Need to manually disable Tamper Protection - computer disabled from Central

I need to manually disable Tamper Protection.  One of our Endpoints disappeared from Central and I am unable to retrieve the key or turn it off.  I tried the steps outlined in this article:

https://community.sophos.com/kb/en-us/124377

However, Tamper Protection is still enabled after the reboot.  Are there new steps for the recent 11.5 Endpoint / 2.0.33 CWG?

  • Hi Keith, 

    It would be easy to come up with a solution if we knew the reason why you are trying to disable Tamper Protection.

    1. Are you trying to uninstall the Sophos Endpoint from the machine?

    2. Or, are you trying to add the client machine to the Central again?

  • In reply to Haridoss Sreenivasan:

    I was trying to re-install a malfunctioning Sophos Endpoint and CWG install on the computer.  We opted to re-image it as support does not respond and we could not afford to wait any longer.

  • In reply to K_M:

    Hi Keith, 

    Sorry for the delayed response. Is everything working fine right now? 

  • In reply to Haridoss Sreenivasan:

    | Date Started | Description of Issue | Update / Current Status |
    |---|---|---|
    | Since Day 1 | Random failures of the Endpoint software. Sophos has not been able to provide an explanation and in each instance the solution has been a manual re-install. About 50+ manual re-installs and climbing. | ONGOING |
    | Since Day 1 | Cloud Web Gateway fails to automatically update and eventually requires a manual update for it to continue to work. | UPDATE - 2.0.31 and beyond may have fixed this issue as of early 2017. Older agents still need manual update however. |
    | Since Day 1 | Sophos will randomly push out major revision changes to their software with no release notes or new user guides. In several instances, this caused major outages. | ONGOING |
    | Since Day 1 | Random failures of Sophos Central servers causing update and/or installation failures for 1-2 days at a time. | ONGOING - most outages are not listed on the Central Status page. |
    | Since Day 1 | A large number of our tickets are handled by individuals who are not familiar with the product in question. Example - we had a problem with a specific component of the Endpoint software and support told us to uninstall the 'broken' product to fix the problem with Sophos. This would mean uninstalling Sophos. | ONGOING |
    | 4/6/2017 | New version of Sophos Central web page released. No user guide available and no advance notice. Tasks that only took a few steps before now take much longer and information is more scattered. | UPDATE - Sophos closed our ticket and said "The Cloud console is web-based and being used by all our cloud-based clients, which can't be customized depending on what version clients want to use. You just need to get familiarize with the navigation of the new version." No assistance in learning the new system was provided. |
    | 4/14/2017 | Unable to use LogMeIn with Cloud Web Gateway running. (Cummins uses this to fix engine-software issues) | With development - no ETA on fix. |
    | 5/4/2017 | We are experiencing more duplicate entries in the web console. This was supposedly resolved under ticket 6863132, but we are seeing new duplicates appearing. | UPDATE - 2.0.33 may have fixed this issue, but need more time to be certain. No official word from Sophos. |
    | 5/5/2017 | When going through the 'Devices' list trying to page through it 50 at a time will quickly break the site (script errors occur after a number of pages). | With development - no ETA on fix. |
    | 5/9/2017 | Cloud Web Gateway Network Activity search is not working. Example: When I select the category 'Anonymizers', there are no results even though I can find them manually. | With development - no ETA on fix. |
    | 5/16/2017 | Not getting email alerts for PUA/Malware detections. Only 1 alert sends an email. | UPDATE - Sophos closed our ticket and said this is normal behavior. They feel the amount of emails was too burdensome for clients. To check status, you must log in and see if there are any new malware/PUA detections or update failures. They will not send emails for these. |
    | 5/17/2017 | CWG is malfunctioning. It is not checking in with Central and policy is not updating. All agents appear to be affected. | UPDATE - We are also missing huge sections of logs. |
    | 5/22/2017 | CWG not filtering correctly. Tried various sites on Sophos test site and they were allowed: Should be WARN: <see list> Should be BLOCK: <see list>. | With development - no ETA on fix. |
    | 7/11/2017 | Unable to install new Endpoints. | UPDATE - Sophos closed our ticket and said we need to check the Central Status page to see when it is resolved. UPDATE - Existing Endpoints are failing to update as well. UPDATE - *might* be fixed - need to test. |

  • In reply to K_M:

    Hi Keith, 

    About being unable to install new Endpoints, it was a known issue and has been resolved now. Please refer to the KBA Advisory: Sophos Central Admin experiencing delays with the enforcement of Central policies for US-West region (Error codes 142, 136 and 137 seen with new installations).

    Please download the new client package and install it, which should fix the issue. Please refer to the thread Sophos Central Admin – US-West region - Delays with the enforcement of Central policies on managed endpoints. Let me know if this helps resolve the issue.

  • In reply to Haridoss Sreenivasan:

    Believe me, I (and many others) am well aware of the major failure that occurred with Central.  The fix for this broken Endpoint (not failed install) was to re-image the machine.

  • In reply to K_M:

    Why? When you can just elevate to localsystem, stop the services, uninstall the endpoint and then reinstall it.

  • In reply to Garrett:

    Hi Garrett - can you please elaborate?  Does this allow you to bypass the Tamper Protection and if so, what are the exact steps you took?  It would be very handy to have an alternative to re-imaging the machine.