SOPHOS Endpoint Agent cannot be uninstalled on a specific computer.
When I try to uninstall, it is blocked
Message
'AmsiRegistrationProtection' exploit blocked in Admin Application Authorization UI
Uninstalling other apps and executing commands are also blocked.
Please tell me how to uninstall.
Hi のりこ 石川 ,
Thank you for reaching out to the Sophos Community forum.
Regarding the endpoint uninstallation, may I know how you’re uninstalling the endpoint, and what is the error message you're getting? Can you share a screenshot, please? To uninstall the agent, make sure that the Tamper Protection is off.
You also mentioned that uninstalling other apps and executing commands are also blocked. Can you share more context on this, please? What applications are affected? Do you see any detections or logs of these events in Sophos Central?
Thank you for your reply.
1.How to uninstall
Uninstall with the app after turning off tamper protection
Error message
2.Event detection log
3.Supplementary matter
Conflict "DeepInstinct" is installed.
Hi のりこ 石川 ,
Thank you for sharing the details.
For the uninstallation, the error message you shared is in another language, do you mind sharing with us what the error message means? You may also copy and paste the error message here, so we can translate it.
If you've already turned off the Tamper Protection, but still unable to uninstall the agent, you may also try using the SophosZap.
Regarding the detections you shared, may I know if this is only happening on one specific device? When you go to Threat Analysis Center > Threat Graphs, do you see anything in the graph details relevant to these detections?
Hi のりこ 石川 ,
Let us know how it goes with SophosZap.
Regarding the detections, it appears that an exploit is being detected on these applications. If you are unsure of the legitimacy of these files and applications, I highly suggest raising a support case so our Support teams can assist you in further investigating these detections.
You can log a case on our Support Portal or call the numbers listed under "For Critical Cases" if immediate assistance is required.
Hi Gladys
Thank you for your reply.
>how it goes with SophosZap
SophosZap failed to run.
When I try to open Command Prompt with admin privilege, I get the message
[file system error(-1073740768)
Then I got a message on Sophos
"AmsiRegistrationProtection" Malicious Behavior in Admin App Authorization UI Blocked
Hi Gladys
Thank you for your reply.
>how it goes with SophosZap
SophosZap failed to run.
When I try to open Command Prompt with admin privilege, I get the message
[file system error(-1073740768)
Then I got a message on Sophos
"AmsiRegistrationProtection" Malicious Behavior in Admin App Authorization UI Blocked
Hi のりこ 石川 ,
I have followed up with you via Private Message to further look into this. Thank you.