dhelbin

Sophos Removal Script


Hi All, 

Looking for a script to forcibly remove Sophos Endpoint from several machines, I did a search and the most recent I could find was about 3 years old and does not appear to work on the current version of Sophos. 

 

Does anyone have a working script to remove Sophos? Willing to share the XML script from LT? 

 

Thanks! 


I actually tried that article yesterday for one of our new clients.
Their last MSP didn't/wouldn't remove their Sophos agents.

I've managed to remove a variety of AV (including older versions of Sophos), however I couldn't make any progress on this one.
The issue was that everything from DomainAdmin through to SYSTEM accounts only had read-level perms to the services.
Safe mode was the only way I could get this removed.
Sophos tamper protection has come pretty far.

I'm pretty determined; if I get something working that doesn't require safe mode, I'll automate and share.

(Please note, Sophos AV without tamper protection isn't too difficult, a quick Google should get you there.)
 


This is an older script, but it is what I use (my company is switching from Sophos to Webroot, so I've done lots of Sophos removing): https://community.spiceworks.com/scripts/show/2053-completely-remove-sophos-clients-from-all-systems-on-a-domain

After running this you'll find a few left over components. Using the uninstall string should do the trick. You might find that the application is actually gone, but the software list entry is still present. Deleting the registry key for the entry will clear that up and remove it from the software list in Automate. 

Kick off the VBS file via the "Shell" option in Automate and you should make some progress.

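
The post above describes the leftover-entry cleanup by hand: run the uninstall string for each remaining component, and delete the Uninstall registry key when the program is already gone but still listed. The following PowerShell is an added example that does the same thing for every Sophos entry at once; it is not code from the post, from Automate or from Sophos. It assumes an elevated session, that tamper protection has already been turned off (otherwise the uninstallers fail exactly as described earlier in the thread), and that the `-Match` string is enough to pick out the right entries on your machines.

```powershell
# Added example: enumerate Uninstall registry entries for Sophos, run each
# entry's uninstall string, and delete the key when the product is already gone.
[CmdletBinding(SupportsShouldProcess)]
param([string]$Match = 'Sophos')   # substring matched against DisplayName/Publisher

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# One object per matching entry, from either hive.
$entries = foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.DisplayName -like "*$Match*" -or $p.Publisher -like "*$Match*") {
            [pscustomobject]@{
                Key             = $_.PSPath
                DisplayName     = $p.DisplayName
                UninstallString = [string]$p.UninstallString
            }
        }
    }
}

foreach ($e in $entries) {
    $name = $e.DisplayName
    $cmd  = $e.UninstallString.Trim()

    if (-not $cmd) {
        # No uninstall string at all: nothing to run, the entry is just stale.
        if ($PSCmdlet.ShouldProcess($name, 'Remove Uninstall key (no UninstallString)')) {
            Remove-Item -Path $e.Key -Recurse -Force
        }
        continue
    }

    # MSI products: UninstallString is "MsiExec.exe /I{GUID}" or "/X{GUID}".
    if ($cmd -match '\{[0-9A-Fa-f-]{36}\}') {
        $code = $Matches[0]
        if ($PSCmdlet.ShouldProcess($name, "msiexec /x $code")) {
            $proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
                -ArgumentList "/x $code /qn REBOOT=ReallySuppress"
            switch ($proc.ExitCode) {
                0       { }                                           # removed
                3010    { Write-Warning "$name removed, reboot pending" }
                1605    { Remove-Item -Path $e.Key -Recurse -Force }  # not installed: orphan key
                default { Write-Warning "$name: msiexec exit code $($proc.ExitCode)" }
            }
        }
        continue
    }

    # Everything else: '"path with spaces" args', 'path args', or a bare path.
    if ($cmd -match '^"(?<exe>[^"]+)"\s*(?<args>.*)$') {
        $exe = $Matches['exe']; $argStr = $Matches['args']
    } elseif ($cmd -notmatch '\s') {
        $exe = $cmd; $argStr = ''
    } elseif (Test-Path -LiteralPath $cmd) {
        $exe = $cmd; $argStr = ''          # bare path containing spaces, no arguments
    } else {
        # Unquoted path with spaces plus arguments cannot be split safely; do not
        # guess, and never delete a key on a guess.
        Write-Warning "$name: review by hand: $cmd"
        continue
    }
    if (-not (Test-Path -LiteralPath $exe)) {
        # Executable is gone: the product was removed, only the list entry remains.
        if ($PSCmdlet.ShouldProcess($name, "Remove Uninstall key ($exe is missing)")) {
            Remove-Item -Path $e.Key -Recurse -Force
        }
        continue
    }
    if ($PSCmdlet.ShouldProcess($name, $cmd)) {
        $sp = @{ FilePath = $exe; Wait = $true; PassThru = $true }
        if ($argStr) { $sp.ArgumentList = $argStr }
        $proc = Start-Process @sp
        if ($proc.ExitCode -ne 0) { Write-Warning "$name: exit code $($proc.ExitCode)" }
    }
}
```

Run it once with `-WhatIf` to see which entries would be uninstalled and which keys would be deleted before letting it change anything; msiexec exit code 1605 ("product not installed") is the signal that an entry is an orphan rather than a live install, and Automate's software list picks up the removed keys on the next inventory.
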
On 6/26/2018 at 12:45 AM, Willf said:

Safe mode was the only way I could get this removed.
Sophos tamper protection has come pretty far.

Automate can actually restart in Safe Mode and continue with the script. So any steps that you are performing for removal in Safe Mode are able to be scripted.

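
Automate drives the Safe Mode reboot itself, as the reply above says. For anyone scripting the same sequence without it, the following PowerShell is an added example (not code from the thread, Automate or Sophos) of the three pieces such a job needs: Windows Installer has to be registered for Safe Mode or every MsiExec line fails, the next boot has to be flagged for Safe Mode with Networking, and the removal has to be scheduled so that it runs there and then puts the machine back on a normal boot. The `C:\Tools\RemoveSophos.cmd` path and the `*SophosRemoval` value name are assumptions for illustration; the staged batch must not end in `pause`. The script self-elevates if launched from an admin user, which is the same caveat a later reply makes about its batch file.

```powershell
# Added example: stage a removal script to run once in Safe Mode with
# Networking, then return the machine to a normal boot. Run with -Mode Revert
# to undo the staging by hand.
param(
    [ValidateSet('Stage', 'Revert')] [string]$Mode = 'Stage',
    [string]$Removal = 'C:\Tools\RemoveSophos.cmd'   # hypothetical removal batch
)

$SafeBootKey = 'SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer'
$RunOnceKey  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$ValueName   = '*SophosRemoval'   # leading '*' is what makes RunOnce honour it in Safe Mode

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if ($p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { return }
    # Relaunch elevated with the same arguments; only works from an admin user,
    # under an RMM running as SYSTEM we are already elevated and never get here.
    Start-Process powershell.exe -Verb RunAs -ArgumentList `
        "-ExecutionPolicy Bypass -File `"$PSCommandPath`" -Mode $Mode -Removal `"$Removal`""
    exit
}

Assert-Elevated
$hklm = [Microsoft.Win32.Registry]::LocalMachine

switch ($Mode) {
    'Stage' {
        if (-not (Test-Path -LiteralPath $Removal)) { throw "removal script not found: $Removal" }

        # 1. msiserver is not started in Safe Mode unless listed under SafeBoot\Network
        #    (or \Minimal); without it MsiExec /X returns 1601, "service could not be accessed".
        $k = $hklm.CreateSubKey($SafeBootKey)
        $k.SetValue('', 'Service')          # '' = the key's default value
        $k.Close()

        # 2. Next boot only: Safe Mode with Networking, so an agent that is itself
        #    registered for Safe Mode can keep reporting.
        & bcdedit.exe /set '{current}' safeboot network | Out-Null

        # 3. Run/RunOnce are skipped in Safe Mode unless the value name starts with '*'.
        #    The staged command runs the removal, clears the safeboot flag and reboots.
        #    It fires at the next interactive logon in that user's context, so log on
        #    as an administrator; if UAC filtering blocks it, run these two commands
        #    from the RMM agent instead.
        $cmd = "cmd.exe /c `"`"$Removal`" & bcdedit.exe /deletevalue {current} safeboot & shutdown.exe /r /t 30`""
        $k = $hklm.OpenSubKey($RunOnceKey, $true)
        $k.SetValue($ValueName, $cmd, [Microsoft.Win32.RegistryValueKind]::String)
        $k.Close()

        Restart-Computer -Force
    }
    'Revert' {
        # Put everything back if the job has to be abandoned before the reboot.
        & bcdedit.exe /deletevalue '{current}' safeboot | Out-Null
        $k = $hklm.OpenSubKey($RunOnceKey, $true)
        $k.DeleteValue($ValueName, $false); $k.Close()
        $hklm.DeleteSubKey($SafeBootKey, $false)
    }
}
```

The MSIServer registration is the step most often missed: Safe Mode starts only the services and drivers listed under the SafeBoot keys, and Windows Installer is not one of them by default, so a removal script full of `MsiExec.exe /X{...}` lines silently does nothing there. Leave the `safeboot` flag set and the machine keeps booting into Safe Mode, which is the likely reason a remotely managed box "does not come back"; the staged command clears it whether or not the removal itself succeeds.
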
@echo off
rem Stop the Sophos services first. These stops fail while tamper
rem protection is still on (see the earlier replies about Safe Mode).
net stop "Sophos Anti-Virus"
net stop "Sophos AutoUpdate Service"
net stop "Sophos Anti-Virus status reporter"
net stop "Sophos Clean"
net stop "Sophos Device Control Service"
net stop "Sophos Safestore"
net stop "Sophos Web control Service"
net stop "Sophos Web Intelligence Service"
net stop "Sophos Web Intelligence Updater"

rem Sophos Endpoint Agent command-line uninstaller (newer Central installs)
"C:\program files\Sophos\Sophos Endpoint Agent\uninstallcli.exe"

rem Each MsiExec line removes one MSI product code: /qn = silent,
rem REBOOT=ReallySuppress = never reboot mid-script. A code that is not
rem installed on this machine just returns 1605 and is skipped.

rem Sophos AutoUpdate
MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress
MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress
MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress
MsiExec.exe /qn /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} REBOOT=ReallySuppress
MsiExec.exe /qn /X{E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E} REBOOT=ReallySuppress

rem Sophos Anti-Virus (Endpoint)
MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress
MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress
MsiExec.exe /qn /X{DFDA2077-95D0-4C5F-ACE7-41DA16639255} REBOOT=ReallySuppress
MsiExec.exe /qn /X{CA3CE456-B2D9-4812-8C69-17D6980432EF} REBOOT=ReallySuppress
MsiExec.exe /qn /X{3B998572-90A5-4D61-9022-00B288DD755D} REBOOT=ReallySuppress

rem Sophos Anti-Virus (Server)
MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress

rem Sophos System Protection
MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress
MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress

rem Sophos Network Threat Protection
MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress

rem Sophos Health
MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress
MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress
MsiExec.exe /qn /X{E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745} REBOOT=ReallySuppress

rem SDU (1.x)
MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress

rem Heartbeat
MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress

rem Sophos Management Communications System
MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress
MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress
MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress
MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress

rem UI
MsiExec.exe /qn /X{D29542AE-287C-42E4-AB28-3858E13C1A3E} REBOOT=ReallySuppress

rem Non-MSI uninstallers; each path only exists on the version that shipped it.
rem SophosClean
"C:\Program Files\Sophos\Clean\uninstall.exe"
"C:\Program Files (x86)\Sophos\Clean\uninstall.exe"
rem SED (Sophos Endpoint Defense)
"C:\Program Files\Sophos\Endpoint Defense\uninstall.exe" /quiet
rem HMPA (managed) 3.5.3.563
"C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /uninstall /quiet
rem HMPA 1.0.0.699
"C:\Program Files (x86)\HitmanPro.Alert\uninstall.exe" /uninstall /quiet
rem HMPA 3.7.14.265
"C:\Program Files\HitmanPro\HitmanPro.exe" /uninstall /quiet

rem Sophos Endpoint Firewall
MsiExec.exe /qn /X{2831282D-8519-4910-B339-2302840ABEF3} REBOOT=ReallySuppress
rem Sophos Endpoint Self Help
MsiExec.exe /qn /X{BB36D9C2-6AE5-4AB2-BC91-ECD247092BD8} REBOOT=ReallySuppress

rem Sophos Anti-Virus
MsiExec.exe /qn /X{6654537D-935E-41C0-A18A-C55C2BF77B7E} REBOOT=ReallySuppress

rem Sophos AutoUpdate XG
MsiExec.exe /qn /X{72E136F7-3751-422E-AC7A-1B2E46391909} REBOOT=ReallySuppress

rem Sophos Endpoint Agent (second pass, now that its components are gone)
"C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallcli.exe"

rem Disable, then unregister, whatever services and drivers survived.
sc config "Sophos Device Control Service" start= disabled
sc config "Sophos Web Control Service" start= disabled
sc config "SophosBootDriver" start= disabled
sc config "SAVAdminService" start= disabled
sc config "SAVService" start= disabled
sc config "SAVOnAccess" start= disabled
sc config "swi_service" start= disabled
sc config "swi_update_64" start= disabled

reg delete "HKLM\SYSTEM\CurrentControlSet\services\Sophos Device Control Service" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Sophos Web Control Service" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\services\SophosBootDriver" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\services\SAVAdminService" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\services\SAVService" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\services\SAVOnAccess" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\services\swi_service" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\services\swi_update_64" /f

rem Unregister the SAV shell extension and the sophos_detoured DLLs.
regsvr32 /u /s "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavShellExtX64.dll"
regsvr32 /u /s "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll"
regsvr32 /u /s "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll"

rem Remove the install directories.
rmdir "C:\Program Files\Sophos" /s /q
rmdir "C:\Program Files (x86)\Sophos" /s /q

rem Remove this pause when running unattended from Automate or any other RMM.
pause

Although this is not an Automate script, this is what I hacked together from a few sources for a .bat when I had to remove troublesome Sophos Antivirus. It can easily be adapted.


The batch file I put together comes from a combination of what the Sophos in-house engineers use to remove it from their own machines, plus additional discoveries of other registry entries left behind, etc. It also self-elevates, as long as you're running it from an admin user (i.e., use LT's "as {location} admin", and not the default, which runs as SYSTEM).


Hi,

Tell the other MSP to turn off Tamper Protection for all endpoints. Tell them to send the customer token and management server address from the Sophos Central Partner portal.

Follow this guide to integrate sophos central with Automate: https://community.sophos.com/kb/en-us/132352

After this is done you can uninstall the endpoint with the scripts provided in the integration package from solution center.

Bear in mind that if they are using Synchronized Security you will lose connection to the clients when the firewall is missing heartbeats from the endpoint.


Hello all!

I would like to share with you a script I had ceased working on related to Sophos.

First and foremost, this script is for...

  • Businesses with dozens if not hundreds or more machines with Sophos
  • Managed Service Providers (MSP)

This script is NOT for...

  • Non-business/consumer/home/personal flavors and end-users of Sophos products

Other notes:

  • This script is a DEVELOPER release, meaning it has not thoroughly passed through testing and may result in system instability or a Windows OS that might not boot
  • Make system backups before running this script.
  • Usage of this script is at YOUR OWN RISK. If your system fails to boot or experiences some issue as a result of this script, restore from backups / fix the problem and post the solution / update the script and post about it
  • This script was developed with the intent to specifically remove Sophos Anti-Virus (SAV)

The reason this script was created was because of how incredibly stubborn, resistant, and problematic Sophos business products are for removal through normal and proper means (i.e. removal through Programs and Features). There are cases where following the normal methods of removal is unsuccessful and results in entries from Programs & Features disappearing while leaving remnants, if not fully active Sophos installations, on systems. When this scenario is encountered and dozens/hundreds of machines are involved it becomes a nightmare for technician labor time (time = $$$) without any means of automation to aid with removal of Sophos products from client machines (hence the existence of this script).

The reason for release of this script is because of the necessity to involve and receive further development on this script from and by the community.

In my testing of this script on machines that I do not have physical access to I have found that a little more than 50% do not come back online after running this script and rebooting those machines (I do not know why and would appreciate finding out how to overcome this).

For machines that do come back online Sophos is 99-100% gone. In successful removals: (1) in some cases may be a few folders remaining on the system (particularly with some Web Intelligence DLLs and a SAV Temp folder), and (2) WinSock providers may still be present (even if the files no longer exist on the system), this can be verified with the "netsh winsock show catalog" command. Since my focus has been specifically on removal of Sophos Anti-Virus (SAV) I do not expect this script to be 99-100% for other Sophos products, but this script was designed to allow for further development to expand the scope to other Sophos products (and serve as an 'ultimate Sophos removal' script) and improve its reliability in removal.

The script is a single batch script file. To run it, it must be run with elevation (right-click > Run as Administrator).

7Z Archive (password: SOPHOS)

http://szan.to/cloud/Ultimate_Sophos_Removal_20190111-0845_Development_Password-SOPHOS.7z

TXT file (save with .bat extension instead of .txt)

http://szan.to/cloud/Ultimate_Sophos_Removal_20190111-0845_Development.txt

For courtesy, feel free to scan the script and these URLs with virustotal.com - they are clean

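
The post above notes that Winsock providers can outlive the files they point at, and that `netsh winsock show catalog` is the way to check. The following PowerShell is an added example, not part of the post or its script, that parses that output and flags catalog entries which either name Sophos or reference a DLL that no longer exists on disk. It assumes English netsh output (the label names are matched literally) and that `-Reset` is how you want to act on a dirty catalog; `netsh winsock reset` is the documented repair, and the `-Match` string is an assumption.

```powershell
# Added example: find Winsock catalog entries left behind by a removed
# product, and optionally reset the catalog (elevated, reboot afterwards).
param(
    [string]$Match = 'Sophos',
    [switch]$Reset
)

function Get-WinsockCatalog {
    # netsh prints one block per entry, blocks separated by blank lines,
    # each block a set of "Label:   value" lines. Turn each block into an object.
    $text   = & netsh.exe winsock show catalog
    $blocks = ($text -join "`n") -split "`n\s*`n"
    foreach ($b in $blocks) {
        $o = [ordered]@{}
        foreach ($line in ($b -split "`n")) {
            # Lazy match up to the first colon, so "C:\..." values keep their colon.
            if ($line -match '^\s*([^:]+?):\s+(.*?)\s*$') { $o[$Matches[1]] = $Matches[2] }
        }
        if ($o.Contains('Provider ID')) { [pscustomobject]$o }
    }
}

function Get-SuspectWinsockEntries {
    Get-WinsockCatalog | Where-Object {
        $path = $_.'Provider Path'
        $expanded = if ($path) { [Environment]::ExpandEnvironmentVariables($path) } else { $null }
        # Either it still names the product, or the DLL behind the entry is gone.
        ($_.Description -match $Match) -or
        ($expanded -and -not (Test-Path -LiteralPath $expanded))
    }
}

$suspect = @(Get-SuspectWinsockEntries)
if ($suspect.Count -eq 0) {
    Write-Host 'Winsock catalog: no stale or matching provider entries.'
    return
}

$suspect | Format-Table -Property Description, 'Provider Path', 'Catalog Entry ID' -AutoSize

if ($Reset) {
    # Rebuilds the catalog from the base providers. It needs an elevated prompt
    # and a reboot, and it also removes every other third-party LSP, so read the
    # table above before using it on a machine that relies on one.
    & netsh.exe winsock reset
} else {
    Write-Host 'Re-run with -Reset to run "netsh winsock reset" (reboot required).'
}
```

A stale Layered Service Provider whose DLL is missing is worse than a cosmetic leftover: every process that opens a socket still loads the chain, so network-dependent software can fail in ways that look unrelated to the AV removal. Checking the catalog right after the uninstall, before the reboot, makes the cause obvious.
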
