This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Uninstall Sophos endpoint security and control

My PC (Windows XP) has been running Sophos endpoint security and control for many years i a domain environment.

When I retired the PC was disconnected from the domain and the updates are not running any longer.

I still have the PC and need to uninstall this software.

In Add or Remove programs three Sophos entries:

Sophos Anti-Virus

Sophos AutoUpdate

Sophos Remote Management System

How should I do?

:33387


This thread was automatically locked due to age.
Parents Reply Children
  • Hello Paul,

    Do you work for Sophos?
    Apparently in a certain sense. But no - I'm neither an employee nor a partner, reseller, or freelancer.

    Christian

  • Ha-ha!  Well I will run the batch command on the remaining XP machine and see where that takes me I guess.

  • So running the bat file on the last XP Pro machine I have Christian I got the following log files:

    Uninstall_SAV9-10_SophosLog1.txt

    === Verbose logging started: 13/12/2017  12:01:27  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: C:\WINDOWS\system32\msiexec.exe ===
    MSI (c) (D0:40) [12:01:27:343]: Resetting cached policy values
    MSI (c) (D0:40) [12:01:27:343]: Machine policy value 'Debug' is 0
    MSI (c) (D0:40) [12:01:27:343]: ******* RunEngine:
               ******* Product: {A805FB2A-A844-4cba-8088-CA64087D59E1}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (D0:40) [12:01:27:343]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (D0:40) [12:01:27:343]: Grabbed execution mutex.
    MSI (c) (D0:40) [12:01:27:406]: Cloaking enabled.
    MSI (c) (D0:40) [12:01:27:406]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (D0:40) [12:01:27:421]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (E4:4C) [12:01:27:468]: Grabbed execution mutex.
    MSI (s) (E4:40) [12:01:27:468]: Resetting cached policy values
    MSI (s) (E4:40) [12:01:27:468]: Machine policy value 'Debug' is 0
    MSI (s) (E4:40) [12:01:27:468]: ******* RunEngine:
               ******* Product: {A805FB2A-A844-4cba-8088-CA64087D59E1}
               ******* Action:
               ******* CommandLine: **********
    MSI (s) (E4:40) [12:01:27:484]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (E4:40) [12:01:27:484]: MainEngineThread is returning 1605
    MSI (c) (D0:40) [12:01:27:484]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (D0:40) [12:01:27:484]: MainEngineThread is returning 1605
    === Verbose logging stopped: 13/12/2017  12:01:27 ===

     

    And for Uninstall_SAV9-10_SophosLog2.txt

    === Verbose logging started: 13/12/2017  12:01:27  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: C:\WINDOWS\system32\msiexec.exe ===
    MSI (c) (64:80) [12:01:27:546]: Resetting cached policy values
    MSI (c) (64:80) [12:01:27:546]: Machine policy value 'Debug' is 0
    MSI (c) (64:80) [12:01:27:546]: ******* RunEngine:
               ******* Product: {09863DA9-7A9B-4430-9561-E04D178D7017}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (64:80) [12:01:27:546]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (64:80) [12:01:27:546]: Grabbed execution mutex.
    MSI (c) (64:80) [12:01:27:546]: Cloaking enabled.
    MSI (c) (64:80) [12:01:27:546]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (64:80) [12:01:27:546]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (E4:4C) [12:01:27:562]: Grabbed execution mutex.
    MSI (s) (E4:60) [12:01:27:562]: Resetting cached policy values
    MSI (s) (E4:60) [12:01:27:562]: Machine policy value 'Debug' is 0
    MSI (s) (E4:60) [12:01:27:562]: ******* RunEngine:
               ******* Product: {09863DA9-7A9B-4430-9561-E04D178D7017}
               ******* Action:
               ******* CommandLine: **********
    MSI (s) (E4:60) [12:01:27:562]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (E4:60) [12:01:27:562]: MainEngineThread is returning 1605
    MSI (c) (64:80) [12:01:27:562]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (64:80) [12:01:27:562]: MainEngineThread is returning 1605
    === Verbose logging stopped: 13/12/2017  12:01:27 ===

    Nothing seems to have uninstalled on this machine!

    The bat file was

    MsiExec.exe /X{A805FB2A-A844-4cba-8088-CA64087D59E1} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SAV9-10_SophosLog1.txt
    MsiExec.exe /X{09863DA9-7A9B-4430-9561-E04D178D7017} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SAV9-10_SophosLog2.txt

    as before.

     

    Paul

  • Hello Paul,

    as before 1605 means that the Installer claims the product isn't installed. The product code for the firewall (SCF) hasn't changed for years - was/is it indeed installed? If not, the output would be correct.

    The other code is SAV version 10.6.3 - is this indeed the version installed?

    Christian

  • Thanks Christian.  Add/Remove Programs seemed to take care of the remnants.  I'll clean up the Registry for redundant items too.  Then we'll move onto the Windows 10 machine!!

    Paul

  • I ran "C:\Documents and Settings\Sara\My Documents\Downloads\PendMoves\movefile.exe" "C:\Documents and Settings\All Users\Application Data\Sophos\Web Intelligence\swi_ifslsp.dll" DELETE in a batch file and it scheduled it for deletion on this last XP Machine Christian and it scheduled it for deletion on reboot ... but swi_ifslsp.dll is still not deleted and is still refusing manual deletion.

    Any ideas on this please?

    Thanks

    Paul

  • Hello Paul,

    question is - why is it left behind? Admittedly Windows XP installations have a long history and thus are susceptible to fouling. Nevertheless it's not very likely that three out of three are causing troubles that can only be resolved by rather violent measures, many uninstall errors are correctable. So don't start to wield the axe at the first failure.

    Anyway, please check if the DLL is still registered with winsock - from a cmd window netsh winsock show catalog (can be long so pipe it to a file). If SAV is no longer running (and already perhaps incompletely uninstalled) so that you can disable Web protection you could try to remove the LSP (please note there can be more than one entry) from the catalog using netsh winsock remove provider <catalog ID>.

    Christian

  • Ran netsh winsock show catalog and there are two entries:

    DCAAE4DE-B769-4318-B7FA-09DC17438FF8 and

    2AC5A5CC-B821-4069-B9FF-D3B79355270B

    I found this winsock editor (https://www.technize.net/winsockservicesview-winsock-viewer/) or is there a safer way to disable these two entries please?

    Paul

  • Hello Paul,

    if uninstall is no longer available and you want to get rid of them there's not much else you can do.

    Christian

  • Oops - there was a third one - FCB06AC5-7321-4BAA-A499-FC205998D218

    The CATALOG IDs are 1107, 1108 and 1109.  I have tried netsh winsock remove provider 1107 and ... 1108 and ... 1109 but CMD said the command was not found.