by MSIRESTARTMANAGERCONTROL property; Windows Installer will use the built-in FilesInUse functionality.
    MSI (s) (7C:98) [10:00:53:174]: TRANSFORMS property is now:
    MSI (s) (7C:98) [10:00:53:174]: PROPERTY CHANGE: Adding PRODUCTLANGUAGE property. Its value is '1033'.
    MSI (s) (7C:98) [10:00:53:174]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
    MSI (s) (7C:98) [10:00:53:175]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Roaming
    MSI (s) (7C:98) [10:00:53:176]: SHELL32::SHGetFolderPath returned: C:\Users\"\Favorites
    MSI (s) (7C:98) [10:00:53:177]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    MSI (s) (7C:98) [10:00:53:178]: SHELL32::SHGetFolderPath returned: C:\Users\"\Documents
    MSI (s) (7C:98) [10:00:53:178]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    MSI (s) (7C:98) [10:00:53:179]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Roaming\Microsoft\Windows\Recent
    MSI (s) (7C:98) [10:00:53:180]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Roaming\Microsoft\Windows\SendTo
    MSI (s) (7C:98) [10:00:53:181]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Roaming\Microsoft\Windows\Templates
    MSI (s) (7C:98) [10:00:53:181]: SHELL32::SHGetFolderPath returned: C:\ProgramData
    MSI (s) (7C:98) [10:00:53:182]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Local
    MSI (s) (7C:98) [10:00:53:182]: SHELL32::SHGetFolderPath returned: C:\Users\"\Pictures
    MSI (s) (7C:98) [10:00:53:184]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    MSI (s) (7C:98) [10:00:53:185]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    MSI (s) (7C:98) [10:00:53:186]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
    MSI (s) (7C:98) [10:00:53:187]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
    MSI (s) (7C:98) [10:00:53:188]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
    MSI (s) (7C:98) [10:00:53:189]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    MSI (s) (7C:98) [10:00:53:190]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    MSI (s) (7C:98) [10:00:53:191]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    MSI (s) (7C:98) [10:00:53:192]: SHELL32::SHGetFolderPath returned: C:\Users\"\AppData\Roaming\Microsoft\Windows\Start Menu
    MSI (s) (7C:98) [10:00:53:193]: SHELL32::SHGetFolderPath returned: C:\Users\"\Desktop
    MSI (s) (7C:98) [10:00:53:194]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
    MSI (s) (7C:98) [10:00:53:194]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\Fonts
    MSI (s) (7C:98) [10:00:53:195]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
    MSI (s) (7C:98) [10:00:53:201]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
    MSI (s) (7C:98) [10:00:53:201]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
    MSI (s) (7C:98) [10:00:53:201]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
    MSI (s) (7C:98) [10:00:53:201]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
    MSI (s) (7C:98) [10:00:53:201]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'itadmin'.
    MSI (s) (7C:98) [10:00:53:201]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
    MSI (s) (7C:98) [10:00:53:201]: PROPERTY CHANGE: Adding Installed property. Its value is '00:00:00'.
    MSI (s) (7C:98) [10:00:53:201]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\WINDOWS\Installer\57766.msi'.
    MSI (s) (7C:98) [10:00:53:201]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\WINDOWS\Installer\57766.msi'.
    MSI (s) (7C:98) [10:00:53:201]: Machine policy value 'MsiDisableEmbeddedUI' is 0
    MSI (s) (7C:98) [10:00:53:201]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
    MSI (s) (7C:98) [10:00:53:201]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
    MSI (s) (7C:98) [10:00:53:202]: Note: 1: 2205 2:  3: PatchPackage
    MSI (s) (7C:98) [10:00:53:202]: Machine policy value 'DisableRollback' is 0
    MSI (s) (7C:98) [10:00:53:202]: User policy value 'DisableRollback' is 0
    MSI (s) (7C:98) [10:00:53:202]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
    === Logging started: 8/27/2017  10:00:53 ===
    MSI (s) (7C:98) [10:00:53:202]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
    MSI (s) (7C:98) [10:00:53:202]: PROPERTY CHANGE: Adding Preselected property. Its value is '1'.
    MSI (s) (7C:98) [10:00:53:202]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
    MSI (s) (7C:98) [10:00:53:204]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
    MSI (s) (7C:98) [10:00:53:204]: Doing action: INSTALL
    Action start 10:00:53: INSTALL.
    MSI (s) (7C:98) [10:00:53:205]: Running ExecuteSequence
    MSI (s) (7C:98) [10:00:53:206]: Doing action: AppSearch
    Action start 10:00:53: AppSearch.
    MSI (s) (7C:98) [10:00:53:207]: Note: 1: 2262 2: Signature 3: -2147287038
    MSI (s) (7C:98) [10:00:53:207]: PROPERTY CHANGE: Adding SWCSERVICEFILEEXISTS.92A5750A_B99C_4D18_8E96_314353D4097A property. Its value is 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\'.
    MSI (s) (7C:98) [10:00:53:208]: Doing action: LaunchConditions
    Action ended 10:00:53: AppSearch. Return value 1.
    Action start 10:00:53: LaunchConditions.
    MSI (s) (7C:98) [10:00:53:209]: Doing action: CheckUserIsSophosAdmin
    Action ended 10:00:53: LaunchConditions. Return value 1.
    MSI (s) (7C:9C) [10:00:53:214]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI6049.tmp, Entrypoint: CheckUserIsSophosAdmin
    MSI (s) (7C:A0) [10:00:53:215]: Generating random cookie.
    MSI (s) (7C:A0) [10:00:53:246]: Created Custom Action Server with PID 15012 (0x3AA4).
    MSI (s) (7C:8C) [10:00:53:291]: Running as a service.
    MSI (s) (7C:8C) [10:00:53:295]: Hello, I'm your 32bit Impersonated custom action server.
    Action start 10:00:53: CheckUserIsSophosAdmin.
    MSI (s) (7C!BC) [10:00:53:316]: Product: Sophos Anti-Virus -- Error 3005.Sophos Anti-Virus can only be uninstalled by users that are members of the SophosAdministrator user group.

    CustomAction CheckUserIsSophosAdmin returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 10:00:53: CheckUserIsSophosAdmin. Return value 3.
    Action ended 10:00:53: INSTALL. Return value 3.
    Property(S): DiskPrompt = [1]
    Property(S): MsiAMD64 = 6
    Property(S): VersionNT64 = 603
    Property(S): BootDriverStartup = 0
    Property(S): DeleteBDLs = 0
    Property(S): DeleteIDEs = 0
    Property(S): ALLUSERS = 1
    Property(S): System64Folder = C:\WINDOWS\system32\
    Property(S): SystemFolder = C:\WINDOWS\SysWOW64\
    Property(S): RemoveSAVI = INSTALLDIR
    Property(S): RollbackOtherFiles = 0
    Property(S): RollbackSavi = 0
    Property(S): SetAdminGroupDescription = SophosAdministrators may run Sophos Anti-Virus with complete access
    Property(S): UPDATEDRIVERS = 1
    Property(S): SetOnAccessGroupDescription = Contains accounts used by Sophos Anti-Virus when it performs threat scanning and cleanup functions
    Property(S): SetPowerGroupDescription = SophosPowerUsers may run Sophos Anti-Virus with the access that SophosUsers have, plus greater access to cleanup
    Property(S): UpdateSAVI = 0
    Property(S): SetUserGroupDescription = SophosUsers may run Sophos Anti-Virus with limited access to scanning configuration and cleanup
    Property(S): Preselected = 1
    Property(S): EventType = BEGIN_SYSTEM_CHANGE
    Property(S): SAVSERVICEUSER = NT SERVICE\SavService
    Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
    Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
    Property(S): DesktopFolder = C:\Users\Public\Desktop\
    Property(S): FavoritesFolder = C:\Users\"\Favorites\
    Property(S): FontsFolder = C:\WINDOWS\Fonts\
    Property(S): LocalAppDataFolder = C:\Users\"\AppData\Local\
    Property(S): ProgramFiles64Folder = C:\Program Files\
    Property(S): SendToFolder = C:\Users\"\AppData\Roaming\Microsoft\Windows\SendTo\
    Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Property(S): TempFolder = C:\Users\"\AppData\Local\Temp\
    Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
    Property(S): WindowsFolder = C:\WINDOWS\
    Property(S): WindowsVolume = C:\
    Property(S): CommonAppDataFolder = C:\ProgramData\
    Property(S): ProgramFilesFolder = C:\Program Files (x86)\
    Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
    Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
    Property(S): VersionNT = 603
    Property(S): Installed = 00:00:00
    Property(S): AdminUser = 1
    Property(S): Manufacturer = Sophos Limited
    Property(S): ProductCode = {CA524364-D9C5-4804-92DE-2800BDAC1AA4}
    Property(S): ProductLanguage = 1033
    Property(S): ProductName = Sophos Anti-Virus
    Property(S): ProductVersion = 10.7.3.120
    Property(S): UpgradeCode = {597B239E-3032-491A-A322-817737925E8A}
    Property(S): _IsMaintenance = Change
    Property(S): _IsSetupTypeMin = Typical
    Property(S): AFTERREBOOT = 0
    Property(S): AgreeToLicense = No
    Property(S): ApplicationUsers = AllUsers
    Property(S): APPLYCLASSICCONFIG = 0
    Property(S): ARPCOMMENTS = Protects your computer and network from threats
    Property(S): ARPCONTACT = Sophos Technical Support
    Property(S): ARPHELPLINK = http://www.sophos.com/support
    Property(S): ARPHELPTELEPHONE =  
    Property(S): ARPNOMODIFY = 1
    Property(S): ARPNOREPAIR = 1
    Property(S): ARPPRODUCTICON = ARPPRODUCTICON.exe
    Property(S): ARPURLINFOABOUT = http://www.sophos.com
    Property(S): ARPURLUPDATEINFO = www.sophos.com/.../updates
    Property(S): BOOTDRIVERSIGNED = 0
    Property(S): CHECKFORCOMPETITORS = 1
    Property(S): CHECKFORSCF = 1
    Property(S): CLASSFILTERPRESENT = 0
    Property(S): CopyBDLs = 0
    Property(S): CopyIDEs = 0
    Property(S): DATACONTROL = 0
    Property(S): DefaultUIFont = Tahoma8
    Property(S): DEVICECONTROL = 0
    Property(S): DialogCaption = Sophos Installer
    Property(S): DISABLEONACCESS = 0
    Property(S): Display_IsBitmapDlg = 1
    Property(S): DisplayNameCustom = Custom
    Property(S): DisplayNameMinimal = Minimal
    Property(S): DisplayNameTypical = Typical
    Property(S): DRIVERVERSION = 0
    Property(S): FIRST_INSTALL_DATE = 0
    Property(S): IDEONLY = 0
    Property(S): InstallChoice = AR
    Property(S): INSTALLLEVEL = 100
    Property(S): IS_COMPLUS_PROGRESSTEXT_COST = Costing COM+ application: [1]
    Property(S): IS_COMPLUS_PROGRESSTEXT_INSTALL = Installing COM+ application: [1]
    Property(S): IS_COMPLUS_PROGRESSTEXT_UNINSTALL = Uninstalling COM+ application: [1]
    Property(S): IS_PROGMSG_XML_COSTING = Costing XML files...
    Property(S): IS_PROGMSG_XML_CREATE_FILE = Creating XML file %s...
    Property(S): IS_PROGMSG_XML_FILES = Performing XML file changes...
    Property(S): IS_PROGMSG_XML_REMOVE_FILE = Removing XML file %s...
    Property(S): IS_PROGMSG_XML_ROLLBACK_FILES = Rolling back XML file changes...
    Property(S): IS_PROGMSG_XML_UPDATE_FILE = Updating XML file %s...
    Property(S): IS_SQLSERVER_AUTHENTICATION = 0
    Property(S): IS_SQLSERVER_USERNAME = sa
    Property(S): ISReleaseFlags = SAV
    Property(S): ISVROOT_PORT_NO = 0
    Property(S): MAJORUPGRADE = 0
    Property(S): MANAGED = 1
    Property(S): MSIRESTARTMANAGERCONTROL = Disable
    Property(S): NEEDREBOOT = 0
    Property(S): PIDTemplate = 12345<###-%%%%%%%>@@@@@
    Property(S): PRODUCTTYPE = 0
    Property(S): PROCESSOR_NX_ENABLED = 0
    Property(S): PROGMSG_IIS_CREATEAPPPOOL = Creating application pool %s
    Property(S): PROGMSG_IIS_CREATEAPPPOOLS = Creating application Pools...
    Property(S): PROGMSG_IIS_CREATEVROOT = Creating IIS virtual directory %s
    Property(S): PROGMSG_IIS_CREATEVROOTS = Creating IIS virtual directories...
    Property(S): PROGMSG_IIS_CREATEWEBSERVICEEXTENSION = Creating web service extension
    Property(S): PROGMSG_IIS_CREATEWEBSERVICEEXTENSIONS = Creating web service extensions...
    Property(S): PROGMSG_IIS_EXTRACT = Extracting information for IIS virtual directories...
    Property(S): PROGMSG_IIS_EXTRACTDONE = Extracted information for IIS virtual directories...
    Property(S): PROGMSG_IIS_REMOVEAPPPOOL = Removing application pool
    Property(S): PROGMSG_IIS_REMOVEAPPPOOLS = Removing application pools...
    Property(S): PROGMSG_IIS_REMOVESITE = Removing web site at port %d
    Property(S): PROGMSG_IIS_REMOVEVROOT = Removing IIS virtual directory %s
    Property(S): PROGMSG_IIS_REMOVEVROOTS = Removing IIS virtual directories...
    Property(S): PROGMSG_IIS_REMOVEWEBSERVICEEXTENSION = Removing web service extension
    Property(S): PROGMSG_IIS_REMOVEWEBSERVICEEXTENSIONS = Removing web service extensions...
    Property(S): PROGMSG_IIS_ROLLBACKAPPPOOLS = Rolling back application pools...
    Property(S): PROGMSG_IIS_ROLLBACKVROOTS = Rolling back virtual directory and web site changes...
    Property(S): PROGMSG_IIS_ROLLBACKWEBSERVICEEXTENSIONS = Rolling back web service extensions...
    Property(S): ProgressType0 = install
    Property(S): ProgressType1 = Installing
    Property(S): ProgressType2 = installed
    Property(S): ProgressType3 = installs
    Property(S): RebootYesNo = Yes
    Property(S): Registration = No
    Property(S): ReinstallModeText = omus
    Property(S): SAVIONLY = 0
    Property(S): SCRIPTDIR = [SOURCEDIR]
    Property(S): SequenceNumber = 0
    Property(S): SetupType = Typical
    Property(S): UITYPE = full
    Property(S): UNINSTALLBOOTDRIVERS = 1
    Property(S): UNINSTALLCLASSFILTER = 1
    Property(S): UNINSTALLDRIVERS = 1
    Property(S): UNINSTALLERROR = An older version of Sophos Anti-Virus has not been fully removed from your machine. Please reboot your machine before attempting to install Sophos Anti-Virus.
    Property(S): UNINSTALLKMSDRIVERS = 1
    Property(S): UPDATEBOOTDRIVERS = 1
    Property(S): UPDATECLASSFILTER = 0
    Property(S): VIRUSDATAUPDATE = 0
    Property(S): SecureCustomProperties = EXCLUDEDPROCESSES;INSTALLINGVERSION;MAJORUPGRADE;WEBCONTROL
    Property(S): SWCSERVICEFILEEXISTS.92A5750A_B99C_4D18_8E96_314353D4097A = C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\
    Property(S): REBOOTREQUIREDFILE.11DACB83_28A7_4FA6_AF5B_C006E340C101 = SwiRebootRequired.txt
    Property(S): MsiLogFileLocation = C:\Users\"\AppData\Local\Temp\\Sophos Anti-Virus Uninstall 2017_08_27_14_00_53Z.log
    Property(S): PackageCode = {7C0B110E-CAB1-4F11-BFA1-627DE8741BA6}
    Property(S): ProductState = 5
    Property(S): ProductToBeRegistered = 1
    Property(S): REBOOT = ReallySuppress
    Property(S): REMOVE = ALL
    Property(S): CURRENTDIRECTORY = C:\WINDOWS\system32
    Property(S): CLIENTUILEVEL = 3
    Property(S): MSICLIENTUSESEXTERNALUI = 1
    Property(S): CLIENTPROCESSID = 14936
    Property(S): PRODUCTLANGUAGE = 1033
    Property(S): VersionDatabase = 200
    Property(S): VersionMsi = 5.00
    Property(S): WindowsBuild = 9600
    Property(S): ServicePackLevel = 0
    Property(S): ServicePackLevelMinor = 0
    Property(S): MsiNTProductType = 1
    Property(S): RemoteAdminTS = 1
    Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
    Property(S): AppDataFolder = C:\Users\"\AppData\Roaming\
    Property(S): NetHoodFolder = C:\Users\"\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
    Property(S): PersonalFolder = C:\Users\"\Documents\
    Property(S): PrintHoodFolder = C:\Users\"\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
    Property(S): RecentFolder = C:\Users\"\AppData\Roaming\Microsoft\Windows\Recent\
    Property(S): MyPicturesFolder = C:\Users\"\Pictures\
    Property(S): GPTSupport = 1
    Property(S): OLEAdvtSupport = 1
    Property(S): ShellAdvtSupport = 1
    Property(S): Msix64 = 6
    Property(S): Intel = 6
    Property(S): PhysicalMemory = 32593
    Property(S): VirtualMemory = 29782
    Property(S): MsiTrueAdminUser = 1
    Property(S): LogonUser = "
    Property(S): UserSID = S-1-5-21-406149214-528381104-3600610840-2272
    Property(S): UserLanguageID = 1033
    Property(S): ComputerName = MISLAP1116
    Property(S): SystemLanguageID = 1033
    Property(S): ScreenX = 1024
    Property(S): ScreenY = 768
    Property(S): CaptionHeight = 23
    Property(S): BorderTop = 1
    Property(S): BorderSide = 1
    Property(S): TextHeight = 16
    Property(S): TextInternalLeading = 3
    Property(S): ColorBits = 32
    Property(S): TTCSupport = 1
    Property(S): Time = 10:00:53
    Property(S): Date = 8/27/2017
    Property(S): MsiNetAssemblySupport = 4.7.2046.0
    Property(S): MsiWin32AssemblySupport = 6.3.15063.0
    Property(S): RedirectedDllSupport = 2
    Property(S): MsiRunningElevated = 1
    Property(S): Privileged = 1
    Property(S): USERNAME = itadmin
    Property(S): DATABASE = C:\WINDOWS\Installer\57766.msi
    Property(S): OriginalDatabase = C:\WINDOWS\Installer\57766.msi
    Property(S): UILevel = 2
    Property(S): ACTION = INSTALL
    MSI (s) (7C:98) [10:00:53:340]: Note: 1: 1725
    MSI (s) (7C:98) [10:00:53:340]: Product: Sophos Anti-Virus -- Removal failed.

    MSI (s) (7C:98) [10:00:53:341]: Windows Installer removed the product. Product Name: Sophos Anti-Virus. Product Version: 10.7.3.120. Product Language: 1033. Manufacturer: Sophos Limited. Removal success or error status: 1603.

    MSI (s) (7C:98) [10:00:53:343]: Deferring clean up of packages/files, if any exist
    MSI (s) (7C:98) [10:00:53:343]: MainEngineThread is returning 1603
    MSI (s) (7C:90) [10:00:53:343]: No System Restore sequence number for this installation.
    === Logging stopped: 8/27/2017  10:00:53 ===
    MSI (s) (7C:90) [10:00:53:344]: User policy value 'DisableRollback' is 0
    MSI (s) (7C:90) [10:00:53:344]: Machine policy value 'DisableRollback' is 0
    MSI (s) (7C:90) [10:00:53:345]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (7C:90) [10:00:53:345]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
    MSI (s) (7C:90) [10:00:53:345]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
    MSI (s) (7C:90) [10:00:53:345]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (s) (7C:90) [10:00:53:346]: Destroying RemoteAPI object.
    MSI (s) (7C:A0) [10:00:53:346]: Custom Action Manager thread ending.
    MSI (c) (58:6C) [10:00:53:347]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (58:6C) [10:00:53:348]: MainEngineThread is returning 1603
    === Verbose logging stopped: 8/27/2017  10:00:53 ===

  • This is your error:

    CheckUserIsSophosAdmin.
    MSI (s) (7C!BC) [10:00:53:316]: Product: Sophos Anti-Virus -- Error 3005.Sophos Anti-Virus can only be uninstalled by users that are members of the SophosAdministrator user group.

    CustomAction CheckUserIsSophosAdmin returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 10:00:53: CheckUserIsSophosAdmin. Return value 3.
    Action ended 10:00:53: INSTALL. Return value 3.

    and the reason the SAV MSI is failing to uninstall?

    You are logged on as the account: itadmin, is this a member of the local SophosAdministrator group?  If not can you add it?

    Worst case scenario, you can find the UninstallString for the SAV product from the uninstall hive of the registry. If you run this command as the System user, the easiest way is to use
    psexec -s -i cmd

    That will also work but ensuring the uninstalling user is a member of the SophosAdministrator group is the easiest.  See: https://community.sophos.com/kb/en-us/110534 

    Regards,

    Jak
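The triage step used in the reply above (find the first action that ended with `Return value 3`, which Windows Installer logs for a failed action, and the error logged just before it), as an added example that is not part of the original thread or any Sophos tooling. The function name `triage` and the sample log, assembled from lines quoted in this thread, are assumptions of this example.

```python
import re

# Constructed sample: assembled from log lines quoted in this thread.
SAMPLE_LOG = """
    MSI (s) (7C!BC) [10:00:53:316]: Product: Sophos Anti-Virus -- Error 3005.Sophos Anti-Virus can only be uninstalled by users that are members of the SophosAdministrator user group.
    CustomAction CheckUserIsSophosAdmin returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 10:00:53: CheckUserIsSophosAdmin. Return value 3.
    Action ended 10:00:53: INSTALL. Return value 3.
    Property(S): USERNAME = itadmin
    Property(S): REMOVE = ALL
    MSI (s) (7C:98) [10:00:53:341]: Windows Installer removed the product. Product Name: Sophos Anti-Virus. Product Version: 10.7.3.120. Product Language: 1033. Manufacturer: Sophos Limited. Removal success or error status: 1603.
"""

ACTION_END = re.compile(r"^Action ended [\d:]+: (\S+)\. Return value (\d+)\.")
ERROR = re.compile(r"-- Error (\d+)\.\s*(.*)")
PROP = re.compile(r"^Property\(S\): (\S+) = (.*)$")
STATUS = re.compile(r"(?:Removal|Installation) success or error status: (\d+)\.")

def triage(log_text):
    """Summarise a verbose MSI log: first failed action, its error, user, final status."""
    result = {"failed_action": None, "error": None, "user": None, "status": None}
    last_error = None
    for raw in log_text.splitlines():
        line = raw.strip()  # forum-pasted logs are often indented
        m = ERROR.search(line)
        if m:
            last_error = (int(m.group(1)), m.group(2))
            continue
        m = ACTION_END.match(line)
        # Only the first "Return value 3" is the root cause; later ones are parents failing.
        if m and m.group(2) == "3" and result["failed_action"] is None:
            result["failed_action"] = m.group(1)
            result["error"] = last_error
            continue
        m = PROP.match(line)
        if m and m.group(1) == "USERNAME":
            result["user"] = m.group(2)
            continue
        m = STATUS.search(line)
        if m:
            result["status"] = int(m.group(1))
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
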
