This discussion has been locked.

Complete Removal of Sophos - swi_service.exe still remains

Hi,

I'm trying to completely remove Sophos from some of our machines via batch script. We have disabled tamper protection on the relevant machines and I've gone through the registry to try and find all the keys. Just about everything removes cleanly except that the Web Intelligence Update service seems to remain. I have checked on the Sophos Enterprise Console and by default Web Control is turned off. On the computers that we are trying to remove Sophos from it reports Web Control as being inactive.

The following folder also still remains and contains 4 dll files, 2 of them hidden.

C:\Program Files (x86)\Sophos\Sophos Anti-Virus\

If I try to delete this folder via batch script I get access denied, even when run as administrator.

Does anyone know how to remove this last part of Sophos?

Script I am running is below

Thanks

Steve

 

net stop "savservice"
net stop "Sophos AutoUpdate Service"
"C:\program files\Sophos\Sophos Endpoint Agent\uninstall.exe"
:Sophos AutoUpdate
MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress
MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress
MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress
MsiExec.exe /qn /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} REBOOT=ReallySuppress
MsiExec.exe /qn /X{E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E} REBOOT=ReallySuppress
MsiExec.exe /qn /X{72E136F7-3751-422E-AC7A-1B2E46391909} REBOOT=ReallySuppress
:Sophos Anti-Virus (Endpoint)
MsiExec.exe /qn /X{6654537D-935E-41C0-A18A-C55C2BF77B7E} REBOOT=ReallySuppress
MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress
MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress
MsiExec.exe /qn /X{DFDA2077-95D0-4C5F-ACE7-41DA16639255} REBOOT=ReallySuppress
MsiExec.exe /qn /X{CA3CE456-B2D9-4812-8C69-17D6980432EF} REBOOT=ReallySuppress
MsiExec.exe /qn /X{CA524364-D9C5-4804-92DE-2800BDAC1AA4} REBOOT=ReallySuppress
MsiExec.exe /qn /X{3B998572-90A5-4D61-9022-00B288DD755D} REBOOT=ReallySuppress
MsiExec.exe /qn /X{4BAF6F55-FFE4-4A3A-8367-CC2EBB0F11C3} REBOOT=ReallySuppress
:Sophos Anti-Virus (Server)
MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress
MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress
MsiExec.exe /qn /X{2519A41E-5D7C-429B-B2DB-1E943927CB3D} REBOOT=ReallySuppress
:Sophos System Protection
MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress
MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress
:Sophos Network Threat Protection
MsiExec.exe /qn /X{604350BF-BE9A-4F79-B0EB-B1C22D889E2D} REBOOT=ReallySuppress
:Sophos Health
MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress
MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress
MsiExec.exe /qn /X{E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745} REBOOT=ReallySuppress
:SDU (1.x)
MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress
:Heartbeat
MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress
:Sophos Management Communications System
MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress
MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress
MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress
MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress
:UI
MsiExec.exe /qn /X{D29542AE-287C-42E4-AB28-3858E13C1A3E} REBOOT=ReallySuppress
:Sophos Endpoint Firewall
MsiExec.exe /qn /X{2831282D-8519-4910-B339-2302840ABEF3} REBOOT=ReallySuppress
:Sophos Endpoint Self Help
MsiExec.exe /qn /X{4EFCDD15-24A2-4D89-84A4-857D1BF68FA8} REBOOT=ReallySuppress
MsiExec.exe /qn /X{BB36D9C2-6AE5-4AB2-BC91-ECD247092BD8} REBOOT=ReallySuppress
:Sophos Lockdown
MsiExec.exe /qn /X{77F92E90-ED4F-4CFF-8F60-3E3E4AEB705C} REBOOT=ReallySuppress
:Sophos File Scanner

MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress
MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress
MsiExec.exe /qn /X{6AC29448-9612-4948-B790-822BE441E6D3} REBOOT=ReallySuppress
MsiExec.exe /qn /X{FED1005D-CBC8-45D5-A288-FFC7BB304121} REBOOT=ReallySuppress
MsiExec.exe /qn /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} REBOOT=ReallySuppress
"C:\Program Files\Sophos\Endpoint Defense\uninstall.exe" REBOOT=ReallySuppress

"C:\Program Files\Sophos\Sophos File Scanner\Uninstall.exe"
:Sophos Standalone Engine
"C:\Program Files\Sophos\Sophos Standalone Engine\uninstall.exe"
:Sophos ML Engine
"C:\Program Files\Sophos\Sophos ML Engine\uninstall.exe"
:Sophos Endpoint Agent 2.0.0
"C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallgui.exe"
:SophosClean
"C:\Program Files\Sophos\Clean\uninstall.exe"
:Sophos Clean 3.8.3.1
"C:\Program Files (x86)\Sophos\Clean\uninstall.exe"
:SED
"C:\Program Files\Sophos\Endpoint Defense\uninstall.exe"
:HMPA (managed)
"C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /uninstall /quiet
:HMPA 1.0.0.699
"C:\Program Files (x86)\HitmanPro.Alert\uninstall.exe"
:HMPA 3.7.14.265
"C:\Program Files\HitmanPro\HitmanPro.exe" /uninstall /quiet



  • Hello Stephen Baker,

    Can you please clarify which Sophos version you are trying to remove? (This is the Sophos Central forum, but I have noticed you mentioned the Enterprise Console, so I want to ensure we are providing assistance for the right program.)

    This KB article contains steps regarding how to delete the swi_service.

    If you are using SEC, please have a look at this article
    How to uninstall Sophos Endpoint Security and Control from the command line or with a batch file

    If you are removing Sophos Central instead, please use this batch file

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

     

  • Can you check the first command.  Does that file exist?

    C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallcli.exe

    Exists for me.

    Also, have you tried rebooting after the install?

    I think the Sophos Web Intelligence update service (Win 7 / 2008 and 2008R2 only) removes itself on startup based on the swiupdateaction registry value under: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Web Intelligence\

    The update service is responsible for removing the LSP from Winsock, and it's only really safe to do that early on the next restart, which is when the update service runs and then deletes itself on uninstall.

    As for the other files, they are probably loaded into modules; you may need to restart twice to ensure no process loads them so they can be removed. To be totally sure no processes are loading modules, 2 restarts may be required.

    Regards,
    Jak
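
A read-only check of the state described in the reply above, to run from an elevated PowerShell prompt before and after each restart. This is an added example, not part of the thread and not Sophos tooling. The folder, registry key and swiupdateaction value name are the ones quoted in the posts; the PendingFileRenameOperations lookup is an addition based on standard Windows behaviour.

```powershell
# Added diagnostic: reports only, changes nothing.
# Paths and the swiupdateaction value name are taken from the posts above.
$savDir = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus'
$swiKey = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Web Intelligence'

# 1. Services whose binary still lives under a Sophos folder.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*\Sophos\*' } |
    Select-Object Name, State, StartMode, PathName

# 2. The registry value the update service is said to act on at startup.
$swi = Get-ItemProperty -Path $swiKey -Name swiupdateaction -ErrorAction SilentlyContinue
if ($swi) { "swiupdateaction = $($swi.swiupdateaction)" }
else      { "swiupdateaction not present under $swiKey" }

# 3. Leftover files, including hidden ones (-Force).
Get-ChildItem -LiteralPath $savDir -File -Force -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Attributes

# 4. Processes that still have one of those files loaded as a module.
$holders = foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }   # some system processes deny access
    foreach ($m in $mods) {
        if ($m.FileName -like "$savDir\*") {
            [pscustomobject]@{ Process = $p.ProcessName; Id = $p.Id; Module = $m.FileName }
        }
    }
}
$holders | Sort-Object Module, Process

# 5. Sophos files Windows has already queued for rename/delete at the next boot.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
$pending | Where-Object { $_ -like '*\Sophos\*' }
```

If step 4 lists a process, the "access denied" on the folder is a file lock rather than a permissions problem, and the files can only go once nothing loads them after a restart.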