This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

can't uninstall

SOPHOS Endpoint Agent cannot be uninstalled on a specific computer.
When I try to uninstall, it is blocked

Message
'AmsiRegistrationProtection' exploit blocked in Admin Application Authorization UI

Uninstalling other apps and executing commands are also blocked.

Please tell me how to uninstall.


This thread was automatically locked due to age.
Parents
  • Hi  ,

    Thank you for reaching out to the Sophos Community forum.

    Regarding the endpoint uninstallation, may I know how you’re uninstalling the endpoint, and what is the error message you're getting? Can you share a screenshot, please? To uninstall the agent, make sure that the Tamper Protection is off.

    You also mentioned that uninstalling other apps and executing commands are also blocked. Can you share more context on this, please? What applications are affected? Do you see any detections or logs of these events in Sophos Central?

    Gladys Reyes
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thank you for your reply.

    1.How to uninstall 

      Uninstall with the app after turning off tamper protection

      Error message



    2.Event detection log

    3.Supplementary matter

      Conflict "DeepInstinct" is installed.

  • Hi  ,

    Thank you for sharing the details.

    For the uninstallation, the error message you shared is in another language, do you mind sharing with us what the error message means? You may also copy and paste the error message here, so we can translate it.

    If you've already turned off the Tamper Protection, but still unable to uninstall the agent, you may also try using the SophosZap.

    Regarding the detections you shared, may I know if this is only happening on one specific device? When you go to Threat Analysis Center > Threat Graphs, do you see anything in the graph details relevant to these detections?

    Gladys Reyes
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Gladys
    Thank you for your reply.

    About error message

    「C:\Program Files\Sophos\Sophos Endpoint Agent\SophosUninstall.exe not found

     Make sure you typed the name correctly and try again」

    I will try SophosZap


    >Regarding the detections you shared, may I know if this is only happening on one specific device?
     Yes

    >When you go to Threat Analysis Center > Threat Graphs, do you see anything in the graph details relevant to these detections?

     No

  • Hi  ,

    Let us know how it goes with SophosZap.

    Regarding the detections, it appears that an exploit is being detected on these applications. If you are unsure of the legitimacy of these files and applications, I highly suggest raising a support case so our Support teams can assist you in further investigating these detections.

    You can log a case on our Support Portal or call the numbers listed under "For Critical Cases" if immediate assistance is required.

    Gladys Reyes
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Gladys
    Thank you for your reply.

    >how it goes with SophosZap

    SophosZap failed to run.

    When I try to open Command Prompt with admin privilege, I get the message

    [
    file system error(-1073740768)



    Then I got a message on Sophos
    "AmsiRegistrationProtection" Malicious Behavior in Admin App Authorization UI Blocked
Reply
  • Hi Gladys
    Thank you for your reply.

    >how it goes with SophosZap

    SophosZap failed to run.

    When I try to open Command Prompt with admin privilege, I get the message

    [
    file system error(-1073740768)



    Then I got a message on Sophos
    "AmsiRegistrationProtection" Malicious Behavior in Admin App Authorization UI Blocked
Children