Does anyone have any working instructions for Azure VM's that have Sophos installed with tamper protection enabled to be fully removed? We have been away from the MSP that installed these for 2 years now and they are unable to provide any assistance outside of the following steps that did not work for us:
- Open the Windows Registry and click HKEY_LOCAL_MACHINE.
- Click File and select Load Hive.
- Open the database file that contains the Registry HKEY_LOCAL_MACHINE\SYSTEM registry hive: Get stuck here as the System file is in use by other resources. When we try to kill this through Resource Manager or CMD we get an error that access is denied even on admin access.
e.g. F:\Windows\system32\config\SYSTEM
Note: The path above should contain the drive letter for the disk you are making changes to. You may also need to select to view all files within this location to see SYSTEM. - Save the loaded Hive with the name Recovery.
- Make the necessary changes to recover either Sophos Endpoint Defense or Server Lockdown:
Note: The required changes must be made to HKEY_LOCAL_MACHINE\Recovery\ControlSet001\ rather than the default path of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet.
- Sophos Endpoint Defense:
- Go to HKEY_LOCAL_MACHINE\Recovery\ControlSet001\Services\Sophos MCS Agentand set the Value data of Start to 0x00000004.
- Go to HKEY_LOCAL_MACHINE\Recovery\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Configand set the Value data of SEDEnabled to 0.
- Sophos Central Server Lockdown (May not be needed):
- Go to HKEY_LOCAL_MACHINE\Recovery\ControlSet001\Services\SLDand set the Value data of Start to 0x00000004.
- Go to HKEY_LOCAL_MACHINE\Recovery\ControlSet001\Services\SLDSvcand set the Value data of Start to 0x00000004.
Then we will need to uninstall or run SOPHOS ZAP from the following article.
SophosZap: Frequently asked questions
This thread was automatically locked due to age.
