Unable to Uninstall Sophos Endpoint Client on Server 2012 R2

Hi. We have several Windows Server 2012 R2 servers that have a last active date of August 2020 on the Sophos Central Console. I have tried the following in order to uninstall then reinstall the client:

  1. Tried to disable tamper protection both on the servers themselves and on Sophos Central - I get an incorrect password error
  2. Tried to disable tamper protection from within the Windows Registry - I get an error saying I cannot do that
  3. Tried to reset the MCS Agent service but there is no option to either start/stop/delete
  4. Rebooting the server as it said to do on the Endpoint client - no luck

I'm not sure what to try next. I've seen recommendations for signing into safe mode but this doesn't appear to work either.

Any advice much appreciated!



  • Since the Tamper protection password doesn't work, then the only way to bypass tamper protection is through the steps below:

    -----------------------------------------
    Title: Sophos Endpoint Defense: How to recover a tamper protected system
    -----------------------------------------
    Here is a YouTube video from our channel explaining how to do it: https://youtu.be/icH7sIAiuKU
    The same steps can be done in a faster way:
    Boot the system into Safe Mode.
    Open an Administrative Command Prompt and run the following commands (you can copy\paste them all at once):
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVService" /t REG_DWORD /v Start /d 0x00000004 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent" /t REG_DWORD /v Start /d 0x00000004 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SAVEnabled /d 0 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection" /t REG_DWORD /v Enabled /d 0 /f
    Reboot the system in normal mode.
    After the steps above are followed, you should be OK to boot back in normal mode and uninstall\reinstall the endpoint software. If uninstall fails for any reason, we do recommend using the SophosZap uninstall tool. The steps for running it are below:

    - Disable Tamper Protection (the steps above should accomplish this part)
    - Download SophosZap from the link below:
    www.sophos.com/.../DownloadRedirect.aspx
    - Open an Administrative command prompt and navigate to the file location of SophosZap.exe
    - Start the application with the following command:
    SophosZap --confirm
    - Once it finishes running, please reboot and run it again, then reboot again (2nd time) when done, before reinstalling

    More details with screenshots are in the article below:

    -----------------------------------------
    Title: SophosZap: Frequently asked questions (FAQ)
    URL: https://support.sophos.com/support/s/article/KB-000038989 
    -----------------------------------------

    Hope that helps and please let me know if you have any further questions!
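
A read-only check for the registry values named in the reply above, added here as an example; it is not part of the original post and not a Sophos tool. It reports whether each value currently holds what the REG ADD commands write, which shows whether the edit took effect or was refused as described in the question; the key paths and value names are copied from those commands, while the state labels and output columns are assumptions of this example.

```powershell
# Run from an elevated PowerShell prompt. Reads only; changes nothing.
# Key paths, value names and expected data are taken from the REG ADD commands above.
$tpConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
$expected = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\services\SAVService';        Name = 'Start';      Value = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent';  Name = 'Start';      Value = 4 },
    @{ Key = $tpConfig;                                                   Name = 'SAVEnabled'; Value = 0 },
    @{ Key = $tpConfig;                                                   Name = 'SEDEnabled'; Value = 0 },
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'; Name = 'Enabled'; Value = 0 }
)

$results = foreach ($item in $expected) {
    $actual = $null
    $state  = 'KeyMissing'            # key absent, e.g. component already removed
    if (Test-Path -LiteralPath $item.Key) {
        $props = Get-ItemProperty -LiteralPath $item.Key -ErrorAction SilentlyContinue
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $item.Name)) {
            $actual = $props.($item.Name)
            # 'Different' means the REG ADD did not stick (or was never run)
            $state = if ($actual -eq $item.Value) { 'AsExpected' } else { 'Different' }
        } else {
            $state = 'ValueMissing'   # key exists but the value was never written
        }
    }
    [pscustomobject]@{
        State    = $state
        Name     = $item.Name
        Expected = $item.Value
        Actual   = $actual
        Key      = $item.Key
    }
}

$results | Format-Table -AutoSize -Wrap

# Summary line: how many of the five values differ from what the steps set
$notSet = @($results | Where-Object { $_.State -ne 'AsExpected' })
if ($notSet.Count -eq 0) {
    Write-Output 'All five values match the recovery steps.'
} else {
    Write-Output ("{0} of {1} values do not match; see the State column." -f $notSet.Count, $results.Count)
}
```

Running it once in Safe Mode after the commands and again after the reboot into normal mode shows whether any value was reverted in between.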