This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Uninstall Sophos endpoint security and control

My PC (Windows XP) has been running Sophos endpoint security and control for many years i a domain environment.

When I retired the PC was disconnected from the domain and the updates are not running any longer.

I still have the PC and need to uninstall this software.

In Add or Remove programs three Sophos entries:

Sophos Anti-Virus

Sophos AutoUpdate

Sophos Remote Management System

How should I do?

:33387


This thread was automatically locked due to age.
Parents
  • I am also trying to uninstall Sophos Endpoint from an XP Pro (SR3) computer too.  I have disabled Tamper Protection and been able (through Control Panel - Remove Programs) to remove the SOPHOS AUTO-UPDATING.

    I then tried to remove the FIREWALL program but got ERROR 1324. The path My Pictures contains an invalid character.

    How do I proceed?

    Paul

  • Hello Paul,

    could you show the corresponding log?

    Christian

  • So running the bat file on the last XP Pro machine I have Christian I got the following log files:

    Uninstall_SAV9-10_SophosLog1.txt

    === Verbose logging started: 13/12/2017  12:01:27  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: C:\WINDOWS\system32\msiexec.exe ===
    MSI (c) (D0:40) [12:01:27:343]: Resetting cached policy values
    MSI (c) (D0:40) [12:01:27:343]: Machine policy value 'Debug' is 0
    MSI (c) (D0:40) [12:01:27:343]: ******* RunEngine:
               ******* Product: {A805FB2A-A844-4cba-8088-CA64087D59E1}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (D0:40) [12:01:27:343]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (D0:40) [12:01:27:343]: Grabbed execution mutex.
    MSI (c) (D0:40) [12:01:27:406]: Cloaking enabled.
    MSI (c) (D0:40) [12:01:27:406]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (D0:40) [12:01:27:421]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (E4:4C) [12:01:27:468]: Grabbed execution mutex.
    MSI (s) (E4:40) [12:01:27:468]: Resetting cached policy values
    MSI (s) (E4:40) [12:01:27:468]: Machine policy value 'Debug' is 0
    MSI (s) (E4:40) [12:01:27:468]: ******* RunEngine:
               ******* Product: {A805FB2A-A844-4cba-8088-CA64087D59E1}
               ******* Action:
               ******* CommandLine: **********
    MSI (s) (E4:40) [12:01:27:484]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (E4:40) [12:01:27:484]: MainEngineThread is returning 1605
    MSI (c) (D0:40) [12:01:27:484]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (D0:40) [12:01:27:484]: MainEngineThread is returning 1605
    === Verbose logging stopped: 13/12/2017  12:01:27 ===

     

    And for Uninstall_SAV9-10_SophosLog2.txt

    === Verbose logging started: 13/12/2017  12:01:27  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: C:\WINDOWS\system32\msiexec.exe ===
    MSI (c) (64:80) [12:01:27:546]: Resetting cached policy values
    MSI (c) (64:80) [12:01:27:546]: Machine policy value 'Debug' is 0
    MSI (c) (64:80) [12:01:27:546]: ******* RunEngine:
               ******* Product: {09863DA9-7A9B-4430-9561-E04D178D7017}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (64:80) [12:01:27:546]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (64:80) [12:01:27:546]: Grabbed execution mutex.
    MSI (c) (64:80) [12:01:27:546]: Cloaking enabled.
    MSI (c) (64:80) [12:01:27:546]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (64:80) [12:01:27:546]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (E4:4C) [12:01:27:562]: Grabbed execution mutex.
    MSI (s) (E4:60) [12:01:27:562]: Resetting cached policy values
    MSI (s) (E4:60) [12:01:27:562]: Machine policy value 'Debug' is 0
    MSI (s) (E4:60) [12:01:27:562]: ******* RunEngine:
               ******* Product: {09863DA9-7A9B-4430-9561-E04D178D7017}
               ******* Action:
               ******* CommandLine: **********
    MSI (s) (E4:60) [12:01:27:562]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (E4:60) [12:01:27:562]: MainEngineThread is returning 1605
    MSI (c) (64:80) [12:01:27:562]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (64:80) [12:01:27:562]: MainEngineThread is returning 1605
    === Verbose logging stopped: 13/12/2017  12:01:27 ===

    Nothing seems to have uninstalled on this machine!

    The bat file was

    MsiExec.exe /X{A805FB2A-A844-4cba-8088-CA64087D59E1} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SAV9-10_SophosLog1.txt
    MsiExec.exe /X{09863DA9-7A9B-4430-9561-E04D178D7017} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SAV9-10_SophosLog2.txt

    as before.

     

    Paul

  • Hello Paul,

    as before 1605 means that the Installer claims the product isn't installed. The product code for the firewall (SCF) hasn't changed for years - was/is it indeed installed? If not, the output would be correct.

    The other code is SAV version 10.6.3 - is this indeed the version installed?

    Christian

  • Thanks Christian.  Add/Remove Programs seemed to take care of the remnants.  I'll clean up the Registry for redundant items too.  Then we'll move onto the Windows 10 machine!!

    Paul

  • I ran "C:\Documents and Settings\Sara\My Documents\Downloads\PendMoves\movefile.exe" "C:\Documents and Settings\All Users\Application Data\Sophos\Web Intelligence\swi_ifslsp.dll" DELETE in a batch file and it scheduled it for deletion on this last XP Machine Christian and it scheduled it for deletion on reboot ... but swi_ifslsp.dll is still not deleted and is still refusing manual deletion.

    Any ideas on this please?

    Thanks

    Paul

  • Hello Paul,

    question is - why is it left behind? Admittedly Windows XP installations have a long history and thus are susceptible to fouling. Nevertheless it's not very likely that three out of three are causing troubles that can only be resolved by rather violent measures, many uninstall errors are correctable. So don't start to wield the axe at the first failure.

    Anyway, please check if the DLL is still registered with winsock - from a cmd window netsh winsock show catalog (can be long so pipe it to a file). If SAV is no longer running (and already perhaps incompletely uninstalled) so that you can disable Web protection you could try to remove the LSP (please note there can be more than one entry) from the catalog using netsh winsock remove provider <catalog ID>.

    Christian

  • Ran netsh winsock show catalog and there are two entries:

    DCAAE4DE-B769-4318-B7FA-09DC17438FF8 and

    2AC5A5CC-B821-4069-B9FF-D3B79355270B

    I found this winsock editor (https://www.technize.net/winsockservicesview-winsock-viewer/) or is there a safer way to disable these two entries please?

    Paul

  • Hello Paul,

    if uninstall is no longer available and you want to get rid of them there's not much else you can do.

    Christian

  • Oops - there was a third one - FCB06AC5-7321-4BAA-A499-FC205998D218

    The CATALOG IDs are 1107, 1108 and 1109.  I have tried netsh winsock remove provider 1107 and ... 1108 and ... 1109 but CMD said the command was not found.

     

  • Hello Paul,

    hm, netsh winsock was introduced with XP SP2 but remove might have come later. netsh winsock -? should tell if it's available. If not then there's just netsh winsock reset, article tell you that potentially you have to reinstall affected programs - as far as Sophos is concerned you want to uninstall it anyway.

    Christian

  • That computer is running XP Pro SR3 and if you do netsh winsock ? (or help) remove is not listed.  The options are ?, Dump, Help or Show (not even Show Catalog.

    How do you remove entries in this environment please?

Reply Children
  • Hello Paul,

    not even Show Catalog
    catalog is a subcommand of
    show, with netsh simply append -? until you no longer get a The following commands are available.  They haven't revoked winsock reset with SP3, the command should be there. The article I've linked in the previous post also mentions a method (working directly with the registry) in case reset is not available.

    Christian

  • Yes netsh winsock show catalog worked - that is how I found the Catalog IDs but I could not see how to write the screen list (not that long to scroll through) to a file and netsh winsock remove 1107 command was not recognised.

    Reset is available but I was concerned about what else may get knocked out.  If I could write it to a file I could then maybe ADD items back in.  Is there a way to export the winsock file and then use like a text editor to hack it up and then put it back?

    Paul

  • Hello Paul,

    write [...] to a file
    simply with redirection.

    Reset
    the list looks standard except for the Sophos entries so it should be back to normal after the reset. How additional LSPs are installed depends on the software, there's no backup/edit/restore mechanism.

    Christian

  • Well I couldnt get it to write to a file so I just went for the reset since you said it all looked pretty standard Christian.  Rebooted and was able to remove that last piece.

    Ran a final REGEDIT and MSCONFIG just to check there was nothing else that I could see of SOPHOS and it all looked good so thank you very much for cleaning up the 3 XP-Pro machines.

     

    What do I need to do differently to have a better success at removing it on my Windows 10 64 bit machine please? (This is the last machine now!!)

    Thank you

    Paul

  • Hello Paul,

    general recommendation is: Check that the installation is current and there aren't any updating/install errors. Uninstall from Programs and Features or with a custom script - custom meaning that you obtain the current Product IDs from the registry. In case of a failure try to determine and correct the cause (if necessary open a support ticket or post here), do not try to "remove" a product by deleting registry keys, files, and folders.

    Christian

  • HAppy Christmas Christian.

     

    You will be pleased to know that the uninstall on the WINDOWS 10 64 bit machine went fine so I am all fixed up now.  Thank you so much for your help.

    Paul