How to Run the Sophos ZAP Tool

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Hi Community, 

In this video Jelan from Sophos Support shows you how to use the Sophos ZAP tool to remove Sophos Endpoint or Server Protection Software from a Windows Device.

More videos available on Sophos Techvids!
 
Have an idea or suggestion regarding our Documentation, Knowledgebase, or Videos? Please visit our User Assistance forum on the Community to share your feedback! https://community.sophos.com/community-chat/f/user-assistance-feedback


Added Disclaimer
[edited by: GlennSen at 4:02 PM (GMT -7) on 5 Apr 2023]
  • I did follow the video on the YouTube channel and this is the result

    Microsoft Windows [Version 10.0.19041.572]
    (c) 2020 Microsoft Corporation. All rights reserved.

    C:\WINDOWS\system32>cd c:\Sophoszap

    c:\SophosZap>sophoszap --confirm
    Sophos Zap v1.0 - Uninstall Sophos Endpoint software
    Copyright 2019 Sophos Limited. All rights reserved.

    Extracting to temporary folder: C:\Users\lmrei\AppData\Local\Temp\SophosZap-673788389
    Logging to 'C:\Users\lmrei\AppData\Local\Temp\Sophos Windows Endpoint Zap log.txt'
    An error occurred. See log file for errors.

    c:\SophosZap>

  • I went to check out the log file and this is the information on that file

    Went to 'C:\Users\lmrei\AppData\Local\Temp\Sophos Windows Endpoint Zap log.txt'

    The Sophos windows endpoint logs I found stated

    2020-12-06T22:00:11.321Z 4708 INFO : ==== Started C:\\Users\\lmrei\\AppData\\Local\\Temp\\SophosZap-673788389\\SophosZapHelper.exe ====
    2020-12-06T22:00:11.322Z 4708 INFO : Running version 1.0.1853.0
    2020-12-06T22:00:11.330Z 4708 INFO : Parent process ID: 6372
    2020-12-06T22:00:11.330Z 4708 INFO : Running Zap functionality on 64 bit operating system
    2020-12-06T22:00:11.331Z 4708 INFO : Intialising COM subsystem.
    2020-12-06T22:00:11.334Z 4708 INFO : Performing prerequisite checks.
    2020-12-06T22:00:11.337Z 4708 INFO : Checking for presence of incompatible software: Sophos SafeGuard
    2020-12-06T22:00:11.340Z 4708 INFO : Checking for presence of incompatible software: AD Sync
    2020-12-06T22:00:11.341Z 4708 INFO : Checking for presence of incompatible software: SAV NetApp
    2020-12-06T22:00:11.341Z 4708 INFO : Checking for presence of incompatible software: Sophos PureMessage for Exchange
    2020-12-06T22:00:11.342Z 4708 INFO : Checking for presence of incompatible software: Sophos for Microsoft SharePoint
    2020-12-06T22:00:11.343Z 4708 INFO : Checking for presence of incompatible software: SAVDI
    2020-12-06T22:00:11.343Z 4708 INFO : Checking for presence of incompatible software: Sophos Enterprise Console
    2020-12-06T22:00:11.344Z 4708 INFO : Checking for presence of incompatible software: Sophos Transparent Authentication Suite
    2020-12-06T22:00:11.344Z 4708 INFO : Checking for presence of incompatible software: Sophos IPsec Client
    2020-12-06T22:00:11.345Z 4708 INFO : Checking for presence of incompatible software: Sophos Connect
    2020-12-06T22:00:11.345Z 4708 INFO : Checking for presence of incompatible software: Sophos Connect Admin
    2020-12-06T22:00:11.345Z 4708 INFO : Checking for presence of incompatible software: Sophos Update Manager
    2020-12-06T22:00:11.346Z 4708 INFO : Checking for presence of incompatible software: Invincea
    2020-12-06T22:00:11.346Z 4708 INFO : Checking for presence of incompatible software: Sophos Network Access Control
    2020-12-06T22:00:11.347Z 4708 INFO : Checking for presence of incompatible RMS Server
    2020-12-06T22:00:11.347Z 4708 INFO : Sophos Endpoint Defense is installed.
    2020-12-06T22:00:11.348Z 4708 INFO : Value 'SEDEnabled' under key 'SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\\TamperProtection\\Config' is set to 1.
    2020-12-06T22:00:11.348Z 4708 INFO : Value 'IgnoreSAV' under key 'SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\\TamperProtection\\Config' is set to 1.
    2020-12-06T22:00:11.349Z 4708 INFO : Tamper-protected by SED.
    2020-12-06T22:00:11.349Z 4708 ERROR : Zapper does not run with tamper protection on
    2020-12-06T22:00:11.349Z 4708 INFO : Outcome error flag: 1
    2020-12-06T22:00:11.350Z 4708 INFO : Outcome reboot required: 0
    2020-12-06T22:00:11.350Z 4708 INFO : Summary of errors, see above for details:
    2020-12-06T22:00:11.351Z 4708 INFO : Failure reason: Zapper does not run with tamper protection on

    I am running Sophos Home free edition and I can not find any way to disable the tamper protection from the information that I have found so far.  There is no option that I can find.

  • Hey ,

    The error you are getting is due to tamper protection, which is currently enabled on your endpoint. Before running ZAP, make sure to disable tamper protection first. You may refer to this Article on how to disable tamper protection, and once that has succeeded, you may proceed with running Sophos ZAP.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
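
A log-triage sketch for the failure discussed above, added here as an example and not part of the original thread or of any Sophos tooling: it parses the ZAP log line format shown in the post and reports whether a run was blocked by tamper protection. The function names are hypothetical, and the sample is an excerpt of the log posted above.

```python
import re

# Line shape as in the log quoted above: UTC timestamp, PID, level, " : ", message.
LINE_RE = re.compile(r"^(\S+Z)\s+(\d+)\s+([A-Z]+)\s*:\s(.*)$")
REG_RE = re.compile(r"^Value '([^']+)' under key '[^']+' is set to (\d+)\.$")
OUTCOME_RE = re.compile(r"^Outcome (error flag|reboot required): (\d+)$")

def summarize_zap_log(text):
    """Summarise one ZAP run (hypothetical helper, not a Sophos API)."""
    s = {"version": None, "errors": [], "registry": {}, "tamper_protected": False,
         "error_flag": None, "reboot_required": None, "failure_reasons": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines (as in a forum paste) or unknown line shapes
        level, msg = m.group(3), m.group(4).strip()
        if level == "ERROR":
            s["errors"].append(msg)
        elif msg.startswith("Running version "):
            s["version"] = msg.split(" ", 2)[2]
        elif msg.startswith("Tamper-protected"):
            s["tamper_protected"] = True
        elif msg.startswith("Failure reason: "):
            s["failure_reasons"].append(msg[len("Failure reason: "):])
        elif (r := REG_RE.match(msg)):
            s["registry"][r.group(1)] = int(r.group(2))   # e.g. SEDEnabled -> 1
        elif (o := OUTCOME_RE.match(msg)):
            s[o.group(1).replace(" ", "_")] = int(o.group(2))
    return s

def blocked_by_tamper_protection(s):
    """True when the run failed and the log shows tamper protection was on."""
    return s["error_flag"] == 1 and s["tamper_protected"]

# Excerpt of the log posted above; the blank line is kept on purpose.
SAMPLE = r"""
2020-12-06T22:00:11.322Z 4708 INFO : Running version 1.0.1853.0
2020-12-06T22:00:11.348Z 4708 INFO : Value 'SEDEnabled' under key 'SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\\TamperProtection\\Config' is set to 1.

    2020-12-06T22:00:11.349Z 4708 INFO : Tamper-protected by SED.
2020-12-06T22:00:11.349Z 4708 ERROR : Zapper does not run with tamper protection on
2020-12-06T22:00:11.349Z 4708 INFO : Outcome error flag: 1
2020-12-06T22:00:11.350Z 4708 INFO : Outcome reboot required: 0
2020-12-06T22:00:11.351Z 4708 INFO : Failure reason: Zapper does not run with tamper protection on
"""

if __name__ == "__main__":
    summary = summarize_zap_log(SAMPLE)
    print(summary["version"], summary["failure_reasons"],
          blocked_by_tamper_protection(summary))
```
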
  • ZAP has been a very handy tool! Much more efficient than cleaning everything up manually.

  • Yes, Zap is really a handy tool, which was provided to me by Sophos Support lately to clean up a failed Endpoint Protection installation. But... the tool also removes any other Sophos software, i.e. SSL VPN client and Sophos SafeGuard, which makes it, well, kinda risky. Is there any way to tell the tool to only remove specific Sophos software and not all of it? That would be very helpful.

  • Thank you for your feedback, we'll follow up with our team to share this.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

  • Hi


    Got advice from our team that this tool was designed to function the way it currently does, and there is no further plan to change the way it runs on the system. We can use this tool as a last resort if the manual removal of the endpoint did not work.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

  • Hi ,

    Thank you for clarifying this. Not what I wanted to hear of course, but thanks anyway.

  • ZAP has been a very good tool. Very easy to operate and hassle free to uninstall Sophos endpoints from Windows client and server OS with ease.

    -----------------------

    Thanks & Regards,

    Nilesh Mojidra

    If a post solves your question, use the 'Verify Answer' link.

  • Same here, I had very much confusion. Thank you for clarifying this for me as well.