Error 0x00000042 when protecting an endpoint computer

  • Article ID: 35340
  • Updated: 07 Jan 2014

Issue

After protecting an endpoint computer from the console the following is shown in the 'Install errors' column on the 'Alert and Error Details' tab of the console:

Failed to uninstall third-party security software. [0x00000042]

In the computer details window, the following is shown:

00000042 Cancelled Sophos installation because existing third-party security software could not be uninstalled.

When you run setup.exe manually on the endpoint computer you see:

Cancelled installation because existing third-party security software could not be uninstalled.
If you do not click 'OK', this message box will close automatically after 60 seconds.

At the bottom of the AVRemove.log (found in %temp%) the following is shown:

[DATE] [TIME] Failure: Removal of [Product detected] failed.
[DATE] [TIME] Failure: Return code 0
[DATE] [TIME] Info: Competitor Removal Tool exit code 16

Note: If you cannot see an AVRemove.log file, check the Sophos ES setup.log file for an error (e.g., Failed to copy CRT directory to local machine).

First seen in

Sophos Endpoint Security and Control
Enterprise Console

Cause

This error is returned for several specific reasons and is also returned if the cause of the failure is unknown. Common causes are:

  • The third-party software has tamper protection enabled and is blocking the automatic uninstall by the Sophos Competitor Removal Tool (CRT).  Tamper protection actively monitors the files and services installed by the third-party security software and prevents them from being removed, edited or shut down.
  • The third-party product is detected but removal has failed because of a corrupt installation.
  • The third-party software was removed before protecting the endpoint with Sophos Endpoint Security and Control, but the CRT is detecting leftover components (registry key, service, etc.).

What To Do

Check if third-party security software is listed in Add/Remove Programs (Programs and Features for Vista+) and follow one of the sections below.

Third-party software is installed

If third-party security software is listed in Add/Remove Programs (Programs and Features for Vista+) the problem is either:

  • the software has tamper protection enabled
  • the software installation is corrupt.

Attempt to remove the software and if you are prompted for a password/code/phrase, enter the required details and confirm the uninstall completes.  If the uninstall completes, this shows that tamper protection on the third-party software needs to be removed before re-protecting the endpoint computer with Sophos Endpoint Security and Control.  For details of how to disable tamper protection for the currently installed software, contact the vendor or consult their documentation/knowledgebase.

If the installation fails to uninstall (with or without a prompt for a password/code/phrase) then the installation may be corrupt.  We recommend you contact the vendor or consult their documentation/knowledgebase for information on how to resolve the problem before re-protecting the endpoint computer with Sophos Endpoint Security and Control.

Note: If you cannot tell which third-party security product is being detected, follow the instructions below on checking the AVRemove.log and locate the product name, which should be mentioned in the log (the string begins Info: Starting removal of).

Third-party software is not installed

If third-party security software is not listed in Add/Remove Programs (Programs and Features for Vista+) then the CRT is most likely detecting a leftover component or fragment of the previously installed software.

Check the AVRemove.log (found in %temp%) to see which item is causing the detection. Open the log with a text editor, search from the bottom upwards for the string Info: Removing detected products and check which items are mentioned immediately beneath that text. The registry key(s) mentioned below the text are causing the detection and are most likely left over from a previously uninstalled third-party security product.

The key(s) mentioned in that section of the log need to be manually removed from the computer's registry. Warning: See article 10388 before editing/deleting the computer's registry.

In the screenshot below the registry key {C78D3032-9DFD-41D0-9DE9-58EAE750CBA4} has been detected beneath the Uninstall branch and needs to be removed before the CRT will allow the installation to complete.

You can open the registry editor on the local computer (Start | Run | Type: regedit.exe | Press return), search ('Edit' | 'Find') for the string mentioned in the log (in the example above it would be C78D3032-9DFD-41D0-9DE9-58EAE750CBA4), back up (export) the key(s) and then delete them. After this you can re-run the Sophos installer. If the problem persists, check the AVRemove.log for any further detections.
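The log check and registry backup described above can be scripted. The following PowerShell is an added example, not Sophos code: it reads the log from the bottom up, lists what follows the marker, and exports any matching keys before a dry-run delete. It assumes the detected items are GUID-named keys under the standard Uninstall branches (as in the example above), and the backup folder name is hypothetical.

```powershell
# Added example, not Sophos code. Assumes the detected items are GUID-named keys
# under the standard Uninstall branches; $BackupDir is a hypothetical folder.
param(
    [string]$LogPath   = (Join-Path $env:TEMP 'AVRemove.log'),
    [string]$BackupDir = (Join-Path $env:TEMP 'crt-key-backup')
)

$lines  = @(Get-Content -LiteralPath $LogPath)
$marker = 'Info: Removing detected products'

# Search from the bottom upwards so only the most recent run is examined.
$start = -1
for ($i = $lines.Count - 1; $i -ge 0; $i--) {
    if ($lines[$i].Contains($marker)) { $start = $i; break }
}
if ($start -lt 0) { throw "'$marker' not found in $LogPath" }

# Product name, if logged (the line contains 'Info: Starting removal of').
$lines | Where-Object { $_.Contains('Info: Starting removal of') } | Select-Object -Last 1

$section = @($lines | Select-Object -Skip ($start + 1))
'Items logged after the marker:'
$section

# Pull GUID-shaped key names out of that section only.
$guidPattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
$guids = $section | Select-String -Pattern $guidPattern -AllMatches |
    ForEach-Object { $_.Matches.Value } | Sort-Object -Unique

$branches = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($guid in $guids) {
    foreach ($branch in $branches) {
        $key = "$branch\$guid"
        if (-not (Test-Path -LiteralPath "Registry::$key")) { continue }
        $file = Join-Path $BackupDir ('{0}.reg' -f ($key -replace '[\\{}]', '_'))
        & reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Export of $key failed" }
        "Backed up $key to $file"
        # Dry run only: review the export, then remove -WhatIf to delete the key.
        Remove-Item -LiteralPath "Registry::$key" -Recurse -WhatIf
    }
}
```

Run it under the same account that ran the installer so that %temp% resolves to the folder holding the log. Detections that are not GUID-named Uninstall keys (a service, for example) appear only in the printed section and still need manual review.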

Note: You may be able to connect to an endpoint computer's registry remotely from your local computer's registry editor and avoid having to move to the remote computer.

If you need more information or guidance, then please contact technical support.
