Resolving Sophos Enterprise Console Error 00000049

This guide covers installing or re-installing Sophos Antivirus on endpoints that fail with error code 0x00000049.

If you follow this guide, I cannot be held accountable for any damage or loss caused. Do so at your own risk.

Please check Add or Remove Programs or Programs and Features to make sure all previous antivirus software is uninstalled. If you are re-installing a misconfigured or misbehaving installation of Sophos Antivirus, leave it installed, as it will be replaced.

1. Protect the endpoint using the “Protect Computers” wizard.

2. Identify the error which caused the installation to fail using the “View Computer Details” option from the right-click menu.

We are particularly interested in resolving the error below; however, I also have some troubleshooting tips at the end of this guide if you still encounter issues:

00000049 Cancelled Sophos installation and removal of third-party security software. The software being removed may include a firewall or other component that is not being replaced. Make sure the package you are installing provides equivalent protection to the package being removed.

3. Navigate to the shared Sophos Distribution Folder:

Example: \\<SERVER-NAME>\SophosUpdate\CIDs\S000\SAVSCFXP\crt

Locate the data.zip file, open it using an archive application such as WinRAR, and extract the CRT.cfg file from the archive.

Open the extracted CRT.cfg file in a text editor such as Notepad.

Change the line RemoveSuites=0 to RemoveSuites=1 and save the file. This allows the Sophos Competitor Removal Tool to remove antivirus suites which may be preventing the installation.

Add the modified CRT.cfg file to the data.zip archive, overwriting the original file if prompted to do so.

Try to re-protect the endpoint using the “Protect Computers” wizard.

The Sophos Competitor Removal Tool will run and try to remove any detected competitor software (now including suites), then continue to install Sophos Antivirus as normal if the removal was successful.
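The CRT.cfg change in step 3 can also be made inside data.zip directly, keeping a backup of the original package so the CID can be restored if protection still fails. This is an added PowerShell example, not part of the original guide or of Sophos' tooling; the $DataZip path is a placeholder for your own CID path, and it assumes the archive contains an entry named CRT.cfg with a RemoveSuites= line.

```powershell
# Added example (not from the original guide): set RemoveSuites=1 in the CRT.cfg
# stored inside data.zip, without unpacking and re-packing the archive by hand.
param(
    # Placeholder: replace with the data.zip path of the CID you are protecting from.
    [string]$DataZip = '\\<SERVER-NAME>\SophosUpdate\CIDs\S000\SAVSCFXP\crt\data.zip'
)
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Keep a copy of the untouched package next to the original.
Copy-Item -LiteralPath $DataZip -Destination "$DataZip.bak" -Force

$zip = [System.IO.Compression.ZipFile]::Open($DataZip, [System.IO.Compression.ZipArchiveMode]::Update)
try {
    $entry = $zip.Entries | Where-Object { $_.Name -ieq 'CRT.cfg' } | Select-Object -First 1
    if (-not $entry) { throw "CRT.cfg not found in $DataZip" }

    # Read the current contents; StreamReader detects the file's encoding from its BOM.
    $reader = New-Object System.IO.StreamReader($entry.Open())
    $text = $reader.ReadToEnd()
    $encoding = $reader.CurrentEncoding
    $reader.Dispose()

    if ($text -notmatch '(?m)^RemoveSuites=') { throw 'No RemoveSuites line present in CRT.cfg' }
    # Lookahead keeps the original line ending (CRLF or LF) intact.
    $updated = $text -replace '(?m)^RemoveSuites=0[ \t]*(?=\r?$)', 'RemoveSuites=1'

    # Overwrite the entry in place using the same encoding the file already used.
    $stream = $entry.Open()
    $stream.SetLength(0)
    $writer = New-Object System.IO.StreamWriter($stream, $encoding)
    $writer.Write($updated)
    $writer.Dispose()
    Write-Host "CRT.cfg updated in $DataZip (backup at $DataZip.bak)"
}
finally {
    $zip.Dispose()
}
```

Re-run the “Protect Computers” wizard afterwards exactly as in the next step; the backup lets you revert the package if the suite removal turns out not to be wanted.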

If the installation was successful, do not carry out the steps below: you’re done! If Sophos Enterprise Console is still reporting that antivirus software is present on the endpoint, continue with the steps below to further diagnose and hopefully resolve the problem.

4. We are going to perform the next steps remotely using free software called PsExec; however, you can also run the following commands locally from the endpoint’s command prompt, provided that you have the correct permissions to do so, such as local administrator rights on the currently logged-in user account.

Remote Command Prompt

Starting a remote command prompt to the endpoint is easy using PsExec, which can be downloaded from the Microsoft Sysinternals site.

PsExec is a very useful and powerful tool for remote administration of endpoints on a domain without Remote Desktop Connection or VNC. The advantage of using a remote command prompt is that all commands are non-disruptive to the currently logged-in user.

Navigate to the extracted PSTools folder in a command prompt and enter the following command:

Example: C:\PSTools>psexec \\<PC-NAME or IP ADDRESS> -s cmd

The -s parameter is required, as it launches the remote command prompt under the ‘SYSTEM’ account.

Be extremely careful when using a command prompt with SYSTEM access; be sure to check your working directory.

You should now be connected to the endpoint and have a working remote command prompt with SYSTEM access.

If you encounter connection issues refer to the bottom of this page for troubleshooting tips.

Local Command Prompt

5. In the command prompt, enter the following commands consecutively:

cd %temp% – Navigates to the system “temp” folder so that we can access the Sophos Competitor Removal Tool application log, named avremove.log.

DIR avremove.log – Checks whether the log file exists; if not, cd to C:\temp instead and check whether the log file exists there.

TYPE avremove.log – Outputs the log contents to the console for analysis.

Note: If you are accessing the endpoint directly, open Explorer, paste %temp% or C:\temp into the address bar and locate the avremove.log file. Open it in a text editor such as Notepad.

Analyse the avremove.log output and take note of the GUID registry key (and its location) for each antivirus product which was detected but could not be removed by the Sophos Competitor Removal Tool. The tool runs the ‘msiexec /x {GUID}’ command for each detected product.

Example: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8215AC14-BFC2-4ECC-96D6-1030202F8BDF}

6. We need to delete the registry keys you identified from the avremove.log file, since msiexec reported an error during uninstallation. This is usually error code 1612, meaning it was unable to locate the previous antivirus installer/uninstaller executable in the file system (such as the application’s directory in “Program Files”). It may well be that the uninstaller has simply left a registry key behind which is preventing installation.

To delete a registry key, enter the following command in the command prompt:

REG DELETE HKLM\<REGISTRY KEY LOCATION>\{<GUID KEY NAME>}

Example: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8215AC14-BFC2-4ECC-96D6-1030202F8BDF}

You will receive the following confirmation message:

Permanently delete the registry key Software\Microsoft\Windows\CurrentVersion\Uninstall\{8215AC14-BFC2-4ECC-96D6-1030202F8BDF} (Y/N)?

Enter ‘Y’ to confirm deletion.

You should be presented with:

The operation completed successfully.

The key should now be deleted from the registry. To confirm, try running the command again; the command prompt should output:

Error:  The system was unable to find the specified registry key or value.

Carry out step 6 for each key that you identified in avremove.log.
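Steps 5 and 6 can be combined into an audit that only removes Uninstall keys whose referenced uninstaller or install directory really is gone, which is the 1612 situation the guide describes. This is an added PowerShell example, not part of the original guide or of Sophos' tooling; it assumes avremove.log simply contains the product GUIDs in braces, as in the guide's example line, and the log locations are the two the guide names.

```powershell
# Added example, not from the original guide: pull every {GUID} out of avremove.log,
# audit the matching Uninstall keys, and delete only those whose uninstaller
# executable or install directory no longer exists on disk.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Same two locations the guide checks (assumed; adjust if your log lives elsewhere).
    [string[]]$LogPaths = @("$env:TEMP\avremove.log", 'C:\temp\avremove.log')
)

$log = $LogPaths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $log) { throw "avremove.log not found in: $($LogPaths -join ', ')" }

$guidPattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
$guids = [regex]::Matches((Get-Content -LiteralPath $log -Raw), $guidPattern) |
    ForEach-Object { $_.Value.ToUpper() } | Sort-Object -Unique

# 64-bit Windows registers 32-bit products under WOW6432Node as well.
$roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall')

foreach ($guid in $guids) {
    foreach ($root in $roots) {
        $key = Join-Path $root $guid
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = Get-ItemProperty -LiteralPath $key

        # File-system locations the entry points at: the uninstaller executable
        # (quotes and arguments stripped) and the install directory, if recorded.
        $paths = @()
        if ($p.UninstallString -match '^"?([^"]+?\.exe)') { $paths += $Matches[1] }
        if ($p.InstallLocation) { $paths += $p.InstallLocation }
        # A bare 'MsiExec.exe' resolves via PATH, so only rooted paths are tested.
        $missing = @($paths | Where-Object {
            [IO.Path]::IsPathRooted($_) -and -not (Test-Path -LiteralPath $_) })

        [pscustomobject]@{
            Key          = $key
            DisplayName  = $p.DisplayName
            MissingPaths = ($missing -join '; ')
            Orphaned     = ($missing.Count -gt 0)
        }
        # Run with -WhatIf to audit only, or -Confirm to approve each deletion.
        if ($missing.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($key, 'Delete orphaned Uninstall key')) {
            Remove-Item -LiteralPath $key -Recurse
        }
    }
}
```

Keys whose paths all still exist are listed but left alone, since a product that is genuinely present should be uninstalled normally rather than having its registration deleted.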

7. Try to re-protect the endpoint using the “Protect Computers” wizard; the installation should now be successful on the endpoint. The “policy compliance” column should read “Same as policy” and the “Up to date” column should read “yes” a few minutes after the installation has completed.

Further troubleshooting if the installation was unsuccessful:

8. Make sure the following services are running on the endpoint:

Task Scheduler
Windows Installer
Remote Registry

If one of the above services is not running, you can start it from the command prompt by typing the following command for each service:

net start "SERVICE-NAME"

Example: net start "Task Scheduler"

The services should now be started.

Try to re-protect the endpoint using the “Protect Computers” wizard.

9. If the installation was still unsuccessful, try running the following command in the command prompt:

msiexec /regserver

The above command will re-register Windows Installer in case it has become unregistered or corrupt.

Try to re-protect the endpoint using the “Protect Computers” wizard.

The endpoint should now be protected.

Troubleshooting PsExec connection errors to endpoints where Sophos Antivirus is already installed but misconfigured or misbehaving.

If you were unable to connect to the endpoint, check Sophos Enterprise Console to make sure that PsExec has not been blocked on the endpoint you tried to connect to.

Sophos detects PsExec as a “Hacking Tool” due to the nature of the software. You need to add an exception to the “Anti-virus and HIPS” policy which is applied to the endpoint.

To do this, double-click the policy to make changes, then click the “Authorization…” button.

On the “Adware and PUAs” tab, select PsExec in the “Known adware and PUAs:” list and click the “Add ->” button, then click “OK”. You will be prompted to update all the endpoints in that policy; click “OK” to do so.

If you have any queries, leave a comment.

