Published on May 2, 2018
Manually Remove Sophos Software
Removing Sophos Antivirus from Mac OS X
Sophos SafeGuard Disk Encryption.
To uninstall Sophos security software when tamper protection is enabled:
- On the Home page, under Tamper protection, click Authenticate user. For information about the Home page, see About the Home page.
- In the Tamper Protection Authentication dialog box, enter the tamper protection password and click OK.
Prepare scripts to remove Sophos Endpoint. Create group policy. Configuration 3.1 Create a share folder on Windows Server. The first step is to create a shared folder to hold the script files used to remove Sophos Endpoint, so that workstations can access and execute them.
Click Uninstall and wait for the process to finish. Remove this computer from the dashboard to free up the consumed device count and to be able to download and re-install Sophos Home on the computer. Note: Sophos Home will automatically remove the computer from the dashboard if the uninstallation is performed while connected to the internet.
Go to Programs and Features and uninstall the Sophos components in the following order:
Notes: If the component is not listed, it may not be installed. Proceed with the next component. A prompt to restart the computer will appear after uninstalling Sophos Exploit Prevention.
- Sophos Remote Management System
- Sophos Network Threat Protection
In this video Jelan from Sophos Support shows you how to use the Sophos ZAP tool to remove Sophos Endpoint or Server Protection Software from a Windows Devic.
- Access your Applications folder
- Double-Click on the Remove Sophos Endpoint* application
- Click on the Continue button
- If prompted, enter your Username and Password
- Click on the OK button
- On the "The removal was successful" window, click on the Close button
- The Sophos Antivirus Shield will also be removed from the menu bar indicating a successful uninstall
- Reboot your computer when finished
*If you are not able to locate the Remove Sophos Endpoint application, you may need to download and run the Sophos Anti-Virus for Mac: Removal Tool.
These instructions apply if you are unable to uninstall Sophos because Tamper Protection needs to be turned off, or because the tamper protection password is lost and the client cannot receive a new policy without a known password.
Manually Remove Sophos Home
To recover a tamper protected system, you must disable Enhanced Tamper Protection.
NOTE: Do a backup of your registry before you attempt this procedure.
Applies to the following Sophos products and versions
Sophos Endpoint Security and Control 10.6.4
Sophos Cloud Managed Endpoint
Manually Remove Sophos Endpoint
2 Steps total
Step 1: Sophos Enterprise Console managed client
1. Boot the system into Safe Mode.
2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
3. Click Start > Run and type regedit and then click OK.
4. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
5. Set the following DWORD values to 0: SAVEnabled and SEDEnabled
6. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0
7. Reboot the system in normal mode.
Step 2: Sophos Central managed client
1. Boot the system into Safe Mode.
2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
3. Click Start > Run and type regedit and then click OK.
4. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004
5. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0
6. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0
7. Reboot the system in normal mode.
Enhanced Tamper Protection is now disabled.
You should now be able to uninstall Sophos Protection.
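To confirm what state the registry values named in the steps above are in, for example after the reboot or when auditing endpoints where tamper protection may have been left switched off, a read-only check like the following can be used. This is an added example, not part of the original article or of Sophos tooling; the function name Get-SophosTamperState is hypothetical, and the paths and value names are the ones listed in the steps.

```powershell
# Added example: read-only audit of the values touched by the procedure above.
# It modifies nothing. 'DisabledValue' is the value the steps say to set.
$sedConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
$savTamper = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
$mcsAgent  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'

$checks = @(
    @{ Path = $sedConfig; Name = 'SAVEnabled'; DisabledValue = 0 },
    @{ Path = $sedConfig; Name = 'SEDEnabled'; DisabledValue = 0 },
    @{ Path = $savTamper; Name = 'Enabled';    DisabledValue = 0 },
    @{ Path = $mcsAgent;  Name = 'Start';      DisabledValue = 4 }  # 4 = service disabled
)

function Get-SophosTamperState {
    param([Parameter(Mandatory)][object[]]$Checks)

    foreach ($c in $Checks) {
        $value = $null
        $state = 'KeyMissing'          # component not installed, or key removed
        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'
            } else {
                $value = $item.($c.Name)
                $state = if ($value -eq $c.DisabledValue) { 'Disabled' } else { 'NotDisabled' }
            }
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Key      = $c.Path
            Name     = $c.Name
            Value    = $value
            State    = $state
        }
    }
}

$report = Get-SophosTamperState -Checks $checks
$report | Format-Table Computer, Name, Value, State, Key -AutoSize

# Flag the host if any of the values is in the state the procedure produces.
if ($report.State -contains 'Disabled') {
    Write-Warning "$env:COMPUTERNAME has one or more Sophos tamper protection values disabled."
}
```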
References
- Sophos Endpoint Defense: How to recover a tamper protected system
2 Comments
- Jalapenojimarnold Aug 2, 2019 at 01:08pm
There might be an easier way:
If you log into the admin portal for Sophos, then go to Logs & Reports, there is a report under the 'Endpoint & Server Protection' category called 'Recover Tamper Protection Passwords'
If you run this report, it allows you to search for the deleted computer name and provides you with the tamper protection password for that computer. This allows you then to 'login' on the client software to override the policy and turn off tamper protection for 4 hours. This should be enough time to uninstall.
I found myself cursing the Sophos portal until I discovered this little nugget of gold!
- Pimientospicehead-3jrws Aug 10, 2021 at 03:56am
What do I need to do if I go to the safe mode to change the computer's registry as indicated above but the registry does not allow me to modify the values on it?