Manual Remove Sophos

Manually Remove Sophos Tamper Protection

Use these instructions if you are unable to uninstall Sophos because Tamper Protection needs to be turned off, or because the tamper protection password is lost and the client cannot receive a new policy without a known password.

To recover a tamper protected system, you must disable Enhanced Tamper Protection.

NOTE: Back up your registry before you attempt this procedure.

Windows 7 computers. Click on the Start button, then Control Panel. Click Programs and Features. Double-click on Sophos Home in the list of installed programs. Note: In some cases, you may be prompted to restart the computer first before uninstalling Sophos Home. Simply click on Close and reboot the machine first.

Applies to the following Sophos products and versions: Sophos Central Windows Endpoint Intercept X

What to do: Perform the following steps to resolve the uninstall issue: Download the newest version of Dell Protected Workspace. Update the existing Dell Protected Workspace on the target computer by running the recently downloaded .exe file.

A full Sophos Cloud Optix setup creates resources in your AWS environment to send logs to the service. These resources will be deleted using the methods described on this page. But these methods do not remove S3 buckets. You must manually remove them from your AWS environment afterward.

sc delete "Sophos System Protection Service"

Remove Registry - To delete all registry keys (that I could find anyway.)

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Clean" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Agent" /f

Applies to the following Sophos products and versions
Sophos Endpoint Security and Control 10.6.4
Sophos Cloud Managed Endpoint

Step 1: Sophos Enterprise Console managed client

1. Boot the system into Safe Mode.
2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
3. Click Start > Run and type regedit and then click OK.
4. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
5. Set the following DWORD values to 0: SAVEnabled and SEDEnabled
6. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0
7. Reboot the system in normal mode.

Step 2: Sophos Central managed client

1. Boot the system into Safe Mode.
2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
3. Click Start > Run and type regedit and then click OK.
4. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004
5. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0
6. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0
7. Reboot the system in normal mode.

Enhanced Tamper Protection is now disabled.
You should now be able to uninstall Sophos Protection.

References

  • Sophos Endpoint Defense: How to recover a tamper protected system

2 Comments

  • Jalapeno
    jimarnold Aug 2, 2019 at 01:08pm

    There might be an easier way:

    If you log into the admin portal for Sophos, then go to Logs & Reports, there is a report under the 'Endpoint & Server Protection' category called 'Recover Tamper Protection Passwords'.

    If you run this report, it allows you to search for the deleted computer name and provides you with the tamper protection password for that computer. This allows you then to 'login' on the client software to override the policy and turn off tamper protection for 4 hours. This should be enough time to uninstall.

    I found myself cursing the Sophos portal until I discovered this little nugget of gold!

  • Pimiento
    spicehead-3jrws Aug 10, 2021 at 03:56am

    What do I need to do if I go to the safe mode to change the computer's registry as indicated above but the registry does not allow me to modify the values on it?

By . Published on May 2, 2018

Manually remove sophos endpoint

Removing Sophos Antivirus from Mac OS X –

  • Access your Applications folder
  • Double-Click on the Remove Sophos Endpoint* application
  • Click on the Continue button
    • If prompted, enter your Username and Password
    • Click on the OK button
  • On the "The removal was successful" window, click on the Close button
    • The Sophos Antivirus Shield will also be removed from the menu bar indicating a successful uninstall
  • Reboot your computer when finished

*If you are not able to locate the Remove Sophos Endpoint application, you may need to download and run the Sophos Anti-Virus for Mac: Removal Tool.
