
Help with Sophos Endpoint Protection

Hi everyone, I am new to the forum and this is my first question. I am sorry if I am not following some forum rules you might have.

So here is the problem.


We have a customer using Sophos Endpoint Protection on the desktops and Server Protection for the servers. The software was not installed by our company; it is legacy from the previous IT service provider. We also have access to the Sophos Central admin panel. The point is that the subscription is about to expire and we decided to deploy another AV software we have used for the last ten years without any problems.

The problem started when we tried to uninstall Sophos from the client computers. We disabled the tamper protection service as the software requested, and every time we tried to uninstall it, it asked for a restart first. We did this cycle about 5 times and then decided to use Revo Uninstaller. However, after uninstalling Sophos we found out that there were a lot of leftovers remaining on the system as well as a bunch of Sophos services still running. Then we manually deleted all Sophos folders located in Program Files, Program Files (x86) and ProgramData. There are two DLLs we cannot remove from ProgramData\Sophos\Web Intelligence. The file names are swi_ifslsp.dll and swi_ifslsp_64.dll. We tried to delete them from safe mode but it did not work. It says that the files are open by another process or application. Then we tried to rename the folder, and this was applied with no problems. However, there were big consequences afterwards. The computer lost its connectivity outside of the LAN. All IP configuration was correct, but there was no communication apart from within the LAN. We could not even ping google.com, for example. However, renaming the Sophos folder back to its original name solved the problem.


My question is how to safely uninstall the Sophos software from our customer's computers, as it seems it is not a very straightforward process. Can it be done from the Central admin panel?


Regards

Mladen 



This thread was automatically locked due to age.
  • With Tamper Protection (Endpoint Defense component) disabled on a client, the standard uninstaller should work.  Either the UI version or the CLI version found under:

    C:\Program Files\Sophos\Sophos Endpoint Agent\

    Notes:

    That said, the files you had left over are part of the Web Intelligence/Web Control feature. They only exist on Windows 7/2008.  Windows 8.1+ doesn't use an LSP to implement web features.

    The LSP is removed from the Winsock Catalog on reboot when configured to do so by the Sophos Web Intelligence Service.

    The command:
    netsh winsock show catalog > cat.txt

    ...will show if the Sophos LSP is registered in Winsock.


    It is the Sophos Web Intelligence Update Service that starts up and reads a "swiupdateaction" registry DWORD value under:
    HKEY_LOCAL_MACHINE\SOFTWARE\[WOW6432Node]\Sophos\Web Intelligence\.

    Note: This value can be a 3 if it's just to disable the web feature and unload the LSP on next start, or 8 (I think) if it's a removal.  By default it's not present unless there is work scheduled for the service to perform at boot.

    This value tells the Sophos Web Intelligence Update Service, which starts early on at boot, either to unload the LSP from Winsock (if you are just disabling the Web Protection and Web Control features) or, on uninstall of Sophos Anti-Virus, to remove the LSP from the Winsock catalog and then go on to remove itself.

    Of course, the SWI update service still starts after some services that make Winsock calls, so there is a chance that the DLL can't be removed until 2 reboots, as on the second reboot the catalog entry doesn't reference the LSP DLL and therefore it's not loaded by any process.

    You can reset the Winsock catalog (netsh winsock reset) to remove references to all LSPs, but this would remove all LSPs, not that there are typically many on most machines.

    Regards,

    Jak


  • Hi Jak and thanks for the reply.


    When I try to use the uninstall option from the Control Panel, it either asks for a restart or it says that the .msi installer is not found. Is there a Sophos removal tool as some other vendors have? I tried to search myself but I did not find anything.


    Below is a screenshot of my Winsock entry for Sophos. The PC was restarted more than 10 times and this entry is still there.

    This is the registry location you mention in your reply. Do I need to do anything here? Can I safely delete the Sophos record from the registry?


    We have to remove this product from 4 servers and I am quite skeptical now about how this will go. There should be a solution, as I see that other people have similar issues either after installation or removal of the software.


    Thanks

    Mladen 

  • When you try an uninstall from Programs and Features you mention this message:
    ".msi installer is not found. "

    This could be a misleading error message if it's relating to the Sophos Anti-Virus component.  It could be that the uninstall of SAV is actually failing.

    There should be an MSI uninstall log under %temp%.  When I have seen this, it's because the uninstalling user is not a member of the SophosAdministrator local group.  Can you add your account to the local SophosAdministrator group and try an uninstall again?  The MSI log will confirm it, but this is my hunch.

    Regards,

    Jak


  • As I am using Local or Domain Administrator accounts, I thought that I had all permissions to uninstall the software. I added my account to the Sophos Administrators group as per your recommendation. Now the system asks again for a restart every time I try to run the uninstaller. I know you mentioned that this is because some files are pending for renaming. Are these files Sophos files, or can they be any files? Is this because I did not do something correctly, or because there is some problem with Windows itself? How can I solve this problem?


    Thanks

    Mladen

  • The PendingFileRenameOperations value is a system-wide setting.  Any application can pend a file for removal or rename at startup.

    When the computer starts the Session Manager, the smss.exe process reads the key and either removes or deletes the files referenced.  There is a \Windows\PFRO.log log file, but it is only created or appended to if an operation fails.

    Entries in the key with a blank line beneath are to be removed.  2 consecutive lines in the key are a rename from one to the other.

    It is possible you could be unlucky and it keeps getting populated, but it's quite easy to evaluate the values in it to know if you can just rename/delete the key given the entries in it.

    Regards,

    Jak
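    A read-only check script, added here as an example and not from Jak or Sophos, that inspects the three things discussed in this thread: the PendingFileRenameOperations value (paired source/target entries; an empty target means delete), the swiupdateaction DWORD under the Sophos Web Intelligence key, and whether netsh still lists the swi_ifslsp LSP in the Winsock catalog. Function names are my own; run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the thread). Read-only: it changes nothing.

function Get-PendingFileRenames {
    # PendingFileRenameOperations is a REG_MULTI_SZ of pairs: source, then target.
    # An empty target means "delete source at next boot"; a '!' prefix on the
    # target means "replace an existing file". Paths carry a \??\ prefix.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    $result = @()
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] -replace '^!?\\\?\?\\', '' } else { '' }
        $result += [pscustomobject]@{
            Action = if ($dst -eq '') { 'Delete' } else { 'Rename' }
            Source = $src
            Target = $dst
        }
    }
    return $result
}

function Get-SwiUpdateAction {
    # The swiupdateaction DWORD Jak describes; on x64 the 32-bit view lives under WOW6432Node.
    foreach ($p in 'HKLM:\SOFTWARE\Sophos\Web Intelligence',
                   'HKLM:\SOFTWARE\WOW6432Node\Sophos\Web Intelligence') {
        $v = Get-ItemProperty -Path $p -Name swiupdateaction -ErrorAction SilentlyContinue
        if ($v) { return [pscustomobject]@{ Path = $p; Value = $v.swiupdateaction } }
    }
    return $null
}

function Test-SophosLspRegistered {
    # True while the Winsock catalog still references the Sophos LSP DLL.
    $catalog = netsh winsock show catalog
    return [bool]($catalog | Select-String -Pattern 'swi_ifslsp' -Quiet)
}

$pending = @(Get-PendingFileRenames)
"Pending file operations at next boot: $($pending.Count)"
$pending | Where-Object { $_.Source -match 'sophos' } | Format-Table -AutoSize
$swi = Get-SwiUpdateAction
if ($swi) { "swiupdateaction = $($swi.Value) at $($swi.Path)" }
else      { 'swiupdateaction not present (no scheduled SWI work)' }
if (Test-SophosLspRegistered) { 'Sophos LSP is still registered in the Winsock catalog' }
else                          { 'No Sophos LSP in the Winsock catalog' }
```

    If the pending list shows only Sophos entries that a reboot keeps failing to process, that is the situation Jak describes where evaluating and clearing the value is reasonable; non-Sophos entries belong to other software and should be left for their owners.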

  • I have managed to successfully uninstall the Sophos Endpoint Agent software following your steps. After the removal process and the PC restart there are some Sophos leftovers, but I can delete them easily without affecting my system.

    I am planning the product removal on my server next weekend. Hopefully it will be a smooth operation.


    Thank you Jak for your time and effort.


    Regards

    Mladen