"Ultimate Sophos Removal" for Managed Service Providers (MSPs) and mid-sized or larger organizations

Hello all!

First and foremost, this script is for...

  • Businesses with dozens if not hundreds or more machines with Sophos
  • Managed Service Providers (MSP)

This script is NOT for...

  • Non-business/consumer/home/personal flavors and end-users of Sophos products

Other notes:

  • This script is a DEVELOPER release, meaning it has not thoroughly passed through testing and may result in system instability or a Windows OS that might not boot
  • Make system backups before running this script.
  • Usage of this script is at YOUR OWN RISK. If your system fails to boot or experiences some issue as a result of this script, restore from backups / fix the problem and post the solution / update the script and post about it
  • This script was developed with the intent to specifically remove Sophos Anti-Virus (SAV)

The reason this script was created was because of how incredibly stubborn, resistant, and problematic Sophos business products are for removal through normal and proper means (i.e. removal through Programs and Features). There are cases where following the normal methods of removal is unsuccessful and results in entries from Programs & Features disappearing while leaving remnants if not fully active Sophos installations on systems. When this scenario is encountered and dozens/hundreds of machines are involved it becomes a nightmare for technician labor time (time = $$$) without having any means of automation to aid with removal of Sophos products from client machines (hence the existence of this script).

The reason for release of this script is because of the necessity to involve and receive further development on this script from and by the community.

In my testing of this script on machines that I do not have physical access to I have found that a little more than 50% do not come back online after running this script and rebooting those machines (I do not know why and would appreciate finding out how to overcome this).

For machines that do come back online Sophos is 99-100% gone. In successful removals: (1) in some cases there may be a few folders remaining on the system (particularly with some Web Intelligence DLLs and a SAV Temp folder), and (2) WinSock providers may still be present (even if the files no longer exist on the system); this can be verified with the "netsh winsock show catalog" command. Since my focus has been specifically on removal of Sophos Anti-Virus (SAV) I do not expect this script to be 99-100% for other Sophos products, but this script was designed to allow for further development to expand the scope to other Sophos products (and serve as an 'ultimate Sophos removal' script) and improve its reliability in removal.

The script is a single batch script file. To run it, it must be run with elevation (right-click > Run as Administrator).

7Z Archive (password: SOPHOS)

** Content removed **

TXT file (save with .bat extension instead of .txt)

** Content removed **

For courtesy, feel free to scan the script and these URLs with virustotal.com - they are clean.
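
An added example (not part of the original post or the removed script): it parses `netsh winsock show catalog` output and lists catalog entries whose Provider Path no longer exists on disk, the leftover state described above. It assumes English-locale field names; the abridged sample output and the `ExampleVendor` path are constructed.

```python
import os
import re
import sys

# Constructed, abridged sample of English-locale `netsh winsock show catalog`
# output; the second entry and its DLL path are invented for illustration.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\ExampleVendor\example_lsp.dll
Catalog Entry ID:                   1016
"""

def parse_catalog(text):
    """Return one dict of 'Key: value' fields per catalog entry."""
    entries, current = [], None
    for line in text.splitlines():
        if "Provider Entry" in line and ":" not in line:
            current = {}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def expand(path, env):
    """Expand %VAR% references case-insensitively, as Windows does."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)

def orphaned_providers(text, env=os.environ, exists=os.path.isfile):
    """List (catalog id, description, path) for entries whose DLL is missing."""
    orphans = []
    for entry in parse_catalog(text):
        path = expand(entry.get("Provider Path", ""), env)
        if path and not exists(path):
            orphans.append((entry.get("Catalog Entry ID"), entry.get("Description"), path))
    return orphans

if __name__ == "__main__":
    for row in orphaned_providers(SAMPLE if sys.stdin.isatty() else sys.stdin.read()):
        print(row)
```

On an endpoint, pipe the live catalog into the script from an elevated prompt; run without piped input, it reports on the constructed sample.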



This thread was automatically locked due to age.
  • Hi

    We would like to appreciate your sincere efforts in churning out a script in order to remove the endpoints and also extend our apologies for removing the same from here owing to support issues as the usage of the script might end up in un-supported scenarios.  However, we would like to encourage your participation in bringing up solutions via scripts in our community. At this point of time, the scripts have been reviewed by our Global Escalation team and they have confirmed that they will very soon be coming up with an alternate script that should help us with the same goal of uninstallation of the endpoint. We thank you again for your kind suggestion and efforts in penning the script for our community users.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

  • Gowtham,

     

    Is there an ETA from the GE team?  We're starting to migrate from Sophos on-prem to Central and are starting to find issues with the migration process.

    We've been told that Support have a script they can run, but are unable to provide it outside of their support teams.

    Having to remote into each machine and manually go through all of the possible scenarios takes time.  I did one machine today; it took an hour to finally get it working.  Based on the current failures that's 17 hours before we continue the migration.  Have to tell you I'm not looking forward to this.

  • Hi  

    As of now, it's still in the development phase and unfortunately, I do not have an ETA on when this will be publicly available. I would request you to contact our support team during the migration process so that they can help you with it.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support
