Third party software removal failing after 10.6.3 upgrade

Hello Russel,

I'd be surprised that removal instructions would be removed (forgive the bad pun), according to Sophos Competitor Removal Tool: significant files and information the list is updated and expanded. Does it fail, not attempt to remove, or not detect the product at all?

Christian

Hi

This is what I'm seeing in the logs and Yes, I had selected the removal option :-)

19/04/2016,14:36:08,Information,Process security set successfully,

19/04/2016,14:36:14,Information,Verified that contents of CID C match the manifest file,

19/04/2016,14:36:15,Information,Searching for third-party security software.,

19/04/2016,14:36:34,Information,Return Code 13 from third-party security software removal tool.,

19/04/2016,14:36:34,ERROR,Detected third-party security software. To remove it, run this installer again and select the removal option. If you have already done so, contact Sophos for additional assistance.,

Having looked at the Sophos KB article regarding which products they can uninstall it seems to be missing any reference to system center endpoint protection 4.xxx but this worked fine 2 weeks ago.

Thanks

Hello Russel,

this worked fine 2 weeks ago
didn't find a reference to SCE in CRT 2.10.11.4 (SESC 10.3.15 69). Guess you have to contact Support. Do you happen to have an AVRemove.log from when it still worked? Also the current log should tell which third-party security software has been detected.

Christian

Hi,

This morning I created a new subscription and pointed it to 'previous recommended' so it pulled down the last Sophos version. From the endpoint I ran SAVSCFXP\setup.exe and the install removed Microsoft security essentials and completed the Sophos install. This was the key point from avremove.log

21 Apr 2016 09:44:26 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client
21 Apr 2016 09:44:26 Debug: Opening key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client (64-bit)
21 Apr 2016 09:44:26 Debug: Key Microsoft Security Client was found
21 Apr 2016 09:44:26 Debug: Product in key Microsoft Security Client not a Windows Installer package, treating as a standard uninstall
21 Apr 2016 09:44:26 Info: Starting removal of Microsoft Security Essentials version 1.x, 2.x
21 Apr 2016 09:44:26 Debug: Removing Microsoft Security Essentials version 1.x, 2.x
21 Apr 2016 09:44:26 Debug: Removing Process Control

This was the same endpoint I tried yesterday which failed with:

19 Apr 2016 14:36:34 Failure: There were products detected, but some cannot be removed by this version of the tool
Sophos Anti-Virus software detector - Version 2.11.0.113
Copyright (C) 2003-2016 Sophos Limited. All rights reserved.
Running OS: Microsoft Windows Server 2008 R2 Service Pack 1 [Version 6.01.7601]
There was a problem running the Competitor Removal tool
There were products detected, but some cannot be removed by this version of the tool

I'd say that points to an issue with the new CRT tools? Can I merge the older CRT tools with the newer endpoint client?

Any ideas?

Hello Russel,

checking ProductCatalog.xml in the newest crt\data.zip reveals
<subproduct ProductClass="av" KeyName="Microsoft Security Client" Version="1.x, 2.x" CanRemove="0" />
whereas the previous has
<subproduct ProductClass="av" KeyName="Microsoft Security Client" Version="1.x, 2.x"
            RemoverClass="UninstallSpecProductRemover" UninstallSpec="MSSSPostRemove.xml" />
Apparently this has been set deliberately. Don't ask me why, Support should be able to tell you though.

Naturally, as the change could have been made because of potential issues, I can't recommend a workaround. AFAIK except for a custom crt.cfg you can't (permanently) modify the contents of the \crt folder. An obvious interim solution is to install from Previous Recommended (be aware that Previous Recommended lags Recommended approx. just one month) and then direct the endpoints to Recommended.

Christian

"I'd be surprised that removal instructions would be removed (forgive the bad pun), according to Sophos Competitor Removal Tool: significant files and information the list is updated and expanded."

'Suprise Thursday' it is then but at least it proves I'm not going mad [:)]

I have a case open with support so hopefully they'll come forward with a fix. I dont want to manually install Sophos on 65 servers and the idea of changing the version to previous on the OU and downgrading 25 servers which had Sophos installed 2 weeks ago, installing previous on all of them then upgrading seems messy.

Ill update here once support come back.

thanks for your help.

Hello Russel,

I don't want to manually install
how do you install now? As you've mentioned OU - do you use AD sync? I was thinking of using the Previous subscription with its own CID, install/deploy from there and then moving the servers to the intended group (with Recommended).

Christian

Confirmation from support that this functionality is no longer available :-(

"Hi Russell

Update from our DEV Team.

The CRT  can not remove the AV Software from Microsoft completely and this can cause issues on the Endpoints.

It was decided to only detect this version and as a result to remove the AV solution using the av solutions own removal process.

I am sorry I am not able to give you a more positive answer on this one for you."
 

Thanks to those who replied.

Confirmation from support that this functionality is no longer available :-(

"Hi Russell

Update from our DEV Team.

The CRT  can not remove the AV Software from Microsoft completely and this can cause issues on the Endpoints.

It was decided to only detect this version and as a result to remove the AV solution using the av solutions own removal process.

I am sorry I am not able to give you a more positive answer on this one for you."
 

Thanks to those who replied.