Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Subscribers 1 subscriber
  • Views 3449 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

on accessing scanning disabled - update failed

g1IT

Hi, hopefully someone can help me with this.  every so often certain users keep getting this message, the only resolution i have found thus far has been to reinstall sophos with the same details and it works fine....for a while.  1 user has had the same issue 3 times in the past month.  it always goes the same way, install it and it works fine for a while, then it doesnt update, on access scanning is disabled and a reinstall works, then it just happens again.

 the log file below shows that savxp install failed but it doesnt tell me why.  ive also looked at event viewer and i cannot see anything in there at all.  i have tried clearing the temp files but it made no difference.  i know a re-install will fix the issue but i cannot keep doing this.  hopefully someone has came across this before and knows how to fix the issue/prevent it from happening in the future.

thanks

:45845


This thread was automatically locked due to age.
  • 0

    Thanks for the screenshot - makes it clear that the Sophos Anti-Virus component (SAVXP) is the one with a problem.  However the line say SAVXP failed means the next step is to look in the Sophos install logs - the update log won't say what the actual error is.

    Have a look in C:\Windows\Temp\

    Have a look for an error in there.  The latest install log should have a 'return value 3' in it (search from the top) and the 10-20 odd lines above that are what it was trying to do and failed on.

    :45857
  • 0

    thanks for the reply, the results are below

    MSI (s) (BC:60) [11:09:14:807]: Executing op: ActionStart(Name=RollbackDisableServices,,)
    MSI (s) (BC:60) [11:09:14:808]: Executing op: CustomActionSchedule(Action=RollbackDisableServices,ActionType=1281,Source=BinaryData,Target=RollbackDisableServices,)
    MSI (s) (BC:60) [11:09:14:811]: Executing op: ActionStart(Name=DisableServices,,)
    MSI (s) (BC:60) [11:09:14:812]: Executing op: CustomActionSchedule(Action=DisableServices,ActionType=1025,Source=BinaryData,Target=DisableServices,)
    MSI (s) (BC:94) [11:09:14:814]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIEC4D.tmp, Entrypoint: DisableServices
    MSI (s) (BC:60) [11:09:14:869]: Executing op: ActionStart(Name=SwiRollbackUpgrade.11DACB83_28A7_4FA6_AF5B_C006E340C101,,)
    MSI (s) (BC:60) [11:09:14:870]: Executing op: CustomActionSchedule(Action=SwiRollbackUpgrade.11DACB83_28A7_4FA6_AF5B_C006E340C101,ActionType=1281,Source=BinaryData,Target=SwiRollbackUpgrade,)
    MSI (s) (BC:60) [11:09:14:871]: Executing op: ActionStart(Name=SwiService_dereg.11DACB83_28A7_4FA6_AF5B_C006E340C101,,)
    MSI (s) (BC:60) [11:09:14:871]: Executing op: CustomActionSchedule(Action=SwiService_dereg.11DACB83_28A7_4FA6_AF5B_C006E340C101,ActionType=1122,Source=C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\,Target="C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" /unregisterService,)
    MSI (s) (BC:60) [11:09:14:941]: Executing op: ActionStart(Name=StopServices,Description=Stopping services,Template=Service: [1])
    MSI (s) (BC:60) [11:09:14:942]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
    MSI (s) (BC:60) [11:09:14:942]: Executing op: ServiceControl(,Name=Sophos Web Control Service,Action=2,Wait=1,)
    MSI (s) (BC:60) [11:09:15:943]: Executing op: ActionStart(Name=ForceStopSAVService,,)
    MSI (s) (BC:60) [11:09:15:945]: Executing op: CustomActionSchedule(Action=ForceStopSAVService,ActionType=1025,Source=BinaryData,Target=ForceStopSAVService,)
    MSI (s) (BC:40) [11:09:15:948]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIF0B1.tmp, Entrypoint: ForceStopSAVService
    CustomAction ForceStopSAVService returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (BC:60) [11:09:15:979]: User policy value 'DisableRollback' is 0
    MSI (s) (BC:60) [11:09:15:979]: Machine policy value 'DisableRollback' is 0
    Action ended 11:09:15: InstallFinalize. Return value 3.

    im guessing the error is the one i have highlighted above, not sure what to do with that information though, any ideas?

    thanks again

    :45877
  • 0

    Hello g1IT,

    this is from the Major Install log? There is also a  Major CustomActions log - looks like stopping the SAV service fails and maybe there is a more specific message in there. Anyway a reboot usually resolves this problem - afterwards the update should run fine, no need to reinstall. I've seen this issue occasionally, never got to the bottom of it - in several cases it seemed that some kind of  "unwanted change prevention" software interfered.

    Christian

    :45879
  • 0

    Hi folks, ive resolved the issue but not sure what is causing it, like i said previously we have several users with this issue, i tried a reboot but that didnt work.  i manually stopped the sophos anti-virus service and tried an update, it worked.  i am a member of the sophos administrator group so im not sure why the update wouldnt be able to stop the service.  does the sophos user details you use to install sophos need to be a member of the local sophos admin group?

    thanks

    :45881
  • 0

    Hello g1IT,

    the AutoUpdate service runs as LOCAL SYSTEM so it should be able to stop the SAV service. Neither the update account (which is used to access the share/web folder and is usually not a local account) nor the impersonation account (SophosSAU....) come into play here (and need not and shouldn't have membership of SophosAdministrator).

    There must be another reason that the installer can't stop the service.

    Christian 

    :45883
  • 0

    ok, in services as shown in the attached photo the savservice logs on as localservice and not local system account.  i just tried changing it to local system account on one user that is having this issue and it ran the update ok, but when i checked the log on afert it ran the update it was back to local system account.  also 1 person that i know of just now anyway that ISNT having this issue also has the savservice log on as localservice and not local system account

    i dont imagine it would be a permissions issue for local service as this doesnt happen with every update but im going to look into it

    thanks again

    :45885
  • 0

    Hello g1IT,

    savservice runs as Local Service (as does Device Control, all others run as Local System), this is correct. As said, in a number of cases I've suspected some third party software. Thinking about it - this applied mostly to Major Installs though (where the service is not only stopped and started but reinstalled) so ...

    Christian

    :45887