
Uninstall Sophos endpoint security and control

My PC (Windows XP) has been running Sophos endpoint security and control for many years in a domain environment.

When I retired the PC was disconnected from the domain and the updates are not running any longer.

I still have the PC and need to uninstall this software.

In Add or Remove Programs there are three Sophos entries:

Sophos Anti-Virus

Sophos AutoUpdate

Sophos Remote Management System

What should I do?

  • I am also trying to uninstall Sophos Endpoint from an XP Pro (SR3) computer too.  I have disabled Tamper Protection and been able (through Control Panel - Remove Programs) to remove the SOPHOS AUTO-UPDATING.

    I then tried to remove the FIREWALL program but got ERROR 1324. The path My Pictures contains an invalid character.

    How do I proceed?

    Paul

  • Hello Paul,

    could you show the corresponding log?

    Christian

  • OK- Done that.  It now looks like sophos1 attached.

    I noticed today that there is a sub-line under User Shell Folders of New that shows the properties shown in sophos 2 attached.  Is this OK or should they be deleted entirely or changed to [REG_EXPAND_SZ]?

    Paul

  • Hello Paul,

    this New key (who- or whatever created it) will be ignored and you can safely delete it with its contents.

    Christian

  • Dare I say it Christian - it looks to have worked???

    Thank you a thousand times over.  I will now have another go with installing the alternate firewall and AV.  It is a pity that SOPHOS stopped supporting XP-Pro for AV otherwise I would not have moved providers but I have a couple of older machines that provide invaluable services and that are running happily on XP-Pro.

    Really appreciate your time in following through with this one.

     

    Paul

  • Hi Christian

     

    Me again.  This time I am on the second (of three) XP machines to remove Sophos Endpoint from it.

    I ran exactly the same sophos.bat removal file as before and was able to remove the registry entries and all but 4 of the folders namely:

    1. C:\Documents and Settings\All Users\Application Data
    2. C:\Documents and Settings\All Users\Application Data\Sophos
    3. C:\Program Files and
    4. C:\Program Files\Sophos

    Despite several reboots I still cannot get rid of these folders as the Laptop says they are in use and indeed the Sophos APP does pop up in the SYSTRAY.

    What did I miss or what is different please about this UNINSTALL?  All other folders are now gone!  I note that there still appear to be some references to SOPHOS in the Registry (running REGEDIT).  Should I delete those, reboot and then be able to remove the remaining folders?

    Thanks

    Paul

  • Hello Paul,

    you wouldn't want to remove 1. and 3.
    Which folder(s) under C:\Program Files\Sophos\ are still there? "the Sophos APP does pop up in the SYSTRAY" - if the Sophos icon is still there it suggests that AutoUpdate hasn't been uninstalled correctly. Is it gone from Add/Remove Programs?

    Christian

  • Hi Christian

    I will try and remove them via Add/remove programs as you said ... they are still there!  Add/remove seems to have worked for the Auto Update.  I forgot to use that and it has taken the Auto update out of the systray.  The SAV though failed to uninstall via Add/Remove programs.

     

    Paul

  • Hello Paul,

    if Add/Remove fails (did it pop up an error?) please retry with msiexec.exe requesting a log. This should tell more.

    Christian

  • Hi Christian

    Yes, the error on uninstalling Sophos Anti-Virus is "Fatal error during installation".

    The error log shows:

    === Verbose logging started: 12/4/2017  17:47:34  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: C:\windows\system32\msiexec.exe ===
    MSI (c) (EC:B0) [17:47:34:815]: Resetting cached policy values
    MSI (c) (EC:B0) [17:47:34:815]: Machine policy value 'Debug' is 0
    MSI (c) (EC:B0) [17:47:34:815]: ******* RunEngine:
               ******* Product: {09863DA9-7A9B-4430-9561-E04D178D7017}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (EC:B0) [17:47:34:815]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (EC:B0) [17:47:34:815]: Grabbed execution mutex.
    MSI (c) (EC:B0) [17:47:34:875]: Cloaking enabled.
    MSI (c) (EC:B0) [17:47:34:875]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (EC:B0) [17:47:34:885]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (F8:A8) [17:47:34:905]: Grabbed execution mutex.
    MSI (s) (F8:9C) [17:47:34:905]: Resetting cached policy values
    MSI (s) (F8:9C) [17:47:34:905]: Machine policy value 'Debug' is 0
    MSI (s) (F8:9C) [17:47:34:905]: ******* RunEngine:
               ******* Product: {09863DA9-7A9B-4430-9561-E04D178D7017}
               ******* Action:
               ******* CommandLine: **********
    MSI (s) (F8:9C) [17:47:34:905]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (F8:9C) [17:47:34:905]: MainEngineThread is returning 1605
    MSI (c) (EC:B0) [17:47:34:905]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (EC:B0) [17:47:34:905]: MainEngineThread is returning 1605
    === Verbose logging stopped: 12/4/2017  17:47:34 ===

    Paul

  • Hello Paul,

    somewhat strange - 1605 is ERROR_UNKNOWN_PRODUCT: "This action is only valid for products that are currently installed." Is it still in Add/Remove? If so, please check both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\. There should be an UninstallString in one of these locations (might or might not name 09863DA9-... as the product). Retry the msiexec.exe with this product code as before but omit the /qn switch.

    Christian

  • It is on an XP Pro 32 bit system Christian so there are only HKEY_ registry entries nothing like what you describe above.

    Paul

  • Hello Paul,

    sorry, thought that everybody is aware of the HKLM and HKCU shorthands for HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.

    Christian

  • My bad then!

    My Registry has neither entry Christian.

    Paul

  • Hello Paul,

    and SAV is still in Add/Remove? Similar data is under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\ (in case of User type installs under the user's SID), if you can't find the ProductID you should find at least the DisplayName (Sophos Anti-Virus).

    Christian

  • Thanks Christian.

    There is nothing at that location either and yes, SAV is still showing in Add/Remove Programs.  When I push Remove it gathers all the information etc., then rolls back and fails with the "Fatal error during installation" still.

     

    Paul

  • Hello Paul,

    strange that Add/Remove and the Installer disagree in this manner (usually it's the other way round, not in Add/Remove but the Installer considers it installed). Please search the registry for 09863DA9-7A9B-4430-9561-E04D178D7017 and 9AD36890B9A7034459160ED471D80771.

    Apart from it being listed in Add/Remove - is SAV installed (e.g. the Sophos Anti-Virus service still present and running)? You want to remove Sophos because you are considering another and still supported AV product? You still have a third XP machine with Sophos 10.6.3 installed? If so do not uninstall.

    Christian
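
The two strings Christian asks Paul to search for are the same product code in two forms: the braced GUID and the packed form Windows Installer uses for its own key names. The following is an added example, not part of any post in this thread; it derives one form from the other, reads the product code and final return code out of a verbose msiexec log, and lists the registry locations named in the thread. The function names are my own.

```python
import re

# Windows Installer return codes (winerror.h). 1605 is the code in the log above;
# 1603 is the code whose message text is "Fatal error during installation".
MSI_ERRORS = {1603: "ERROR_INSTALL_FAILURE", 1605: "ERROR_UNKNOWN_PRODUCT"}

# Excerpt of the verbose log quoted earlier in the thread.
SAMPLE_LOG = """\
MSI (s) (F8:9C) [17:47:34:905]: ******* RunEngine:
           ******* Product: {09863DA9-7A9B-4430-9561-E04D178D7017}
MSI (s) (F8:9C) [17:47:34:905]: MainEngineThread is returning 1605
MSI (c) (EC:B0) [17:47:34:905]: MainEngineThread is returning 1605
"""

GUID_RE = re.compile(
    r"\{([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}", re.I)

def pack_guid(product_code):
    """Braced product code -> 32-character packed form used as Installer key names."""
    m = GUID_RE.fullmatch(product_code.strip())
    if not m:
        raise ValueError("not a braced GUID: %r" % product_code)
    a, b, c, d, e = m.groups()
    # The first three groups are reversed whole; the rest is swapped two characters at a time.
    swapped = "".join(p[1] + p[0] for p in re.findall("..", d + e))
    return (a[::-1] + b[::-1] + c[::-1] + swapped).upper()

def registry_candidates(product_code):
    """Registry keys named in the thread where the product should be recorded."""
    code = product_code.strip().upper()
    base = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
    return [
        "\\".join(["HKLM", base, "Uninstall", code]),
        "\\".join(["HKCU", base, "Uninstall", code]),
        "\\".join(["HKLM", base, r"Installer\UserData\S-1-5-18\Products", pack_guid(code)]),
    ]

def summarize_msi_log(text):
    """Extract the product code and the last MainEngineThread return code."""
    m = re.search(r"Product:\s*(\{[0-9A-Fa-f-]{36}\})", text)
    codes = re.findall(r"MainEngineThread is returning (\d+)", text)
    product = m.group(1).upper() if m else None
    result = int(codes[-1]) if codes else None
    return {
        "product_code": product,
        "packed": pack_guid(product) if product else None,
        "result": result,
        "meaning": MSI_ERRORS.get(result, "unknown"),
    }
```
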

  • Hi Christian

    I searched on both 09863DA9-7A9B-4430-9561-E04D178D7017 and 9AD36890B9A7034459160ED471D80771 and came up with nothing.

    Yes, because Sophos no longer supports AV for XP-Pro (and AVAST do) I am migrating all our network to AVAST.  Installing AVAST while there are any remnants of SOPHOS around causes issues.  After this current XP machine I still have one further machine on XP and then one on Windows 10 to go.

    Am I correct in thinking (given the timing of your replies) that you are in the UK?  I am very pleased that we are making some progress - one machine done and 3 to go - but it is slow progress!!  Thank you for hanging in with this.

    Paul

  • Christian

    Well having played around a bit with msconfig and regedit I have got rid of everything now except SavShellExt.dll in C:\Program Files\Sophos\Sophos Anti-Virus.

    When I try to delete this file I get the message

    Cannot delete SavShellExt.dll Access is denied

    Presumably because the file is still getting loaded somehow or other.

    How do I proceed please?

    Thanks

  • Hello Paul,

    not U.K., Austria, Vienna.

    SavShellExt.dll is a shell extension (there are several references in the registry), loaded by Explorer when you right-click to get the context menu. You can delete it after the login provided you don't open the context menu. The Sysinternals MoveFile utility lets you schedule the deletion.  

    Christian

  • Well thank you anyway Christian and Guten Tag!

    Am trying the Move and rebooting.

  • So I wrote the following bat file:
    C:\Documents_and_Settings\Paul\My_Documents\Downloads\pendmoves.exe C:\Program_Files\Sophos\Sophos_Anti-Virus\SavShellExt.dll DELETE

    and ran it and I got the reply from CMD: "The system cannot find the path specified."

    What did I do wrong please?  Microsoft webpage was not helpful.

    Paul