Sophos won't uninstall from Windows Server 2016; it's not communicating with the central console (tamper protection stuck)

Three days ago I installed Sophos on one of our production servers (biggest mistake of my life); it was showing red on the Central cloud console, so I called in support.

We got into the Sophos Intercept X program 2 months back and this was the last set. Support checked and turned on tamper protection for us and asked me to restart the server after business hours to get it in sync with the cloud.

I did that and nothing happened, so I called in; for the next two days and 10 hours the support engineers kept trying different Windows hacks instead of Sophos hacks to uninstall this stuck Sophos agent, and of course they are not Windows admins and weren't able to. They asked me for the safe mode option, but that's not an option as we use a private cloud and use SaaS (Software as a Service); they won't do anything software-related at the back end.

Our previous antiviruses always had a master wipe tool which would clean up everything regardless of whether tamper protection was on or off, because in the real world clients get out of sync all the time, and I was wondering if anyone had success uninstalling without the safe mode option.

Any help will be appreciated; I am on the verge of rebuilding our server out of sheer desperation.



This thread was automatically locked due to age.
  • If running "sedcli.exe -status" shows that TP is enabled, and you don't have the computer record in Central (or an entry in the recover tamper protection password section in Central) to get the password and then run:

    sedcli -tpoff <pass>

    Then does:

    Sophos Endpoint Defense: Recovery options for servers running on AWS or Azure

    help?

  • Thank you, I tried the commands now; they didn't work.

    I believe the damage is already done. The engineer tried removing the antivirus and it's in a weird state at the moment: it doesn't show under Control Panel, but the services are running and there are 3 reg keys that can't be removed (says access denied); also the tamper protection reg key can't be set to 0.

  • When you say you tried the commands, was that SEDCLI?

    For example, my computer has TP enabled; I can see this by running:

    "SEDCLI -status" as shown below:

    This tool essentially reads the SEDEnabled DWORD registry value under the key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config

    You will not be able to change this value in the registry if TP is on, as the SophosED.sys driver is preventing it, which is as designed.

    You can see that the SophosED.sys driver, which is a file system filter driver, is loaded by running fltmc in an admin prompt:

    The only supported ways to disable TP are:

    1. Send down a policy from Central to disable TP. This of course requires MCS to be working on the client to fetch and set the policy, etc.

    2. Obtain the password from Central, then use the local UI to enter the password and disable TP. This of course requires the Sophos UI component, and the MCSAgent has to be able to load the CORE adapter. You should be able to get the password from Central either under the device page (if the device has not been deleted) or from the recover password for recently deleted computers section.

    I'm surprised this is not available to you.

    3. Use SEDCli.exe -tpoff [password]
    This has the fewest dependencies, as it is part of the same SED component that the SophosED.sys driver is a part of.

    4. Be able to rename \windows\system32\drivers\sophosed.sys and reboot, such that the sophosed.sys boot driver is not loaded at start-up, or follow the KBA that recommends doing this in safe mode.

    Anything else would be a bypass of the security.

    SophosZap would be useful once TP is disabled if you think the install has been hacked out, but of course that tool can't bypass TP, otherwise TP would be insecure.
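The checks the reply above describes (the SEDEnabled DWORD that SEDcli -status reads, the fltmc listing that shows whether SophosED.sys is loaded, and which of the four supported routes is still usable) can be collected in one script before opening another support call. The following is an added example written for this page; it is not code from the thread or from Sophos. It assumes the default SEDcli.exe install path and that the filter driver appears in "fltmc filters" with a name containing "SophosED"; both are assumptions, and the script only reads state, it never tries to change it.

```powershell
# Added example (not from the thread or from Sophos): gather the tamper-protection (TP)
# state and driver status that the reply describes, then list the supported disable routes.
# Run from an elevated PowerShell prompt; fltmc requires admin rights.

$tpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
$driverSys = Join-Path $env:SystemRoot 'System32\drivers\SophosED.sys'
$sedCli    = 'C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe'   # assumed default path

function Get-SophosTamperState {
    # Read-only: returns what SEDcli -status and fltmc would show, without touching TP.
    $result = [ordered]@{
        SEDEnabled    = $null          # 1 = TP on, 0 = TP off, $null = value not readable
        DriverLoaded  = $false         # SophosED filter present in fltmc output
        DriverFile    = Test-Path $driverSys
        SedCliPresent = Test-Path $sedCli
    }

    # Reading SEDEnabled is permitted even with TP on; writing it is what the driver blocks.
    if (Test-Path $tpKey) {
        $props = Get-ItemProperty -Path $tpKey -Name SEDEnabled -ErrorAction SilentlyContinue
        if ($null -ne $props) { $result.SEDEnabled = [int]$props.SEDEnabled }
    }

    # fltmc fails (non-zero exit) when not elevated; treat that as "unknown", not "not loaded".
    $filters = & fltmc.exe filters 2>$null
    if ($LASTEXITCODE -eq 0) {
        # Assumption: the Sophos filter driver is listed with a name containing "SophosED".
        $result.DriverLoaded = [bool]($filters | Where-Object { $_ -match 'SophosED' })
    } else {
        Write-Warning 'fltmc did not run successfully; re-run from an elevated prompt.'
    }
    [pscustomobject]$result
}

function Show-TamperOptions {
    param([Parameter(Mandatory)] $State)

    if ($null -eq $State.SEDEnabled) {
        "SEDEnabled could not be read; TP state unknown. Check the key exists and you are elevated."
    } elseif ($State.SEDEnabled -eq 0) {
        "TP is off (SEDEnabled=0). Uninstall or SophosZap can proceed once the driver is unloaded."
        return
    } else {
        "TP is on (SEDEnabled=1); SophosED filter loaded: $($State.DriverLoaded)."
    }

    "Supported ways to disable TP, fewest dependencies first:"
    if ($State.SedCliPresent) {
        "  1. & '$sedCli' -tpoff <password>   (password from the device page or the recover-password section in Central)"
    } else {
        "  1. SEDcli.exe not found at the assumed path; locate it under the Sophos Endpoint Defense folder."
    }
    "  2. Push a Central policy with TP disabled (needs MCS communicating with Central)."
    "  3. Enter the Central TP password in the local Sophos UI (needs the UI and CORE adapter)."
    "  4. Rename $driverSys and reboot, done in safe mode per the KBA, so the boot driver is not loaded."
}

$state = Get-SophosTamperState
$state | Format-List
Show-TamperOptions -State $state
```

The point of collecting all four values in one object is that they map directly onto the failure the original poster describes: a registry value that cannot be changed while SophosED.sys is loaded is expected behaviour, and the script tells you which supported route is still open rather than suggesting a bypass.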
