This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can't install Central because Enterprise Console Tamper protection is still enabled

I've disabled tamper protection successfully on a few machines by following this article: https://community.sophos.com/kb/en-us/119175

Now I have two machines that I've followed this procedure on and the Central installer still claims that tamper protection is enabled.  What do I do now? 

 



This thread was automatically locked due to age.
  • I'd try the steps described in this article:

    https://community.sophos.com/kb/en-us/124377

     

    I've successfully used it in the past for both SEC and Central Deployments.

  • Thank you FlorianPöthe1, but I have already tried that article to no avail--specifically, these steps:

    Managed by Sophos Enterprise Console

      1. Boot the endpoint or server in Safe Mode.
      2. Click Start followed by Run then type services.msc
      3. Right-click the Sophos Anti-Virus service then Properties.
      4. Set the Startup type to Disabled then click the OK button.
      5. In Run, type regedit.exe then click the OK button.
      6. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data to 0 for SAVEnabled and SEDEnabled.
      7. Set the Value data of Enabled to 0 in the following:
        • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection
        • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection

     

    1. Enhanced Tamper Protection will now be disabled after you boot the endpoint or server in normal mode.

     

  • Do you have the option to uninstall it after disabling tamper protection this way?

     

    Also maybe this could be helpful if you have to do that procedure on a lot of machines: community.sophos.com/.../109668

  • The old Enterprise Console install doesn't show up in my installed programs list anymore.  The new Central Endpoint agent does, but it seems to be only partially installed.

  • Hi Darth,

    Assuming Sophos Anti-virus didn't install still, I'd suggest checking the same registry keys again to make sure they didn't change back to Enabled: 1.  I'd also make sure that this key is set to 0: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\SavService\TamperProtection

    If Sophos Anti-virus did install but other components are failing, we'd need to know which ones failed and the install logs for them.  You can see this by opening up the UI, clicking about on the bottom right and selecting Run Diagnostic Tool.  After finding the components not installed, you can reference the install log in C:\Windows\Temp\.  Within this log we will want to search for "Return value 3." and the 20 lines above it should tell us why the install failed.

  • Thank you for the help but I ended up re-imaging the machines.