HitmanPro (Sophos) found on my system without a Sophos install. How can I get rid of it?

Hello Dennis, 

Thank you for reaching out to the Sophos Community. 

Regarding the setup email, some of our back-end environment does integrate with Microsoft for authentication purposes. 

If you're looking to find out how "HitmanPro" got onto your device, I recommend checking the Control Panel to see if you can find an "Installed On" date next to HitmanPro. Typing in "appwiz.cpl" from a "Run" window or in the Windows Start Menu will bring you directly to the add/remove programs and features control panel item.  

Let me know what you see present, if this refers to "Sophos Endpoint Agent" or if this shows the "Stand Alone" HitmanPro application installed. 

None of Hitman, HitmanPro, Sophos or any of those preceded by "Microsoft" appears in Control Panel's Add/remove menu.

PS. I am running Win 10 PRO, if that matters and have preformed ALL settings, including TPM, that make my system ready for Windows 11 (which I am currently running in Hyper-V as an Insider).

Hello Dennis, 

Could you try attaching a screenshot of what you’re seeing on the device? 

Thank you,

Here's the screen shot. See the 4th custom view

Here's the screen shot. See the 4th custom view

When Sophos Windows endpoint installs it has multiple components on of which is HitmanPro (expolit prevention).  To save users having to uninstall each one and know the order, Sophos creates one entry in Programs and Features which is for the unified uninstaller.

The other components are marked as a "SystemComponent" = 1 so they don't show in Programs and Features (AppWiz.cpl). For example, on my computer running the Sophos Central managed client which included HitmanPro:

Note the SystemComponent DWORD set to 1.

When Hitman pro installs, it does create a custom event log entry to filter to 911 events which is what you are seeing.

Other markers of it being installed are:

1. In Services.msc, there is an entry for HitmanPro.Alert service

2. Running fltmc.exe in an admin prompt will list the driver hmpalert

I would look through the uninstall keys for the reference to it.

MS would not have installed it.

since neither the hitman.alert nor the hmpalert entries appeared, can I assume that the Event Viewer may have been there from a previous run of Sophos trial I once used to check for a rootkit? And I can just delete the entry?

Yes, it's just a custom view of the event log, i.e. a filter that looks like this:

<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[Provider[@Name='HitmanPro.Alert'] and (EventID=911 or EventID=800)]]</Select>
</Query>
</QueryList>

that can be deleted.

Thanks. I deleted it. And thanks for the sample XML. I might use it as a template for a custom event filter myself.