Hi Guys,
Have an issue with an endpoint not showing up in Sophos, tried running an update but the machine is not showing up.
I cannot re-install the agent as tamper protection has gone through already to the device, but because I cannot see it in the portal this cannot be disabled.
I have tried booting up with it on power, I have tried running update but no luck.
Kind regards
Lee
Does the computer have an identity yet?
If you look under the 'persist' folder at the client (\programdata\sophos\management communication system\endpoint\persist\) there is an endpointidentity text file which has the unique ID of the endpoint.
If you look at the Computers view in Central, i.e. https://cloud.sophos.com/manage/devices/computers/all/computers, when you click on a computer, the URL changes to something like: https://cloud.sophos.com/manage/devices/computers/fe573325-47a5-f489-aa1e-65776c2158ac/summary. The unique ID part should be the same as the endpoint. You could just log in and construct the URL as above based on the identity ID at the client if it has one.
Beyond that, the mcsclient log (\programdata\sophos\management communication system\endpoint\logs\) would be the best place to start looking for errors as it's the mcsclient.exe process that talks to Central. You should see the registration take place and the http requests.
Regards,
Jak
Hi Lee,
Any update on this issue?
Thanks and Regards
Aditya Patel
I'm having the same issue. You can't even get to the EndPoint folder because the security permissions are locked down (i.e. access denied to this folder) until you disable tamper protection. So how are we expected to get these types of issues complete if we can't access anything to do so?
Tried this and it worked for me:
PHASE1:
To recover a tamper protected system, you must disable Enhanced Tamper Protection.
Do the following:
Boot the system into Safe Mode.
Click Start > Run and type regedit and then click OK.
Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
Set the following DWORD values to 0: SAVEnabled and SEDEnabled
Reboot the system in normal mode.
Taken from Article 124377
PHASE 2
Then I went to uninstall and got an uninstall error so I created a batch file with the following:
net stop "Sophos Anti-Virus"
net stop "Sophos AutoUpdate Service"
:Sophos AutoUpdate
MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress
MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress
MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress
:Sophos Anti-Virus (Endpoint)
MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress
MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress
:Sophos Anti-Virus (Server)
MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress
:Sophos System Protection
MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress
:Sophos Network Threat Protection
MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress
:Sophos Health
MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress
MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress
:SDU (1.x)
MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress
:Heartbeat
MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress
:Sophos Management Communications System
MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress
MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress
MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress
MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress
Run that
PHASE 3:
It was still showing up in the Control Panel/Uninstall Programs which prevented installation again. Run Microsoft's fix it:
https://support.microsoft.com/en-us/help/17588/fix-problems-that-block-programs-from-being-installed-or-removed
Choose Sophos and uninstall.
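A read-only check of the registry values named in Phase 1 above, as an added example that is not part of the original post or any Sophos tooling: it reports whether the MCS Agent service is set to disabled and whether the two tamper-protection flags are off, which helps confirm the state after a recovery and spot the same change on a machine where nobody authorized it. The function name Get-SophosTamperState is hypothetical; the registry paths and value names are the ones quoted in the post.

```powershell
# Added example (not from the original thread). Reads only; changes nothing.
function Get-SophosTamperState {
    # Paths and value names as quoted in the post; FlagWhen is the value
    # the recovery steps set (Start = 4 is "disabled" for a Windows service).
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
           Name = 'Start';      FlagWhen = 4; Meaning = 'MCS Agent service disabled' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
           Name = 'SAVEnabled'; FlagWhen = 0; Meaning = 'SAVEnabled tamper flag off' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
           Name = 'SEDEnabled'; FlagWhen = 0; Meaning = 'SEDEnabled tamper flag off' }
    )

    foreach ($c in $checks) {
        $value  = $null
        $status = 'OK'
        $detail = ''
        try {
            $value = Get-ItemPropertyValue -Path $c.Path -Name $c.Name -ErrorAction Stop
            if ($value -eq $c.FlagWhen) {
                $status = 'FLAG'
                $detail = $c.Meaning
            }
        }
        catch {
            # Key or value absent (product not installed, already removed)
            # or not readable by the current account.
            $status = 'UNREADABLE'
            $detail = $_.Exception.Message
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $c.Name
            Data     = $value
            Status   = $status
            Detail   = $detail
        }
    }
}

# Run from an elevated prompt; any FLAG row means protection is switched off locally.
Get-SophosTamperState | Format-Table -AutoSize -Wrap
```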
In reply to Kyle Bigelow:
Hi Kyle,
Thank you for posting such detailed steps to remove Endpoint from your Windows system.
Aditya Patel | Network and Security Engineer.
I managed to find the following fix:
1: Open services.msc
2: Stop Sophos Anti-Virus
3: Open Notepad as admin
4: Open C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml
5: Find the below and change xxxxxxxxx to E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73
</DeviceControlManager> <TamperProtectionManagement><settings> <password>xxxxxxxxx</password><enabled>true</enabled></settings> </TamperProtectionManagement>
6: Start Sophos Anti-Virus
7: Open Sophos and the password will be password