HOW TO: Remove System Extensions

RichardP over 3 years ago

Please create a new post in the Discussions section for any questions or comments.

In some instances you may need to manually remove the System Extensions. There are two ways available:

Reinstall and drag extension hosting software to trash
- Reinstall using the “Sophos Installer”
- Drag the “/Applications/Sophos/SophosWebNetworkExtension” to the trash
- A dialog is displayed that says
  - “The application “SophosWebNetworkExtension” is hosting
  - system extensions. These extensions will be removed if you
  - continue”
- Click on continue
- Authenticate as requested
- Right click on “/Applications/Sophos/Sophos Scan” and choose “Show Package Contents”
- Navigate to Contents/MacOS and drag “SophosScanD” to the trash
- A dialog is displayed that says
  - “The application “SophosScanD” is hosting system extensions.
  - These extensions will be removed if you continue.”
  - Click on continue
- Authenticate as requested
- Run “/Applications/Sophos/Remove Sophos Endpoint”
- Restart the Mac
Disable SIP, use systemextensionctl to unload the extensions, and reenable SIP
- Disable SIP:
  - Reboot into the recovery partition by holding the command (⌘) key and (R) key down while rebooting
  - Select the volume that contains your copy of Big Sur
  - Enter credentials as requested
  - In the “Recovery” application that comes up, choose the menu item “Utilities | Terminal”
  - Enter the command: “csrutil disable”
  - Restart the Mac and log in
- Open the Terminal application
  - Enter the command “systemextensionsctl uninstall - com.sophos.endpoint.networkextension”
  - Enter credentials to the dialog that says “systemextensionctl is trying to modify a System Extension”
  - Enter the command “uninstall - com.sophos.endpoint.scanextension”
  - Enter credentials to the dialog that says “systemextensionctl is trying to modify a System Extension”
- Enable SIP:
  - Reboot into the recovery partition by holding the command (⌘) key and (R) key down while rebooting
  - Select the volume that contains your copy of Big Sur
  - Enter credentials as requested
  - In the “Recovery” application that comes up, choose the menu item “Utilities | Terminal”
  - Enter the command: “csrutil enable”
  - Restart the Mac

Either of these methods should remove the System Extensions from the target machine.

If you encounter problem after following these steps - please reply below.

.
[edited by: Florentino Sanchez at 8:15 PM (GMT -8) on 8 Mar 2021]

Top Replies

Adisor19 over 2 years ago +2

Please tell me there is another way to do this.. I uninstalled 10.0.3 as it made me reboot my mac multiple times a day and now I noticed com.sophos.endpoint.scanextension is still loading after a reboot…

Adisor19 over 2 years ago

Please tell me there is another way to do this.. I uninstalled 10.0.3 as it made me reboot my mac multiple times a day and now I noticed com.sophos.endpoint.scanextension is still loading after a reboot.

This is the behaviour of a rootkit to be honest..
Cancel
Vote Up +2 Vote Down

Sign in to reply

Cancel