
Uninstall Sophos endpoint security and control

My PC (Windows XP) has been running Sophos endpoint security and control for many years in a domain environment.

When I retired, the PC was disconnected from the domain and the updates are not running any longer.

I still have the PC and need to uninstall this software.

In Add or Remove Programs there are three Sophos entries:

Sophos Anti-Virus

Sophos AutoUpdate

Sophos Remote Management System

What should I do?

  • I am also trying to uninstall Sophos Endpoint from an XP Pro (SR3) computer too.  I have disabled Tamper Protection and been able (through Control Panel - Remove Programs) to remove the SOPHOS AUTO-UPDATING.

    I then tried to remove the FIREWALL program but got ERROR 1324. The path My Pictures contains an invalid character.

    How do I proceed?

    Paul

  • Hello Paul,

    could you show the corresponding log?

    Christian

  • Hi Christian

    Me again.  This time I am on the second (of three) XP machines to remove Sophos Endpoint from it.

    I ran exactly the same sophos.bat removal file as before and was able to remove the registry entries and all but 4 of the folders namely:

    1. C:\Documents and Settings\All Users\Application Data
    2. C:\Documents and Settings\All Users\Application Data\Sophos
    3. C:\Program Files and
    4. C:\Program Files\Sophos

    Despite several reboots I still cannot get rid of these folders as the Laptop says they are in use and indeed the Sophos APP does pop up in the SYSTRAY.

    What did I miss or what is different please about this UNINSTALL?  All other folders are now gone!  I note that there still appear to be some references to SOPHOS in the Registry (running REGEDIT).  Should I delete those, reboot and then be able to remove the remaining folders?

    Thanks

    Paul

  • Hello Paul,

    you wouldn't want to remove 1. and 3.
    Which folder(s) under C:\Program Files\Sophos\ are still there? "the Sophos APP does pop up in the SYSTRAY" - if the Sophos icon is still there it suggests that AutoUpdate hasn't been uninstalled correctly. Is it gone from Add/Remove Programs?

    Christian

  • Hi Christian

    I will try and remove them via Add/remove programs as you said ... they are still there!  Add/remove seems to have worked for the Auto Update.  I forgot to use that and it has taken the Auto update out of the systray.  The SAV though failed to uninstall via Add/Remove programs.

    Paul

  • Hello Paul,

    if Add/Remove fails (did it pop up an error?) please retry with msiexec.exe requesting a log. This should tell more.

    Christian

  • Hi Christian

    Yes the error on uninstalling Sophos Anti Virus is Fatal error during installation.

    The error log shows:

    === Verbose logging started: 12/4/2017  17:47:34  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: C:\windows\system32\msiexec.exe ===
    MSI (c) (EC:B0) [17:47:34:815]: Resetting cached policy values
    MSI (c) (EC:B0) [17:47:34:815]: Machine policy value 'Debug' is 0
    MSI (c) (EC:B0) [17:47:34:815]: ******* RunEngine:
               ******* Product: {09863DA9-7A9B-4430-9561-E04D178D7017}
               ******* Action:
               ******* CommandLine: **********
    MSI (c) (EC:B0) [17:47:34:815]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (EC:B0) [17:47:34:815]: Grabbed execution mutex.
    MSI (c) (EC:B0) [17:47:34:875]: Cloaking enabled.
    MSI (c) (EC:B0) [17:47:34:875]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (EC:B0) [17:47:34:885]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (F8:A8) [17:47:34:905]: Grabbed execution mutex.
    MSI (s) (F8:9C) [17:47:34:905]: Resetting cached policy values
    MSI (s) (F8:9C) [17:47:34:905]: Machine policy value 'Debug' is 0
    MSI (s) (F8:9C) [17:47:34:905]: ******* RunEngine:
               ******* Product: {09863DA9-7A9B-4430-9561-E04D178D7017}
               ******* Action:
               ******* CommandLine: **********
    MSI (s) (F8:9C) [17:47:34:905]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (F8:9C) [17:47:34:905]: MainEngineThread is returning 1605
    MSI (c) (EC:B0) [17:47:34:905]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (EC:B0) [17:47:34:905]: MainEngineThread is returning 1605
    === Verbose logging stopped: 12/4/2017  17:47:34 ===

    Paul

  • Hello Paul,

    somewhat strange - 1605 is ERROR_UNKNOWN_PRODUCT: "This action is only valid for products that are currently installed." Is it still in Add/Remove? If so, please check both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\. There should be an UninstallString in one of these locations (might or might not name 09863DA9-... as the product). Retry the msiexec.exe with this product code as before but omit the /qn switch.

    Christian

  • It is on an XP Pro 32 bit system Christian, so there are only HKEY_ registry entries, nothing like what you describe above.

    Paul

  • Hello Paul,

    sorry, thought that everybody is aware of the HKLM and HKCU shorthands for HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.

    Christian

  • My bad then!

    My Registry has neither entry Christian.

    Paul

  • Hello Paul,

    and SAV is still in Add/Remove? Similar data is under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\ (in case of User type installs under the user's SID). If you can't find the ProductID you should find at least the DisplayName (Sophos Anti-Virus).

    Christian

  • Thanks Christian.

    There is nothing at that location either and yes SAV is still showing in Add/Remove Programs.  Pushing the Remove it gathers all the information etc. then rolls back and Fails with the Fatal error during installation still.

    Paul

  • Hello Paul,

    strange that Add/Remove and the Installer disagree in this manner (usually it's the other way round, not in Add/Remove but the Installer considers it installed). Please search the registry for 09863DA9-7A9B-4430-9561-E04D178D7017 and 9AD36890B9A7034459160ED471D80771.

    Apart from it being listed in Add/Remove - is SAV installed (e.g. the Sophos Anti-Virus service still present and running)? You want to remove Sophos because you are considering another and still supported AV product? You still have a third XP machine with Sophos 10.6.3 installed? If so do not uninstall.

    Christian
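The two strings in the search request above are the same product code in two notations: Windows Installer stores the GUID under its Installer keys in a "packed" form, with the first three fields reversed and the two digits of each remaining byte swapped. The following is an added example, not part of the original thread; it converts between the two forms and scans a registry export for either one. The function names and the sample export are constructed for illustration.

```python
import re

_HEX32 = re.compile(r"[0-9A-F]{32}")

def _swap(h):
    """Self-inverse transform between GUID hex digits and the packed form."""
    h = h.upper()
    if not _HEX32.fullmatch(h):
        raise ValueError("expected 32 hex digits")
    # The first three GUID fields (8, 4, 4 digits) are written back to front.
    head = h[0:8][::-1] + h[8:12][::-1] + h[12:16][::-1]
    # The last 8 bytes keep their order; each byte's two digits are swapped.
    tail = "".join(h[i + 1] + h[i] for i in range(16, 32, 2))
    return head + tail

def pack_guid(product_code):
    return _swap(product_code.strip("{}").replace("-", ""))

def unpack_guid(packed):
    h = _swap(packed)
    return "{%s-%s-%s-%s-%s}" % (h[0:8], h[8:12], h[12:16], h[16:20], h[20:32])

def find_references(reg_text, product_code):
    """Return (key, form) pairs for keys in a .reg export that mention the product."""
    guid = product_code.strip("{}").upper()
    needles = {"guid": guid, "packed": pack_guid(guid)}
    hits, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # key header line of a .reg export
        if current is None:
            continue
        for form, needle in needles.items():
            if needle in line.upper() and (current, form) not in hits:
                hits.append((current, form))
    return hits

# Constructed sample export (not taken from the machines in this thread).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09863DA9-7A9B-4430-9561-E04D178D7017}]
"DisplayName"="Sophos Anti-Virus"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9AD36890B9A7034459160ED471D80771\InstallProperties]
"DisplayName"="Sophos Anti-Virus"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unrelated]
"DisplayName"="Other Product"
"""

if __name__ == "__main__":
    for key, form in find_references(SAMPLE_REG, "{09863DA9-7A9B-4430-9561-E04D178D7017}"):
        print(form, key)
```

Exports written by regedit in the "Windows Registry Editor Version 5.00" format are UTF-16, so read a real file with `encoding="utf-16"` before passing its text to `find_references`.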

  • Hi Christian

    I searched on both 09863DA9-7A9B-4430-9561-E04D178D7017 and 9AD36890B9A7034459160ED471D80771 and came up with nothing.

    Yes, because Sophos no longer supports AV for XP-Pro (and AVAST do) I am migrating all our network to AVAST.  Installing AVAST while there are any remnants of SOPHOS around causes issues.  After this current XP machine I still have one further machine on XP and then one on Windows 10 to go.

    Am I correct in thinking (given the timing of your replies) that you are in the UK?  I am very pleased that we are making some progress - one machine done and 3 to go - but it is slow progress!!  Thank you for hanging in with this.

    Paul

  • Christian

    Well having played around a bit with msconfig and regedit I have got rid of everything now except SavShellExt.dll in C:\Program Files\Sophos\Sophos Anti-Virus.

    When I try to delete this file I get the message

    Cannot delete SavShellExt.dll Access is denied

    Presumably because the file is still getting loaded somehow or other.

    How do I proceed please?

    Thanks

  • Hello Paul,

    not U.K., Austria, Vienna.

    SavShellExt.dll is a shell extension (there are several references in the registry), loaded by Explorer when you right-click to get the context menu. You can delete it after the login provided you don't open the context menu. The Sysinternals MoveFile utility lets you schedule the deletion.  

    Christian

  • Well thank you anyway Christian and Guten Tag!

    Am trying the Move and rebooting.

  • So I wrote the following bat file:
    C:\Documents_and_Settings\Paul\My_Documents\Downloads\pendmoves.exe C:\Program_Files\Sophos\Sophos_Anti-Virus\SavShellExt.dll DELETE

    and ran it and I got the reply from CMD The system cannot find the path specified.

    What did I do wrong please?  Microsoft webpage was not helpful.

    Paul

  • Hello Paul,

    did you indeed use underscores? Normally you'd put a path with special characters like blank between double quotes like this: "C:\Documents and Settings\Paul\My Documents\Downloads\pendmoves.exe". Same for the DLL of course.

    Christian 

  • I removed the underscores and reran it and got back C: Documents is not recognized as an internal or external command.

    I used the " " and got The system cannot find the path specified.

  • Hello Paul,

    with blanks in both the command's and the target's path it's "\path to\command.exe" "\path to\the target" parameter. Cannot find the path suggests that either you didn't put quotes around the full path of the DLL or it isn't there.

    Christian