You may have come across an issue where you have deleted a server or workstation from Sophos Central, not realising that by default these devices are protected by “Tamper Protection”.
So now, on the local machine, you are attempting to uninstall “Sophos” but you can’t, and you keep getting the error “You must disable Sophos Tamper Protection before you continue. Contact your administrator or see Sophos KBA119175”.
Contacting Sophos doesn’t help as they claim there is no way around this. From the looks of it you can’t remove the application and potentially you may have to re-build it if you really need to remove the software.
In the steps below I will show you how you can reset the password for “Tamper Protection” and disable it. You can then uninstall the software.
1. On the local machine launch “Services” and “Stop” the “Sophos Anti-Virus” service.
2. Open an Explorer window and navigate to “C:\ProgramData\Sophos\Sophos Anti-Virus\Config”, right-click the file “machine.xml” and click “Edit”, or alternatively open it with “Notepad”. Make a copy of the file before editing it, as a backup should you need to restore it.
3. Click “Edit > Find…” and find the line within the file containing “<TamperProtectionManagement><settings>”.
4. On the line below, highlight the hashed password and delete it.
5. Paste in the following hash: “E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73”. This will set the password to “password”.
6. Save the changes
7. Start the “Sophos Anti-Virus” service
8. Launch the Sophos Console and click “Authenticate User”
Sophos Central will automatically enable Tamper Protection after four hours. If the Sophos Endpoint UI cannot be launched, open a Command Prompt (Admin) and run SEDcli.exe -TPoff. This file is located at C:\Program Files\Sophos\Endpoint Defense. On a Mac endpoint with Sophos installed, click Sophos Endpoint on the Dock bar.
Sophos Endpoint Defense Service: SEDService.exe: Prevents undesired actions to Sophos components, which is explained further in KBA 123654. Sophos File Scanner Service: SophosFS.exe: Used to scan files for reputation, deep learning, and Application ID. Sophos Live Query: SophosLiveQueryService.exe: Used to manage and perform live query actions.
9. Insert the password “password”
10. Click “Configure tamper protection”
11. Uncheck the box “Enable Tamper protection” and click “OK”.
12. Now run the uninstallation process again and the software should uninstall.
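A defender-side check for the edit described in the steps above, as an added example that is not part of the original post: it scans the text of a collected machine.xml for the hash published in step 5, which marks an endpoint whose tamper-protection password is now “password”. The `<value>` element name, the three-line search window and both sample files are assumptions constructed for illustration.

```python
import re

# Hash given in step 5 of this page; it sets the password to "password".
KNOWN_RESET_HASH = "E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73"
SECTION_MARKER = "<TamperProtectionManagement>"
# A 40-hex-digit token that is not part of a longer hex run.
HEX40 = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{40}(?![0-9A-Fa-f])")


def audit_machine_xml(text, window=3):
    """Return (line_no, hash, status) for each 40-hex value found on the
    marker line or the `window` lines after it (window is an assumption)."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if SECTION_MARKER not in line:
            continue
        for j in range(i, min(i + window + 1, len(lines))):
            # On the marker line itself, only inspect text after the marker.
            segment = lines[j].split(SECTION_MARKER, 1)[1] if j == i else lines[j]
            for match in HEX40.finditer(segment):
                value = match.group(0).upper()
                status = "KNOWN_RESET_HASH" if value == KNOWN_RESET_HASH else "other"
                findings.append((j + 1, value, status))
    return findings


def is_reset_to_known_password(text):
    """True when the tamper-protection section carries the published hash."""
    return any(s == "KNOWN_RESET_HASH" for _, _, s in audit_machine_xml(text))


# Constructed samples; <value> is a placeholder element name, not Sophos's schema.
SAMPLE_RESET = """<config>
  <TamperProtectionManagement><settings>
    <value>e8f97fba9104d1ea5047948e6dfb67facd9f5b73</value>
  </settings></TamperProtectionManagement>
</config>"""
SAMPLE_OTHER = SAMPLE_RESET.replace(
    "e8f97fba9104d1ea5047948e6dfb67facd9f5b73",
    "0123456789ABCDEF0123456789ABCDEF01234567")

if __name__ == "__main__":
    for name, sample in (("reset", SAMPLE_RESET), ("other", SAMPLE_OTHER)):
        print(name, audit_machine_xml(sample))
```

A match is worth correlating with a recent stop and start of the “Sophos Anti-Virus” service and a changed modification time on machine.xml.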
Components
Sophos Endpoint Security and Control | 10.8.11 VE 3.82.0 April 2021 | 10.8.10.1 VE 3.80.1 February 2021 | 10.8.9.610 VE 3.79.0 October 2020 | 10.8.9.292 VE 3.79.0 July 2020 | 10.8.6.1 VE 3.77.1 January 2020 | 10.8.4.4 VE 3.77.1 August 2019 | 10.8.4.4 VE 3.74.1 July 2019 | 10.8.4.3 VE 3.74.1 May 2019 |
---|---|---|---|---|---|---|---|---|
Sophos Anti-Virus | 10.8.11.22 | 10.8.10.810 | 10.8.9.610 | 10.8.9.292 | 10.8.6.215 | 10.8.4.227 | 10.8.4.227 | 10.8.4.227 |
Threat detection engine | 3.82.0 | 3.80.1 | 3.79.0 | 3.79.0 | 3.77.1 | 3.77.1 | 3.74.1 | 3.74.1 |
Sophos Client Firewall Windows 8 and later | 3.0.6 | 3.0.6 | 3.0.6 | 3.0.6 | 3.0.6 | 3.0.6 | 3.0.6 | 3.0.6 |
Sophos Client Firewall Windows 7 and earlier | 2.9.7 | 2.9.7 | 2.9.7 | 2.9.7 | 2.9.7 | 2.9.7 | 2.9.7 | 2.9.7 |
Sophos AutoUpdate | 5.17.243 | 5.17.243 | 5.16.37 | 5.16.37 | 5.16.37 | 5.15.166 | 5.15.166 | 5.14.36 |
Sophos Patch Agent | 1.0.314.11 | 1.0.314.11 | 1.0.314.11 | 1.0.314.11 | 1.0.313.30 | 1.0.313.30 | 1.0.313.30 | 1.0.313.30 |
Sophos Web Control | 1.7.20 | 1.7.20 | 1.7.20 | 1.5 | 1.5 | 1.5 | 1.5 | 1.5 |
Sophos Remote Management System | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 |
Sophos Network Threat Protection | 1.9.2235 | 1.9.2235 | 1.9.2235 | 1.9.2235 | 1.9.2235 | 1.8.77.8000 | 1.8.77.8000 | 1.8.77.8000 |
Sophos Endpoint Defense | 2.2.6.8672 | 2.2.6.8672 | 2.2.4.8250 | 2.2.4.8250 | 2.2.0.11405 | 2.1.2.8000 | 2.1.2.8000 | 2.1.2.8000 |
Standalone installations include the Sophos Web Control component but it only provides malicious website blocking.