
Sophos Endpoint and Security Manual Uninstallation

Hi,

I hope somebody can help me. I have a really nasty situation here.

Sophos Client Firewall installed on one of the users' machines ignores the policy which is pushed from the console and blocks everything.

I pushed the program from the console, but it didn't fix the issue. So I decided to uninstall and reinstall the firewall.

When I tried to uninstall, I ended up with "Fatal Error" and Firewall couldn't be removed.

I think I have to remove the Firewall manually.

Does anybody have a list of which folders, files, DLLs and registry entries need to be cleaned?

Your help would be greatly appreciated!

:21633


This thread was automatically locked due to age.
  • Hi,

    Can you make available the following logs from the uninstall attempt:

    • %temp%\Sophos Client Firewall CustomActions Log.txt
    • %temp%\Sophos Client Firewall DriverHelper Log.txt

    It sounds like it could be the driver one that will be of the most use; the "Fatal Error" message is more likely to come from that part.

    Thanks,

    Jak

    :21637
  • Hello alexstef,

    Even if someone had such a list, I wouldn't recommend a so-called manual removal.
    Apart from this, it's not clear what worked and what didn't, and what your plans are for this client after the removal. Likely the problems will recur once you attempt to reinstall SCF. I'd suggest you call Support, as it's easier to give help if one has access to logs, settings and the like.

    Christian
    :21639
  • Hi Jak,

    Thank you very much for the response.

    The same entries below were logged repeatedly in both log files.

    You are right. It seems the driver causes the problem.

    Please let me know if you see anything else.

    Regards,

    - Sophos Client Firewall CustomActions Log

    2012-02-03 12:24:27 =============================================================================
    2012-02-03 12:24:27 =================== Uninstalling Sophos Client Firewall ... =================
    2012-02-03 12:24:27 =============================================================================
    2012-02-03 12:24:29 CloseClientApps: Closing client applications...
    2012-02-03 12:24:29 CloseClientApps: Global shutdown event does not exist. Trying old shutdown mechanism.
    2012-02-03 12:24:29 GetIdOfProcess: Target process does not appear to be running.
    2012-02-03 12:24:29 GetIdOfProcess: Target process does not appear to be running.
    2012-02-03 12:24:29 CloseClientApps: Return Success
    2012-02-03 12:24:29 CloseSESUI: Closing client applications...
    2012-02-03 12:24:29 CloseSESUI: Attempting to close the SES UI returned the error 2
    2012-02-03 12:24:29 CloseSESUI: Return Success
    2012-02-03 12:24:29 UnregisterSCFAdapter: Unregistering SCFAdapter...
    2012-02-03 12:24:29 UnregisterSCFAdapter: Return Success
    2012-02-03 12:24:29 UnregisterNAIPlugin: Unregistering FirewallNAIPlugin...
    2012-02-03 12:24:29 UnregisterNAIPlugin: Return Success
    2012-02-03 12:24:30 UninstallSecurityCenter: Unregistering with Microsoft Security Center...
    2012-02-03 12:24:30 UninstallUnsignedDrivers: Uninstalling driver...
    2012-02-03 12:24:30 UninstallUnsignedDrivers: Uninstall action All
    2012-02-03 12:24:30 PlatformPath: Architecture x86, running DriverHelper_Win32.exe
    2012-02-03 12:24:30 Execute: C:\DOCUME~1\TISHIB~1\LOCALS~1\Temp\{12C00~1\DRIVER~2.EXE /uninstall
    2012-02-03 12:24:30 Execute: Returned 80070002
    2012-02-03 12:24:30 UninstallUnsignedDrivers: Failed to uninstall
    2012-02-03 12:24:30 RegisterNAIPlugin: Registering NAIPlugin...
    2012-02-03 12:24:30 RegisterNAIPlugin: Return Success
    2012-02-03 12:24:30 RegisterSCFAdapter: Registering SCFAdapter...
    2012-02-03 12:24:30 RegisterSCFAdapter: Return Success
    2012-02-03 12:24:30 SetUpdateFailed: Calling UpdateRegKeyHelper( SCFUPDATE_FAILED )
    2012-02-03 12:24:30 SetUpdateFailed: Return Success

    - Sophos Client Firewall DriverHelper Log

    2012-02-03 12:24:30 Command: C:\DOCUME~1\TISHIB~1\LOCALS~1\Temp\{12C00~1\DRIVER~2.EXE /uninstall
    2012-02-03 12:24:30 Performing uninstall
    2012-02-03 12:24:30 Installing to Windows XP
    2012-02-03 12:24:30 NDISDriverInstaller: Driver scfint from wxp_i386 (infs: scfintMiniport.inf scfintProtocol.inf)
    2012-02-03 12:24:30 TDIDriverInstaller: Driver scfdriver from w2k_i386 (depends: Tcpip scfint)
    2012-02-03 12:24:30 Uninstall: scfint
    2012-02-03 12:24:30 DriverInstallerImpl::Uninstall Exception: 80070002, RecallInfFileNames: Failed to get inf names for scfint
    2012-02-03 12:24:30 MultiDriverInstaller::Uninstall: Failed on 0, hr 80070002
    2012-02-03 12:24:30 Action failed

    :21687
  • Hi,

    Well, that certainly has the error. Unfortunately, I don't have a Windows XP machine handy with SCF installed to see exactly, only Win7, but I suspect a lookup is going on to find the inf file to uninstall the driver and this can't be found.

    On these machines, do they have, under the services keys, an entry for "OemInf"? For example, on my machine I have:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scfndis\OemInf

    Which has a value of: oem33.inf. A quick search of the machine finds it in: "C:\Windows\inf\"

    So I suspect either the lookup fails because the registry value isn't there or the value has a file name but it can't be found.  As you're on a different OS, there might be more to unregister, so might be worth looking at other entries for SCF under the services key looking for SCF.

    I would think that Process Monitor would reveal all, at the point where it errors in the log. It will show that either the key doesn't exist or the file the key points to doesn't.

    Ideally you can compare a working machine with one of these to see how they differ in this area of the registry.

    Hope this helps.  I'd be interested to know.

    Regards,

    Jak

    :21697
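A triage sketch for the DriverHelper log discussed above, as an added example that is not part of the original posts or of Sophos's own tooling. It decodes the logged HRESULT (80070002 is the Win32 "file not found" error wrapped in an HRESULT) and reports which driver failed, which INF files the installer expected, and which OemInf value to inspect. The function names and the small error-name table are assumptions of this example; the sample lines are taken from the log posted in this thread.

```python
import re

# Win32 error codes that commonly appear wrapped in an HRESULT (facility 7).
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
               5: "ERROR_ACCESS_DENIED"}
# Registry location named in the thread; the driver name is appended to it.
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services"

# Sample input: lines taken from the DriverHelper log posted in this thread.
SAMPLE_LOG = """\
2012-02-03 12:24:30 Performing uninstall
2012-02-03 12:24:30 NDISDriverInstaller: Driver scfint from wxp_i386 (infs: scfintMiniport.inf scfintProtocol.inf)
2012-02-03 12:24:30 TDIDriverInstaller: Driver scfdriver from w2k_i386 (depends: Tcpip scfint)
2012-02-03 12:24:30 Uninstall: scfint
2012-02-03 12:24:30 DriverInstallerImpl::Uninstall Exception: 80070002, RecallInfFileNames: Failed to get inf names for scfint
2012-02-03 12:24:30 MultiDriverInstaller::Uninstall: Failed on 0, hr 80070002
2012-02-03 12:24:30 Action failed
"""

DRIVER_RE = re.compile(r"Driver (\S+) from \S+ \(infs: ([^)]*)\)")
FAIL_RE = re.compile(r"Exception: ([0-9A-Fa-f]{8}), (\w+): .* for (\S+)\s*$")

def decode_hresult(text):
    """Return (failed, facility, code, name) for an 8-digit hex HRESULT."""
    value = int(text, 16)
    failed = bool(value >> 31)            # severity bit
    facility = (value >> 16) & 0x7FF      # 7 = FACILITY_WIN32
    code = value & 0xFFFF                 # the wrapped Win32 error code
    name = WIN32_NAMES.get(code, "unknown") if facility == 7 else "non-Win32"
    return failed, facility, code, name

def triage(log_text):
    """List each driver whose uninstall threw, with the INFs it expected."""
    infs, findings = {}, []
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:                             # remember INF names per driver
            infs[m.group(1)] = m.group(2).split()
            continue
        m = FAIL_RE.search(line)
        if m:
            driver = m.group(3)
            findings.append({"driver": driver, "step": m.group(2),
                             "error": decode_hresult(m.group(1))[3],
                             "expected_infs": infs.get(driver, []),
                             "check": SERVICES_KEY + "\\" + driver + "\\OemInf"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
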
  • Hi Jak,

    I compared the problematic PC (A) and another PC (B) that has the same OS and found the following:

    (A) doesn't have the OemInf, (B) has OemInf

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scfint\OemInf

    (A) has oem57.inf (scfintMiniport.inf) and oem58.inf (scfintprotocol.inf) under the %Windir%\inf folder

    I created a missing OemInf value with the string, oem57.inf,oem58.inf.

    Amazing! It worked! I was able to uninstall the firewall from Add\Remove Programs.

    Thank you so much!

    :21751
  • Glad it was as easy as that! ;)

    Jak

    :21755