Hi
We have a standard Windows 10 IoT Enterprise LTSC image with the Sophos Intercept X client installed.
The image uses the uwfmgr write filter, and when we enable it some of the Sophos services fail to start. Any advice, please? Are there any other exclusions I may need to add?
We have added the following exclusions:
"C:\ProgramData\HitmanPro.Alert"
"C:\ProgramData\Sophos"
"C:\Program Files (x86)\HitmanPro.Alert"
"C:\Program Files (x86)\Sophos"
"C:\Program Files\Sophos"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos ELAM"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos File Scanner Service"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Health Service"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Live Query"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Client"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos System Protection Service"
"HKEY_LOCAL_MACHINE\SOFTWARE\Sophos"
"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos"
Windows Defender is disabled.
I have attached the Sophos log file, which is located in "C:\Programdata\Sophos\Logs".
Many Thanks
Alan
2024-02-02T11:47:25.803Z [ 4664: 1976] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T11:47:25.822Z [ 4664: 1976] I [SSP] Config version changed: 61A9F58AC3C10CC98BC9CA6434A7EA37927A4C6DF3E9C018759CBC83EBC12C4F
2024-02-02T11:47:25.822Z [ 4664: 1976] I [SSP] SXL4 enabled set to: 1
2024-02-02T11:47:34.605Z [ 4664: 1976] A [CSR] Tamper protection disabled
2024-02-02T11:47:41.636Z [ 2052: 4420] A [MCS Agent] Started version 4.19.561
2024-02-02T11:47:41.725Z [ 2052: 5108] I [MCS Agent] Updated namespace Updating. Latest tag: 20240202114741721342
2024-02-02T11:47:41.754Z [ 2052: 5108] I [MCS Agent] Updated namespace Authority. Latest tag: 20240202114741752937
2024-02-02T11:47:41.762Z [ 2052: 5108] I [MCS Agent] Updated namespace Communication. Latest tag: 20240202114741761304
2024-02-02T11:47:41.844Z [ 2052: 5108] I [MCS Agent] Updated namespace ThreatProtection. Latest tag: 20240202114741843005
2024-02-02T11:47:42.948Z [ 3140: 3004] A [MCS Client] Started version 4.19.561
2024-02-02T11:47:46.853Z [ 3140: 5544] I [MCS Client] Policy with tag CORC37 persisted successfully
2024-02-02T11:47:46.961Z [ 2052: 5000] I [MCS Agent] Updated namespace ApplicationControl. Latest tag: 20240202114746959766
2024-02-02T11:47:46.972Z [ 2052: 5000] I [MCS Agent] Updated namespace Monitoring. Latest tag: 20240202114746971512
2024-02-02T11:47:46.984Z [ 2052: 5000] I [MCS Agent] Updated namespace ThreatProtection. Latest tag: 20240202114746980530
2024-02-02T11:47:46.986Z [ 4664: 1732] I [SSP] Config version changed: A90C8E2CFC1AA607E703D487534089D29435FAC2CA062DBED63A78F8C7FF5560
2024-02-02T11:47:46.988Z [ 4664: 1732] I [SSP] SXL4 enabled set to: 1
2024-02-02T11:47:47.060Z [ 3140: 5544] I [MCS Client] Policy with tag CORE36 persisted successfully
2024-02-02T11:47:47.181Z [ 2052: 5000] I [MCS Agent] Updated namespace ApplicationControl. Latest tag: 20240202114747178801
2024-02-02T11:47:47.189Z [ 2052: 5000] I [MCS Agent] Updated namespace Driver. Latest tag: 20240202114747187845
2024-02-02T11:47:47.196Z [ 2052: 5000] I [MCS Agent] Updated namespace ExtensionPoints. Latest tag: 20240202114747194723
2024-02-02T11:47:47.204Z [ 4664: 1976] A [CSR] Tamper protection enabled
2024-02-02T11:47:47.205Z [ 4664: 1732] I [SSP] Config version changed: 1E3CD26FC1A32CBCEE625CCACE739756CB26EF4FF9497E8156F4D3A4FA838B73
2024-02-02T11:47:47.206Z [ 4664: 1732] I [SSP] SXL4 enabled set to: 1
2024-02-02T11:47:47.211Z [ 2052: 5000] I [MCS Agent] Updated namespace Monitoring. Latest tag: 20240202114747202377
2024-02-02T11:47:47.218Z [ 2052: 5000] I [MCS Agent] Updated namespace NetworkPerimeter. Latest tag: 20240202114747216868
2024-02-02T11:47:47.223Z [ 4664: 1732] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T11:47:47.223Z [ 4664: 1732] I [SSP] SXL4 enabled set to: 1
2024-02-02T11:47:47.224Z [ 4664: 1732] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T11:47:47.224Z [ 4664: 1732] I [SSP] SXL4 enabled set to: 1
2024-02-02T11:47:47.237Z [ 2052: 5000] I [MCS Agent] Updated namespace ThreatProtection. Latest tag: 20240202114747231205
2024-02-02T11:47:47.250Z [ 2052: 5000] I [MCS Agent] Updated namespace UserInterface. Latest tag: 20240202114747242273
2024-02-02T11:47:47.520Z [ 3140: 5544] I [MCS Client] Policy with tag HBT27 persisted successfully
2024-02-02T11:47:47.657Z [ 2052: 5000] I [MCS Agent] Updated namespace NetworkPerimeter. Latest tag: 20240202114747637321
2024-02-02T11:47:47.737Z [ 3140: 5544] I [MCS Client] Policy with tag HBT27 persisted successfully
2024-02-02T11:47:47.862Z [ 2052: 5000] I [MCS Agent] Updated namespace NetworkPerimeter. Latest tag: 20240202114747856665
2024-02-02T11:47:47.921Z [ 3140: 5544] I [MCS Client] Policy with tag HMPA30 persisted successfully
2024-02-02T11:47:48.040Z [ 2052: 5000] I [MCS Agent] Updated namespace ExploitPrevention. Latest tag: 20240202114747967550
2024-02-02T11:47:48.139Z [ 3140: 5544] I [MCS Client] Policy with tag LiveQuery56 persisted successfully
2024-02-02T11:47:48.209Z [ 2052: 5000] I [MCS Agent] Updated namespace Monitoring. Latest tag: 20240202114748203069
2024-02-02T11:47:48.370Z [ 3140: 5544] I [MCS Client] Policy with tag MCS25 persisted successfully
2024-02-02T11:47:48.409Z [ 2052: 5000] I [MCS Agent] Updated namespace Authority. Latest tag: 20240202114748405925
2024-02-02T11:47:48.420Z [ 2052: 5000] I [MCS Agent] Updated namespace Communication. Latest tag: 20240202114748415625
2024-02-02T11:47:48.588Z [ 3140: 5544] I [MCS Client] Policy with tag MCS25 persisted successfully
2024-02-02T11:47:48.630Z [ 2052: 5000] I [MCS Agent] Updated namespace Authority. Latest tag: 20240202114748626454
2024-02-02T11:47:48.642Z [ 2052: 5000] I [MCS Agent] Updated namespace Communication. Latest tag: 20240202114748636969
2024-02-02T11:47:48.793Z [ 3140: 5544] I [MCS Client] Policy with tag NTP24 persisted successfully
2024-02-02T11:47:48.867Z [ 2052: 5000] I [MCS Agent] Updated namespace NetworkPerimeter. Latest tag: 20240202114748858253
2024-02-02T11:47:48.963Z [ 3140: 5544] I [MCS Client] Policy with tag NTP24 persisted successfully
2024-02-02T11:47:49.088Z [ 2052: 5000] I [MCS Agent] Updated namespace NetworkPerimeter. Latest tag: 20240202114749078804
2024-02-02T11:47:49.725Z [ 3140: 5544] I [MCS Client] Policy with tag SAV15 persisted successfully
2024-02-02T11:47:49.835Z [ 2052: 5000] I [MCS Agent] Updated namespace DataControl. Latest tag: 20240202114749830702
2024-02-02T11:47:49.851Z [ 2052: 5000] I [MCS Agent] Updated namespace ExtensionPoints. Latest tag: 20240202114749846395
2024-02-02T11:47:49.894Z [ 3140: 5544] I [MCS Client] Policy with tag SAV2 persisted successfully
2024-02-02T11:47:49.978Z [ 2052: 5000] I [MCS Agent] Updated namespace ThreatProtection. Latest tag: 20240202114749961813
2024-02-02T11:47:50.071Z [ 3140: 5544] I [MCS Client] Policy with tag SAV19 persisted successfully
2024-02-02T11:47:50.163Z [ 2052: 5000] I [MCS Agent] Updated namespace Legacy. Latest tag: 20240202114750161263
2024-02-02T11:47:50.234Z [ 3140: 5544] I [MCS Client] Policy with tag SAV7 persisted successfully
2024-02-02T11:47:50.274Z [ 2052: 5000] I [MCS Agent] Updated namespace Legacy. Latest tag: 20240202114750272048
2024-02-02T11:47:50.884Z [ 3140: 5544] I [MCS Client] Policy with tag SAV16 persisted successfully
2024-02-02T11:47:50.998Z [ 2052: 5000] I [MCS Agent] Updated namespace DeviceControl. Latest tag: 20240202114750987654
2024-02-02T11:47:51.325Z [ 3140: 5544] I [MCS Client] Policy with tag SWC22 persisted successfully
2024-02-02T11:47:51.451Z [ 2052: 5000] I [MCS Agent] Updated namespace WebControl. Latest tag: 20240202114751441304
2024-02-02T11:47:51.512Z [ 3140: 5544] I [MCS Client] Policy with tag UI32 persisted successfully
2024-02-02T11:47:51.664Z [ 2052: 5000] I [MCS Agent] Updated namespace UserInterface. Latest tag: 20240202114751656445
2024-02-02T11:47:52.846Z [ 3140: 5544] I [MCS Client] Policy with tag HBT27 persisted successfully
2024-02-02T11:47:53.015Z [ 3140: 5544] I [MCS Client] Policy with tag HMPA30 persisted successfully
2024-02-02T11:47:53.161Z [ 3140: 5544] I [MCS Client] Policy with tag LiveQuery56 persisted successfully
2024-02-02T11:47:53.333Z [ 3140: 5544] I [MCS Client] Policy with tag MCS25 persisted successfully
2024-02-02T11:47:53.538Z [ 3140: 5544] I [MCS Client] Policy with tag UI32 persisted successfully
2024-02-02T11:47:53.770Z [ 3140: 5544] I [MCS Client] Policy with tag NTP24 persisted successfully
2024-02-02T11:47:53.923Z [ 3140: 5544] I [MCS Client] Policy with tag SAV2 persisted successfully
2024-02-02T11:47:54.068Z [ 3140: 5544] I [MCS Client] Policy with tag SAV7 persisted successfully
2024-02-02T11:47:54.213Z [ 3140: 5544] I [MCS Client] Policy with tag SAV19 persisted successfully
2024-02-02T11:47:54.383Z [ 3140: 5544] I [MCS Client] Policy with tag SAV16 persisted successfully
2024-02-02T11:47:54.498Z [ 3140: 5544] I [MCS Client] Policy with tag SAV15 persisted successfully
2024-02-02T11:47:54.631Z [ 3140: 5544] I [MCS Client] Policy with tag SWC22 persisted successfully
2024-02-02T11:48:08.100Z [ 4272: 3268] A [SophosHealth] Started version 2.12.883
2024-02-02T11:49:58.327Z [ 4272: 3268] A [SophosHealth] Shutdown version 2.12.883
2024-02-02T11:49:58.359Z [ 4664: 1976] A [SSP] Stopping SSP service
2024-02-02T11:49:58.414Z [ 3140: 3004] A [MCS Client] Shutdown version 4.19.561
2024-02-02T11:49:58.603Z [ 2052: 4420] A [MCS Agent] Shutdown version 4.19.561
2024-02-02T11:50:33.685Z [ 3636: 3876] A [SophosHealth] Started version 2.12.883
2024-02-02T11:50:33.664Z [ 3628: 3632] A [MCS Agent] Started version 4.19.561
2024-02-02T11:50:33.666Z [ 3664: 3668] A [MCS Client] Started version 4.19.561
2024-02-02T11:50:33.742Z [ 3684: 3936] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T11:50:33.887Z [ 3684: 3936] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T11:50:33.894Z [ 3684: 3936] I [SSP] SXL4 enabled set to: 1
2024-02-02T11:50:39.480Z [ 3664: 4376] I [MCS Client] Policy with tag ALC1 persisted successfully
2024-02-02T11:50:39.850Z [ 3664: 4376] I [MCS Client] Policy with tag EFW33 persisted successfully
2024-02-02T11:50:52.901Z [ 3684: 3936] A [CSR] Tamper protection enabled
2024-02-02T11:51:00.131Z [ 5272: 5276] I [SAU] Successfully uninstalled product 2B5BCA43-F85C-4C43-8C6B-30E7A5794439 (CRTSETUP) 0.1.25
2024-02-02T12:54:36.050Z [ 3636: 3876] A [SophosHealth] Shutdown version 2.12.883
2024-02-02T12:54:36.092Z [ 3684: 3936] A [SSP] Stopping SSP service
2024-02-02T12:54:36.178Z [ 3664: 3668] A [MCS Client] Shutdown version 4.19.561
2024-02-02T12:54:36.358Z [ 3628: 3632] A [MCS Agent] Shutdown version 4.19.561
2024-02-02T12:55:15.452Z [ 3972: 2120] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T12:55:15.605Z [ 3972: 2120] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T12:55:15.607Z [ 3972: 2120] E [SSP] Exception occurred (Failed to set scanning policy): RegSetValueExW failed. Error: 5. Value name='corc_revision_id'.
2024-02-02T12:55:15.608Z [ 3972: 2120] I [SSP] SXL4 enabled set to: 1
2024-02-02T12:55:15.819Z [ 3836: 3840] A [MCS Client] Started version 4.19.561
2024-02-02T12:55:15.826Z [ 3828: 3832] A [MCS Agent] Started version 4.19.561
2024-02-02T12:55:15.947Z [ 3820: 4132] A [SophosHealth] Started version 2.12.883
2024-02-02T12:55:16.329Z [ 3972: 2120] E [SSP] SSP service failed to start: Failed to initialize async comm library
2024-02-02T12:55:17.147Z [ 3828: 3832] A [MCS Agent] Shutdown version 4.19.561
2024-02-02T13:03:46.214Z [ 3836: 3840] A [MCS Client] Shutdown version 4.19.561
2024-02-02T13:04:20.352Z [ 3956: 4076] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T13:04:20.476Z [ 3956: 4076] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T13:04:20.477Z [ 3956: 4076] I [SSP] SXL4 enabled set to: 1
2024-02-02T13:04:20.483Z [ 3812: 3816] A [MCS Client] Started version 4.19.561
2024-02-02T13:04:20.499Z [ 3780: 3784] A [MCS Agent] Started version 4.19.561
2024-02-02T13:04:20.759Z [ 3828: 4112] A [SophosHealth] Started version 2.12.883
2024-02-02T13:04:21.586Z [ 3956: 4076] E [SSP] SSP service failed to start: Failed to initialize async comm library
2024-02-02T13:04:22.164Z [ 3780: 3784] A [MCS Agent] Shutdown version 4.19.561
2024-02-02T13:09:15.233Z [ 3828: 4112] A [SophosHealth] Shutdown version 2.12.883
2024-02-02T13:09:15.387Z [ 3812: 3816] A [MCS Client] Shutdown version 4.19.561
2024-02-02T13:09:46.978Z [ 3808: 3812] A [MCS Client] Started version 4.19.561
2024-02-02T13:09:46.997Z [ 3708: 3712] A [MCS Agent] Started version 4.19.561
2024-02-02T13:09:47.106Z [ 3760: 3460] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T13:09:47.153Z [ 3680: 4104] A [SophosHealth] Started version 2.12.883
2024-02-02T13:09:47.210Z [ 3760: 3460] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T13:09:47.213Z [ 3760: 3460] I [SSP] SXL4 enabled set to: 1
2024-02-02T13:10:05.807Z [ 3760: 3460] A [CSR] Tamper protection enabled
2024-02-02T13:11:54.148Z [ 3680: 4104] A [SophosHealth] Shutdown version 2.12.883
2024-02-02T13:11:54.161Z [ 3760: 3460] A [SSP] Stopping SSP service
2024-02-02T13:11:54.346Z [ 3808: 3812] A [MCS Client] Shutdown version 4.19.561
2024-02-02T13:11:54.473Z [ 3708: 3712] A [MCS Agent] Shutdown version 4.19.561
2024-02-02T13:12:30.589Z [ 3788: 4004] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T13:12:30.696Z [ 3788: 4004] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T13:12:30.698Z [ 3788: 4004] I [SSP] SXL4 enabled set to: 1
2024-02-02T13:12:30.968Z [ 3724: 3728] A [MCS Agent] Started version 4.19.561
2024-02-02T13:12:30.730Z [ 3764: 3768] A [MCS Client] Started version 4.19.561
2024-02-02T13:12:31.152Z [ 3716: 4320] A [SophosHealth] Started version 2.12.883
2024-02-02T13:12:47.942Z [ 3788: 4004] A [CSR] Tamper protection enabled
2024-02-02T13:13:25.164Z [ 3716: 4320] A [SophosHealth] Shutdown version 2.12.883
2024-02-02T13:13:25.214Z [ 3788: 4004] A [SSP] Stopping SSP service
2024-02-02T13:13:25.278Z [ 3764: 3768] A [MCS Client] Shutdown version 4.19.561
2024-02-02T13:13:25.436Z [ 3724: 3728] A [MCS Agent] Shutdown version 4.19.561
2024-02-02T13:14:04.080Z [ 3980: 3692] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T13:14:04.174Z [ 3980: 3692] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T13:14:04.175Z [ 3980: 3692] I [SSP] SXL4 enabled set to: 1
2024-02-02T13:14:04.230Z [ 3856: 3860] A [MCS Client] Started version 4.19.561
2024-02-02T13:14:04.281Z [ 3772: 3776] A [MCS Agent] Started version 4.19.561
2024-02-02T13:14:04.475Z [ 3828: 4124] A [SophosHealth] Started version 2.12.883
2024-02-02T13:14:04.840Z [ 3980: 3692] E [SSP] SSP service failed to start: Failed to initialize async comm library
2024-02-02T13:14:05.123Z [ 3772: 3776] A [MCS Agent] Shutdown version 4.19.561
2024-02-02T13:18:23.348Z [ 4396: 4876] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T13:18:23.383Z [ 4396: 4876] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T13:18:23.384Z [ 4396: 4876] I [SSP] SXL4 enabled set to: 1
2024-02-02T13:18:23.473Z [ 4396: 4876] E [SSP] SSP service failed to start: Failed to initialize async comm library
2024-02-02T14:07:03.717Z [ 2056: 1120] A [MCS Agent] Started version 4.19.561
2024-02-02T14:07:04.575Z [ 2056: 1120] A [MCS Agent] Shutdown version 4.19.561
2024-02-02T14:07:10.251Z [ 1060: 5656] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T14:07:10.290Z [ 1060: 5656] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T14:07:10.291Z [ 1060: 5656] I [SSP] SXL4 enabled set to: 1
2024-02-02T14:07:10.338Z [ 1060: 5656] E [SSP] SSP service failed to start: Failed to initialize async comm library
2024-02-02T14:38:51.999Z [ 5972: 7092] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T14:38:52.022Z [ 5972: 7092] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T14:38:52.023Z [ 5972: 7092] I [SSP] SXL4 enabled set to: 1
2024-02-02T14:38:52.055Z [ 5972: 7092] E [SSP] SSP service failed to start: Failed to initialize async comm library
2024-02-02T15:40:22.082Z [ 3828: 4124] A [SophosHealth] Shutdown version 2.12.883
2024-02-02T15:40:22.143Z [ 3856: 3860] A [MCS Client] Shutdown version 4.19.561
2024-02-02T15:40:57.906Z [ 3708: 3924] A [SSP] Starting SSP service (Version: 6.1.0.686)
2024-02-02T15:40:57.980Z [ 3708: 3924] I [SSP] Config version changed: 48D88F6D2942386D382C3F272AEC1497F9EE0C615D32C7ED47B82990B0D9A17B
2024-02-02T15:40:57.986Z [ 3708: 3924] I [SSP] SXL4 enabled set to: 1
2024-02-02T15:40:58.019Z [ 3672: 3676] A [MCS Agent] Started version 4.19.561
2024-02-02T15:40:58.221Z [ 3736: 3740] A [MCS Client] Started version 4.19.561
2024-02-02T15:40:58.308Z [ 3724: 4172] A [SophosHealth] Started version 2.12.883
2024-02-02T15:41:15.319Z [ 3708: 3924] A [CSR] Tamper protection enabled
2024-02-02T15:46:27.107Z [ 7152: 2688] I [SAU] Successfully installed product 1FE3E7DF-EFFA-408A-A1B0-89F15BA61F31 (SAUXG) 6.15.1417
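
A triage sketch for a log like the one above, added here as an example and not part of the original post or of any Sophos tooling: it splits run-together log text back into entries and, for each "Starting SSP service", collects the E-level lines that process logged. The sample is a constructed excerpt of entries copied from the log; the field layout and the names `parse` and `ssp_runs` are assumptions made for this example.

```python
import re

# Constructed sample: six entries copied from the log above, run together the
# way the attachment was pasted (including a line break inside one message).
SAMPLE = (
    "2024-02-02T12:55:15.452Z [ 3972: 2120] A [SSP] Starting SSP service (Version: 6.1.0.686) "
    "2024-02-02T12:55:15.607Z [ 3972: 2120] E [SSP] Exception occurred (Failed to set scanning "
    "policy): RegSetValueExW failed. Error: 5. Value name='corc_revision_id'. \n"
    "2024-02-02T12:55:15.826Z [ 3828: 3832] A [MCS Agent] Started version 4.19.561 "
    "2024-02-02T12:55:16.329Z [ 3972: 2120] E [SSP] SSP service failed to start: Failed to "
    "initialize async\ncomm library "
    "2024-02-02T13:09:47.106Z [ 3760: 3460] A [SSP] Starting SSP service (Version: 6.1.0.686) "
    "2024-02-02T13:10:05.807Z [ 3760: 3460] A [CSR] Tamper protection enabled"
)

# Assumed layout: timestamp [pid: tid] level [component] message
TS = r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}Z"
ENTRY = re.compile(
    rf"({TS}) \[\s*(\d+):\s*(\d+)\] ([A-Z]) \[([^\]]+)\] (.*?)(?=\s*{TS} \[|\s*\Z)",
    re.S,
)
WIN32 = {5: "ERROR_ACCESS_DENIED"}  # standard Win32 error code


def parse(text):
    """Split run-together log text into one dict per entry."""
    return [
        {"ts": ts, "pid": int(pid), "tid": int(tid), "level": level,
         "component": comp, "msg": " ".join(msg.split())}
        for ts, pid, tid, level, comp, msg in ENTRY.findall(text)
    ]


def ssp_runs(entries):
    """One record per 'Starting SSP service' plus the errors that process logged."""
    runs, by_pid = [], {}
    for e in entries:
        if e["component"] != "SSP":
            continue
        if e["msg"].startswith("Starting SSP service"):
            by_pid[e["pid"]] = {"start": e["ts"], "pid": e["pid"], "errors": [], "win32": []}
            runs.append(by_pid[e["pid"]])
        elif e["level"] == "E" and e["pid"] in by_pid:
            run = by_pid[e["pid"]]
            run["errors"].append(e["msg"])
            for code in re.findall(r"\bError: (\d+)", e["msg"]):
                run["win32"].append(WIN32.get(int(code), code))
    return runs


if __name__ == "__main__":
    for run in ssp_runs(parse(SAMPLE)):
        status = "FAILED" if run["errors"] else "ok"
        print(run["start"], run["pid"], status, run["win32"], run["errors"])
```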