
Uninstall Sophos Endpoint from a Windows PC without having a Password for disabling Tamper Protection

Hello,

There are many articles about this problem but none is working...

I tried this

  • Following the restart, select an administrative account to continue and enter the password.
  • Open Command Prompt.
  • Type C: and press Enter.
    • Note: Your Boot drive may differ from C. If so, use a command such as DiskPart and list volume to show the available volumes.
  • Type cd Windows\System32\drivers and press Enter.
  • Type ren SophosED.sys SophosED.sys.old and press Enter. Does not work, Access denied! So no rename possible
  • Type exit and press Enter.
  • Click Continue.
  • Once back in Windows, open Registry Editor.
  • Back up the registry.
  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Agent  and set the Value data of Start to 0x00000004.  This works
  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVService  and set the Value data of Start to 0x00000004. Access denied
  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service  and set the Value data of Start to 0x00000004. Also access denied, cannot be changed
  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services and under every subkey in this location set the Value data of Protected to 0. Also access denied, cannot be changed
    • Example:
      • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services\SAVService and set the Value data of Protected to 0.
  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0. Also access denied, cannot be changed
  • Set the Value data of Enabled to 0 in the following:
    • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection Also access denied, cannot be changed
    • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection Also access denied, cannot be changed
  • Restart the endpoint or server to turn off tamper protection completely.

So all these articles are not working as described, any ideas how to overcome these problems?



This thread was automatically locked due to age.
  • Hello Fred Lind,

    that you get an Access denied when trying the ren SophosED.sys suggests you aren't in Troubleshoot mode (previously called Safe mode). Endpoint Defence and TP are active and consequently these commands fail.
    Which Windows version, BTW?

    Christian

  • Hello Christian, it was in troubleshoot mode (previously called Safe mode)! Did everything as described, Windows version is 8.1

  • Hello Fred Lind,

    I don't have 8.1 so I can't check how it behaves. The command
    Driverquery.exe /fo csv /v |findstr SophosED
    should show you whether Endpoint Defence is running
    "Sophos Endpoint Defense",[...],"File System ","Boot","Running","OK",...
    and if it is this would explain the Access denied. The question would then be why you're not in troubleshooting mode.

    Christian
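
The check Christian describes, combined with a look at how Windows was actually booted, as an added example that is not part of the original thread. It is read-only and assumes an elevated PowerShell prompt in the running Windows session and English column headers from driverquery.

```powershell
# Added example: read-only diagnostic, changes nothing on the system.
# Assumes English driverquery column headers ("State", "Start Mode", "Path").

# 1. How was Windows booted? BootupState reads "Normal boot", "Fail-safe boot"
#    or "Fail-safe with network boot"; SAFEBOOT_OPTION is only set in Safe Mode.
$bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
$safeBoot  = $env:SAFEBOOT_OPTION

# 2. Parse the verbose driver list as CSV instead of reading the raw text.
$drivers = driverquery.exe /fo csv /v | ConvertFrom-Csv

# Like "findstr SophosED", but matched (case-insensitively) over every column.
$sed = $drivers | Where-Object {
    ($_.PSObject.Properties.Value -join '|') -match 'SophosED'
}

"Boot state      : $bootState"
"SAFEBOOT_OPTION : $(if ($safeBoot) { $safeBoot } else { '<not set>' })"

if (-not $sed) {
    "SophosED driver : not listed by driverquery"
} else {
    foreach ($d in $sed) {
        "SophosED driver : State=$($d.State) StartMode=$($d.'Start Mode') Path=$($d.Path)"
    }
}
```

A State of Running alongside a boot state of "Normal boot" is the situation described in the reply above: the driver is loaded and the session is not in troubleshooting mode.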
