How to disable Sophos Endpoint Defense without booting into safe mode

I recently deployed the new Sophos Central Endpoint to over 300 workstations to replace our older Sophos Endpoint. Approximately 20% of the workstations failed during install and were left with these three programs listed in Programs and Features:

  • Sophos AutoUpdate XG
  • Sophos Endpoint Defense
  • Sophos Management Communications System

When I attempt to reinstall the Sophos Central Endpoint on one of these workstations, I get the following error: You must disable Sophos Tamper Protection before you continue. Contact your administrator or see Sophos KBA 119175.

When I attempt to remove the Sophos Endpoint Defense application from Programs and Features, I get the same error. I have attempted to disable Tamper Protection through Sophos Central as well but this has no effect.

I contacted support and was referred to Sophos KBA 124377 which explains how to resolve this issue by booting into safe mode, modifying the registry to disable Sophos Endpoint Defense, and then booting back into Windows. Unfortunately, this is not a workable solution since we have over 60 affected clients all over the country. I have tried modifying the registry keys mentioned in KBA 124337 using Group Policy (both using startup scripts and using Registry Group Policy Preferences) but this has no effect because tamper protection is enabled before they run which locks down the registry keys I need to change.

Anyone have any thoughts on how I can get Sophos Central Endpoint reinstalled on these workstations without having to boot each one into safe mode and manually modifying the registry? Or how to redeploy the client to these workstations since they do have the AutoUpdate component?

  • Hello Christopher Thompson,

    I'm neither a Central nor an SED expert but I fear I'm right when I say there's no other way than 124377. I wonder how this crippled installation came about though. 

    they do have the AutoUpdate component
    Is it working? If it is, it should try to install the missing components but then this very likely fails for the same reason as the initial attempt. Although SAV is not installed - is the SavService present? AFAIK (but this might have changed with SED) installs/uninstalls are only blocked when it is running.

    In either case the failure rate suggests a common cause that you probably have to identify and correct before an install will succeed.

    Christian

  • Hello Christopher,

    Would it be possible to confirm the method of migration you have used here to understand the process that has happened here?

    Additionally if Sophos Management Communications System is on the system do you know if the endpoint has created an entry for itself in the central dashboard? If so can you disable Tamper Protection from the console and does this feedback to the endpoint?

    I would also highly recommend raising a case with Sophos Support if you have not already. If you have can you message me the case reference?

    https://secure2.sophos.com/en-us/support/contact-support.aspx

  • In reply to QC:

    As far as I can tell, the only two Sophos processes running are ALsvc.exe (AutoUpdate) and McsClient.exe. Sophos support directed me to replace C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg on a bad install with a copy from a good install. This seems promising because the file is almost empty on bad installs and contains necessary parameters like the server URL, username and password. Unfortunately, if I try to update or replace the file I'm again thwarted by Endpoint Defense.

    The workstations with bad installs are no different from workstations with the good installs, as far as I can tell. I have good and bad installs on all our images and in all of our offices. I haven't been able to figure out why some succeeded and others failed.

  • In reply to WomboCombo:

    I performed the migrations using two different methods. First, I migrated about 30 clients using the Sophos Cloud Migration Tool and of those, 3 were failures. I migrated the remainder through SCCM using a deployment packager called PowerShell App Deployment Toolkit. The package took three actions, first uninstalling Sophos Client Firewall (if present), then running "SophosInstall.exe -q -tps remove" and forcing a reboot at the end.

    Yes, all affected installs are registered in Sophos Central and communicating with the portal. Once a day, they try to update the agent and fail. Interestingly, they only display "medium" status even though they're completely missing AV and web filtering. I did try disabling tamper protection through Sophos Central on multiple clients but it does not deactivate Endpoint Defense.

    I do have a case open with Sophos and will send you the number.

    Thank you for your help.

  • In reply to Christopher Thompson:

    Hello Christopher Thompson,

    I hope they do something with the logs. Seems that under certain circumstances the Central installer paints itself into a corner. It's somewhat, err, funny that SED is apparently in full operation before the product is successfully installed.

    Christian