When Tamper Protection is enabled, Sophos Endpoint cannot be uninstalled (and its services cannot be stopped) locally. Normally it is switched off for the device from Sophos Central, but in some cases it is stuck in the enabled state (e.g. the machine was deleted from the Sophos Central account more than 90 days ago) and the recovery process below has to be followed instead.
This is a simplified guide for less technical readers who may not be familiar with the command prompt, the registry or booting into Windows recovery.
Full technical details are in the article: support.sophos.com/.../KB-000036125
Tamper Protection Recovery
1. Press Windows key (on screen or keyboard) -> type “Settings” in the search bar:
2. On Windows 10: open Update &amp; Security, find “Recovery” on the left, then on the right side under “Advanced start-up” press “Restart now”.
On Windows 11 it is under System -> Recovery and looks like this:
If you do not see the “Recovery” option, either scroll down or use the search bar in the top left corner and type Recovery into it. Then, as on Windows 10, press “Restart now”.
3. After the reboot you will see a menu like the one below:
Select Troubleshoot -> Advanced options -> Command Prompt
4. Select a Windows user account with full administrative rights and enter its password (if prompted). If the drive is protected with BitLocker, the recovery environment will also ask for the BitLocker recovery key before it can access the Windows volume; have it ready (it is stored in your Microsoft account, Active Directory/Entra ID, or wherever it was backed up).
5. In the Command prompt type C: and press Enter. You should see a window like so:
6. Type: cd Windows\System32\drivers and press Enter
7. Type: ren SophosED.sys SophosED.sys.old and press Enter.
If at step 7 you did not get any error, go to step 8.
If instead you get a message that the file cannot be found (inside the recovery environment the Windows volume often has a different drive letter than in normal Windows, typically D:):
Type D: and press Enter
Type: cd Windows\System32\drivers and press Enter
Type: ren SophosED.sys SophosED.sys.old and press Enter
8. Type EXIT -> click Continue
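Steps 5 to 8 above assume the Windows volume is C: or D:. The following script is an added example (not part of the original guide or the Sophos KB) that does the same rename but first checks every mounted volume for the driver, refuses to guess when more than one Windows installation is visible, and does not overwrite an existing .old copy from an earlier attempt. It assumes powershell.exe can be started from the WinRE command prompt (type powershell and press Enter), which is the case on current Windows 10/11 recovery images; if PowerShell is not available, use the ren commands above. The manage-bde unlock hint is only relevant when the Windows volume is still BitLocker-locked.

```powershell
# Added example, not from the original guide or from Sophos.
# Run inside the WinRE command prompt after typing: powershell
# Locates the offline Windows volume holding the Sophos driver and renames it.

$driverName = 'SophosED.sys'

# Every drive letter that has a filesystem mounted in WinRE (X: is the WinRE RAM disk)
$candidates = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' }

$found = @()
foreach ($d in $candidates) {
    $path = Join-Path $d.Root "Windows\System32\drivers\$driverName"
    # A BitLocker-locked volume is simply reported as not containing the file
    if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
        $found += $path
    }
}

if ($found.Count -eq 0) {
    Write-Host "No $driverName found on any mounted volume."
    Write-Host "If the system drive is BitLocker-protected, unlock it first, e.g.:"
    Write-Host "  manage-bde -unlock D: -RecoveryPassword <48-digit recovery key>"
    exit 1
}

if ($found.Count -gt 1) {
    # More than one Windows installation is visible; do not guess which one to modify
    Write-Host "Found $driverName on several volumes, rename the right one manually:"
    $found | ForEach-Object { Write-Host "  $_" }
    exit 1
}

$target = $found[0]
$backup = "$target.old"

if (Test-Path -LiteralPath $backup) {
    # Keep the copy left behind by a previous attempt instead of overwriting it
    Write-Host "$backup already exists; remove or rename it before retrying."
    exit 1
}

Rename-Item -LiteralPath $target -NewName (Split-Path $backup -Leaf)

# Verify: the original name must be gone and the .old copy present
if (-not (Test-Path -LiteralPath $target) -and (Test-Path -LiteralPath $backup)) {
    Write-Host "Renamed $target -> $backup. Type exit and choose Continue to boot Windows."
} else {
    Write-Host "Rename did not take effect; check the messages above."
    exit 1
}
```

Renaming the driver back (remove the .old suffix) from the same recovery prompt undoes this step if you decide not to continue.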
9. The computer will boot back into normal Windows. Press the Windows key, type regedit and click “Run as administrator” on the right side.
10. In the Registry Editor window that opens, click File at the top left -> Export, choose the folder where the registry backup will be saved and enter a file name. Keep this file: importing it (File -> Import) is the way to undo the changes below if anything goes wrong.
At this point there are 2 ways to do the further steps:
The faster way is to run a batch of commands that can be copy-pasted:
A. Press Windows key -> enter CMD in the search bar -> select Run as administrator
B. Copy the following into the clipboard (all commands at once):
REM Turn off the Sophos Endpoint Defense tamper protection switch
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SEDEnabled /t REG_DWORD /d 0 /f
REM Set the Sophos MCS Agent service to Disabled (Start = 4)
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent" /v Start /t REG_DWORD /d 4 /f
REM Turn off the SAV service tamper protection switch
REG ADD "HKLM\SOFTWARE\WOW6432Node\Sophos\SavService\TamperProtection" /v Enabled /t REG_DWORD /d 0 /f
REM Set the SAVService service to Disabled (Start = 4)
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SAVService" /v Start /t REG_DWORD /d 4 /f
REM Turn off the SAV tamper protection switch under Sophos Endpoint Defense
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SAVEnabled /t REG_DWORD /d 0 /f
C) Paste what you copied into the command prompt:
D) Press Enter to run all the commands at once, then reboot the computer.
You can now uninstall Sophos normally.
If steps A-D are not clear, here are the manual, slower steps (they achieve the same result as the commands above). Note: if some of the keys below are missing on your machine, skip them and go on to the next step.
11. In the Registry Editor window we opened for the backup, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent\
Once you click on Sophos MCS Agent, the right side will show a window like the one below. Double-click Start (third from the bottom) and change the value from 2 to 4. Press OK.
12. On the left side, now go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service\
Change the value data of Start to 4 as well, as in the previous step. If there is no such key (Sophos AutoUpdate Service) on the left, go to the next step.
13. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services\
Open every subkey of TamperProtection\Services\. In each one you will find the row Protected REG_DWORD 0x00000001. Double-click it and change its value to 0.
Repeat for the remaining subkeys, down to the last one, sophosztnatap.
14. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config\
Double-click SEDEnabled and change the value to 0.
15. Reboot the computer to finish turning off Sophos Tamper Protection. After the reboot it is possible to run the uninstall.
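Steps A-D and steps 10-15 together touch a handful of registry values, and the guide tells you to skip keys that are not present on your machine. The script below is an added example (it is neither the guide's batch nor Sophos code) that applies all of those changes from an elevated PowerShell prompt, exports each affected key with reg.exe before touching it, skips keys that do not exist, clears the Protected flags under TamperProtection\Services\*, and verifies the switches before you reboot. The backup folder C:\SophosTPBackup is an assumed location; the key paths and values are the ones from the steps above. If Set-ItemProperty fails with “Access is denied”, the driver rename in the recovery environment did not take effect and tamper protection is still active.

```powershell
# Added example, not the original guide's batch and not Sophos code.
# Run from an elevated PowerShell prompt after the SophosED.sys rename in WinRE.
$ErrorActionPreference = 'Stop'
$backupDir = 'C:\SophosTPBackup'          # assumed location, change as needed
$null = New-Item -ItemType Directory -Path $backupDir -Force

$sed   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection'
$sav32 = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SavService\TamperProtection'
$svc   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1) Back up every key we are about to change; restore later with: reg import <file>
$toBackup = @(
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense',
    'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVService'
)
$i = 0
foreach ($k in $toBackup) {
    if (Test-Path "Registry::$k") {
        $file = Join-Path $backupDir ("{0:D2}-{1}.reg" -f $i, ($k -replace '[\\ ]', '_'))
        & reg.exe export $k $file /y | Out-Null
        $i++
    }
}
Write-Host "Backups written to $backupDir"

# 2) Set a DWORD value only when its key exists (the guide says to skip missing keys)
function Set-DwordIfKeyExists {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) {
        Write-Host "skip  $Key ($Name): key not present"
        return
    }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
    Write-Host "set   $Key\$Name = $Value"
}

# Tamper protection switches (step 14 and commands A-D)
Set-DwordIfKeyExists "$sed\Config" 'SEDEnabled' 0
Set-DwordIfKeyExists "$sed\Config" 'SAVEnabled' 0
Set-DwordIfKeyExists $sav32        'Enabled'    0

# Services set to Disabled (Start = 4) so they do not restart after the reboot (steps 11-12, A-D)
foreach ($s in 'Sophos MCS Agent', 'Sophos AutoUpdate Service', 'SAVService') {
    Set-DwordIfKeyExists "$svc\$s" 'Start' 4
}

# Protected flags under TamperProtection\Services\* (step 13)
if (Test-Path "$sed\Services") {
    Get-ChildItem "$sed\Services" | ForEach-Object {
        if ($null -ne $_.GetValue('Protected')) {
            Set-ItemProperty -Path $_.PSPath -Name 'Protected' -Value 0 -Type DWord
            Write-Host "set   $($_.PSChildName)\Protected = 0"
        }
    }
}

# 3) Verify before rebooting: list any switch that is still on
$problems = @()
$checks = @(@("$sed\Config", 'SEDEnabled', 0), @("$sed\Config", 'SAVEnabled', 0), @($sav32, 'Enabled', 0))
foreach ($c in $checks) {
    $k, $n, $want = $c
    if (Test-Path $k) {
        $have = (Get-ItemProperty -Path $k -Name $n -ErrorAction SilentlyContinue).$n
        if ($have -ne $want) { $problems += "$k\$n = $have (expected $want)" }
    }
}
if ($problems) { $problems | ForEach-Object { Write-Host "CHECK $_" }; exit 1 }
Write-Host "All present tamper-protection switches are off. Reboot, then uninstall Sophos."
```

The export step is what makes the procedure reversible: each .reg file in the backup folder restores exactly one of the keys above, so a partial rollback is possible without re-importing the full registry export from step 10.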
The same steps, together with a short instruction video, are on the Sophos page: https://support.sophos.com/support/s/article/KB-000036125?language=en_US#Windows_10
If the uninstall fails for whatever reason, use the SophosZap uninstaller tool. Here is the article with the steps: https://support.sophos.com/support/s/article/KB-000038989?language=en_US
Here are the same steps from the article:
1. Download SophosZap from the link below:
Before downloading you will be asked to fill out this form:
2. Move the downloaded file to a folder that is easy to locate in the command prompt, for example the root of drive C:\
3. Open an administrative command prompt (as in step A: press the Windows key, enter CMD in the search bar and select “Run as administrator”) and navigate to the folder containing SophosZap.exe.
If you copied it to the C:\ drive, the command looks like this:
CD C:\ -> press Enter
4. Enter the command:
Once it finishes running, you will get a window like so:
Restart, run it again, then restart once more before reinstalling (two runs and two reboots in total).
After the first restart, repeat the steps in the administrative command prompt.
After the second restart, you may reinstall Sophos Endpoint.
Thank you for reading!
Great documentation. Still, most normal users will fail to finish it, but it is also very readable and straightforward to follow for helpdesk supporters. Will recommend and link it internally. Your guide should also be made available in the official documentation.