After protecting an endpoint computer from the console, the following is shown in the 'Install errors' column on the 'Alert and Error Details' tab of the console:
Failed to uninstall third-party security software. [0x00000042]
In the computer details window, the following is shown:
00000042 Cancelled Sophos installation because existing third-party security software could not be uninstalled.
When you run setup.exe manually on the endpoint computer you see:
Cancelled installation because existing third-party security software could not be uninstalled.
If you do not click 'OK', this message box will close automatically after 60 seconds.
At the bottom of the AVRemove.log (found in %temp%) the following is shown:
[DATE] [TIME] Failure: Removal of [Product detected] failed.
[DATE] [TIME] Failure: Return code 0
[DATE] [TIME] Info: Competitor Removal Tool exit code 16
Note: If you cannot see an AVRemove.log file check the Sophos ES setup.log file for an error (e.g., Failed to copy CRT directory to local machine).
First seen in
Sophos Endpoint Security and Control
This error is returned for several specific reasons and is also returned if the failure was unknown. Common causes are:
- The third-party software has tamper protection enabled and is blocking the automatic uninstall by the Sophos Competitor Removal Tool (CRT). Tamper protection actively monitors the files and services installed by the third-party security software and prevents them from being removed, edited or shut down.
- Third-party product is detected but removal has failed because of a corrupt installation.
- Third-party software was removed before protecting the endpoint with Sophos Endpoint Security and Control, but the CRT is detecting leftover components (registry key, service, etc.).
What To Do
Check if third-party security software is listed in Add/Remove Programs (Programs and Features for Vista+) and follow one of the sections below.
Third-party software is installed
If third-party security software is listed in Add/Remove Programs (Programs and Features for Vista+) the problem is either:
- the software has tamper protection enabled
- the software installation is corrupt.
Attempt to remove the software and if you are prompted for a password/code/phrase, enter the required details and confirm the uninstall completes. If the uninstall completes, this shows that tamper protection on the third-party software needs to be removed before re-protecting the endpoint computer with Sophos Endpoint Security and Control. For details of how to disable tamper protection for the currently installed software, contact the vendor or consult their documentation/knowledgebase.
If the installation fails to uninstall (with or without a prompt for a password/code/phrase) then the installation may be corrupt. We recommend you contact the vendor or consult their documentation/knowledgebase for information on how to resolve the problem before re-protecting the endpoint computer with Sophos Endpoint Security and Control.
Third-party software is not installed
If third-party security software is not listed in Add/Remove Programs (Programs and Features for Vista+) then the CRT is most likely detecting a leftover component or fragment of the previously installed software.
Check the AVRemove.log (found in %temp%) to see which item is causing the detection. Open the log with a text editor and search from the bottom upwards for the string 'Info: Removing detected products', then check which items are mentioned immediately beneath that text.
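The same bottom-up search can be scripted when AVRemove.log files have been collected from several endpoints. The following is an added example, not Sophos code: the function name and the sample log are constructed, and the line layout is assumed from the log lines quoted in this article.

```python
import re

MARKER = "Info: Removing detected products"  # string quoted in the article
EXIT_RE = re.compile(r"Competitor Removal Tool exit code (\d+)")

# Constructed sample log: line wording follows the lines quoted in the article;
# the timestamps and product names are invented.
SAMPLE_LOG = """\
2024-01-10 09:00:01 Info: Removing detected products
2024-01-10 09:00:02 Failure: Removal of ExampleAV 1.0 failed.
2024-01-10 09:00:02 Failure: Return code 0
2024-01-10 09:00:03 Info: Competitor Removal Tool exit code 16
2024-01-11 14:30:01 Info: Removing detected products
2024-01-11 14:30:05 Failure: Removal of ExampleAV Agent failed.
2024-01-11 14:30:05 Failure: Return code 0
2024-01-11 14:30:06 Info: Competitor Removal Tool exit code 16
"""


def summarize_avremove(text):
    """Report what the most recent CRT removal attempt in the log recorded."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    # Walk upwards from the last line so an older attempt is never reported.
    start = next(
        (i for i in range(len(lines) - 1, -1, -1) if MARKER in lines[i]), None
    )
    if start is None:
        # The marker is absent: no removal attempt was found in this log.
        return {"marker_found": False, "items": [], "failures": [], "exit_code": None}
    items = lines[start + 1:]  # everything beneath the last marker
    failures = [ln for ln in items if "Failure:" in ln]
    codes = [int(m.group(1)) for m in map(EXIT_RE.search, items) if m]
    return {
        "marker_found": True,
        "items": items,
        "failures": failures,
        "exit_code": codes[-1] if codes else None,
    }


if __name__ == "__main__":
    report = summarize_avremove(SAMPLE_LOG)
    for line in report["items"]:
        print(line)
    print("CRT exit code:", report["exit_code"])
```

To use it on a real log, read a copy of the file into a string and pass it to summarize_avremove; the 'items' list holds the lines to check for the leftover component.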