
Need a way to locally disable tamper protection

Systems removed from the cloud console are orphaned and the only way for us to uninstall Sophos endpoint protection is to re-image the machine. Old workarounds like stopping services no longer work. Is there a registry setting we can change or a file we can put somewhere? Please advise.


This thread was automatically locked due to age.
  • The new enhanced tamper protection will safeguard the services even in safe mode. Care needs to be taken not to delete systems from Central admin until the software has been removed first.

    Please use the following steps to uninstall the Endpoint Client:

    1. Boot into Windows safe mode
    2. Set HKLM\SOFTWARE\Sophos\SAVService\TamperProtection to 0 (on 64-bit systems: HKLM\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection)
    3. In HKLM\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\TamperProtection\Config set both SEDEnabled and IgnoreSAV to 0
    4. Run C:\Program Files\Sophos\Endpoint Defense\uninstall.exe to uninstall tamper protection.
    5. Boot Windows in normal mode and remove "Sophos Endpoint Agent"
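
A read-only check of the registry values named in steps 2 and 3, added here as an example; it is not part of the original reply and is not Sophos tooling. It changes nothing and only reports the current state, which is useful for confirming the edits before step 4 or for auditing whether tamper protection has been switched off on a machine. The reply does not say whether `TamperProtection` under `SAVService` is a key or a value, so the script handles both; the function name `Get-RegValues` is hypothetical.

```powershell
# Read-only report of the tamper-protection registry values from steps 2 and 3.
# Assumption: "0" means disabled, as the steps imply; nothing here writes to the registry.

$savBases  = 'HKLM:\SOFTWARE\Sophos\SAVService',
             'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService'
$sedConfig = 'HKLM:\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\TamperProtection\Config'

function Get-RegValues {
    param([string]$Key, [string[]]$Names)

    if (-not (Test-Path -LiteralPath $Key)) { return }    # key absent on this system
    $item = Get-Item -LiteralPath $Key
    if (-not $Names) { $Names = $item.GetValueNames() }   # no names given: list every value

    foreach ($n in $Names) {
        $v = $item.GetValue($n)                           # $null when the value does not exist
        $state = if ($null -eq $v) { 'missing' }
                 elseif ($v -eq 0) { 'off (0)' }
                 else              { 'set' }
        [pscustomobject]@{ Key = $Key; Name = $n; Value = $v; State = $state }
    }
}

$report = @(
    foreach ($base in $savBases) {
        $sub = "$base\TamperProtection"
        if (Test-Path -LiteralPath $sub) {
            Get-RegValues -Key $sub                             # TamperProtection is a key
        } else {
            Get-RegValues -Key $base -Names 'TamperProtection'  # or a value under SAVService
        }
    }
    Get-RegValues -Key $sedConfig -Names 'SEDEnabled', 'IgnoreSAV'
)

if (-not $report) {
    'None of the registry keys from the steps exist on this machine.'
} else {
    $report | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt; a row with State `missing` means the key exists but that value does not.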