Need to uninstall Sophos on my client/server machines

Hi there,

So, I'm trying to remove Sophos by using a batch script like the one below:

MsiExec.exe /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} /qn

MsiExec.exe /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} /qn

MsiExec.exe /X {9ACB414D-9347-40B6-A453-5EFB2DB59DFA} /qn

MsiExec.exe /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} /qn

MsiExec.exe /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} /qn

MsiExec.exe /X{C4EDC7DA-3AF8-4E99-ACAC-4C1A70F88CFB} /qn

MsiExec.exe /X{FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn

The script works correctly on my machine but not on the other machines. After verification I found that the uninstall string is not unique; it differs from one system version to another.

And I'm just wondering if there is a KB or uninstaller MSI that I can use to delete it on the machines.

Thank you for your help

  • Interested in that one too ...

    PJR

  • Hello all,

    as the scripted uninstall for SESC article suggests, you should gather the current applicable uninstall strings (which are not necessarily solely msiexec) and use them to build the script. This is recommended especially for SESC as many versions are available to an SESC customer. Central is stricter but taking controlled updates and Early Access programs into account you can still have more than two versions of a component.

    Heard that Sophos is working on a flexible tool that assesses the installed components and gathers the correct uninstall strings. Until then the mentioned method is your best option. Please note that the product codes might change without notice.
    An article that lists all potential components is IMO simply not feasible - and furthermore you'd have to consult it right before using the script, last week's codes might be outdated.

    Christian

  • In reply to QC:

    Hello QC , 

    So, is there another option than msiexec? Is the only way to do a script that runs the uninstall string code? If so, it's impossible to get all of the msiexec codes on the client machines.

  • In reply to AyoubSEFYAOUI:

    Hello AyoubSEFYAOUI,

    "other option than msiexec"
    The UninstallString contains whatever command performs the uninstall; it's up to the application what it puts there. For products installed with the Windows Installer it's msiexec.exe. Of the Sophos components, e.g. Intercept X (HitmanPro.Alert, Clean) and Endpoint Defense have their own uninstall programs.
    If by other option you mean an alternative command to an msiexec.exe that's in the UninstallString, then no.

    "it's impossible to get all of the msiexec codes"
    Admittedly there's a number of them, dunno for Central but for SESC it's five to ten or so. Normally your endpoints would use more or less the same versions, but even if not it's still not something I'd call impossible. OTOH a complete list of potential codes provided in an article likely has to contain four or five times the number of codes you actually need. And the definite drawback of such a list is that someone might store it locally "for convenience" and not check for a new version before using it at a later time. There's a recommended order of uninstalling; skipping a component that's higher up on the list can result in issues that might be hard to resolve.

    Christian
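
Added example, not part of the thread and not a Sophos tool: a read-only PowerShell inventory of the UninstallString values described in the replies above, read from both the 64-bit and 32-bit Uninstall registry views so the strings can be compared between machines before a script is built. Matching on a DisplayName or Publisher that begins with "Sophos" and the CSV file name are assumptions; nothing is uninstalled.

```powershell
# Added example: read-only inventory of Sophos uninstall entries on the local machine.
# It only reads the registry and writes a CSV; it does not run any UninstallString.

# Both registry views: native (64-bit) and WOW6432Node (32-bit installers).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SophosUninstallEntry {
    [CmdletBinding()]
    param(
        # Assumption: components are identifiable by DisplayName or Publisher.
        [string]$Pattern = 'Sophos*'
    )

    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern -or $_.Publisher -like $Pattern } |
        ForEach-Object {
            $cmd = [string]$_.UninstallString
            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                # For MSI-installed components the key name is the product code GUID.
                KeyName         = $_.PSChildName
                # False means the component ships its own uninstall program.
                UsesMsiExec     = $cmd -match '(?i)\bmsiexec(\.exe)?\b'
                UninstallString = $cmd
            }
        }
}

# Hypothetical output file name; one CSV per machine makes version drift visible.
Get-SophosUninstallEntry |
    Sort-Object DisplayName |
    Export-Csv -Path ".\sophos-uninstall-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it from an elevated prompt and re-run it shortly before any scripted removal, since the product codes it reports can change between versions.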

  • Although you would have to do some testing and add a specific line for each different aspect installed, this would more than likely work as long as you did not have tamper protection enabled.

    wmic product where "name like 'Sophos%%'" call uninstall /nointeractive

    Or something else similar. Like I said, you would have to test it, and you may need to run multiple lines of it to completely uninstall, but once you had it you could just rinse and repeat on each computer.


  • In reply to badrobot:

    This is an age-old problem with Sophos, and a problem that so far Sophos has not been able to solve.

    Servers are a problem because if something goes wrong you have other problems.

    For workstations

    IMPORTANT:  We are not using Sophos Central.  We are using on premise Sophos enterprise central (SEC).

    Make sure the admin account that you are using is a member of the local administrators group.  The last I checked, Sophos doesn't support nested groups for administrating Sophos endpoint.

    I have yet to figure out a good order for ripping out Sophos AV.

    disable firewall

    set UAC to lowest level.

    If you are using Group Policies then I recommend that you move the PC to the default computer OU, as this OU normally has little to no Group Policies applied.

    restart PC.

    from an administrative command prompt run gpupdate /force.  This should clear out any applied Group Policies.  should..

    restart PC.

    uninstall as much of Sophos as you can.

    restart PC.

    run the scripts as administrator

    restart PC

    Go to Microsoft and download and run the force uninstall utility against Sophos AV.

    restart PC.

    Search the registry for the different parts of Sophos.  Search words: RMS, SAVXP, Sophos, and try shortened path names for Sophos.

    Delete these keys.  Like always use caution when deleting any registry key.

    restart PC.

    Last, search the Windows file structure for any leftover Sophos folders.  Remember to look in the hidden folders also.

    restart PC.

    Now you should be ready to attempt a re-install of Sophos if that was your goal after ripping Sophos AV out.

    I would leave the PC in the default computer OU.  If you are doing AD sync with your SEC then force a re-sync so SEC knows what OU the PC is now in.  If you have not set up AD with your default computer OU, which can be a normal configuration, move the PC to a non-AD synced folder (group) in SEC which has policies assigned.  This can be important as Sophos can get confused when it can't apply a policy that has the path to the update folder.

    I have run these steps many times and have gotten lucky more times than not. But weigh your time and decide if it is just better to re-image or rebuild.

    If you are using imaging make sure you never include Sophos in the image.

    If you have created a custom installer for Sophos AV then copy it to the PC and run it as administrator.

    If you get a good install of Sophos AV and a green light in SEC then move the PC back to its correct OU and do a gpupdate /force, restart PC, and then force Sophos AV to the PC.

    Good luck and hope this helps.

    Lastly, make sure the wind is not blowing outside, as this can affect the process.