This article provides information on the Sophos Competitor Removal Tool (CRT).
The CRT is a small program that runs during deployment/installation of Sophos Endpoint Security and Control. It detects third-party security software and can also remove it. Removal of third-party software is optional, though enabled by default, and non-Sophos software is removed only when the check box for third-party security software detection is selected (either in the local installer or during the 'Protect Computers Wizard' in the console).
The CRT is available in two versions:
Note: This article only covers the integrated version of the tool.
Known to apply to the following Sophos product(s) and version(s):
Competitor Removal Tool (CRT)
The files belonging to the CRT are located in the 'crt' folder inside the distribution folder. Example:
The main files used by the program are listed below.
The list of third-party software detected and removed is updated and expanded with each new version of the tool. If there are any problems when removing third-party security software, it is important to confirm the exact version of the CRT being run.
To determine the version of the tool:
The first line of the usage options shows the version. Example:
Sophos Anti-Virus software detector - Version 220.127.116.11
Note: Alternatively you can copy the crt folder to the Desktop of the endpoint computer and browse to the local folder in the command prompt.
When considering whether your existing security software can be removed by the CRT, you will fall into one of three scenarios:
To see what competitor software can be detected and removed (or only detected), see article 112662. To check that your product is listed in the version of the CRT available in the distribution folder, run:
\\[serverName]\SophosUpdate\CIDs\S000\SAVSCFXP\crt\AVRemove.exe --listproducts > C:\SophosCRTOut.txt
...and open the SophosCRTOut.txt file in a text editor. You can then search the text file for the product you are attempting to remove.
The CRT uses a configuration file that controls its behavior. It is possible to change the configuration file to override the tool’s default settings. Note: Reasons for changing the default settings will be suggested in other articles when necessary.
To configure the tool, find the data.zip file within the crt folder (see section 'Locating the tool' above). Extract the CRT.cfg file from the data.zip into the main crt folder and edit this extracted file with a text editor. You can change the options as detailed in the table below.
The file contains the following options:
You can request that new third-party security software be added to the CRT, or that detect-only functionality be expanded to automatically remove the software. The required steps are:
Important: The CRT update may take several weeks to complete. If there is an urgent need to add detection you can contact your Sales Account Manager and discuss a bespoke solution using the 'standalone' version of the CRT (see introduction to this article for details).
Removal of third-party software may fail for a number of reasons:
When a failure occurs, an error is returned to the console only if the endpoint was deployed to via the console. If you run the Setup.exe program on the endpoint, no error will be returned to the console.
If you are installing Sophos endpoint software locally (or any method other than via the console protection wizard) you can still troubleshoot problems. You should check the AVRemove.log file (see the table above for its location). Open the file in a text editor (e.g., Notepad.exe).
If the tool failed, the last lines of the file will be similar to these:
[TIMESTAMP] Info: Competitor Removal Tool exit code [a number]
[TIMESTAMP] Info: AVRemove finished. 1 product found, 0 products removed. Report logged to : C:\...\avremove.log
Sophos Anti-Virus software detector - Version 18.104.22.168
Copyright (C) 2003-2012 Sophos Limited. All rights reserved.
Running OS: Microsoft Windows [version of Windows]
Removing detected products...
AVRemove finished. 1 product found, 0 products removed. Report logged to : C:\...\avremove.log
In the example above, the last line of the file shows that one product has been found and zero products have been removed. Note: In this example, the term 'product found' does not necessarily mean third-party security software will be shown in Add/Remove Programs (or Programs and Features for Vista+). The term means one or more components (services, registry key, etc.) have been detected.
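Because a local install reports no error to the console, the log check described above can be scripted. The following is an added example, not Sophos code: the function name Get-CrtRunSummary, the status labels and the $logPath variable are hypothetical, and the two line patterns are taken from the sample lines in this article.

```powershell
# Added example, not Sophos code. Line formats follow the sample in this article.
function Get-CrtRunSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $LogLine
    )
    begin {
        $summaryRx = 'AVRemove finished\.\s+(\d+) products? found,\s+(\d+) products? removed'
        $exitRx    = 'Competitor Removal Tool exit code\s+(-?\d+)'
        $found = $null; $removed = $null; $exitCode = $null
    }
    process {
        foreach ($line in $LogLine) {
            # Later matches overwrite earlier ones, so the result reflects the last run logged.
            if ($line -match $exitRx) { $exitCode = [int]$Matches[1] }
            if ($line -match $summaryRx) {
                $found   = [int]$Matches[1]
                $removed = [int]$Matches[2]
            }
        }
    }
    end {
        if ($null -eq $found) {
            $status = 'NoSummaryLine'       # log truncated, or the CRT never reached its summary
        } elseif ($removed -lt $found) {
            $status = 'RemovalIncomplete'   # components detected but left in place
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            Found = $found; Removed = $removed; ExitCode = $exitCode; Status = $status
        }
    }
}

# Constructed sample lines (the timestamp format and the exit code value are made up).
$sample = @(
    '[2017-01-01 10:00:00] Info: Competitor Removal Tool exit code 1',
    '[2017-01-01 10:00:00] Info: AVRemove finished. 1 product found, 0 products removed.'
)
$sample | Get-CrtRunSummary

# Against a real log ($logPath is an assumption; use the location given for AVRemove.log):
# Get-Content -Path $logPath -Tail 50 | Get-CrtRunSummary
```

A RemovalIncomplete result marks an endpoint where third-party security components remain alongside the new install and the log needs a manual read.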
Once you have found an issue reported in the AVRemove.log file, search the knowledgebase for further information. If you cannot find further information, run the Sophos Diagnostic Utility on the endpoint computer and forward to Technical Support.