
Please improve Lockdown uninstall approach

We have decided to uninstall SLD from all servers where it was installed but unlocked.

What a strange behaviour, that it installs itself back some time after you remove and reinstall the Sophos endpoint software completely.

Then you find you need to uninstall it manually using msiexec:

MsiExec.exe /X{77F92E90-ED4F-4CFF-8F60-3E3E4AEB705C}

Then the server asks you to reboot. Fine, what do you find after reboot showing on the Endpoint Dashboard? Lockdown, unlocked.

Fine. So there is no SLD service anymore; if you now try msiexec to remove it, it tells you it is not installed. In Central the server is now also shown as having no Lockdown installed. But the client continues to show that Lockdown is installed, unlocked.

just another abandoned feature

  • Hello LHerzog,

    Thank you for reaching out with your concerns regarding the behavior of Sophos Lockdown (SLD) on your servers. I understand that despite uninstalling SLD, it continues to appear as "unlocked" on the Endpoint after a reboot, even though it's not detected by the uninstaller and is also seen in Sophos Central.

    I've carefully tested and replicated your process:

    1. Installed Lockdown.
    2. Noticed the status in the agent and in Central.
    3. Unlocked via Central.
    4. Uninstalled SLD.
    5. Restarted the server.

    The table below illustrates the test with screenshots showing the date and time.

      • Installing Lockdown
      • Status in Agent: Preparing for Lockdown
      • SLD Status Locked in Agent
      • SLD Status Locked in Central
      • Unlocking via Central
      • Unlock in progress
      • SLD Status Unlocked in Central
      • SLD Status Unlocked in Agent
      • Uninstalling SLD
      • Restarting Server
      • After Restart
      • SLD Status Uninstalled in Central
      • SLD Not seen in Agent

    Based on your description, it appears that the SLD component is still being shown on the client's side even after you have successfully uninstalled it. This is contrary to our test results as seen above, where SLD was completely removed and accurately reflected in both the agent and the Central Dashboard.

    This discrepancy might be due to a few reasons:

    1. Caching Issues: Sometimes, the client interface might display outdated information due to caching. A simple restart of the client machine might resolve this.

    2. Synchronization Delay: There could be a delay in synchronization between the client and the Sophos Central Dashboard. Waiting for a certain period or forcing a synchronization via MCS could help update the status correctly.

    3. Residual Files or Registry Entries: Occasionally, uninstallation processes might leave behind residual files or registry entries, which could cause the software to be incorrectly detected as still installed. A thorough check for any such remnants might be necessary.

    To resolve the issue of Sophos Lockdown (SLD) still appearing on the client despite being uninstalled, I recommend the following troubleshooting steps.

    1. Trigger Update from Sophos Central: Initiate an update from Sophos Central. This action ensures that the endpoint is updated and synchronizes its current status with Sophos Central. This step is crucial for ensuring that all components are up-to-date and status indicators are accurate.

    2. Restart MCS Services:

      • Disable Tamper Protection temporarily.
      • Restart the MCS Agent and MCS Client services. This can often resolve issues related to service synchronization and status reporting.

    3. Check and Modify Registry Entries:

      • Since you've already attempted to remove SLD using the uninstall string, the next step is to check the Windows Registry for any SLD entries.
      • If you find an SLD registry entry, carefully delete the entire key. Please be sure to back up the registry before making any changes, as incorrect modifications can affect system stability.

    4. Restart the Server: After completing the above steps, restart the server. This will allow all changes to take effect and potentially resolve any lingering issues.

    If the above steps do not resolve the issue:

    1. Re-install Sophos Agent Using Sophos ZAP:

      • As a final resort, use Sophos ZAP to completely remove and then reinstall the Sophos agent. Sophos ZAP is a tool designed to cleanly uninstall Sophos components, which can be helpful in situations where standard uninstallation procedures do not work as expected.

    2. Contact Sophos Support: If the issue persists, it suggests a more complex problem that may require additional investigation. Contact Sophos Support for a detailed examination. They can provide specialized tools or guidance for a complete resolution.

    Please proceed with these steps and inform us of the outcome.

    Hope this helps

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer
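
A read-only way to run the registry, service and reboot checks from the reply above before deleting anything, added here as an example (not code from Sophos or from either poster). The product code is the one in the msiexec command quoted in the thread; the display-name filters `*Lockdown*` and `Sophos MCS*` are assumptions and should be adjusted to the names shown in services.msc.

```powershell
# Read-only leftover check after an MSI uninstall. Changes nothing on the host.
# Product code taken from the msiexec command quoted in the thread.
$ProductCode = '{77F92E90-ED4F-4CFF-8F60-3E3E4AEB705C}'

# 1. Is the product still registered for uninstall (64-bit and 32-bit views)?
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$registered = foreach ($root in $uninstallRoots) {
    $key = Join-Path $root $ProductCode
    if (Test-Path -LiteralPath $key) {
        Get-ItemProperty -LiteralPath $key |
            Select-Object @{n = 'Key'; e = { $key }}, DisplayName, DisplayVersion
    }
}

# 2. Services. Both display-name filters are assumptions, not confirmed names.
$lockdownSvc = Get-Service -DisplayName '*Lockdown*' -ErrorAction SilentlyContinue
$mcsSvc      = Get-Service -DisplayName 'Sophos MCS*' -ErrorAction SilentlyContinue

# 3. Is a reboot still pending? msiexec asked for one, and status shown
#    before it completes can reflect the pre-uninstall state.
$cbsPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$renames    = (Get-ItemProperty -LiteralPath $sessionMgr -Name PendingFileRenameOperations `
                   -ErrorAction SilentlyContinue).PendingFileRenameOperations

# One summary object per server, easy to collect across a fleet.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    MsiRegistered    = [bool]$registered
    RegisteredAs     = ($registered.DisplayName -join '; ')
    LockdownServices = ($lockdownSvc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join '; '
    McsServices      = ($mcsSvc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join '; '
    RebootPending    = $cbsPending -or [bool]$renames
    CheckedAt        = Get-Date -Format s
}
```

If `MsiRegistered` is false and no Lockdown service is listed while the local dashboard still shows Lockdown, the remaining difference is in reported status rather than in installed components, which matches the synchronization-delay explanation above.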

  • Thank you Ismail for taking your time to validate the SLD uninstall steps.

    I can see in your screenshots that all went fine. You could see on mine, that it wasn't on our side.

    Probably the Endpoint shows on the local Sophos dashboard what is synced from Central.

    So probably temporary synchronization delays. But these confuse you when you want to finish the job to uninstall SLD.

    Today for the server from my screenshot, all is fine now.

    I found there is an extra status for the servers that had SLD installed and now uninstalled, compared to those it was never installed on.

    That is good.