Simplified Tamper Protection Recovery for Non-Technical Users (Windows Endpoint)

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

Enabled Tamper protection makes it impossible to uninstall Sophos. In some cases, where the Tamper protection is stuck in the enabled state (eg. if the machine was deleted from Sophos Central account more than 90 days ago), the recovery process needs to be followed.

This is a simplified guide for folks who are not as technical and might not have the understanding of command prompt, registry, Windows recovery boot. 

Full technical details are in the article: support.sophos.com/.../KB-000036125

Tamper Protection Recovery

1. Press Windows key (on screen or keyboard) -> type “Settings” in the search bar:

2. On Windows 10:  On the left side please find “Recovery” and then on the right side, under “Advanced Start-up” press “Restart Now”.

Or on Windows 11 it will look like so:

If you do not see “Recovery” option, then either please scroll down or use the search bar at the very top left corner and type Recovery into it. Same as for Windows 10  -> press “restart now”.

3. After rebooting You will see a menu like below:  

Press on Troubleshoot -> Advanced Options -> Command Prompt

4. Select a Windows user who has full administrative rights -> enter password you created (if prompted)

5. In the Command prompt type       C:     and press Enter. You should see a window like so:

6. Type:       cd Windows\System32\drivers       and press Enter

7. Type:      ren SophosED.sys SophosED.sys.old         and press Enter.

If at step #7 you didn’t get any errors -> go to step 8.

If you get this message:

Type      D:      and press ENTER

Type:       cd Windows\System32\drivers       and press Enter

Type:      ren SophosED.sys SophosED.sys.old         and press Enter

8. Type    EXIT -> click Continue

9. The computer would boot back into normal Windows -> press Windows key and type     regEdit      -> click on Run as administrator on the right side

10. In the Registry Editor window that opened please click on FILE at the top left -> Export -> select folder where we will be backing up the registry and enter the file name

 

At this point there are 2 ways to do the further steps:

A faster way is by running a batch of commands that can be copy\pasted:

A. Press Windows key -> enter CMD in the search bar -> select Run as administrator

B. Copy the following into the clipboard (all commands at once):

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SEDEnabled /t REG_DWORD /d 0 /f

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent" /v Start /t REG_DWORD /d 4 /f

REG ADD "HKLM\SOFTWARE\WOW6432Node\Sophos\SavService\TamperProtection" /v Enabled /t REG_DWORD /d 0 /f

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVService" /t REG_DWORD /v Start /d 0x00000004 /f

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SAVEnabled /d 0 /f

C)   Paste what you copied in the command prompt:

D) Press ENTER to run all those commands at once -> reboot the computer 

You can now uninstall normally.

If Steps A-D are not clear, here is the manual slower steps (this does the same as the copy\pasting\running commands above):
note: If some folders\registry keys are missing on your machine -> skip them and go on to the next step.

11. In our Registry editor window that we had opened since the backup, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent\

Once you click on Sophos MCS Agent on the right side you will see the window like below -> double click on Start  (3rd from the bottom)  and change the value from 2 to 4. Press Ok.

12. On the left side now please go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service\

Change the value field data of Start to 4 as well, like in the previous step. If there is no such folder (Sophos AutoUpdate Service on the left – please go to the next step)

13. Please go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services\

Please go to every sub-folder of TamperProtection\Services\   where you will file the row with Protected   RED_DWORD  0x00000001  -> Double click on it and change it’s value to 0

Repeat for the rest of the elements until sophosztnatap

14. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config\  

Double click on SEDEnabled -> Change the value to 0

15. Reboot the computer to finalize the process of turning off Sophos Tamper protection -> At this point it would be possible to run the uninstall.

 

The same steps are located on the page: https://support.sophos.com/support/s/article/KB-000036125?language=en_US#Windows_10 which also contains a short instruction video.

Sophos Zap

If uninstall fails for whatever reason, please use SophosZap uninstaller tool. Here is the article with the steps:
https://support.sophos.com/support/s/article/KB-000038989?language=en_US

 

Here are the same steps from the article:

1. Download SophosZap from the link below:

https://download.sophos.com/tools/SophosZap.exe

Before downloading you will be asked to fill out this form:

 

2. Move the downloaded file to a folder that would be easy to locate in the command prompt – like in the root of disk C:\

3. Open an Administrative command prompt (same as in step A - Press Windows key -> enter CMD in the search bar -> select Run as administrator)  and navigate to the file location of SophosZap.exe   

If you copied it to c:\ drive then the command will look like so:

 CD C:\   -> press enter

4. Enter the command:

SophosZap --confirm

Once it finishes running, you will get a window like so:

Please restart and run it again, then restart once more before reinstalling (running x2, rebooting x2 total).

After the 1st restart, you will need to repeat the steps with the administrative command prompt,

cd c:\

SophosZap --confirm

After the 2nd restart, you may reinstall Sophos endpoint.

Thank you for reading!



Updated advanced options image
[edited by: Qoosh at 9:16 PM (GMT -8) on 6 Feb 2024]