Advisory: Following an update to Sophos Anti-Virus, the Sophos Anti-Virus service fails to start for PureMessage for Microsoft Exchange and Sophos for Microsoft SharePoint

  • ID dell'articolo: 119717
  • Aggiornato: 22 ago 2013

Background

This is an issue affecting a small subset of Sophos customers who use PureMessage for Microsoft Exchange or Sophos for Microsoft SharePoint. Some customers have reported that their scanning service stopped after an update of Sophos Anti-Virus on 14 August 2013. We advise customers experiencing this issue to follow the steps below as soon as possible, to ensure that their anti-malware protection is up to date and active.

Issue

Following an update to Sophos Anti-Virus you experience the following symptoms:

  • For managed clients they appear as 'comparison failure' or 'differs from policy' in Enterprise Console.
  • When manually attempting to start the 'Sophos Anti-Virus' service, it fails with error number -2147467259.
  • The Sophos shield icon displays a cross and a tool-tip message 'Sophos Protection Anti-virus and HIPS: service failure'.
  • You see errors from Sophos Anti-Virus in the Windows Application event log relating to the failure of the Sophos Anti-Virus service.
  • If you have PureMessage for Microsoft Exchange or Sophos for Microsoft SharePoint installed, the administrator may receive (depending on configuration) an email with the message detailed below*.

The following error messages are also logged and can be used to confirm the issue:

SAV.txt

Loading SAV Interface returned the error 0xa0040223: SAV Interface must be re-initialized - the detection engine has a version later than that that the running version of SAV Interface supports.

Sophos Anti-Virus CustomActions Log_[TimeStamp].txt

WaitForSAVIEvent: Could not open memory mapped file Global\!$_SAVI_!$!_MMMF_$!__
Successfully waited for event Global\!$_SAVI_!$!_EVENT_$!__Suspended
SAVService failed to start, error=0x80004005
Unable to create an instance of ComponentManager - SystemInformation cannot be informed of end of update

Sophos Anti-Virus Install Log_[TimeStamp].txt

Info: Running UpdateSAVI shared custom action.
Info: Return Value from UpdateSAVI: 1359
Info: Shared custom actions failed. Running rollback actions.
Info: Running SetUpdateFailed shared custom action.
Info: Return Value from SetUpdateFailed: 0
Info: Running RunErrorScripts shared custom action.
Info: Return Value from RunErrorScripts: 0
Info: Update to Sophos Anti-Virus failed.

*You may see one of the following messages, depending on which product you have installed:

The PureMessage administrator may also receive the following application email:

PureMessage store scanning has encountered an application error and needs urgent attention.

Details: Failed to initialize Sophos Anti-Virus Interface (SAVI). Please check your Sophos Anti-Virus installation

The Sophos for Microsoft SharePoint administrator may also receive the following application email :

Sophos for Microsoft SharePoint has encountered an application error and needs urgent attention.

Details: Failed to initialize Sophos Anti-Virus Interface (SAVI). Please check your Sophos Anti-Virus installation

First seen in

Sophos Anti-Virus for Windows 2000+

Cause

The previous scanning engine was unable to terminate cleanly during the upgrade.

What To Do

Depending on the applications installed on the computer, please follow the appropriate steps below.  

Note: If you have both applications listed, stop and disable all the services mentioned before repairing the update to avoid having to duplicate steps.

PureMessage for Microsoft Exchange

  1. Stop the following service:
    • Sophos PureMessage Scanner
  2. ​Set the start-up type to 'disabled' for the following service:
    • Sophos PureMessage Scanner
  3. Delete the following file of Sophos Anti-Virus:
    • 32-bit: C:\Program Files\Sophos\Sophos Anti-Virus\savsync.upd
    • 64-bit: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\savsync.upd
  4. Delete the following file of Sophos AutoUpdate:
    • Vista\7\2008\2012: 'C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml'
    • 2003/XP:  'C:\Program files\Sophos\AutoUpdate\data\status\status.xml'
  5. Perform an "Update now" - to do so right click on the Sophos shield icon in the notification tray and choose 'Update now'.
  6. Once the update has finished, check the Sophos Anti-Virus service has started.
  7. Perform a subsequent 'Update now' as above to confirm.
  8. ​Set the start-up type to 'automatic' for the following service:
    • Sophos PureMessage Scanner
  9. Start the following service:
    • Sophos PureMessage Scanner

Sophos For Microsoft SharePoint

  1. Stop the following service:
    • Sophos for Microsoft SharePoint Scanner
  2. ​Set the start-up type to 'disabled' for the following service:
    • Sophos for Microsoft SharePoint Scanner
  3. Delete the following file of Sophos Anti-Virus:
    • 32-bit: C:\Program Files\Sophos\Sophos Anti-Virus\savsync.upd
    • 64-bit: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\savsync.upd
  4. Delete the following file of Sophos AutoUpdate:
    • Vista\7\2008\2012: 'C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml'
    • 2003/XP:  'C:\Program files\Sophos\AutoUpdate\data\status\status.xml'
  5. Perform an "Update now" - to do so right click on the Sophos shield icon in the notification tray and choose 'Update now'.
  6. Once the update has finished, check the Sophos Anti-Virus service has started.
  7. Perform a subsequent 'Update now' as above to confirm.
  8. ​Set the start-up type to 'automatic' for the following service:
    • Sophos for Microsoft SharePoint Scanner
  9. Start the following service:
    • Sophos for Microsoft SharePoint Scanner

If the above steps fail to correct the issue, we recommend that you uninstall and then re-install just the Sophos Anti-Virus component. To do so:

  1. Uninstall just the 'Sophos Anti-Virus' product from 'Add or Remove Programs' or 'Programs and Features'.  
    Tip: Start | Run type: appwiz.cpl then press 'Enter'.
  2. After the uninstall reboot if requested.
  3. Delete the file status.xml:
    • Vista\7\2008\2012: 'C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml'
    • 2003/XP: 'C:\Program files\Sophos\AutoUpdate\data\status\status.xml'
  4. ​Perform an "Update now" - to do so right click on the Sophos shield icon in the notification tray and choose 'Update now'.

 
Per maggiori informazioni o per assistenza, vi preghiamo di contattare il supporto tecnico.

Valutate l'articolo

Molto scadente Eccellente

Commenti