Unable to disable Tamper Protection

Hi Boon, 

Thanks for reaching out to us. 

If the Sophos UI is showing that Tamper Protection is disabled once you have selected override for 4 hours, could you run the following command to verify?
- C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe -status

It would also be a good idea to check the Sophos Endpoint Self Help tool, to ensure all of the installed components are in a good state. 

sedcli.exe is not found in the folder.

Override is activated but nothing can be slide.

Hi Boon,

Also unable to edit registry to set SEDEnabled to 0.

-> are you doing this in safemode? as this needs to be done in safemode.

Can you try to start the machine via command prompt only or safemode with command prompt? as doing this should run CMD as admin.

Then use this to edit the SEDEnabled registry:

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f

IF its successful, then reboot back in normal mode then try to uninstall sophos again.

Regards,

Fernan Tutor

If this post solves your question, please use the "Verify Answer" button.

Do you know if these settings are disabled in Sophos Central? Generally, the sliders will be blue in color and turn grey when each of the functions is turned off. 

If the policy in Sophos Central is defined to have these scanning functions disabled, the UI will show as displayed in your screenshot. 

Do you know if these settings are disabled in Sophos Central? Generally, the sliders will be blue in color and turn grey when each of the functions is turned off. 

If the policy in Sophos Central is defined to have these scanning functions disabled, the UI will show as displayed in your screenshot. 

No. These settings are not disabled in Sophos Central. I tried the other server in the same group and only a few turn grey, not all.