
HitmanPro (Sophos) found on my system without a Sophos install. How can I get rid of it?

I was looking at my event viewer and under Custom Views, I spotted "HitmanPro". I never installed Sophos. When I requested a Sophos account, the verification email came from Microsoft. I can't find anything about it or Sophos in Control Panel. I'm using the latest Windows 10. Did MS install it for me? I own the machine and have full admin rights (if that info is relevant).



  • When Sophos Windows endpoint installs, it has multiple components, one of which is HitmanPro (exploit prevention). To save users having to uninstall each one and know the order, Sophos creates one entry in Programs and Features which is for the unified uninstaller.

    The other components are marked as a "SystemComponent" = 1 so they don't show in Programs and Features (AppWiz.cpl). For example, on my computer running the Sophos Central managed client which included HitmanPro:

    Note the SystemComponent DWORD set to 1.

    When HitmanPro installs, it does create a custom event log entry to filter to 911 events, which is what you are seeing.

    Other markers of it being installed are:

    1. In Services.msc, there is an entry for HitmanPro.Alert service

    2. Running fltmc.exe in an admin prompt will list the driver hmpalert

    I would look through the uninstall keys for the reference to it.

    MS would not have installed it.
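
The markers listed in the answer above (hidden uninstall entries, the service, the filter driver) and the leftover Event Viewer custom view can be checked in one pass. This PowerShell is an added example, not part of the original thread or any Sophos tooling; the match pattern and the service display-name wildcard are assumptions based on the names quoted in the post.

```powershell
# Added example: collect the install markers named in the answer above.
# Assumption: this pattern covers the product names quoted in the thread.
$pattern = 'HitmanPro|hmpalert|Sophos'

# 1. Uninstall entries, including those hidden from Programs and Features
#    by SystemComponent = 1 (64-bit and 32-bit registry views).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entries = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion,
        @{ Name = 'HiddenFromAppWiz'; Expression = { $_.SystemComponent -eq 1 } },
        UninstallString, PSChildName

# 2. Service entry (assumed display-name wildcard for "HitmanPro.Alert").
$services = Get-Service -DisplayName 'HitmanPro*' -ErrorAction SilentlyContinue

# 3. Filter driver: fltmc.exe only works from an elevated prompt.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$drivers = if ($isAdmin) {
    fltmc.exe | Select-String -Pattern 'hmpalert'
} else {
    Write-Warning 'Not elevated: skipping the fltmc.exe check.'
}

# 4. Event Viewer custom views are XML files; find ones that reference the provider.
$viewDir = Join-Path $env:ProgramData 'Microsoft\Event Viewer\Views'
$views = if (Test-Path $viewDir) {
    Get-ChildItem -Path $viewDir -Filter *.xml -Recurse |
        Select-String -Pattern 'HitmanPro' -List |
        Select-Object -ExpandProperty Path
}

# Summary: a leftover custom view with nothing else present matches the
# situation described later in this thread.
[pscustomobject]@{
    UninstallEntries = @($entries).Count
    Services         = @($services).Count
    FilterDrivers    = @($drivers).Count
    CustomViews      = @($views).Count
}
$entries | Format-Table -AutoSize
$views
```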

  • Since neither the hitman.alert nor the hmpalert entries appeared, can I assume that the Event Viewer entry may have been there from a previous run of a Sophos trial I once used to check for a rootkit? And I can just delete the entry?

  • Yes, it's just a custom view of the event log, i.e. a filter that looks like this:

    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[Provider[@Name='HitmanPro.Alert'] and (EventID=911 or EventID=800)]]</Select>
      </Query>
    </QueryList>

    that can be deleted.

  • Thanks. I deleted it. And thanks for the sample XML. I might use it as a template for a custom event filter myself.