1 Overview
In some cases, you lose tamper protection and cannot restore it in Sophos Central. The endpoint then has to be removed by changing the registry.
This article shows how to change the registry on Windows 10 and Windows Server 2016 and 2019.
Applies to endpoints with Core Agent version 2.20.13 or higher.
2 Configuration steps
2.1 Prepare
Go to Settings > Update & Security > Recovery and, under Advanced start-up, click Restart now.
Select Troubleshoot
Select Advanced Options
Select Command Prompt
Log in with your local account
Execute the following commands:
- Type C: and press Enter. (Your boot drive may differ from C. If so, use Diskpart > list volume to show the list of volumes.)
- Type cd Windows\System32\drivers and press Enter.
- Type ren SophosED.sys SophosED.sys.old and press Enter.
- Type exit and press Enter.
Select Continue and restart the computer.
2.2 Edit registry
Open Registry Editor and make the following edits. (Before editing, export a backup file in case something goes wrong.)
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the Start value to 4.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service and set the Start value to 4.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services. In each subkey under that key, set Protected to 0.
Continue until every subkey there has Protected set to 0.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the SEDEnabled value to 0.
Then restart the computer. If the Sophos endpoint icon no longer appears in the bottom corner of the screen, the change was successful. Proceed to uninstall the application.
In case the following error still occurs:
Open Registry Editor and, at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service, set Start to 2.
Then reboot the machine and uninstall.
Sophos Endpoint has now been uninstalled using the registry.
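To confirm the state of the items touched in sections 2.1 and 2.2 before and after the edits, the read-only PowerShell script below reports them; the same output also shows when tamper protection has been switched off on a machine where that was not intended. It is an added example, not code from this article or from Sophos; the helper name Get-RegValue is hypothetical, and the key paths and file names are the ones given above.

```powershell
# Read-only audit of the registry values and driver file named in this article.
# Nothing is modified. Run from an elevated PowerShell prompt.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue {
    # Hypothetical helper: returns the value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$report = @()

# Windows service start types: 2 = automatic, 4 = disabled.
foreach ($svc in 'Sophos MCS Agent', 'Sophos AutoUpdate Service') {
    $report += [pscustomobject]@{
        Item  = "$svc\Start"
        Value = Get-RegValue -Path "$base\$svc" -Name 'Start'
    }
}

# One Protected value per subkey under TamperProtection\Services.
$tp = "$base\Sophos Endpoint Defense\TamperProtection"
if (Test-Path -LiteralPath "$tp\Services") {
    foreach ($key in Get-ChildItem -LiteralPath "$tp\Services") {
        $report += [pscustomobject]@{
            Item  = "TamperProtection\Services\$($key.PSChildName)\Protected"
            Value = $key.GetValue('Protected')
        }
    }
}

$report += [pscustomobject]@{
    Item  = 'TamperProtection\Config\SEDEnabled'
    Value = Get-RegValue -Path "$tp\Config" -Name 'SEDEnabled'
}

# Driver file renamed in section 2.1: report which of the two names exists.
$drivers = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($f in 'SophosED.sys', 'SophosED.sys.old') {
    $report += [pscustomobject]@{
        Item  = "drivers\$f present"
        Value = Test-Path -LiteralPath (Join-Path $drivers $f)
    }
}

$report | Format-Table -AutoSize
```

An empty Value column for a registry item means the key or value does not exist on that machine.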