This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos endpoint agent fail to uninstall

Hi People,

Please help, i have tried severally to uninstall Sophos Intercept X endpoint agent from a server with the aim of reinstalling it, but the agent failed to uninstall, i tried several times then i didnt see it in my programs again but the services are still running though it is not getting updates. And the agent has been deleting certain applications despite having exempted them on Sophos Central.

I was thinking this could be as a result of issue with the update cache on the server the devices are getting updates from.

Please assist.



This thread was automatically locked due to age.
  • Hi  

    Would you please specify the error you are receiving while you are uninstalling the software? Please check this article and see if it helps to completely uninstall Sophos. 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • Hi Kayode,

    There should be a Sophos Agent Uninstall log located in %temp%.  If you scroll to the bottom of this there should be a component that failed to uninstall.  Can you share us a copy of the failed uninstall log?  It should also be located in %temp%.

  • First you need to remove the tamper protected system, you must disable Enhanced Tamper Protection.

    Do the following:

    Boot the system into Safe Mode.

    Click Start > Run and type regedit and then click OK.

    Go to the following location in the registry editor:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004

    Go to the following location in the registry editor:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config

    Set the following DWORD values to 0: SAVEnabled and SEDEnabled

    Reboot the system in normal mode.

    Taken from Article 124377

     

    Then run the script-

    net stop "Sophos Anti-Virus"
    net stop "Sophos AutoUpdate Service"
    :Sophos AutoUpdate
    MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress
    :Sophos Anti-Virus (Endpoint)
    MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress
    :Sophos Anti-Virus (Server)
    MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress
    :Sophos System Protection
    MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress
    :Sophos Network Threat Protection
    MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress
    :Sophos Health
    MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress
    :SDU (1.x)
    MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress
    :Heartbeat
    MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress
    :Sophos Management Communications System
    MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress

     

    I have had the best luck this route, occasionally you will need to still go into the control panel after the script has ran and uninstall from there as well.  Not 100% if this will work but I have to say it has worked the best for me in the past.

    Respectfully, 

     

    Badrobot

     

  • Hi  

    If your problem still persists, please try the following:

    1. provide us with log files of the uninstall process. You can find them in the %temp% directory of your corresponding server. Please create a .zip file and upload it.
    2. if the previous measures do not work, please follow these steps:
      1. Disable the tamper protection before uninstalling the Sophos endpoint.
      2. Also unlock the server if you locked it before via Sophos Central
      3. Attempt to uninstall Sophos first through Add or Remove Programs or Programs and Features or by running the uninstallcli.exe tool.
      4. Reboot the Server
      5. If nothing has changed, you can run a script / batch file
        1. On a managed computer, click the keys Windows + R.
        2. In Run, type regedit then press OK.
        3. Backup the registry.
        4. Open a Command Prompt with admin privilege and run the following commands:
          • 32-bit: REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s /f SOPHOS > C:\Sophos_Uninstall_Strings.txt
          • 64-bit: REG QUERY HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s /f SOPHOS > C:\Sophos_Uninstall_Strings.txt

            Note: On a 64-bit computer, run as well the 32-bit REG QUERY command if the information for the other Sophos components are not appearing.

        5. Note the output of the command, it will be your uninstall string 
        6. Create a .bat file but replace the uninstall strings with the ones you saved in Step 5:
          net stop "SAVService"
          net stop "Sophos AutoUpdate Service"
          "C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallcli.exe"
          :Sophos AutoUpdate XG Endpoint (6.0.457.0) Server (6.0.457.0)
          MsiExec.exe /qn /X{72E136F7-3751-422E-AC7A-1B2E46391909} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E} REBOOT=ReallySuppress
          :Sophos Anti-Virus Endpoint 10.8.3.441
          MsiExec.exe /qn /X{85F78DA7-8E8E-49C9-969F-A62D2B43C046} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{DFDA2077-95D0-4C5F-ACE7-41DA16639255} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{CA3CE456-B2D9-4812-8C69-17D6980432EF} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{CA524364-D9C5-4804-92DE-2800BDAC1AA4} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{3B998572-90A5-4D61-9022-00B288DD755D} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{4BAF6F55-FFE4-4A3A-8367-CC2EBB0F11C3} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{BA8752FE-75E5-43DD-9913-23509EFEB409} REBOOT=ReallySuppress
          :Sophos Anti-Virus Server 10.8.4.227
          MsiExec.exe /qn /X{01423865-551B-4C59-B44A-CC604BC21AF3} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{2519A41E-5D7C-429B-B2DB-1E943927CB3D} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{6654537D-935E-41C0-A18A-C55C2BF77B7E} REBOOT=ReallySuppress
          :Sophos System Protection
          MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress
          :Sophos Network Threat Protection Endpoint (1.8.1555) Server (1.8.1555)
          MsiExec.exe /qn /X{604350BF-BE9A-4F79-B0EB-B1C22D889E2D} REBOOT=ReallySuppress
          :Sophos Health Endpoint (2.1.0.33) Server (2.0.6.828)
          MsiExec.exe /qn /X{80D18B7B-8DF1-4BCA-901F-BEC86BAE2774} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745} REBOOT=ReallySuppress
          :Sophos Diagnostic Utility Endpoint (1.24.0.2) Server (1.24.0.2)
          MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress
          :Heartbeat
          MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress
          :Sophos Management Communications System Endpoint (4.10.423.0) Server (4.10.423.0)
          MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress
          "C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\Uninstall.exe" /uninstall /quiet
          :Sophos Endpoint UI Endpoint (1.7.452.0) Server (1.7.452.0)
          MsiExec.exe /qn /X{D29542AE-287C-42E4-AB28-3858E13C1A3E} REBOOT=ReallySuppress
          :Sophos Endpoint Firewall Endpoint (1.1.0.0) Server (1.1.0.0)
          MsiExec.exe /qn /X{2831282D-8519-4910-B339-2302840ABEF3} REBOOT=ReallySuppress
          :Sophos Endpoint Self Help Endpoint (2.2.17.0) Server (2.2.17.0)
          MsiExec.exe /qn /X{B9C2F07D-1137-4E3D-B22B-05144293EF42} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{4EFCDD15-24A2-4D89-84A4-857D1BF68FA8} REBOOT=ReallySuppress
          MsiExec.exe /qn /X{BB36D9C2-6AE5-4AB2-BC91-ECD247092BD8} REBOOT=ReallySuppress
          :Sophos Lockdown 7.1.2
          MsiExec.exe /qn /X{77F92E90-ED4F-4CFF-8F60-3E3E4AEB705C} REBOOT=ReallySuppress
          :Sophos Exploit Prevention Endpoint (3.7.14.40) Server (3.7.14.40)
          "C:\Program Files (x86)\HitmanPro.Alert\Uninstall.exe"
          :Sophos File Scanner Endpoint (1.5.15.0) Server (1.5.15.0)
          "C:\Program Files\Sophos\Sophos File Scanner\Uninstall.exe"
          :Sophos Standalone Engine Endpoint (1.2.24) Server (1.2.24)
          "C:\Program Files\Sophos\Sophos Standalone Engine\Uninstall.exe"
          :Sophos ML Engine Endpoint (1.2.16) Server (1.1.149)
          "C:\Program Files\Sophos\Sophos ML Engine\Uninstall.exe"
          :Sophos Endpoint Agent Endpoint (2.4.1) Server (2.2.7)
          "C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallgui.exe"
          :Sophos Clean Endpoint (3.8.6.1) Server (3.8.6.1)
          "C:\Program Files (x86)\Sophos\Clean\uninstall.exe"
          :Sophos Endpoint Defense Endpoint (2.1.3.26) Server (2.1.3.44)
          "C:\Program Files\Sophos\Endpoint Defense\uninstall.exe"
          :HitmanPro.Alert 3 (managed by Sophos) Endpoint (3.7.14.40) Server (3.7.14.40)
          "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /uninstall /quiet
          :HMPA 1.0.0.699
          "C:\Program Files (x86)\HitmanPro.Alert\uninstall.exe"
          :HMPA 3.7.14.265
          "C:\Program Files\HitmanPro\HitmanPro.exe" /uninstall /quiet
          :Sophos File Integrity Monitoring Server (1.0.1.11)
          MsiExec.exe /qn /X{425063CE-9566-43B8-AC61-F8D182828634} REBOOT=ReallySuppress
          :Sophos Managed Detection and Response Endpoint (1.0.1.44)
          "C:\Program Files\Sophos\Managed Detection and Response\SophosMDRUninstall.exe"
        7. Run this .bat file in your administrative CMD

    Otherwise, please contact Sophos support or your Sophos partner. They will be happy to help you.

    Information used: https://community.sophos.com/kb/en-us/122126https://community.sophos.com/kb/en-us/109668#Gather%20the%20uninstall%20commands

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 20.X running on Proxmox

    If a post solves your question use the 'Verify Answer' link