Unable to disable Tamper Protection

Hi Boon, 

Thanks for reaching out to us. 

If the Sophos UI is showing that Tamper Protection is disabled once you have selected override for 4 hours, could you run the following command to verify?
- C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe -status

It would also be a good idea to check the Sophos Endpoint Self Help tool, to ensure all of the installed components are in a good state. 

sedcli.exe is not found in the folder.

Override is activated but nothing can be slide.

Hi Boon,

Also unable to edit registry to set SEDEnabled to 0.

-> are you doing this in safemode? as this needs to be done in safemode.

Can you try to start the machine via command prompt only or safemode with command prompt? as doing this should run CMD as admin.

Then use this to edit the SEDEnabled registry:

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f

IF its successful, then reboot back in normal mode then try to uninstall sophos again.

Regards,

Fernan Tutor

If this post solves your question, please use the "Verify Answer" button.

Hi Boon,

Also unable to edit registry to set SEDEnabled to 0.

-> are you doing this in safemode? as this needs to be done in safemode.

Can you try to start the machine via command prompt only or safemode with command prompt? as doing this should run CMD as admin.

Then use this to edit the SEDEnabled registry:

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f

IF its successful, then reboot back in normal mode then try to uninstall sophos again.

Regards,

Fernan Tutor

If this post solves your question, please use the "Verify Answer" button.

Thanks for the suggestion. I didn't manage to try this out as the tamper protection was disabled by itself the following day. No idea why the long delay.