I've got an endpoint that had Sophos installed on it and was deleted from Sophos Central. I've followed the instructions from KB 124377 about recovering a tamper-protected endpoint, but two of the registry changes are reverted upon reboot:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection (set to 0, reverts to 1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled (Set to 0, reverts to 1)
Attempting to reinstall gives an error that Tamper Protection must be disabled. Attempting to uninstall from Programs and Features fails with an error message saying "Uninstallation failed. Unable to locate Sophos Health MSI".
Any advice on being able to reinstall Sophos so that this endpoint reappears in the Sophos Central console would be appreciated.
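A read-only state check, added here as an example and not part of the original post or of any Sophos tooling. It reports the two registry values named above (whether each currently holds the 0 the KB steps set) together with the state of the Sophos services, and can compare a snapshot taken before the reboot with one taken after, so the exact values that revert can be shown in a support case. The registry paths and the expected value 0 are the ones from the post; the `Sophos*` service-name filter and the snapshot file location are assumptions.

```powershell
# Added example (not from the original post or from Sophos): a read-only snapshot
# of the tamper-protection values named in the post, plus the Sophos service state.
# Registry paths come from the post; the 'Sophos*' service filter is an assumption.

function Get-SophosTamperState {
    [CmdletBinding()]
    param()

    # Registry values from the post, with the value each should hold after the KB steps.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService'; Name = 'TamperProtection'; Expected = 0 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'; Name = 'SAVEnabled'; Expected = 0 }
    )

    $registry = foreach ($c in $checks) {
        $value = $null
        if (Test-Path -LiteralPath $c.Path) {
            # The value name may be absent if the key was only partially removed, so do not error on it.
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.($c.Name) }
        }
        [pscustomobject]@{
            Key      = $c.Path
            Name     = $c.Name
            Value    = $value          # $null means key or value not present
            Expected = $c.Expected
            Matches  = ($value -eq $c.Expected)
        }
    }

    # Sophos services (assumed filter: service names starting with "Sophos").
    $services = Get-Service -Name 'Sophos*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Service   = $_.Name
                Status    = $_.Status
                StartType = $_.StartType   # present on Windows PowerShell 5.x and later
            }
        }

    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('s')
        Registry  = $registry
        Services  = $services
    }
}

# Compares two snapshots (objects returned above, or reloaded from JSON) and flags
# a value as reverted when it matched the expected value before and no longer does.
function Compare-SophosTamperState {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    foreach ($b in $Before.Registry) {
        $a = $After.Registry | Where-Object { $_.Key -eq $b.Key -and $_.Name -eq $b.Name }
        [pscustomobject]@{
            Name     = $b.Name
            Before   = $b.Value
            After    = $a.Value
            Reverted = (($b.Value -eq $b.Expected) -and ($a.Value -ne $b.Expected))
        }
    }
}

# Usage: take one snapshot before the reboot and one after, then compare them.
# Snapshots are written to %TEMP% (assumed location) so the first one survives the reboot.
$snapshot = Get-SophosTamperState
$snapshot.Registry | Format-Table -AutoSize
$snapshot.Services | Format-Table -AutoSize
$file = Join-Path $env:TEMP ("sophos-state-{0}.json" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$snapshot | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $file

# After the reboot, reload the earlier file and compare:
#   $before = Get-Content -LiteralPath '<earlier file>' -Raw | ConvertFrom-Json
#   Compare-SophosTamperState -Before $before -After (Get-SophosTamperState) | Format-Table -AutoSize
```

Run it from an elevated prompt; it only reads registry values and service state, so it makes no changes, and the JSON files give the before/after evidence a support engineer can work from.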
Hello Robert Romig,
[I'm not using Central so I can't test or confirm the possible cause for the revert]
Did you disable the services, in particular the MCS agent?
Unable to locate Sophos Health MSI
Dunno if the MSI is cached as it is for most other components. If so, the installer should first try the cached MSI and, if not found, fall back to the InstallSource in AutoUpdate's cache. Did you already uninstall other components?
Christian
Hi Robert Romig,
Can you try rebooting the client in safe mode and following the command-line option to remove the Sophos entries, as mentioned in How to uninstall using command line or batch file, and let me know the status?
Regards,
Gowtham Mani
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
I have followed the instructions from that KB article, and Sophos remains installed on the endpoint.
If you just boot into Safe mode and rename the driver:
\windows\system32\drivers\sophosed.sys
to
\windows\system32\drivers\sophosed.sys.renamed
and then start back into Windows, you should be able to do whatever.
Regards,
Jak
Having "disabled" Sophos Endpoint Defense by renaming the driver, it could be that the message about Tamper Protection is now the original tamper protection.
What if you stop the Sophos Anti-Virus service and set it to Disabled, just to ensure it is not started?
Regards,
Jak