(Note: prior to watching the video, turn off Sophos Home tamper protection as per step 1 in this article. The video shows how to turn it off for business installations/password; ignore that part.)

1 - Disable Sophos Home Windows - How to disable Tamper protection
2 - Download SophosZap by clicking here
3 - Confirm the version is 1.0.1853.0.

Ensure tamper protection is enabled – other ransomware strains attempt to disable your endpoint protection, and tamper protection is designed to prevent this from happening.

3. Ongoing staff education. People are invariably the weakest link in cybersecurity, and cybercriminals are experts at exploiting normal human behaviors for nefarious gain.

Uninstall

Good day everyone, hope I can get some help as the closest Sophos support centre is in Dubai. I had to re-install a server for a client due to viruses. It was a central management server for Sophos. I have since installed Kaspersky and deployed it, but there are machines which still have Sophos on them.

I cannot uninstall as Tamper protection is turned on and the policy management server is non-existent. If I deploy Kaspersky to these machines their internet just stops working (probably due to a clash between 2 AV products). Please, I need info on how to forcefully remove these AV clients.

So just a couple of questions: do you have the admin credentials for the Sophos install? If so, then you should be able to disable the tamper protection and then remove the AV.

As far as losing the Internet, I don't think that is really a conflict but seems more like Kaspersky is enabling a firewall (could be that it is trying to install and Sophos then quarantines the installer.) Also, can you reinstall the central management server in order to pull the local installs? Any reason you would choose Kaspersky over Sophos? What type of virus hit that is making you want to switch that you feel Kaspersky would be better at protecting against? While I don't think Sophos is perfect (can't stop someone from clicking things they shouldn't, but neither will 99% of AV) I think it still outperforms most other AVs out there, so just curious why the drastic change in coverage?

Our go-to AV is Kaspersky; we are an Accpac/Sage business partner and we know how to get Kaspersky to work with that. The server had to be re-installed as it was an SBS box and Sophos was happily scanning and not reporting any issues, but the server suddenly wouldn't start up/load the desktop. Malwarebytes found 24 viruses. I managed to get it (the server) to work again somehow, but on SBS with that much damage a re-install is much easier than fixing Exchange services, SharePoint, VSS, etc.

Thanks for all the suggestions, I managed to get hold of Support and will try a removal that way (stopping services). Would have done it but was afraid it may break things. It's just 2 workstations so yeah.

Thanks for the input once again!!


Instructions for when you are unable to uninstall Sophos because Tamper Protection needs to be turned off, or because the tamper protection password is lost and the client cannot receive a new policy without a known password.

To recover a tamper protected system, you must disable Enhanced Tamper Protection.

NOTE: Back up your registry before you attempt this procedure.

Applies to the following Sophos products and versions
Sophos Endpoint Security and Control 10.6.4
Sophos Cloud Managed Endpoint

2 Steps total

Disable Sophos tamper protection

Step 1: Sophos Enterprise Console managed client

1. Boot the system into Safe Mode.
2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
3. Click Start > Run and type regedit and then click OK.
4. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
5. Set the following DWORD values to 0: SAVEnabled and SEDEnabled
6. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0
7. Reboot the system in normal mode.

Step 2: Sophos Central managed client

1. Boot the system into Safe Mode.
2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
3. Click Start > Run and type regedit and then click OK.
4. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004
5. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0
6. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0
7. Reboot the system in normal mode.

Enhanced Tamper Protection is now disabled.
You should now be able to uninstall Sophos Protection.
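Added here as a read-only check (not part of the original article): this PowerShell script reads the registry values the steps above modify and reports whether Enhanced Tamper Protection still looks intact. It is useful both to confirm the state before attempting the uninstall and, run across a fleet, to spot a client whose tamper protection was switched off unexpectedly. It assumes the paths listed above; the expected values (1 for the enabled flags, 2 for an auto-start MCS Agent service) are assumptions, not values stated on the page.

```powershell
# Read-only audit of the Sophos tamper-protection registry values used in the
# procedure above. Run from an elevated PowerShell prompt on the client.
# Assumed "healthy" values: enabled flags = 1, MCS Agent Start = 2 (auto-start).
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SAVEnabled'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SEDEnabled'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
       Name = 'Enabled';    Expected = 1 },
    # Start = 4 means the Sophos MCS Agent service is disabled (Step 2 sets this).
    # The key only exists on Sophos Central managed clients; "missing" is fine
    # for an Enterprise Console managed client.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
       Name = 'Start';      Expected = 2 }
)

$results = foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Key      = $c.Path
        Value    = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        Status   = if ($null -eq $actual) { 'missing' }
                   elseif ($actual -eq $c.Expected) { 'protected' }
                   else { 'DISABLED' }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a monitoring job or RMM tool flag the machine.
$tamperOff = $results | Where-Object { $_.Status -eq 'DISABLED' }
if ($tamperOff) {
    Write-Warning "Enhanced Tamper Protection appears disabled on $env:COMPUTERNAME."
    exit 1
}
Write-Output "Tamper protection registry values look intact on $env:COMPUTERNAME."
```

A 'DISABLED' row right after the procedure is the expected outcome; the same row on a machine nobody is decommissioning is worth investigating.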

References

  • Sophos Endpoint Defense: How to recover a tamper protected system

1 Comment

  • jimarnold Aug 2, 2019 at 01:08pm

    There might be an easier way:

    If you log into the admin portal for Sophos, then go to Logs & Reports, there is a report under the 'Endpoint & Server Protection' category called 'Recover Tamper Protection Passwords'

    If you run this report, it allows you to search for the deleted computer name and provides you with the tamper protection password for that computer. This allows you then to 'login' on the client software to override the policy and turn off tamper protection for 4 hours. This should be enough time to uninstall.

    I found myself cursing the Sophos portal until I discovered this little nugget of gold!