Hi Community,
In this video Jelan from Sophos Support shows you how to use the Sophos ZAP tool to remove Sophos Endpoint or Server Protection Software from a Windows Device.
ZAP has been a very handy tool! Much more efficient than cleaning everything up manually.
I did follow the video on the YouTube channel and this is the result
Microsoft Windows [Version 10.0.19041.572]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>cd c:\Sophoszap
c:\SophosZap>sophoszap --confirm
Sophos Zap v1.0 - Uninstall Sophos Endpoint software
Copyright 2019 Sophos Limited. All rights reserved.
Extracting to temporary folder: C:\Users\lmrei\AppData\Local\Temp\SophosZap-673788389
Logging to 'C:\Users\lmrei\AppData\Local\Temp\Sophos Windows Endpoint Zap log.txt'
An error occurred. See log file for errors.
c:\SophosZap>
I went to check out the log file and this is the information on that file
Went to 'C:\Users\lmrei\AppData\Local\Temp\Sophos Windows Endpoint Zap log.txt'
The Sophos windows endpoint logs I found stated
2020-12-06T22:00:11.321Z 4708 INFO : ==== Started C:\\Users\\lmrei\\AppData\\Local\\Temp\\SophosZap-673788389\\SophosZapHelper.exe ====
2020-12-06T22:00:11.322Z 4708 INFO : Running version 1.0.1853.0
2020-12-06T22:00:11.330Z 4708 INFO : Parent process ID: 6372
2020-12-06T22:00:11.330Z 4708 INFO : Running Zap functionality on 64 bit operating system
2020-12-06T22:00:11.331Z 4708 INFO : Intialising COM subsystem.
2020-12-06T22:00:11.334Z 4708 INFO : Performing prerequisite checks.
2020-12-06T22:00:11.337Z 4708 INFO : Checking for presence of incompatible software: Sophos SafeGuard
2020-12-06T22:00:11.340Z 4708 INFO : Checking for presence of incompatible software: AD Sync
2020-12-06T22:00:11.341Z 4708 INFO : Checking for presence of incompatible software: SAV NetApp
2020-12-06T22:00:11.341Z 4708 INFO : Checking for presence of incompatible software: Sophos PureMessage for Exchange
2020-12-06T22:00:11.342Z 4708 INFO : Checking for presence of incompatible software: Sophos for Microsoft SharePoint
2020-12-06T22:00:11.343Z 4708 INFO : Checking for presence of incompatible software: SAVDI
2020-12-06T22:00:11.343Z 4708 INFO : Checking for presence of incompatible software: Sophos Enterprise Console
2020-12-06T22:00:11.344Z 4708 INFO : Checking for presence of incompatible software: Sophos Transparent Authentication Suite
2020-12-06T22:00:11.344Z 4708 INFO : Checking for presence of incompatible software: Sophos IPsec Client
2020-12-06T22:00:11.345Z 4708 INFO : Checking for presence of incompatible software: Sophos Connect
2020-12-06T22:00:11.345Z 4708 INFO : Checking for presence of incompatible software: Sophos Connect Admin
2020-12-06T22:00:11.345Z 4708 INFO : Checking for presence of incompatible software: Sophos Update Manager
2020-12-06T22:00:11.346Z 4708 INFO : Checking for presence of incompatible software: Invincea
2020-12-06T22:00:11.346Z 4708 INFO : Checking for presence of incompatible software: Sophos Network Access Control
2020-12-06T22:00:11.347Z 4708 INFO : Checking for presence of incompatible RMS Server
2020-12-06T22:00:11.347Z 4708 INFO : Sophos Endpoint Defense is installed.
2020-12-06T22:00:11.348Z 4708 INFO : Value 'SEDEnabled' under key 'SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\\TamperProtection\\Config' is set to 1.
2020-12-06T22:00:11.348Z 4708 INFO : Value 'IgnoreSAV' under key 'SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\\TamperProtection\\Config' is set to 1.
2020-12-06T22:00:11.349Z 4708 INFO : Tamper-protected by SED.
2020-12-06T22:00:11.349Z 4708 ERROR : Zapper does not run with tamper protection on
2020-12-06T22:00:11.349Z 4708 INFO : Outcome error flag: 1
2020-12-06T22:00:11.350Z 4708 INFO : Outcome reboot required: 0
2020-12-06T22:00:11.350Z 4708 INFO : Summary of errors, see above for details:
2020-12-06T22:00:11.351Z 4708 INFO : Failure reason: Zapper does not run with tamper protection on
I am running Sophos Home free edition and I cannot find any way to disable the tamper protection from the information that I have found so far. There is no option that I can find.
Hey LisaHamp,
The error you are getting is due to tamper protection, which is currently enabled on your endpoint. Before running ZAP, make sure to disable tamper protection first. You may refer to this article on how to disable tamper protection, and once that has succeeded, you may proceed with running Sophos ZAP.
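The failure above can be read straight out of the ZAP log. The following is an added example, not part of the original thread and not Sophos code: a small parser for the log format quoted above that reports the errors, the registry values the tool read, and the outcome flags. The function name and the returned dictionary layout are assumptions made for illustration; the sample lines are copied from the log in the post.

```python
import re

# Sample input: the last nine lines of the log quoted in the thread.
SAMPLE_LOG = r"""
2020-12-06T22:00:11.347Z 4708 INFO : Sophos Endpoint Defense is installed.
2020-12-06T22:00:11.348Z 4708 INFO : Value 'SEDEnabled' under key 'SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\\TamperProtection\\Config' is set to 1.
2020-12-06T22:00:11.348Z 4708 INFO : Value 'IgnoreSAV' under key 'SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\\TamperProtection\\Config' is set to 1.
2020-12-06T22:00:11.349Z 4708 INFO : Tamper-protected by SED.
2020-12-06T22:00:11.349Z 4708 ERROR : Zapper does not run with tamper protection on
2020-12-06T22:00:11.349Z 4708 INFO : Outcome error flag: 1
2020-12-06T22:00:11.350Z 4708 INFO : Outcome reboot required: 0
2020-12-06T22:00:11.350Z 4708 INFO : Summary of errors, see above for details:
2020-12-06T22:00:11.351Z 4708 INFO : Failure reason: Zapper does not run with tamper protection on
"""

# Line layout seen in the log: <UTC timestamp> <process id> <LEVEL> : <message>
LINE_RE = re.compile(r"^(?P<ts>\S+Z)\s+(?P<pid>\d+)\s+(?P<level>[A-Z]+)\s*:\s(?P<msg>.*)$")
VALUE_RE = re.compile(r"^Value '(?P<name>[^']+)' under key '(?P<key>[^']+)' is set to (?P<val>\d+)\.$")
OUTCOME_RE = re.compile(r"^Outcome (?P<name>[a-z ]+): (?P<val>\d+)$")
REASON_RE = re.compile(r"^Failure reason: (?P<reason>.+)$")

def summarize_zap_log(text):
    """Hypothetical helper: collect errors, registry reads and outcome flags."""
    out = {"errors": [], "registry": {}, "outcome": {}, "failure_reasons": [],
           "tamper_protected": False, "unparsed": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:                       # count lines that do not fit the layout
            out["unparsed"] += 1
            continue
        msg = m["msg"].strip()
        if m["level"] == "ERROR":
            out["errors"].append((m["ts"], msg))
        elif v := VALUE_RE.match(msg):
            out["registry"][v["name"]] = int(v["val"])
        elif o := OUTCOME_RE.match(msg):
            out["outcome"][o["name"]] = int(o["val"])
        elif r := REASON_RE.match(msg):
            out["failure_reasons"].append(r["reason"])
        elif msg.startswith("Tamper-protected"):
            out["tamper_protected"] = True   # the tool's own statement, not inferred
    return out

if __name__ == "__main__":
    print(summarize_zap_log(SAMPLE_LOG))
```
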
Yes, Zap is really a handy tool which was provided to me by Sophos Support lately to clean up a failed Endpoint Protection installation. But... the tool also removes any other Sophos software, i.e. SSL VPN client and Sophos Safeguard, which makes it, well, kinda risky. Is there any way to tell the tool to only remove specific Sophos software and not all of it? That would be very helpful.
Thank you for your feedback, we'll follow up with our team to share this.
Hi astiadmin
Got advice from our team that this tool was designed to function the way it currently does, and there is no further plan to change the way it runs on the system. We can use this tool as a last resort if the manual removal of the endpoint did not work.
Hi GlennSen,
Thank you for clarifying this. Not what I wanted to hear of course, but thanks anyway.
ZAP has been a very good tool. Very easy to operate and hassle free to uninstall Sophos endpoints from Windows client and server OS with ease.
-----------------------
Thanks & Regards,
Nilesh Mojidra
Same here, I was very confused. Thank you for clarifying this for me as well.