
Unable to start Sophos Anti-Virus service and the on-access scanning is disabled

Hello,

I am writing for some help. I have some issues which may be related. In summary, I am unable to start the Sophos Anti-Virus service and the on-access scanning is disabled. This just recently started maybe about a week ago. Before that, it was working great.

Before I begin, I am using product version  10.0 that is listed on the left side of the screen in the status section of the Sophos Endpoint Security and Control. I also have Windows XP with the latest service pack.

Ironically, I was able to do a scan last week but somehow something must have happened when I used the registry cleaner called CCleaner and it must have messed up the registry. Believing this may have been the problem, I then tried to restore my system to an earlier date, but the problem still persisted so I undid the system restore. I am guessing there must be something else that has changed or something else has gone wrong. I am just not sure.

If anyone can help, any help is most appreciated.

I also prefer to not uninstall and reinstall Sophos.

1. On-Access Scanning is disabled in the Sophos Endpoint Security and Control.  Everything is grayed out except for the following:

-- in the Firewall section: Configure Firewall, View Firewall

-- in the Updating section: Configuring Updating, View Updating Log

2.  All buttons on the toolbar at the top of the screen are grayed out or disabled except the help button. The back, forward, and home buttons are disabled.

3. I also tried re-registering savi.dll and rebooting, but again I was unable to start the Sophos Anti-Virus service. This was a suggestion by another user but it didn't work.

4. In services.msc, I tried to manually start the Sophos Anti-Virus service but it failed with the generic error:

Could not start the Sophos anti-virus service on local computer.  Error 0x80004005

5. On my task bar, the blue shield Sophos icon has the tooltip Sophos Protection and has a red cross.

Anti-virus and HIPS: service failure

Last checked for updates: 2/10/14

6. Since Sophos was working a few weeks ago, I don't believe this is a permission issue. I was always able to run a scan without problems, but now I can't for some reason.  (I checked the log on tab  (services.msc -> right click the Sophos Anti-Virus service and select the log on tab) and the user is NT Authority\LocalService which has not changed. It has always been this.  I don't want to change it to local system account as that was not how it was set up and I don't recall the password either.  This is probably a moot point.)

So at this moment, it looks like my system is not being protected which has me worried.

7. Based on another user's suggestion, I also checked for the following registry key and it was found. See attached jpg picture that shows this registry key.

[HKEY_CLASSES_ROOT\CLSID\{91C4C540-9FDD-11D2-AFAA-00105A305A2B}]

@="Sophos SAV Interface"

"AppID"="{91C4C540-9FDD-11D2-AFAA-00105A305A2B}"

[HKEY_CLASSES_ROOT\CLSID\{91C4C540-9FDD-11D2-AFAA-00105A305A2B}\InProcServer32]

@="C:\\program files\\sophos\\sophos anti-virus\\savi.dll"

"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{91C4C540-9FDD-11D2-AFAA-00105A305A2B}\ProgID]

@="SAVI.SAVI.3"

[HKEY_CLASSES_ROOT\CLSID\{91C4C540-9FDD-11D2-AFAA-00105A305A2B}\VersionIndependentProgID]

@="SAVI.SAVI"

Thanks in advance. Any help is most appreciated.

I have attached screen shots to show you what I am seeing just in case I am not clear.

  • Hello,

    I want to thank you for your suggested solution.  However, I am not completely clear on what I should do or the steps to follow.  Thanks in advance.

    If I understand you correctly, I need to check the permissions for the SavService.exe file located in the folder C:\Program Files\Sophos\Sophos Anti-Virus. Please note that I am using Windows XP.

    To do this, I right clicked the file and selected properties from the popup context menu.   Then I selected the Security Tab that lists the users and permissions.

    What should the correct permissions be? I don't remember changing the permissions for this file. At the folder level, the possible permission choices are Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.   I am guessing it should probably be Read & Execute to prevent it from being deleted or changed but I am not sure.

    See the attached jpg pictures of what I am seeing for the SavService.exe properties. It appears there is more than one user on my computer but I am not sure which one I should use.  (I basically log onto my computer (not on a domain).)

    Once the file permissions are set correctly, then what is the next step to determine if I have any bad files like the FakeAV file you had.  I just need to be able to start the Sophos Anti-Virus Service in order to allow me to run a scan. It is presently grayed out and disabled. See my earlier message for more details.  Thanks.

    I suspect, but I could be completely wrong, that I have a virus or some malware or spyware on my system. I just don't know for sure.  But, the last time I was able to successfully run a virus scan was at the end of January.  The good news was that Sophos found no problems at that time. But now, I can't start the Sophos Anti-Virus service in order to run a scan.  So at least until the end of January no problems were found.

    I also tried the solution as suggested by another user: If you open up task manager and kill the Almon.exe process and then re-launch it by running:

    \Program Files (x86)\Sophos\AutoUpdate\ALMon.exe

    or

    \Program Files\Sophos\AutoUpdate\ALMon.exe

    This did not resolve the problem and the Sophos Anti-Virus Service can't be started and the options in the Sophos Endpoint security and Control are still disabled.

    Continuing with your suggestion, here are some follow-up questions:

    1. What drivers should I check and how do I go about doing this?  I am kind of wary of deleting or messing things up.
    2. How do you determine what or if any driver is causing the problem? 
    3. And what tool did you use to identify the bad driver or file?
    4. And how do you know if a file is truly bad? Possibly I can use the same steps you followed to determine my problem.  I am just not clear on the steps you did. 
    5. How do you disable a driver or does that mean you just delete the file?
    6. How do you determine if a hidden component is registered as a service like the FakeAV file you refer to?

    Again, sorry but I seem to be lost and not clear on the steps you did.

    In any case, can you provide additional steps or instructions on what I should do or what the exact steps you did in order to resolve the problem? And what permissions and for what users should I set. To be safe, I could (as a guess) just set the permissions for all the listed users in the jpg picture as I am not completely sure.  Any help is most appreciated.  Thanks so much for your time and I appreciate it.
