CRT is a program that runs during deployment/installation of Sophos Endpoint that detects and removes third-party software. Removal of third-party software is optional but enabled by default. It removes non-Sophos software only when the check box for third-party security software detection is selected (either in the local installer or during the Protect Computers Wizard in the console). This article only covers the integrated version of the tool.
The CRT is available in two versions:
Known to apply to the following Sophos product(s) and version(s) Competitor Removal Tool (CRT)
The following sections are covered:
The CRT files are located in the crt folder inside the distribution folder:
The main files used by the program are listed below.
The list of third-party software detected and removed is updated and expanded with each new version of the tool. If there are problems when removing third-party security software, it is important to confirm the exact version of the CRT being run. To determine the version of the tool:
Sophos Anti-Virus software detector - Version 184.108.40.206
Alternatively, copy the crt folder to the desktop of the endpoint computer and browse to the local folder in the command prompt.
Considering if the existing security software can be removed by the CRT, it ends up into one of three scenarios:
To see what competitor software can be detected and removed (or only detected) see Sophos Endpoint: List of third-party security software removed by Sophos Competitor Removal Tool.
To further check if the product is listed in the version of the CRT available in the distribution folder run: \\[serverName]\SophosUpdate\CIDs\S000\SAVSCFXP\crt\AVRemove.exe --listproducts > C:\SophosCRTOut.txt
\\[serverName]\SophosUpdate\CIDs\S000\SAVSCFXP\crt\AVRemove.exe --listproducts > C:\SophosCRTOut.txt
Open the SophosCRTOut.txt file in a text editor then search the text file for the product to be removed.
The CRT uses a configuration file that controls its behavior. It is possible to change the configuration file to override the tool’s default settings. Changing the default settings will be suggested in other articles when necessary.
To configure the tool, find the data.zip file within the crt folder. See Locating the tool section. Extract the CRT.cfg file from the data.zip into the main crt folder and edit this extracted file with a text editor. You can change the options as detailed in the table below:
The file contains the following options:
If a new third-party security software is added to the CRT or that detect-only functionality is expanded to automatically remove the software, you may request updates to the CRT. The required steps are:
Note: CRT update takes several weeks to complete. If there is an urgent need to add detection, then contact your Sales Account Manager and discuss a bespoke solution using the standalone version of the CRT.
Removal of third-party software may fail for a number of reasons:
When a failure occurs, an error is only returned to the console if the endpoint was deployed from the console. If the Setup.exe program is run from the endpoint, no error will be returned to the console.
If the Sophos endpoint software is installed locally (or any method other than the console protection wizard), problems can still be solved. Check the AVRemove.log file and pen the file in a text editor (e.g., Notepad.exe).
If the tool failed the last lines of the file will be similar to these:
[TIMPSTAMP] Info: Competitor Removal Tool exit code [a number] [TIMPSTAMP] Info: AVRemove finished. 1 product found, 0 products removed. Report logged to : C:\...\avremove.log Sophos Anti-Virus software detector - Version 220.127.116.11 Copyright (C) 2003-2012 Sophos Limited. All rights reserved. Running OS: Microsoft Windows [version of Windows] Removing detected products... AVRemove finished. 1 product found, 0 products removed. Report logged to : C:\...\avremove.log
In the example above the last line of the file shows that one product has been found and zero products have been removed. The term product found does not necessarily mean third-party security software will be shown in Add/Remove Programs (or Programs and Features for Vista+) but it means one or more components (services, registry key, etc.) have been detected.
Once you have found an issue reported in the AVRemove.log file search the knowledgebase for further information. If you cannot find further information run the Sophos Diagnostic Utility on the endpoint computer and forward to Technical Support.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.