
SAV Service Failure on stand-alone installation

Hi

I am testing the installation and use of the stand-alone product Sophos Endpoint Security and Control (SES&C) for our staff. We have approximately six staff who will be using this.

The machine being used is an old XP Pro machine.

When I first tried the installation it failed with error 3004. The Computer Browser and Remote Registry services were running, but the registry key permissions needed fixing. After doing this the installation succeeded. The user account used for the install has administrative privileges. I also chose the option to remove any third-party software, although I had removed what was previously installed via Add/Remove Programs.

The problem lies with the antivirus. The firewall is working fine as is the updating element. When the machine is booted the Sophos icon in the System Tray is normal but within a minute it changes to one with a red cross. A little later a message appears over the icon with the title:

Sophos Endpoint Security and Control service failure
Sophos Endpoint Security and Control is not currently protecting your computer.

When I open services.msc the Sophos Anti-Virus and Sophos Web Intelligence services are not started. All the services are set to Automatic. The Log On properties for the SAV service are 'This account' NT AUTHORITY\LocalService. When I try to start the service the following message is displayed:

Services
Could not start the Sophos Anti-Virus service on Local Computer.
Error 0x80004005: Unspecified error

The user account I am logged on as is a member of the SophosAdministrator and SophosUser groups.

I can start SES&C. I can open the following: Configure firewall, View firewall log, Configure updating and View updating log. The remainder are greyed out.

The updating log shows success for each update.

Can anyone help me with this, please?

Thanks!

The system Event Log contains the following (earliest first):

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 21/07/2012
Time: 05:58:03
User: N/A
Computer: PAINKILLER
Description: The Sophos Anti-Virus service terminated with the following error: Unspecified error

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 21/07/2012
Time: 06:04:31
User: NT AUTHORITY\SYSTEM
Computer: PAINKILLER
Description: The server {D2B7A809-15DC-40B4-A1E1-C61EA97191DB} did not register with DCOM within the required timeout.

  • Hi,

    Does the SAVService get as far as logging to the file: "Sophos Anti-Virus Startup Log.txt" when started?

    If it's too big to post the contents, you could rename it, then try to start the SavService to generate a new one in order to get all the messages from a fresh start of the service.

    The file on a Win 7 computer is here:

    "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Sophos Anti-Virus Startup Log.txt"

    on XP it would be:

    "C:\documents and settings\localservice\local settings\temp\Sophos Anti-Virus Startup Log.txt"

    Regards,

    Jak

  • Hi, Jak

    Thanks for responding. The contents of the file from today are:

    2012-07-21 05:57:48 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Application (null) (null)
    
    2012-07-21 05:57:48 CStartupManager::ReadRegistryApplication: OpenKeyInto(SOFTWARE\SOPHOS\SAVService\Application) returned 0x80070005
    2012-07-21 05:57:48 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Components (null) (null)
    
    2012-07-21 05:57:48 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80070005
    2012-07-21 05:57:48 Exception caught in CInfrastructureModule::PreMessageLoop
    2012-07-21 05:57:48 CEventLogger::LogEventError unable to log the following error to the EventLog: a0030000 CInfrastructureModule::PreMessageLoop (null) (null)
    
    2012-07-21 06:04:01 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Application (null) (null)
    
    2012-07-21 06:04:01 CStartupManager::ReadRegistryApplication: OpenKeyInto(SOFTWARE\SOPHOS\SAVService\Application) returned 0x80070005
    2012-07-21 06:04:01 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Components (null) (null)
    
    2012-07-21 06:04:01 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80070005
    2012-07-21 06:04:01 Exception caught in CInfrastructureModule::PreMessageLoop
    2012-07-21 06:04:01 CEventLogger::LogEventError unable to log the following error to the EventLog: a0030000 CInfrastructureModule::PreMessageLoop (null) (null)
    
    2012-07-21 06:04:51 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Application (null) (null)
    
    2012-07-21 06:04:51 CStartupManager::ReadRegistryApplication: OpenKeyInto(SOFTWARE\SOPHOS\SAVService\Application) returned 0x80070005
    2012-07-21 06:04:51 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Components (null) (null)
    
    2012-07-21 06:04:51 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80070005
    2012-07-21 06:04:51 Exception caught in CInfrastructureModule::PreMessageLoop
    2012-07-21 06:04:51 CEventLogger::LogEventError unable to log the following error to the EventLog: a0030000 CInfrastructureModule::PreMessageLoop (null) (null)
    
    2012-07-21 06:04:53 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Application (null) (null)
    
    2012-07-21 06:04:53 CStartupManager::ReadRegistryApplication: OpenKeyInto(SOFTWARE\SOPHOS\SAVService\Application) returned 0x80070005
    2012-07-21 06:04:53 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Components (null) (null)
    
    2012-07-21 06:04:53 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80070005
    2012-07-21 06:04:53 Exception caught in CInfrastructureModule::PreMessageLoop
    2012-07-21 06:04:53 CEventLogger::LogEventError unable to log the following error to the EventLog: a0030000 CInfrastructureModule::PreMessageLoop (null) (null)
    
    2012-07-21 06:15:44 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Application (null) (null)
    
    2012-07-21 06:15:44 CStartupManager::ReadRegistryApplication: OpenKeyInto(SOFTWARE\SOPHOS\SAVService\Application) returned 0x80070005
    2012-07-21 06:15:44 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Components (null) (null)
    
    2012-07-21 06:15:44 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80070005
    2012-07-21 06:15:44 Exception caught in CInfrastructureModule::PreMessageLoop
    2012-07-21 06:15:44 CEventLogger::LogEventError unable to log the following error to the EventLog: a0030000 CInfrastructureModule::PreMessageLoop (null) (null)
    
    2012-07-21 08:04:15 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Application (null) (null)
    
    2012-07-21 08:04:15 CStartupManager::ReadRegistryApplication: OpenKeyInto(SOFTWARE\SOPHOS\SAVService\Application) returned 0x80070005
    2012-07-21 08:04:15 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Components (null) (null)
    
    2012-07-21 08:04:15 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80070005
    2012-07-21 08:04:15 Exception caught in CInfrastructureModule::PreMessageLoop
    2012-07-21 08:04:15 CEventLogger::LogEventError unable to log the following error to the EventLog: a0030000 CInfrastructureModule::PreMessageLoop (null) (null)
    
    2012-07-21 08:05:09 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Application (null) (null)
    
    2012-07-21 08:05:09 CStartupManager::ReadRegistryApplication: OpenKeyInto(SOFTWARE\SOPHOS\SAVService\Application) returned 0x80070005
    2012-07-21 08:05:09 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Components (null) (null)
    
    2012-07-21 08:05:09 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80070005
    2012-07-21 08:05:09 Exception caught in CInfrastructureModule::PreMessageLoop
    2012-07-21 08:05:09 CEventLogger::LogEventError unable to log the following error to the EventLog: a0030000 CInfrastructureModule::PreMessageLoop (null) (null)
    
    2012-07-21 08:05:09 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Application (null) (null)
    
    2012-07-21 08:05:09 CStartupManager::ReadRegistryApplication: OpenKeyInto(SOFTWARE\SOPHOS\SAVService\Application) returned 0x80070005
    2012-07-21 08:05:09 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Components (null) (null)
    
    2012-07-21 08:05:09 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80070005
    2012-07-21 08:05:09 Exception caught in CInfrastructureModule::PreMessageLoop
    2012-07-21 08:05:09 CEventLogger::LogEventError unable to log the following error to the EventLog: a0030000 CInfrastructureModule::PreMessageLoop (null) (null)
    
    2012-07-21 10:15:01 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Application (null) (null)
    
    2012-07-21 10:15:02 CStartupManager::ReadRegistryApplication: OpenKeyInto(SOFTWARE\SOPHOS\SAVService\Application) returned 0x80070005
    2012-07-21 10:15:02 CEventLogger::LogEventError unable to log the following error to the EventLog: a003000b SOFTWARE\SOPHOS\SAVService\Components (null) (null)
    
    2012-07-21 10:15:02 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80070005
    2012-07-21 10:15:02 Exception caught in CInfrastructureModule::PreMessageLoop
    2012-07-21 10:15:02 CEventLogger::LogEventError unable to log the following error to the EventLog: a0030000 CInfrastructureModule::PreMessageLoop (null) (null)
    
    

     Thanks

  • Hi,

    It looks like the SavService.exe process, running as "Local Service" doesn't have access to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\

    In Regedit, if you open up the permissions on that key, what is listed? Maybe compare those against a working XP client.

    It would be worth checking that all keys under \Sophos\ are as they should be, as you may fix one specific key, but you might end up in an endless battle if there is a wider issue. ProcessMonitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) can also be useful, as can AccessEnum (http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx).

    Hope it helps.

    Regards,

    Jak
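
The reading of the startup log in the post above, as an added example that is not part of the original posts: it decodes the HRESULT values and lists the registry keys the service could not open because access was denied. The function names and the small error-code tables are this example's own; the sample lines follow the format of the log posted in this thread.

```python
import re

# Sample lines in the format of the startup log posted in this thread.
SAMPLE_LOG = r"""
    2012-07-21 05:57:48 CStartupManager::ReadRegistryApplication: OpenKeyInto(SOFTWARE\SOPHOS\SAVService\Application) returned 0x80070005
    2012-07-21 05:57:48 CMarshallingWrapper::CMarshallingWrapper: SM.Start( g_RegPath, pManager )() returned 0x80070005
    2012-07-21 05:57:48 Exception caught in CInfrastructureModule::PreMessageLoop
"""

FACILITY_WIN32 = 7
# Small subsets of well-known codes (example tables, extend as needed).
WIN32_CODES = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}
COM_CODES = {0x80004005: "E_FAIL"}  # the generic error services.msc reported

OPENKEY_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*OpenKeyInto\(([^)]+)\) "
    r"returned (0x[0-9A-Fa-f]{8})$")


def decode_hresult(value):
    """Split an HRESULT into (failed, facility, code, name)."""
    failed = bool(value & 0x80000000)   # severity bit
    facility = (value >> 16) & 0x7FF    # 11-bit facility field
    code = value & 0xFFFF               # low 16 bits
    if facility == FACILITY_WIN32:
        # A Win32 error wrapped in an HRESULT: the code is the Win32 error.
        name = WIN32_CODES.get(code, "WIN32_%d" % code)
    else:
        name = COM_CODES.get(value, "UNKNOWN")
    return failed, facility, code, name


def denied_keys(log_text):
    """Map each registry key that failed with access denied to its timestamps."""
    hits = {}
    for line in log_text.splitlines():
        m = OPENKEY_RE.match(line.strip())
        if not m:
            continue  # not an OpenKeyInto result line
        ts, key, hr = m.groups()
        if decode_hresult(int(hr, 16))[3] == "ERROR_ACCESS_DENIED":
            hits.setdefault(key, []).append(ts)
    return hits


if __name__ == "__main__":
    for key, stamps in denied_keys(SAMPLE_LOG).items():
        print("access denied on %s (%d start attempts)" % (key, len(stamps)))
```

The service dialog's 0x80004005 decodes only to the generic E_FAIL, while the startup log's 0x80070005 carries the Win32 access-denied code and names the key, which is why the log file is the better place to look.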

  • Hi, Jak

    The permissions for that key are set to Full Control for Administrators [PAINKILLER\Administrators] and SYSTEM

  • Hi,

    Yes, that's the problem: "Local Service" doesn't have access. You could add "Users" with "Read" access just on:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\

    but I would look at the keys above also, i.e.:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\

    Then
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\

    Then

    HKEY_LOCAL_MACHINE\SOFTWARE\

    See where "Users" went as you may be able to set it at a higher level and choose in the advanced options of the parent to Replace all child object permissions...

    If things are really out of whack, you could run:

    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

    To repair all registry permissions but that is probably overkill.  It is mentioned here if you want to have a read:

    http://support.microsoft.com/kb/313222

    Regards,

    Jak

  • You are the man!

    I think I understand what happened now.

    When the installer threw up error 3004, the instructions included steps to create a Sophos key under HKLM\SOFTWARE and to make sure that Administrator and SYSTEM had Full Control. I wonder if the installer checks the Sophos key permissions to make sure that Administrator, SYSTEM and Local Service are set as they should be.

    Everything is working properly now.

    Many thanks for your help, Jak, I really appreciate it.

  • Glad you're up and running!

    Regards,

    Jak

  • Same problem for one of our units. We just had to remove the following keys and re-install:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos