Sophos Competitor Removal Tool: significant files and information

  • Article ID: 117835
  • Updated: 25 Nov 2013

This article provides information on the Sophos Competitor Removal Tool (CRT).

The CRT is a small program that runs during deployment/installation of Sophos Endpoint Security and Control. It detects, and can also remove, third-party security software.  Removal of third-party software is optional, though enabled by default, and non-Sophos software is removed only when the check box for third-party security software detection is selected (either in the local installer or during the 'Protect Computers Wizard' in the console).

The CRT is available in two versions:

  1. A 'standalone' version only available and supported by our Sales Engineering or Professional Services team.
  2. An integrated version available in both the managed and standalone versions of Sophos Endpoint Security and Control.

Note: This article only covers the integrated version of the tool.

Known to apply to the following Sophos product(s) and version(s)

Competitor Removal Tool (CRT)

Locating the tool

The files belonging to the CRT are located in the 'crt' folder inside the distribution folder.  Example:

\\[serverName]\SophosUpdate\CIDs\S000\SAVSCFXP\crt\

Significant files

The main files used by the program are listed below.

  • AVRemoveW.exe: Process that is called by the main Setup.exe program to detect/remove third-party security software.
  • AVRemove.exe: Process that can be called by a user to manually run the CRT.
  • library.zip: Contains the main files for the CRT program.
  • data.zip: Contains data on third-party products.
  • CRT.cfg: Configuration file that can be used to alter the behavior of the CRT.  By default it is located inside the data.zip file.  See the Configuration options section below for more information.
  • AVRemove.log: Log file created on the endpoint computer detailing the CRT's actions.  Located in the temporary folder of the user running the tool (e.g., the account used to deploy endpoint software when using the console).  To open that folder:
    • From the local computer: Start | Run | Type: %temp% | Press return.
    • From the console: browse to \\[endpoint-hostname]\C$\ and then to the temporary folder of the account used to deploy the software.

Determining version of tool

The list of third-party software detected and removed is updated and expanded with each new version of the tool.  If there are any problems when removing third-party security software it is important to confirm the exact version of the CRT being run.

To determine the version of the tool:

  1. Open a command prompt (Start | Run | Type: cmd.exe | Press return).
  2. Type the path to the crt folder and show the usage options of the AVRemove.exe program.  Example:
    \\[serverName]\SophosUpdate\CIDs\S000\SAVSCFXP\crt\AVRemove.exe --help

The first line of the usage options shows the version.  Example:

Sophos Anti-Virus software detector - Version 2.10.0.5

Note: Alternatively you can copy the crt folder to the Desktop of the endpoint computer and browse to the local folder in the command prompt.

List what competitor products are covered

When considering whether your existing security software can be removed by the CRT, one of three scenarios applies:

  1. No detection of the third-party product.
  2. Detection of the third-party product but no removal ability.
  3. Detection and removal of the third-party product.

To see what competitor software can be detected and removed (or only detected) see article 112662.  To check that your product is listed in the version of the CRT available in the distribution folder, run:

\\[serverName]\SophosUpdate\CIDs\S000\SAVSCFXP\crt\AVRemove.exe --listproducts > C:\SophosCRTOut.txt

...and open the SophosCRTOut.txt file in a text editor.  You can then search the text file for the product you are attempting to remove.

Configuration options

The CRT uses a configuration file that controls its behavior.  It is possible to change the configuration file to override the tool’s default settings.  Note: Reasons for changing the default settings will be suggested in other articles when necessary.

To configure the tool, find the data.zip file within the crt folder (see section 'Locating the tool' above). Extract the CRT.cfg file from the data.zip into the main crt folder and edit this extracted file with a text editor.  You can change the options as detailed below.

Note:

  • Do not place the modified CRT.cfg file back inside the data.zip file.  Keep it in the same directory as data.zip and the tool will automatically use your customized CRT.cfg file instead of the default file.
  • If you move the modified CRT.cfg file into the data.zip file the changes will still be implemented, but this is not recommended because it makes troubleshooting, or resetting the file to default options, harder.

The file contains the following options:

DetectOnly
Default: DetectOnly=0

This tells the tool whether to run in detect-only mode or not. In default mode, the tool will attempt to remove any anti-virus or firewall software it finds. DetectOnly=0 can be overridden on the command line with the -d option.

DetectOnly=1 means the tool will not attempt to remove any third-party security software it detects.

DetectOnly overrides any potentially conflicting options, such as RemoveSuites. Regardless of the RemoveSuites setting, if DetectOnly is on, the tool will only detect and will not remove the software.
RemoveFirewalls
Default: RemoveFirewalls=0

Note: This option can be overridden in the user interface when deploying Sophos products. If you are installing Sophos Client Firewall and you have selected to remove third-party security software, any supported firewalls will be removed regardless of the option set in this file.

This tells the tool whether to detect or remove firewalls. In the default mode, the tool will not detect or remove any firewalls. RemoveFirewalls=0 can be overridden on the command line with the -f option.

RemoveFirewalls=1 means the tool will detect and attempt to remove any third-party firewalls it detects.

Note: This option also means any product suites detected will be removed. Setting this option overrides the RemoveSuites option.
RemoveSuites
Default: RemoveSuites=0

Note: This option can be overridden in the user interface when deploying Sophos products. If you are installing Sophos Client Firewall and you have selected to remove third-party security software, any supported firewalls will be removed regardless of the option set in this file.

This tells the tool whether to remove product suites. Product suites are products that contain an anti-virus and firewall component. In the default mode, the tool will not remove any product suites it detects.

RemoveSuites=1 means the tool will detect and attempt to remove any third-party product suites it detects.

Note: Product suites, because they contain an anti-virus product, are always detected by default. This option allows you to configure whether they are removed or merely detected.
RemoveUpdateTools
Default: RemoveUpdateTools=0

This tells the tool whether to detect or remove third-party security software update tools. In the default mode, the tool will not detect or remove any update tools.

RemoveUpdateTools=1 means the tool will detect and attempt to remove any update tools it detects.
RunOnServers
Default: RunOnServers=1

This tells the tool whether to run on server platforms. In the default mode, the tool will successfully run on server platforms.

RunOnServers=0 means the tool will return an error if it is run on a server platform.
TraceLogging
Default: TraceLogging=1

This tells the tool to log all information, including debug entries and information. In the default mode, the tool will enable all logging.

TraceLogging=0 means that only errors will be logged by the tool.
ProductCatalog
ProductCatalog is only available in the standalone ('non-standard') version of the CRT and hence not detailed further in this article.
LogFilePath
This option tells the tool where to create the log file.

The default setting is LogFilePath= which means the log file is created in the user’s TEMP directory. To change this, enter the directory in which you would like the log file created, e.g., LogFilePath=C:\LoggingCRT
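
The precedence rules described for these options can be checked before a customized CRT.cfg is placed beside data.zip. The following is an added example, not Sophos code: it assumes CRT.cfg holds plain Key=Value lines, models only the file settings and the -d and -f command-line options (not the user-interface override), and uses a constructed sample file.

```python
# Added example (not Sophos code): report what a CRT.cfg override would do.
# Assumption: CRT.cfg holds plain Key=Value lines, as the option names suggest.

DEFAULTS = {  # defaults as documented in this article
    "DetectOnly": "0", "RemoveFirewalls": "0", "RemoveSuites": "0",
    "RemoveUpdateTools": "0", "RunOnServers": "1", "TraceLogging": "1",
    "LogFilePath": "",
}

def parse_cfg(text):
    """Return the documented options found in text, layered over the defaults."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in DEFAULTS:
            opts[key.strip()] = value.strip()
    return opts

def drift(opts):
    """Options whose value differs from the documented default."""
    return {k: v for k, v in opts.items() if v != DEFAULTS[k]}

def effective_actions(opts, cli_detect_only=False, cli_firewalls=False):
    """Apply the documented precedence: DetectOnly wins over every removal
    option, and RemoveFirewalls=1 removes suites regardless of RemoveSuites.
    cli_detect_only and cli_firewalls model the -d and -f options."""
    detect_only = cli_detect_only or opts["DetectOnly"] == "1"
    firewalls = cli_firewalls or opts["RemoveFirewalls"] == "1"
    flags = {
        "firewalls": firewalls,
        "suites": firewalls or opts["RemoveSuites"] == "1",
        "update tools": opts["RemoveUpdateTools"] == "1",
    }
    enabled = {name for name, on in flags.items() if on}
    detected = {"anti-virus", "suites"} | enabled  # suites are always detected
    removed = set() if detect_only else {"anti-virus"} | enabled
    return {"detected": detected, "removed": removed}

# Constructed sample override file, for illustration only.
SAMPLE = "DetectOnly=1\nRemoveFirewalls=1\nRemoveSuites=0\nTraceLogging=0\n"

if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE)
    print("Non-default settings:", drift(cfg))
    print("Effective actions:", effective_actions(cfg))
```
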

Requesting updates to the CRT

You can request that new third-party security software be added to the CRT, or that detect-only functionality be expanded to automatically remove the software.  The required steps are:

  1. Run the Sophos Diagnostic Utility on the endpoint computer (to gather third-party software information).
  2. Use our Support Query web form to open a support case:
    1. Attach the SDU output file from the endpoint computer.
    2. Clearly state that you are requesting an additional detection be added to the CRT.

Important: The CRT update may take several weeks to complete.  If there is an urgent need to add detection you can contact your Sales Account Manager and discuss a bespoke solution using the 'standalone' version of the CRT (see introduction to this article for details).

Troubleshooting the CRT

...from the console

Removal of third-party software may fail for a number of reasons:

Common issues and explanations:

CRT does not remove third-party software
Removal of third-party software is available with only the latest version of the CRT and the version being run is not the latest.  You need to ensure your Sophos Update Manager (SUM) subscription is configured for the latest software and that the distribution folder is up to date.

CRT has only detection ability and will not remove version.
Error 0x0000004a is shown in the console.  See article 59644.

Third-party software is not covered by any version of the tool and has yet to be added.
Sophos Endpoint Security and Control may install alongside existing third-party software.

Error 0x00000049 is shown in the console
Third-party software detected is part of a 'security suite'.  See article 40754.

Error 0x00000042 is shown in the console...
Various causes which include:

  • Third-party product detected even though no product shows in Add/Remove Programs.  CRT is detecting leftover components (registry key, service, etc.) on the endpoint computer.
  • Third-party product is detected but removal has failed because of corrupt installation.
  • Third-party product has its installation protected and blocks the uninstallation.
  • crt folder cannot be copied to endpoint computer's temporary folder (permissions related).

See article 35340.

...from the endpoint computer

When a failure occurs, an error is returned to the console only if the endpoint software was deployed via the console. If you run the Setup.exe program on the endpoint, no error will be returned to the console.

If you are installing Sophos endpoint software locally (or any method other than via the console protection wizard) you can still troubleshoot problems.  You should check the AVRemove.log file (see 'Significant files' above for its location).  Open the file in a text editor (e.g., Notepad.exe).

Note:

  • The log file is added to each time the CRT is run and will grow in size if a number of attempts to install are made.
  • The most recent information is at the bottom of the log file.  Either:
    • Scroll to the bottom of the log file, click into the file at the last line and work upwards while searching for a problem.
    • Delete the current AVRemove.log file and try to install again - this will create a fresh log file.
  • The lines of interest include the terms:
    • Info:
    • Failure:
    • Info: Detected
    • was found
  • You can search for the terms (exactly as they appear above) using the Find option of your text editor (Ctrl+F) - make sure the search direction is 'Up' from the bottom of the log.

If the tool failed the last lines of the file will be similar to these:

[TIMESTAMP] Info: Competitor Removal Tool exit code [a number]
[TIMESTAMP] Info: AVRemove finished. 1 product found, 0 products removed. Report logged to : C:\...\avremove.log
Sophos Anti-Virus software detector - Version 2.10.0.5
Copyright (C) 2003-2012 Sophos Limited. All rights reserved.
Running OS: Microsoft Windows [version of Windows]
Removing detected products...
AVRemove finished. 1 product found, 0 products removed. Report logged to : C:\...\avremove.log

In the example above the last line of the file shows that one product has been found and zero products have been removed.  Note: In this example the term 'product found' does not necessarily mean third-party security software will be shown in Add/Remove Programs (or Programs and Features for Vista+).  The term means one or more components (services, registry key, etc.) have been detected.

Once you have found an issue reported in the AVRemove.log file, search the knowledgebase for further information.  If you cannot find further information, run the Sophos Diagnostic Utility on the endpoint computer and forward the output to Technical Support.
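
The bottom-up search described above can be scripted when many endpoints need checking. The following is an added example, not Sophos code: the sample log lines, timestamp format, product names and exit codes are constructed, and it assumes each run writes exactly one 'exit code' line, which it uses to stop at the previous run.

```python
import re

# Added example (not Sophos code): summarise the most recent run in AVRemove.log.
SUMMARY = re.compile(r"AVRemove finished\. (\d+) products? found, (\d+) products? removed")
EXIT_CODE = re.compile(r"Competitor Removal Tool exit code (\S+)")
# Search terms from the article; "Info:" is left out because it matches most lines.
TERMS = ("Failure:", "Info: Detected", "was found")

def triage(log_text):
    """Read the log from the last line upwards, because it is appended to on
    every run and the newest entries are at the bottom."""
    report = {"found": None, "removed": None, "exit_code": None, "hits": []}
    for line in reversed(log_text.splitlines()):
        match = EXIT_CODE.search(line)
        if match:
            if report["exit_code"] is not None:
                break  # second exit-code line: the previous run starts here
            report["exit_code"] = match.group(1)
        match = SUMMARY.search(line)
        if match and report["found"] is None:
            report["found"] = int(match.group(1))
            report["removed"] = int(match.group(2))
        if any(term in line for term in TERMS):
            report["hits"].append(line.strip())
    report["hits"].reverse()  # restore chronological order
    # True when something was detected but not everything was removed.
    report["incomplete"] = (report["found"] or 0) > (report["removed"] or 0)
    return report

# Constructed sample: an older successful run followed by a failed one.
SAMPLE_LOG = r"""
[2013-11-20 09:00:00] Info: Detected ExampleAV 1.0
[2013-11-20 09:00:09] Info: Competitor Removal Tool exit code 0
[2013-11-20 09:00:09] Info: AVRemove finished. 1 product found, 1 product removed. Report logged to : C:\Temp\avremove.log
[2013-11-25 10:00:01] Info: Detected ExampleFW 2.0
[2013-11-25 10:00:05] Failure: ExampleFW uninstall did not complete
[2013-11-25 10:00:05] Info: Competitor Removal Tool exit code 1
[2013-11-25 10:00:05] Info: AVRemove finished. 1 product found, 0 products removed. Report logged to : C:\Temp\avremove.log
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```
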

 
If you need more information or guidance, then please contact technical support.
