Sophos not completely removed on Mac

I uninstalled Sophos with "remove Sophos Endpoint", but every minute I get:

(system) <Warning>: failed lookup: name = com.sophos.xpc.broker, flags = 0x8, requestor = com.sophos.endp[320], error = 3: No such process

in the launchd.log on my macOS Monterey

Seems to be the same problem as:

https://community.sophos.com/intercept-x-endpoint/f/discussions/131695/error-message

and:

https://community.sophos.com/intercept-x-endpoint/f/discussions/131114/error-message-in-launchd-log

But no working solution

Also I see that there are still Sophos files in /Library/SystemExtensions related to

com.sophos.endpoint.networkextension and com.sophos.endpoint.scanextension

I tried this:

https://community.sophos.com/intercept-x-endpoint/big-sur-eap/f/recommended-reads/124391/how-to-remove-system-extensions

But also didn't help.

How do I completely remove Sophos?

Thanks



Added tags
[edited by: Gladys at 4:05 PM (GMT -7) on 15 Sep 2022]
  • Hi Sholia,

    Thank you for reaching out via community. 

    You could try manually removing all the components by running the following commands.

    sudo rm -r /Library/Sophos\ Anti-Virus
    sudo rm -r /Library/LaunchDaemons/com.sophos.*
    sudo rm -r /Library/LaunchAgents/com.sophos.*
    sudo rm -r /Library/Preferences/com.sophos.*
    sudo rm -r /Library/Logs/Sophos\ Anti-Virus.log
    sudo rm -r /Library/Application\ Support/Sophos/
    sudo rm -r /Applications/Sophos\ Endpoint.app
    sudo rm -r /Applications/Remove\ Sophos\ Endpoint.app
    sudo rm -r /Applications/Sophos\ Endpoint\ Self\ Help.app
    sudo rm -r /Library/Extensions/Sophos*
    sudo rm -r /Library/Frameworks/SAVI-pyexec.framework
    sudo rm -r /Library/Frameworks/SAVI.framework
    sudo rm -r /Library/Frameworks/SophosGenericsCommon.framework
    sudo rm -r /Library/Frameworks/SophosGenericsCore.framework

    Hope this helps.

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

  • Hi Ismail, thanks for trying to help. From your list, there was only a file in /Library/Logs/Sophos\ Anti-Virus.log. All the other files are already removed. I removed the Anti-Virus.log as well, but it didn't change anything about the problem.

  • I am also getting this kind of stuff in the launchd.log:

    2022-09-11 12:43:30.122170 (2H5GFH3774.com.sophos.endpoint.scanextension) <Notice>: This service is defined to be constantly running and is inherently inefficient.
    2022-09-11 12:43:30.122192 (system/2H5GFH3774.com.sophos.endpoint.scanextension) <Notice>: internal event: WILL_SPAWN, code = 0
    2022-09-11 12:43:30.122195 (system/2H5GFH3774.com.sophos.endpoint.scanextension) <Notice>: service state: spawn scheduled
    2022-09-11 12:43:30.122197 (system/2H5GFH3774.com.sophos.endpoint.scanextension) <Notice>: service state: spawning
    2022-09-11 12:43:30.122234 (system/2H5GFH3774.com.sophos.endpoint.scanextension) <Notice>: launching: speculative
    2022-09-11 12:43:30.122559 (system/2H5GFH3774.com.sophos.endpoint.scanextension [314]) <Notice>: xpcproxy spawned with pid 314
    2022-09-11 12:43:30.122570 (system/2H5GFH3774.com.sophos.endpoint.scanextension [314]) <Notice>: internal event: SPAWNED, code = 0
    2022-09-11 12:43:30.122572 (system/2H5GFH3774.com.sophos.endpoint.scanextension [314]) <Notice>: service state: xpcproxy
    2022-09-11 12:43:30.122648 (system/2H5GFH3774.com.sophos.endpoint.scanextension [314]) <Notice>: internal event: SOURCE_ATTACH, code = 0

  • Thank you for the logs Sholia, 

    Would you be able to provide the output of the below command, please?

    sudo systemextensionsctl list

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

  • 3 extension(s)
    --- com.apple.system_extension.network_extension
    enabled    active    teamID    bundleID (version)    name    [state]
    *    *    2H5GFH3774    com.sophos.endpoint.networkextension (10.0.4/221867)    networkextension    [activated enabled]
    --- com.apple.system_extension.endpoint_security
    enabled    active    teamID    bundleID (version)    name    [state]
    *    *    2H5GFH3774    com.sophos.endpoint.scanextension (10.0.4/221861)    com.sophos.endpoint.scanextension    [activated enabled]

    (and a 3rd extension that is unrelated to Sophos)

  • Thanks, Sholia.

    The Sophos network extension and the scan extension are not removed from the system completely. 
    From the output, it's very clear that both the extensions are activated and enabled. Will have to find a way to remove that.
    I am checking this internally. I will reply to this in a few minutes.

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

  • Ok, I think it worked! I used

    https://community.sophos.com/intercept-x-endpoint/big-sur-eap/f/recommended-reads/124391/how-to-remove-system-extensions

    with

    systemextensionsctl uninstall 2H5GFH3774 com.sophos.endpoint.scanextension

    and

    systemextensionsctl uninstall 2H5GFH3774 com.sophos.endpoint.networkextension

    Thanks a lot for your help!

  • I didn't realize that there is a teamID in those extensions. Now running sudo systemextensionsctl list doesn't show Sophos.

    Thank you!

  • That is fantastic. We are glad it worked. :) 

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer
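
Added example (not part of the thread and not Sophos tooling): the fix in this thread depended on reading the teamID from `systemextensionsctl list` and passing it, with the bundleID, to `systemextensionsctl uninstall`. The script below extracts those pairs for a bundle ID prefix and only prints the commands for review; the function names and the third sample entry (`com.example.vpn.extension`, team `ABCDE12345`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `systemextensionsctl list` output into the matching
# `systemextensionsctl uninstall <teamID> <bundleID>` commands for one vendor.
# Nothing is uninstalled here; the commands are printed so they can be reviewed.

# uninstall_cmds PREFIX -- reads `systemextensionsctl list` output on stdin.
uninstall_cmds() {
    awk -v prefix="$1" '
        {
            for (i = 2; i <= NF; i++) {
                # The bundle ID is the first field that starts with the prefix
                # and whose left neighbour looks like a 10-character team ID.
                # This skips the "name" column, which can repeat the bundle ID.
                if (index($i, prefix) == 1 &&
                    length($(i-1)) == 10 && $(i-1) ~ /^[A-Z0-9]+$/) {
                    print "systemextensionsctl uninstall " $(i-1) " " $i
                    break
                }
            }
        }'
}

# Sample input: the two Sophos entries quoted in this thread, plus one
# constructed entry for a hypothetical vendor that must not be selected.
sample_list() {
    cat <<'EOF'
3 extension(s)
--- com.apple.system_extension.network_extension
enabled    active    teamID    bundleID (version)    name    [state]
*    *    2H5GFH3774    com.sophos.endpoint.networkextension (10.0.4/221867)    networkextension    [activated enabled]
*    *    ABCDE12345    com.example.vpn.extension (1.0/1)    extension    [activated enabled]
--- com.apple.system_extension.endpoint_security
enabled    active    teamID    bundleID (version)    name    [state]
*    *    2H5GFH3774    com.sophos.endpoint.scanextension (10.0.4/221861)    com.sophos.endpoint.scanextension    [activated enabled]
EOF
}

# On a real Mac: sudo systemextensionsctl list | uninstall_cmds com.sophos.
sample_list | uninstall_cmds com.sophos.
```

After running the printed commands, `sudo systemextensionsctl list` should no longer show entries with the chosen prefix, as reported in the thread.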