Sophos SAVAdminService and SavService being removed and re-installed

I have a strange problem with a P.C. on the network: it is constantly removing and reinstalling SavAdmin and SavService. I get EVEREST reports (of software changes) every 30 minutes like this:

* Service removed: SAVAdminService,Sophos Anti-Virus status reporter,SAVAdminService.exe,9.5.4.9570
* Service removed: SAVService,Sophos Anti-Virus,SavService.exe,9.5.0.9530

* New service installed: SAVAdminService,Sophos Anti-Virus status reporter,SAVAdminService.exe,9.5.4.9570
* New service installed: SAVService,Sophos Anti-Virus,SavService.exe,9.5.0.9530

then another :

* Service removed: SAVAdminService,Sophos Anti-Virus status reporter,SAVAdminService.exe,9.5.4.9570
* Service removed: SAVService,Sophos Anti-Virus,SavService.exe,9.5.0.9530

* New service installed: SAVAdminService,Sophos Anti-Virus status reporter,SAVAdminService.exe,9.5.4.9570
* New service installed: SAVService,Sophos Anti-Virus,SavService.exe,9.5.0.9530

Any ideas what is causing this? Sophos Endpoint is configured to update the clients every 30 minutes, but no other P.C.s are doing this.

  • Hi,

    In "\Windows\temp\", SAV keeps its install logs, of which there are 2 for each update (timestamps are the same):

    1. Sophos Anti-Virus Install Log_[timestamp].txt
    2. Sophos Anti-Virus CustomActions Log_[timestamp].txt

    Are you able to make the contents of those available? This might help determine the state.

    Regards,

    Jak

  • One of them is about 2Mib; can you suggest a way of making it available? The other is:

    Sophos Anti-Virus CustomActions Log_120514_081238.txt

    2012-05-14 09:12:38 Starting competitor detection...
    2012-05-14 09:13:05 Setting class filter present property to: 1
    2012-05-14 09:13:05 PROCESSOR_ARCHITECTURE environment variable is: x86
    2012-05-14 09:13:42 Unable to create an instance of ComponentManager - SystemInformation will not be informed of the update
    2012-05-14 09:13:49 WaitForSAVService: Walking system processes...
    2012-05-14 09:13:49 WaitForSAVService: Finished walking system processes.
    2012-05-14 09:13:49 IsServiceInstalled: Unable to get a handle to requested service SAVOnAccess control. Returning false.
    2012-05-14 09:13:49 IsServiceInstalled: Unable to get a handle to requested service SAVOnAccess filter. Returning false.
    2012-05-14 09:13:59 CopyOtherFiles custom action - Copying other driver files
    2012-05-14 09:13:59 Copying class filter source: C:\Program Files\Sophos\AutoUpdate\cache\savxp\classfilterdrivers\i386\SDCFILTER.INF, target: C:\Program Files\Sophos\Sophos Anti-Virus\
    2012-05-14 09:14:00 GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll detoured exists, proceeding to rename it & mark for delete.
    2012-05-14 09:14:00 PROCESSOR_ARCHITECTURE environment variable is: x86
    2012-05-14 09:14:00 BopsUnregister: could not get short path to DLL. It will not be unregistered.
    2012-05-14 09:14:00 GetRidOfExistingDetoured - C:\Program Files\Sophos\Sophos Anti-Virus\detoured.dll does not exist, no further action.
    2012-05-14 09:14:00 BOPS path already exists
    2012-05-14 09:14:00 PROCESSOR_ARCHITECTURE environment variable is: x86
    2012-05-14 09:14:00 IsServiceRunning: Unable to get a handle to requested service SAVOnAccess control. Returning false.
    2012-05-14 09:15:35 Unable to create an instance of ComponentManager - SystemInformation cannot be informed of end of update

  • That certainly looks like a full update.  Maybe Pastebin, splitting the file over a couple as needed.

    As a stab in the dark, does the file "savsync.upd" exist in "C:\Program Files\Sophos\Sophos Anti-Virus\"?

    Jak

  • Ok, I suppose that as AutoUpdate (SAU) isn't or shouldn't be downloading new updates every 30 minutes, it might be worth looking at the AutoUpdate trace logs, to see if it's kicking off an update of SAV at every update regardless.

    Are you able to make the last one of these:

    C:\ProgramData\Sophos\AutoUpdate\Logs\ALUpdate[timestamp].log

    available which spans a couple of updates?  Maybe use Pastebin for example.

    The start of an update can be seen with the line containing:

    ALUpdate started:

    If SAU is going to install SAV, you should see the line:

    SetupAction::Execute: Creating thread to install product SAVXP

    If no update is required you would see:

    ALUpdate(Action.Skipped): SAVXP

    So do you always see the line to install?  If so, it suggests the problem is more with why SAU is initiating an install at each scheduled update check.  Is it pulling down files?  

    Regards,

    Jak 

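The check described in the post above (does every update cycle start an install of SAVXP, or are some skipped?) can be run mechanically over an ALUpdate log. The following Python sketch is an added example, not part of the original thread and not Sophos tooling; only the three marker strings come from the post, while the timestamp prefix and the sample lines are constructed for illustration.

```python
# Marker strings quoted in the post above; everything else is an assumption.
START = "ALUpdate started:"
INSTALL = "SetupAction::Execute: Creating thread to install product "
SKIPPED = "ALUpdate(Action.Skipped): "

# Constructed sample (not a real ALUpdate log): one healthy check, then two
# checks that each kick off an install of SAVXP.
SAMPLE_LOG = """\
2012-05-14 08:12:30 ALUpdate started: constructed sample
2012-05-14 08:12:41 ALUpdate(Action.Skipped): SAVXP
2012-05-14 08:42:30 ALUpdate started: constructed sample
2012-05-14 08:42:52 SetupAction::Execute: Creating thread to install product SAVXP
2012-05-14 09:12:30 ALUpdate started: constructed sample
2012-05-14 09:12:38 SetupAction::Execute: Creating thread to install product SAVXP
"""


def parse_cycles(text):
    """Split a log into update cycles and record installs/skips per cycle."""
    cycles = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if START in line:
            cycles.append({"line": lineno, "installs": [], "skipped": []})
            continue
        if not cycles:
            continue  # lines before the first cycle start belong to no cycle
        for marker, key in ((INSTALL, "installs"), (SKIPPED, "skipped")):
            if marker in line:
                rest = line.split(marker, 1)[1].split()
                if rest:  # tolerate a truncated line with no product name
                    cycles[-1][key].append(rest[0])
    return cycles


def trailing_install_streak(cycles, product="SAVXP"):
    """Count the most recent consecutive cycles that started an install."""
    streak = 0
    for cycle in reversed(cycles):
        if product not in cycle["installs"]:
            break
        streak += 1
    return streak


if __name__ == "__main__":
    found = parse_cycles(SAMPLE_LOG)
    for c in found:
        print(c["line"], "install" if c["installs"] else "skipped", c)
    print("consecutive install cycles at end of log:", trailing_install_streak(found))
```

A streak that grows with every scheduled check means AutoUpdate is starting an install each time, which is the situation the post asks about.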
  • Hi,

    That shows that SAV is failing to install, which explains what you report: SAU keeps trying to install it every 30 minutes and it fails each time.

    The lines of interest are:

    MSI (s) (DC:08) [06:45:41:429]: Executing op: FileCopy(SourceName=TAMPER~1.DLL|TamperProtectionControl.dll,SourceCabKey=tamperprotectioncontrol.dll,DestName=TamperProtectionControl.dll,Attributes=8192,FileSize=44784,PerTick=32768,,VerifyMedia=1,,,,,CheckCRC=0,Version=9.5.0.9530,Language=1033,InstallMode=126091264,,,,,,,)
    MSI (s) (DC:08) [06:45:41:429]: File: C:\Program Files\Sophos\Sophos Anti-Virus\TamperProtectionControl.dll;	Won't Overwrite;	Won't patch;	Existing file is of an equal version
    MSI (s) (DC:08) [06:45:41:429]: Executing op: FileCopy(SourceName=TAMPER~2.DLL|TamperProtectionManagement.dll,SourceCabKey=tamperprotectionmanagement.d,DestName=TamperProtectionManagement.dll,Attributes=8192,FileSize=110832,PerTick=32768,,VerifyMedia=1,,,,,CheckCRC=0,Version=9.5.0.9530,Language=1033,InstallMode=126091264,,,,,,,)
    MSI (s) (DC:08) [06:45:56:163]: File: C:\Program Files\Sophos\Sophos Anti-Virus\TamperProtectionManagement.dll;	To be installed;	Won't patch;	No existing file
    MSI (s) (DC:08) [06:45:56:163]: Source for file 'TamperProtectionManagement.dll' is uncompressed, at 'C:\Program Files\Sophos\AutoUpdate\cache\savxp\program files\Sophos\Sophos Anti-Virus\'.
    MSI (s) (DC:08) [06:46:45:211]: Note: 1: 2318 2: C:\Program Files\Sophos\Sophos Anti-Virus\TamperProtectionManagement.dll 
    MSI (s) (DC:08) [06:47:14:618]: Note: 1: 1310 2: 23 3: C:\Program Files\Sophos\Sophos Anti-Virus\TamperProtectionManagement.dll 
    MSI (s) (DC:08) [06:47:14:633]: Product: Sophos Anti-Virus -- Error 1310.Error writing to file: C:\Program Files\Sophos\Sophos Anti-Virus\TamperProtectionManagement.dll.  System error 23.  Verify that you have access to that directory.

    Can you try renaming the file referenced (C:\Program Files\Sophos\Sophos Anti-Virus\TamperProtectionManagement.dll) and force another update?  Do you get a problem with the same file in the next log file generated?

    I also notice, you're installing 9.5, which is a bit old.  There was 9.7 and now SAV 10.  So it might be worth uninstalling and starting again on the latest but try the above first.  It may trip up on another file of course but the next log should reveal all.

    Regards,

    Jak

  • Thanks for bearing with me. I renamed the file; it still doesn't work and the log files are a lot shorter:

    2012-05-22 14:41:11 Unable to create an instance of ComponentManager - SystemInformation will not be informed of the update
    2012-05-22 14:41:11 About to wait for event Global\!$_SAVI_!$$!_EVENT_$!__ReadyForUpdate
    2012-05-22 14:41:11 Successfully waited for event Global\!$_SAVI_!$$!_EVENT_$!__ReadyForUpdate
    2012-05-22 14:41:11 DataUpdateRequest signalled
    2012-05-22 14:41:11 About to wait for event Global\!$_SAVI_!$$!_EVENT_$!__Suspended
    2012-05-22 14:41:11 Successfully waited for event Global\!$_SAVI_!$$!_EVENT_$!__Suspended
    2012-05-22 14:41:26 SAVI dll was installed successfully
    2012-05-22 14:41:26 Policy files unchanged - ConfigureSAV will not be called
    2012-05-22 14:41:57 Unable to create an instance of ComponentManager - SystemInformation cannot be informed of end of update
    2012-05-22 14:40:40 Info: Logging started: installing/upgrading Sophos Anti-Virus
    2012-05-22 14:40:40 Info: InstallFromPath is: C:\Program Files\Sophos\AutoUpdate\cache\savxp
    2012-05-22 14:40:40 Info: InstallToPath is: 
    2012-05-22 14:40:40 Detected version of SAV has major version number: 9
    2012-05-22 14:40:40 Detected version of SAV has minor version number: 5
    2012-05-22 14:40:40 Info: registryInstallTo [overriding InstallToPath] is: C:\Program Files\Sophos\Sophos Anti-Virus
    2012-05-22 14:40:40 Info: SetupPlugin: updateProps.m_MajorUpdate = 0
    2012-05-22 14:40:40 Info: SetupPlugin: updateProps.m_DataOnlyUpdate = 1
    2012-05-22 14:40:40 Info: SetupPlugin: updateProps.m_OnAccessDriverUpdate = 0
    2012-05-22 14:40:40 Info: SetupPlugin: updateProps.m_BootDriverUpdate = 0
    2012-05-22 14:40:40 Info: SetupPlugin: updateProps.m_ClassFilterUpdate = 0
    2012-05-22 14:40:40 Info: SetupPlugin: updateProps.m_RemoveWebScanning = 0
    2012-05-22 14:40:40 Info: Installing sav only: 0
    2012-05-22 14:40:40 Managed install
    2012-05-22 14:40:40 Info: MSXML6 is installed
    2012-05-22 14:40:40 Info: Logging started: performing minor update to Sophos Anti-Virus.
    2012-05-22 14:40:40 Info: Beginning Shared Custom Actions. Logging will appear in Custom Action log.
    2012-05-22 14:40:40 Info: Running SetUpdateBegin shared custom action.
    2012-05-22 14:41:11 Info: Return Value from SetUpdateBegin: 0
    2012-05-22 14:41:11 Info: Running DeleteRuleFiles(IDEs) shared custom action.
    2012-05-22 14:41:11 Info: Return Value from DeleteRuleFiles(IDEs): 0
    2012-05-22 14:41:11 Info: Running DeleteRuleFiles(HIPSConfig) shared custom action.
    2012-05-22 14:41:11 Info: Return Value from DeleteRuleFiles(HIPSConfig): 0
    2012-05-22 14:41:11 Info: Running DeleteRuleFiles(bdls) shared custom action.
    2012-05-22 14:41:11 Info: Return Value from DeleteRuleFiles(bdls): 0
    2012-05-22 14:41:11 Info: Running CopyHotUpdateFiles shared custom action.
    2012-05-22 14:41:11 Info: Return Value from CopyHotUpdateFiles: 0
    2012-05-22 14:41:11 Info: Running UpdateSAVI shared custom action.
    2012-05-22 14:41:26 Info: Return Value from UpdateSAVI: 0
    2012-05-22 14:41:26 Info: Running SetSavAdminUpdateComplete shared custom action.
    2012-05-22 14:41:26 Info: Return Value from SetSavAdminUpdateComplete: 0
    2012-05-22 14:41:26 Info: Running ConfigureSAV shared custom action.
    2012-05-22 14:41:26 Info: Return Value from ConfigureSAV: 0
    2012-05-22 14:41:26 Info: Running CopySAVSyncFile shared custom action.
    2012-05-22 14:41:26 Info: Return Value from CopySAVSyncFile: 0
    2012-05-22 14:41:26 Info: Running SetUpdateFinished shared custom action.
    2012-05-22 14:41:57 Info: Return Value from SetUpdateFinished: 0
    2012-05-22 14:41:57 Info: Running RunAfterScripts shared custom action.
    2012-05-22 14:41:57 Info: Return Value from RunAfterScripts: 0
    2012-05-22 14:41:57 Info: Shared custom actions succeeded.
    2012-05-22 14:41:57 Info: Update to Sophos Anti-Virus succeeded.

    I am afraid I don't know how to install version 10 (I assumed it would be automatic). Could you tell me and I'll try that?

  • When you say it doesn't work, does that mean it keeps reinstalling as before?  This log file wouldn't suggest that.

    Can you launch the main interface?

    Either by running:

    C:\program files\sophos\sophos anti-virus\savmain.exe

    or double click on the shield in the notification area.
     

    Does it report on-access scanning is enabled?

    As for the version, it really depends on where you are updating from, i.e., is it Sophos, a UNC path, another web server?

    Who manages your Sophos? They might be best placed to advise on getting the latest version as they may control it.

    Regards,

    Jak

  • I'm not sure that it is trying to update. I've stopped it updating every 30 minutes in Endpoint, but when I manually trigger an update it does not always create the log files. When I run Sophos manually (even as administrator) it runs, but apart from "Configure updating" and "View updating log" the other icons are greyed-out. Endpoint says on-access scanning is disabled. I have Endpoint installed on a machine that acts as a server for all the installations; I suppose the clients get the new versions from files stored on the server. In theory I am the one in charge of it but I don't know much about it, as you can tell.