Tamper Protect - Admin Logon button missing

I have a broken install of Sophos on a DC. I can't disable Tamper Protect from the Central so need to do this locally on the servers, but there is no Admin Logon option on the Client UI.

What do I need to do to either make this appear, or run the process that pops up the dialog to enter the Tamper Protect password?

I can't go down the route of safe boot and disabling services, as this is a remote server (8000 miles away) that I have no console access to.

  • Hi Jeremy,

    This article contains the different ways you can turn off Tamper Protection.  If the computer cannot communicate with Central, you will need to follow the SafeMode steps in order to disable tamper protection.
    Perhaps some remote tools may allow you to reboot a host on Safe-mode with networking, an online search may bring up further information. 

    However, before we go that route, can you provide more details regarding what's broken? Are you receiving Central Alerts? Are there missing services?
    If you could provide more information, we will review it and see if we can come up with additional troubleshooting steps.


    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.


  • The server appears to be talking to Sophos Central, though the information is not accurate: it thinks all the services are missing. There appear to be multiple or incorrect versions of software installed; all services appear in place, but no updating is working. The only way I can get the client UI to work is to stop the MCS Agent service. Once in the UI everything works, except there is no Admin Login button. With Tamper Protect on, obviously I can't make any changes or remediate the install.

    Safe mode relies on a local low-tech person carrying out specific instructions, which is fraught with stress and grief, and requires downtime on the Domain Controller, which also does DHCP.

    I was hoping there was some way to force the client to offer the Admin Login button, or to initiate the process behind that button some other way so that I could enter the tamper password, or even put it in a config file or registry somewhere.

  • Hi Jeremy,

    The only ways to disable tamper protection are the ones I provided in my previous response. The articles show different ways to accomplish this via Central, or via the endpoint (either via the UI, if functional, or via SafeMode).

    I would recommend that you ensure the server has access to the required ports and URLs to update, and try to force a Sophos update on it to see if that has any effect. Also, try disabling Tamper Protection via Central as explained above.

    From what you have described, this may be a corrupted installation and you will have to follow the steps to disable tamper protection via SafeMode to proceed, but checking access and triggering an update may be worth a try.


    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.


  • I have a machine that has the same issue. It's an 8-hour drive each way to get there. How do you suggest I put it into safe mode to fix it? Go onsite. Great solution, Sophos!

    I'd really like to see Sophos do something about how difficult Endpoints are to manage. Yesterday and the day before I had to work with a client to disable tamper protection and remove Sophos Endpoint Security on 25 computers (macOS). They don't even want to re-install. I have a client that had 127 endpoints missing in Central. They are only 2.5 hours from my office. Could you imagine the overhead of driving onsite and going machine to machine during school hours? What a nightmare, but Sophos had no solution other than to put the machines in safe mode and disable tamper protection.

    I already hate XGs after working on them for 3 years, but now I'm starting to hate Endpoint.


    So my solution is this, with Kaseya RMM. It can be done with any RMM tool, I suspect. If you don't have an RMM solution, you are kind of hosed.

    Two scripts. 


    Script 1

    Verify client (or not for a generic)

    Load a variable and check it, looking at the file that contains the Sophos Management Communications Customer Identifier (this can be skipped for a generic removal; I like the safety of it).

    Execute a procedure (my second one): it writes a batch file to c:\temp on the target machine. This batch file is used with Non-Sucking Service Manager to create a service that runs a batch file.

    Copy NSSM.txt over to the computer.


    Execute shell command ("c:\krmmwork\bin\nssm install SPSToken "c:\windows\system32\cmd.exe" /C C:\krmmwork\turnofftamperpro.bat","Execute as system in 64 bit shell","All OS","halt on fail")

    pause 10 seconds

    Write to the registry so the service starts in safe mode.

    Execute a safe-mode reboot ON script (came from MSPBuilder).

    Reboot

    The batch file that is executed is the second procedure.

    It writes out all the items to a batch file (I did it this way because it's easier to edit and re-execute).


    The "Safemode on" script uses bcdedit to set safeboot network, set bootlog yes, set sos on, and set quietboot on.


    I've pasted the XML from my Kaseya scripts below. I cannot share the one from MSPBuilder as it is theirs, but it's pretty easy to do.

    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns="www.kaseya.com/.../Scripting">
      <Procedure name="1 - Disable Tamper Protection on mismatch" treePres="3" id="841540452" folderId="700047816801838" treeFullPath="InfoSys Procedures.Endpoint Protection.Generic Sophos Endpoint - Safe Mode Disable Tamper Protection">
        <Body description="">
          <Statement description="David Sain&#xD;&#xA;Check the Machine Group to ensure it's Sheridan Workstations" name="GetVariable" continueOnFail="false">
            <Parameter xsi:type="EnumParameter" name="VariableType" value="MachineGroupID" />
            <Parameter xsi:type="StringParameter" name="SourceContent" value="" />
            <Parameter xsi:type="StringParameter" name="VariableName" value="MGID" />
          </Statement>
          <If description="">
            <Condition name="CheckVariable">
              <Parameter xsi:type="StringParameter" name="VariableName" value="#MGID#" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="Contains" />
              <Parameter xsi:type="StringParameter" name="Value" value="sama" />
            </Condition>
            <Then>
              <Statement description="Reads the Token from the CustomerIdentifier file to a variable" name="GetVariable" continueOnFail="false">
                <Parameter xsi:type="EnumParameter" name="VariableType" value="FileContent" />
                <Parameter xsi:type="StringParameter" name="SourceContent" value="C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\CustomerIdentifier.txt" />
                <Parameter xsi:type="StringParameter" name="VariableName" value="CustomerIdentifier" />
              </Statement>
              <If description="">
                <Condition name="CheckVariable">
                  <Parameter xsi:type="StringParameter" name="VariableName" value="#CustomerIdentifier#" />
                  <Parameter xsi:type="EnumParameter" name="Condition" value="NotEquals" />
                  <Parameter xsi:type="StringParameter" name="Value" value="987909fb-1780-4848-bfdd-0b5b11fb5b44" />
                </Condition>
                <Then>
                  <Statement description="Write the Batch File to our working folder" name="ExecuteScript" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="ScriptID" value="586523495" />
                    <Parameter xsi:type="StringParameter" name="ScriptName" value="2 - WriteTamperProtectionBatch" />
                    <Parameter xsi:type="StringParameter" name="TimeDelay" value="" />
                    <Parameter xsi:type="EnumParameter" name="TimeUnit" value="Immediate" />
                  </Statement>
                  <If description="">
                    <Condition name="Windows 32 or 64 Bit Check">
                      <Parameter xsi:type="EnumParameter" name="Condition" value="NotExists" />
                    </Condition>
                    <Then>
                      <Statement name="WriteFile" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="Path" value="c:\krmmwork\bin\nssm.exe" />
                        <Parameter xsi:type="StringParameter" name="ManagedFile" value="VSASharedFiles\NSSM\x86\nssm.exe" />
                        <Parameter xsi:type="BooleanParameter" name="DeleteAfter" value="False" />
                      </Statement>
                    </Then>
                  </If>
                  <If description="">
                    <Condition name="Windows 32 or 64 Bit Check">
                      <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />
                    </Condition>
                    <Then>
                      <Statement name="WriteFile" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="Path" value="c:\krmmwork\bin\nssm.exe" />
                        <Parameter xsi:type="StringParameter" name="ManagedFile" value="VSASharedFiles\NSSM\x64\nssm.exe" />
                        <Parameter xsi:type="BooleanParameter" name="DeleteAfter" value="False" />
                      </Statement>
                    </Then>
                  </If>
                  <Statement description="Create a service that runs a batch file" name="ExecuteShellCommand" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Command" value="c:\krmmwork\bin\nssm install SPSToken &quot;c:\windows\system32\cmd.exe&quot; /C C:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
                    <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                    <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="True" />
                  </Statement>
                  <Statement name="PauseScript" continueOnFail="false">
                    <Parameter xsi:type="IntegerParameter" name="Seconds" value="10" />
                  </Statement>
                  <If description="">
                    <Condition name="Windows 32 or 64 Bit Check">
                      <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />
                    </Condition>
                    <Then>
                      <Statement description="Overwrite some of the settings from NSSM to allow the batch file to execute as a service" name="SetRegistryValue64" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPSToken\ImagePath\" />
                        <Parameter xsi:type="StringParameter" name="Value" value="&quot;c:\krmmwork\bin\nssm.exe&quot;" />
                        <Parameter xsi:type="EnumParameter" name="DataType" value="ExpandString" />
                      </Statement>
                      <Statement name="SetRegistryValue64" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPSToken\Parameters\Application\" />
                        <Parameter xsi:type="StringParameter" name="Value" value="%systemroot%\system32\cmd.exe" />
                        <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
                      </Statement>
                      <Statement name="SetRegistryValue64" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPSToken\Parameters\\AppParameters" />
                        <Parameter xsi:type="StringParameter" name="Value" value="&quot;/C C:\KRMMwork\SPS_TurnOffTamperProtection.bat&quot;" />
                        <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
                      </Statement>
                      <Statement description="Enable the service for running in Safe mode" name="SetRegistryValue64" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SPSToken\" />
                        <Parameter xsi:type="StringParameter" name="Value" value="Service" />
                        <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
                      </Statement>
                      <Statement name="SetRegistryValue64" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SPSToken\" />
                        <Parameter xsi:type="StringParameter" name="Value" value="Service" />
                        <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
                      </Statement>
                    </Then>
                  </If>
                  <If description="">
                    <Condition name="Windows 32 or 64 Bit Check">
                      <Parameter xsi:type="EnumParameter" name="Condition" value="NotExists" />
                    </Condition>
                    <Then>
                      <Statement description="Overwrite some of the settings from NSSM to allow the batch file to execute as a service" name="SetRegistryValue" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPSToken\ImagePath\" />
                        <Parameter xsi:type="StringParameter" name="Value" value="&quot;c:\krmmwork\bin\nssm.exe&quot;" />
                        <Parameter xsi:type="EnumParameter" name="DataType" value="ExpandString" />
                      </Statement>
                      <Statement name="SetRegistryValue" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPSToken\Parameters\Application\" />
                        <Parameter xsi:type="StringParameter" name="Value" value="%systemroot%\system32\cmd.exe" />
                        <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
                      </Statement>
                      <Statement name="SetRegistryValue" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPSToken\Parameters\\AppParameters" />
                        <Parameter xsi:type="StringParameter" name="Value" value="&quot;/C C:\KRMMwork\SPS_TurnOffTamperProtection.bat&quot;" />
                        <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
                      </Statement>
                      <Statement description="Enable the service for running in Safe mode" name="SetRegistryValue" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SPSToken\" />
                        <Parameter xsi:type="StringParameter" name="Value" value="Service" />
                        <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
                      </Statement>
                      <Statement name="SetRegistryValue" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SPSToken\" />
                        <Parameter xsi:type="StringParameter" name="Value" value="Service" />
                        <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
                      </Statement>
                    </Then>
                  </If>
                  <Statement description="Reboots in Safe Mode.  The batch file executes, disables Tamper protection and reboots back to standard mode" name="ExecuteScript" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="ScriptID" value="346308920" />
                    <Parameter xsi:type="StringParameter" name="ScriptName" value="Safe Mode Reboot On (Vista/7/2008/8/2012)" />
                    <Parameter xsi:type="StringParameter" name="TimeDelay" value="" />
                    <Parameter xsi:type="EnumParameter" name="TimeUnit" value="Immediate" />
                  </Statement>
                  <Statement name="Reboot" continueOnFail="false" />
                  <Statement description="Pauses to allow time for the reboot to complete" name="ExecuteScript" continueOnFail="false" osType="None">
                    <Parameter xsi:type="StringParameter" name="ScriptID" value="497988846" />
                    <Parameter xsi:type="StringParameter" name="ScriptName" value="Pause5Minutes" />
                    <Parameter xsi:type="StringParameter" name="TimeDelay" value="" />
                    <Parameter xsi:type="EnumParameter" name="TimeUnit" value="Immediate" />
                  </Statement>
                  <Statement name="DeleteFile" continueOnFail="false" osType="None">
                    <Parameter xsi:type="StringParameter" name="Path" value="C:\KRMMwork\SPSTPclean.bat" />
                  </Statement>
                  <Statement description="Reinstall correct Sophos Endpoint" name="ExecuteScript" continueOnFail="false" osType="None">
                    <Parameter xsi:type="StringParameter" name="ScriptID" value="636091414" />
                    <Parameter xsi:type="StringParameter" name="ScriptName" value="Remove Endpoint - tamper protection disabled" />
                    <Parameter xsi:type="StringParameter" name="TimeDelay" value="" />
                    <Parameter xsi:type="EnumParameter" name="TimeUnit" value="Immediate" />
                  </Statement>
                  <Statement name="Reboot" continueOnFail="false" osType="None" />
                  <Statement name="ExecuteScript" continueOnFail="false" osType="None">
                    <Parameter xsi:type="StringParameter" name="ScriptID" value="2035847271" />
                    <Parameter xsi:type="StringParameter" name="ScriptName" value="SAMA - Sophos Endpoint Install" />
                    <Parameter xsi:type="StringParameter" name="TimeDelay" value="2" />
                    <Parameter xsi:type="EnumParameter" name="TimeUnit" value="Minutes" />
                  </Statement>
                </Then>
              </If>
            </Then>
          </If>
        </Body>
      </Procedure>
    </ScriptExport>

    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns="www.kaseya.com/.../Scripting">
      <Procedure name="2 - WriteTamperProtectionBatch" treePres="3" id="540013387" folderId="700047816801838" treeFullPath="InfoSys Procedures.Endpoint Protection.Generic Sophos Endpoint - Safe Mode Disable Tamper Protection">
        <Body description="">
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="del c:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="C:\KRMMwork\SPSTPclean.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="True" />
          </Statement>
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="shutdown /r /t 0" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="C:\KRMMwork\SPSTPclean.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="False" />
          </Statement>
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="bcdedit /deletevalue safeboot" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="c:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="True" />
          </Statement>
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="REG ADD &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVService&quot; /t REG_DWORD /v Start /d 0x00000004 /f" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="c:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="False" />
          </Statement>
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="REG ADD &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent&quot; /t REG_DWORD /v Start /d 0x00000004 /f" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="c:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="False" />
          </Statement>
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="REG ADD &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config&quot; /t REG_DWORD /v SAVEnabled /d 0 /f" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="c:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="False" />
          </Statement>
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="REG ADD &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config&quot; /t REG_DWORD /v SEDEnabled /d 0 /f" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="c:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="False" />
          </Statement>
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="REG ADD &quot;HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection&quot; /t REG_DWORD /v Enabled /d 0 /f" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="c:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="False" />
          </Statement>
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="sc delete SPSToken" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="c:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="False" />
          </Statement>
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="fsutil file createnew c:\krmmwork\tamperdisabled.txt 256" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="c:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="False" />
          </Statement>
          <Statement name="Write text to file" continueOnFail="false">
            <Parameter xsi:type="StringParameter" name="Parameter1" value="call C:\KRMMwork\SPSTPclean.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter2" value="c:\KRMMwork\SPS_TurnOffTamperProtection.bat" />
            <Parameter xsi:type="StringParameter" name="Parameter3" value="False" />
          </Statement>
        </Body>
      </Procedure>
    </ScriptExport>
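
From the monitoring side, the procedure above leaves a distinctive registry trail: a new service registered under Control\SafeBoot\Minimal or \Network, Sophos services set to Start=4, and the TamperProtection Config values written to 0. The script below is an added example (not code from this thread, from Sophos, or from Kaseya) that classifies Sysmon-style "registry value set" records against exactly those paths and then checks whether a Safe-Mode service registration and a tamper-protection-off write occur close together, which is the combination a rebooted bypass produces. The record field names (`ts`, `image`, `target`, `data`), the sample events and the `C:\rmm\agent.exe` path are constructed assumptions; the registry paths come from the posted scripts.

```python
"""Flag the registry writes of a Safe-Mode tamper-protection bypass in Sysmon-style events."""
import re
from dataclasses import dataclass
from datetime import datetime

# Sophos services the posted batch file sets to Start=4 (lower-cased for matching).
SOPHOS_SERVICES = {"savservice", "sophos mcs agent"}
SERVICE_DISABLED = 4  # value of Services\<name>\Start that disables a service

# Target paths are matched case-insensitively on their tail, the way Sysmon renders them.
_SAFEBOOT = re.compile(r"\\control\\safeboot\\(minimal|network)\\([^\\]+)(?:\\\(default\))?$", re.I)
_SVC_START = re.compile(r"\\services\\([^\\]+)\\start$", re.I)
_TP_CONFIG = re.compile(r"\\sophos endpoint defense\\tamperprotection\\config\\(savenabled|sedenabled)$", re.I)
_TP_LEGACY = re.compile(r"\\sophos\\savservice\\tamperprotection\\enabled$", re.I)


@dataclass(frozen=True)
class Finding:
    ts: str
    rule: str
    target: str
    image: str


def _as_int(data):
    """Parse Sysmon's 'DWORD (0x00000004)' rendering, or a plain integer; None otherwise."""
    m = re.search(r"0x([0-9a-f]+)", data, re.I)
    if m:
        return int(m.group(1), 16)
    return int(data) if data.strip().isdigit() else None


def classify(target, data=""):
    """Return the rule a registry-value-set event matches, or None if it looks benign."""
    m = _SAFEBOOT.search(target)
    if m:
        # A service registered to start in Safe Mode, where the normal protection
        # services are not loaded; this is what makes the later writes possible.
        return f"safeboot-service:{m.group(2)}"
    m = _SVC_START.search(target)
    if m and m.group(1).lower() in SOPHOS_SERVICES and _as_int(data) == SERVICE_DISABLED:
        return f"sophos-service-disabled:{m.group(1)}"
    m = _TP_CONFIG.search(target)
    if m and _as_int(data) == 0:
        return f"tamper-protection-off:{m.group(1)}"
    if _TP_LEGACY.search(target) and _as_int(data) == 0:
        return "tamper-protection-off:Enabled"
    return None


def scan(events):
    """Run classify() over event dicts and keep the hits in event order."""
    findings = []
    for e in events:
        rule = classify(e["target"], e.get("data", ""))
        if rule:
            findings.append(Finding(e["ts"], rule, e["target"], e["image"]))
    return findings


def correlated(findings, window_seconds=600):
    """True when a Safe-Mode service registration and a tamper-protection-off write
    fall within window_seconds of each other. The registration happens before the
    reboot and the writes after it, so the window has to span the reboot."""
    boot = [datetime.fromisoformat(f.ts) for f in findings if f.rule.startswith("safeboot-service:")]
    off = [datetime.fromisoformat(f.ts) for f in findings if f.rule.startswith("tamper-protection-off:")]
    return any(abs((a - b).total_seconds()) <= window_seconds for a in boot for b in off)


# Constructed sample events in the shape of Sysmon Event ID 13 (RegistryEvent, value set).
# Timestamps, images and the C:\rmm\agent.exe path are made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2023-01-01T10:00:01", "image": r"C:\rmm\agent.exe",
     "target": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SPSToken\(Default)", "data": "Service"},
    {"ts": "2023-01-01T10:03:30", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\SAVService\Start", "data": "DWORD (0x00000004)"},
    {"ts": "2023-01-01T10:03:31", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled",
     "data": "DWORD (0x00000000)"},
    {"ts": "2023-01-01T10:03:32", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection\Enabled", "data": "DWORD (0x00000000)"},
    # Benign noise: an unrelated service disabled, and a Sophos service set back to auto-start.
    {"ts": "2023-01-01T10:05:00", "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\Spooler\Start", "data": "DWORD (0x00000004)"},
    {"ts": "2023-01-01T10:06:00", "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\SAVService\Start", "data": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts}  {f.rule:40}  {f.image}")
    print("correlated bypass sequence:", correlated(hits))
```

On the sample data the four Sophos-related writes are flagged and the two benign ones are not; the correlation passes with the default ten-minute window and fails with a one-minute window, because the Safe-Mode registration and the post-reboot writes are a few minutes apart. A single Start=4 on a Sophos service is also what a legitimate uninstall produces, so the paired signal (Safe-Mode registration plus tamper-protection write) is the one worth paging on.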

  • If it's Central managed, what is wrong with SEDCLi.exe, presumably the password in Central is the right one?

    Jak

  • Apparently Sophos won't let me run SEDCLI.exe

    Probably need to turn off tamper protect first...

  • Hi  

    You need to run SEDcli.exe from an elevated command prompt. But it might not run without disabling tamper protection, as tamper protection will not allow it to alter any of the configuration files, registry or services.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support Videos  |  Knowledge Base  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Sophos Support had no idea there is a SEDcli.exe in the various times we've called them.


    That's comforting...

  • SEDCli.exe is installed with the Endpoint Defense component.  It should be here:

    Regards,

    Jak