This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remove Sophos Central without tamper protection password

It would be extremely difficult to remove sophos central from within the operating system where it is installed,  However, by either plugging the affected drive into another computer -OR- working from recovery - command prompt,  the SOPHOS folders can be removed from program files and program files (x86) on the affected hard drive partition.  All hitmanpro files should all be removed.

Then on rebooting the OS - run iobit uninstaller, or delete remaining sophos files and folders to CLEAN UP.

               Have fun,    Steve K.



This thread was automatically locked due to age.
Parents
  • Hello Steve,

    You can either follow the steps on this vid https://techvids.sophos.com/watch/BCRVKNsqy67fwPvdg7vZu8 or either the steps on this KB article https://support.sophos.com/support/s/article/KB-000036125?language=en_US so you don't need to slave the device hard drive to another system.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
  • Hi Glenn,

          Those articles show elaborate steps within the operating system, BUT THEY DO NOT WORK.

    Sophos prevents regedit from modifying sophos keys and also blocks the other methods... (scripts don't run))

    I tried them - did you?      Steve

  • Yes, we tried it most of the time and it works, and for cleaning up the endpoint on the system we use Sophos ZAP. Which method/steps have you tried but didn't get the expected result? The Steps on the KB article are widely used by our customers globally which have solved most of their queries related to tamper protection. If steps have been applied but still not able to proceed, I would suggest reaching out to our support team. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
  • Hi Glen,

           SophosZap is very helpful to clean up AFTER SOPHOS CENTRAL is disabled, but WILL NOT RUN as long as Sophos central is still alive.  (YES, I tried that too).

    SophosZap will sometimes not even run when there are left over remnants from sophos home.

    I DID reach out to your support team earlier (Karthikkeyan B) - DID NOT GET ME THERE...

    It is a REAL PLUS that sophos home can be uninstalled so much more easily.

    Lots of folks lost the admin passwords for central.      Steve

  • That is right, since having tamper protection "Enabled" on the system will prevent the actions which ZAP will execute. 
    In the knowledge base article, multiple steps were introduced, and you can try each of them. The Idea you've shared is a good initiative, though this can only be applied when you have multiple systems in your environment. Most home users may not have the luxury of doing it. Also, on behalf of Sophos support, we apologize for not being able to meet the expectation. I do hope that your case has been solved by now. Sophos Home Users can always reach our dedicated support team through Sophos Home Support Portal 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
  • Hi Glen,

             THANKS for responses to my concerns with sophos central.  I really appreciate the advice and feedback.  SophosZap is very helpful, but tamper protection has to be stopped first.  LOOKS LIKE renaming SophosED.sys followed by using system.msc to disable startup of as many Sophos services and hitmanr as you can may allow regedit edit to change the TamperProtection keys from 1 to 0.  When running SophosZap - look at the log files for more hints.  I will be interested to know what you find and CAN YOU use regedit on sophos keys with central present?  I can not.

    Best,   Steve K.

Reply
  • Hi Glen,

             THANKS for responses to my concerns with sophos central.  I really appreciate the advice and feedback.  SophosZap is very helpful, but tamper protection has to be stopped first.  LOOKS LIKE renaming SophosED.sys followed by using system.msc to disable startup of as many Sophos services and hitmanr as you can may allow regedit edit to change the TamperProtection keys from 1 to 0.  When running SophosZap - look at the log files for more hints.  I will be interested to know what you find and CAN YOU use regedit on sophos keys with central present?  I can not.

    Best,   Steve K.

Children
No Data