
Failed Upgrade 9.5 to 9.7 - error 00000067 (and 80041f02)

When I switched to 9.7 I found that several computers failed to update/upgrade with the message: 00000067 Failed to install SAVXP: A product could not be installed because another product with the same function is already installed.

Following the link in SEC (or searching the knowledgebase for 00000067) you end up with a number of articles, and the applicable one is hard to spot. Searching for "product with the same function" gives better results and leads to article 33554. Although it mentions W2k3 SBS as OS it applies to all Windows versions.

I had a long exchange with Support (case 2861234) and the results are not completely satisfactory. Code 80041f02 indicates a competitor product which prevents the installation. This was somewhat surprising as no such software has been installed on the clients for more than a year. Also the 9.5 updates worked without problems. In several cases the offending product has been on the machine for at least 5 (five!) years.

While CRT runs before the initial install and can remove most of the competitor products, there is another "internal" check which runs whenever an upgrade install is done (the reason is obvious: detect new installs of possibly conflicting software) - but it doesn't remove the detected products. It seems that with 9.7 quite a number of items have been added to this list - and some of them for rather old versions, so that products are flagged (and prevent the upgrade) which co-existed with SESC/SAV literally for years (since at least 7.6).

If you can use Protect Computers (or script an install) CRT will probably remove these products. As this is not always feasible (e.g. remote computers) you have to provide a 9.5 CID for them until you can resolve the issue. Note that when the upgrade fails, threat detection data is also not updated.

Can't say if this is really a problem for most of you though - OTOH after many years now, with 9.7, this is the first time I've encountered this issue.

Christian

  • Thank you, ruckus, for looking into this case and updating the article (to which perhaps some explanation could be added).


    ruckus wrote:
    I've also (tried) to read through your support case (the English parts :smileywink:) and can see that the cause is somewhat unexplained.

    Feel free to ask for a translation of the customer's input by the author :smileywink:


    ruckus wrote:
    I mention this only to highlight that it is possible to install two anti-virus products side-by-side *if* the second one isn't on the look out for existing AV software. [...]
    My thoughts on how the issue occurred:  (1) McAfee was installed after Sophos and the two have been running for a while before the 9.7 upgrade occurred or (2) The CRT did not run on these computers or (3) We added a new detection into the CRT to remove the currently installed version of McAfee or (4) The Sophos AutoUpdate check was manually bypassed (as can be done with a couple of registry keys).

    I can rule out (2) and (4):

    For (2) it is very unlikely that the users fiddled with the installer or ran setup.exe directly from the share and unchecked CRT in the GUI. If they did so they'd also have to set the correct value for the -G flag (which we use) - otherwise the computers would have appeared in the Unassigned group.

    If they'd used the registry keys to bypass CRT they'd have to remove them afterwards as they are not present in the SDU logs.

    For a number of computers (1) is indeed the case. Now according to the Uninstall keys of one of these, McAfee was installed on 2010-03-26 - as 9.5 was released mid-2010, 9.0 was installed at this time.

    For a large group (where I initially detected this issue) even (1) doesn't apply. According to the uninstall keys the "offending" product was installed in early 2007 (and it was OEM pre-installed) and obviously quite a number of Sophos versions didn't complain.


    ruckus wrote:
    Since Sophos AutoUpdate doesn't want to degrade the machine's performance by letting two anti-virus products run on the same computer we designed our installer to error out

    Apart from the cases where indeed (1) applies it's (3) for the rest. While I agree with the approach I have some reservations with the actual implementation:

    (a) It is understandable that some time passes from introduction of a new product to inclusion in the CRT lists (both the explicit CRT and the SAV installer internal). But I think they should be updated more frequently than with major version changes (especially the "internal" detect-only).

    (b) Nowadays the ("internal") SAV installer check is almost forgotten - it should be made clearer that it still exists and is important (that's what I'd like to see at least added to 33554, but maybe it should also be mentioned in the UG)

    (c) It looks like some generic or catch-all keys have been added in 9.7 which cause the existence of ancient products (or product "shells") to get bemoaned. If these keys have been introduced to "pro-actively" also detect newer versions this is a significant change to the logic - but maybe it is just a side-effect. That's why I asked for an explanation (and if I understand you correctly you too think it has not yet been given).

    Again, thanks

    Christian
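
Checking the Uninstall keys for install dates, as the post above does by hand, can be scripted for triage before an upgrade is rolled out. This is an added example, not part of the original thread and not Sophos tooling; the `McAfee` pattern is taken from the thread, while the function name, parameters and pattern list are assumptions and do not reflect the installer's actual detection list.

```powershell
# Added example: inventory Uninstall-key entries that match a vendor pattern,
# with their recorded install dates, from both registry views.
param(
    # Assumption: names to look for. 'McAfee' is the product named in the thread.
    [string[]]$VendorPattern = @('McAfee')
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-ProductEntry {
    param([string[]]$Roots, [string[]]$Pattern)

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }   # no WOW6432Node on 32-bit Windows
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $p -or -not $p.DisplayName) { continue }

            # Match on display name and publisher; OEM "shell" entries often carry only one.
            $text = "$($p.DisplayName) $($p.Publisher)"
            if (-not ($Pattern | Where-Object { $text -match [regex]::Escape($_) })) { continue }

            # InstallDate is optional; when present it is normally a yyyyMMdd string.
            $installed = $null
            $raw = [string]$p.InstallDate
            if ($raw -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($raw, 'yyyyMMdd',
                    [cultureinfo]::InvariantCulture)
            }

            [pscustomobject]@{
                DisplayName    = $p.DisplayName
                Publisher      = $p.Publisher
                DisplayVersion = $p.DisplayVersion
                InstallDate    = $installed
                KeyPath        = $key.Name
            }
        }
    }
}

# Oldest entries first: long-resident products are the ones the thread found newly flagged.
Get-ProductEntry -Roots $uninstallRoots -Pattern $VendorPattern |
    Sort-Object InstallDate |
    Format-Table -AutoSize
```

Entries with an empty `InstallDate` still appear in the output, since the value is not mandatory in an Uninstall key.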
