Unable to Remove Sophos AV for Mac

When trying to remove Sophos from my Mac, something called "usr/bin/sweep" is preventing the removal process from completing successfully. Here is my install.log from Console.app:


Dec 20 18:07:53 Mario Sophos Installer[588]: [SMEInstallController.m:217] Force removing (null) version (null)
Dec 20 18:07:53 Mario Sophos Installer[588]: [SMEInstallController.m:530] The detected "damaged-installation" product will be force removed.
Dec 20 18:07:53 Mario Sophos Installer[588]: [SMEProcessStopStrategy.m:190] Service Manager failed while stopping managed daemons (
        "com.sophos.devicecontrol",
        "com.sophos.configuration",
        "com.sophos.sxld",
        "com.sophos.mcs",
        "com.sophos.scan",
        "com.sophos.webd",
        "com.sophos.notification",
        "com.sophos.intercheck",
        "com.sophos.autoupdate",
        "com.sophos.managementagent",
        "com.sophos.messagerouter"
    ).
Dec 20 18:07:54 Mario Sophos Installer[588]: [SMEAggregateInstallStrategy.m:71] "forceRemove.productRemoval.stopProcesses" success: YES
Dec 20 18:07:54 Mario Sophos Installer[588]: [SMERemoveFilesStrategy.m:281] Unable to remove /usr/bin/sweep. Error Domain=NSCocoaErrorDomain Code=513 "“sweep” couldn’t be removed because you don’t have permission to access it." UserInfo={NSFilePath=/usr/bin/sweep, NSUserStringVariant=(
        Remove
    ), NSUnderlyingError=0x7f8bd8f21290 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}}
Dec 20 18:07:54 Mario Sophos Installer[588]: [SMEAggregateInstallStrategy.m:71] "forceRemove.productRemoval.removeComponents" success: NO
Dec 20 18:07:54 Mario Sophos Installer[588]: [SMEInstallController.m:562] "forceRemove" success: NO

Any ideas? I've tried dropping down to Single-user mode and running the removal process from the command line to no avail. I am running Mac OS 10.11.3. I probably should have removed Sophos prior to upgrading, but it's a bit late for that now.


My ultimate goal is to install the latest version of Sophos, which I can't do.

  • Sophos Anti-Virus for Macintosh Home Edition was updated to version 9.4 before El Capitan was released to accommodate the System Integrity Protection (AKA rootless) feature of El Capitan which does not allow non-Apple files in /usr/bin.

    In that update the sweep utility and its man page were moved from /usr/bin/sweep and /usr/share/man/man1/sweep.1 to /usr/local/bin/sweep and /usr/local/share/man/man1/sweep.1

    It appears that your Mac was upgraded to El Capitan with a version prior to 9.4.

    To fix this you will need to disable System Integrity Protection, delete the sweep executable and its man page and then re-enable System Integrity Protection. Enabling and disabling System Integrity Protection requires booting into recovery mode.

    The detailed steps to do this are:

    1. Reboot your Mac into Recovery Mode by restarting your computer and holding down Command+R until the Apple logo appears on your screen.

    2. In the OSX Utilities application, select the "Utilities -> Terminal" menu item.

    3. In the Terminal window, type "csrutil disable" (without the quotes) and press Enter.

    4. Restart your Mac.

    5. Open the /Applications/Utilities/Terminal application.

    6. Type "sudo rm /usr/bin/sweep" (without quotes) and press Enter. Type your administrator password at the prompt and press Enter.

    7. Type "sudo rm /usr/share/man/man1/sweep.1" (without quotes) and press Enter.

    8. Reboot your Mac into Recovery Mode by restarting your computer and holding down Command+R until the Apple logo appears on your screen.

    9. In the OSX Utilities application, select the "Utilities -> Terminal" menu item.

    10. In the Terminal window, type "csrutil enable" (without the quotes) and press Enter.

    11. Restart your Mac.

    12. Run the latest Sophos Anti-Virus for Macintosh Home Edition installer.

    This will leave you with the latest version of Sophos Anti-Virus for Macintosh Home Edition installed.

    The Apple page describing System Integrity Protection can be found at: support.apple.com/.../HT204899
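A read-only pre-flight check for the situation described in the answer above, added here as an example (it is not Sophos or Apple code). It lists the files the installer failed to remove and the pre-9.4 leftovers, and says whether each sits in a SIP-protected location; the function names and the abridged sample log line are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read-only check, it deletes nothing.

# Paths used by installers older than 9.4, as named in the answer above.
LEGACY_PATHS="/usr/bin/sweep /usr/share/man/man1/sweep.1"

# is_sip_protected PATH -> exit 0 if PATH lies in a location SIP guards.
# /usr/local is the exception under /usr.
is_sip_protected() {
    case "$1" in
        /usr/local/*) return 1 ;;
        /System/*|/usr/*|/bin/*|/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# failed_removals LOGFILE -> prints each path the installer could not remove.
# Limitation: paths containing spaces are not matched.
failed_removals() {
    sed -n 's|.*Unable to remove \(/[^ ]*\)\. Error Domain.*|\1|p' "$1"
}

# legacy_leftovers ROOT -> prints legacy paths still present under ROOT
# (ROOT is "" for the live system, or a scratch directory when testing).
legacy_leftovers() {
    for p in $LEGACY_PATHS; do
        [ -e "$1$p" ] && echo "$p"
    done
    return 0
}

# report LOGFILE ROOT -> one line per blocking file, with the reason.
report() {
    { failed_removals "$1"; legacy_leftovers "$2"; } | sort -u |
    while read -r path; do
        if is_sip_protected "$path"; then
            echo "SIP-protected: $path"
        else
            echo "other: $path"
        fi
    done
}

# Sample input: one line abridged from the install.log in the question.
sample_log() {
cat <<'EOF'
Dec 20 18:07:54 Mario Sophos Installer[588]: [SMERemoveFilesStrategy.m:281] Unable to remove /usr/bin/sweep. Error Domain=NSCocoaErrorDomain Code=513
EOF
}
```

On the affected Mac, `report /var/log/install.log ""` would be the call, assuming the installer log is at that path. `csrutil status` shows whether System Integrity Protection is currently enabled, which is worth confirming again after step 11.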

  • In reply to WillVoth:

    This did not work. I still have Sophos extension in my Finder menu and am constantly getting the attached message.

    I can only at this point assume this software is a scam and now need to reformat my computer to remove Sophos entirely.

    I should also mention Sophos has resulted in Apple Mail crashing multiple times.

     

     

  • In reply to T Reade:

    Did you use the "Remove Sophos Endpoint" application in the "Applications" folder?

    Do you still have a copy of the "Remove Sophos Endpoint" application?

    Do you have the "/Library/Sophos Anti-Virus" directory on your Mac? You can find this by opening the Finder and pressing the key combination "command-shift-G" and then typing "/Library" into the "Go to the folder:" sheet in the Finder.

    The following page has a link to the removal tool and instructions on how to use it. It also has additional instructions if you continue to have problems.

    community.sophos.com/.../121206