Pages

Wednesday, September 26, 2018

Uninstall script for Sophos Endpoint Security and Control 10.7 and 10.8

I was recently involved in assisting a customer with removing Sophos Endpoint Security and Control from their desktops and laptops because it was being replaced with Cylance Protect.  Anti-Virus products aren’t something that I typically deal with so I had to do a bit of searching on the internet to come up with script that would check for the services and then subsequently remove them.  What I noticed during the process was that the Sophos KB article:

How to uninstall Sophos Endpoint Security and Control from the command line or with a batch file
https://community.sophos.com/kb/en-us/109668

… wasn’t very helpful because I wasn’t able to find all of the components in the registry to extract the uninstall GUID to pair with the msiexec.exe /x command.  Another item I noticed was that there are a lot of sample scripts and batch files available but they only worked for specific versions.

So after spending a good half day on this, I thought it would be a good idea to share what finally worked for me in case anyone out there looking for this.  As the title of this post indicates, this works for version 10.7 and 10.8.

Sophos Install Script – Copy and paste below into a .cmd file

REM Check for the Sophos service

@Echo off

REM --- Check for an existing installation of Sophos Agent

IF NOT EXIST "C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe" (

REM --- Check for an existing installation of Sophos Anti-Virus

IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" (

REM --- Check for an existing installation of Sophos Anti-Virus status reporter

IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe" (

REM --- Check for an existing installation of Sophos AutoUpdate on 32-bit (the 'Sophos AutoUpdate Service' process)

IF NOT EXIST "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" (

REM --- Check for an existing installation of Sophos AutoUpdate on 64-bit (the 'Sophos AutoUpdate Service' process)

IF NOT EXIST "C:\Program Files (x86)\Sophos\AutoUpdate\ALSVC.exe" (

REM --- Check for an existing installation of Sophos Message Router

IF NOT EXIST "C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe" (

REM --- Check for an existing installation of Sophos Network Threat Protection

IF NOT EXIST "C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe" (

REM --- Check for an existing installation of Sophos System Protection Service

IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe" (

REM --- Check for an existing installation of Sophos Web Control Service

IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" (

REM --- Check for an existing installation of Sophos Web Intelligence Service 64-bit

IF NOT EXIST "C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe" (

REM --- Check for an existing installation of Sophos Web Intelligence Service 32-bit

IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" (

REM --- Check for an existing installation of Sophos Anti-Virus on Vista+ (the SAV adapter config file)

IF NOT EXIST "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" (

goto _End

))))))))))))

REM --- Disabling Sophos Services

sc config "Sophos Agent" start= disabled

sc config "SAVService" start= disabled

sc config "SAVAdminService" start= disabled

sc config "Sophos AutoUpdate Service" start= disabled

sc config "Sophos Message Router" start= disabled

sc config "SntpService" start= disabled

sc config "sophossps" start= disabled

sc config "Sophos Web Control Service" start= disabled

sc config "swi_service" start= disabled

sc config "swi_update_64" start= disabled

REM --- Stopping Sophos Services

net stop "Sophos AutoUpdate Service"

net stop "Sophos Agent"

net stop "SAVService"

net stop "SAVAdminService"

net stop "Sophos Message Router"

net stop "Sophos Web Control Service"

net stop "swi_service"

net stop "SntpService"

net stop "sophossps"

net stop "swi_filter"

REM --- Taskkill all services just in case services such as AutoUpdate is running and will not stop

taskkill /im ManagementAgentNT.exe /f

taskkill /im SavService.exe /f

taskkill /im SAVAdminService.exe /f

taskkill /im ALsvc.exe /f

taskkill /im RouterNT.exe /f

taskkill /im SntpService.exe /f

taskkill /im ssp.exe /f

taskkill /im swc_service.exe /f

taskkill /im swi_update_64.exe /f

REM --- Disable Tamper Protection

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SAVEnabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection" /v Enabled /t REG_DWORD /d 0 /f

REM --- Begin uninstall Sophos Components

REM --- Sophos Network Threat Protection

start /wait MsiExec.exe /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-NTPLog.txt

REM --- Sophos System Protection

start /wait MsiExec.exe /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-SPLog.txt

REM --- Sophos Anti-Virus

start /wait MsiExec.exe /X{23E4E25E-E963-4C62-A18A-49C73AA3F963} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-AVLog.txt

REM --- Sophos Anti-Virus 10.7

start /wait MsiExec.exe /X{65323B2D-83D4-470D-A209-D769DB30BBDB} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-SAVlog.txt

REM --- Sophos Anti-Virus 10.8

start /wait MsiExec.exe /X{6654537D-935E-41C0-A18A-C55C2BF77B7E} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-SAVlog.txt

REM --- Sophos Remote Management System

start /wait MsiExec.exe /X{FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-RMSLog.txt

REM --- Sophos AutoUpdate

taskkill /im ALsvc.exe /f

start /wait MsiExec.exe /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-AULog.txt

REM --- Sophos Endpoint Defense

"C:\Program Files\Sophos\Endpoint Defense\uninstall.exe"

REM --- End of the script

:_End

-----------------------------------------------------------------------------------------------------------------------------------------------

Here are also a few useful items that I had to document during the process of developing the command above

List of Services and Executable Locations

Service Name

Display Name

Path to executable

Sophos Agent

Sophos Agent

"C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent -ORBListenEndpoints iiop://127.0.0.1

SAVService

Sophos Anti-Virus

"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe"

SAVAdminService

Sophos Anti-Virus status reporter

"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe"

Sophos AutoUpdate Service

Sophos AutoUpdate Service

"C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe"

Sophos Message Router

Sophos Message Router

"C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194

SntpService

Sophos Network Threat Protection

"C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe"

sophossps

Sophos System Protection Service

"C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe"

Sophos Web Control Service

Sophos Web Control Service

"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe"

swi_service

Sophos Web Intelligence Service

"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe"

swi_update_64

Sophos Web Intelligence Update

"C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe"

Obtaining the GUIDs of Applications

You can obtain the GUID applications using the PowerShell cmdlet:

wmic product get > C:\InstalledPrograms.txt

Locate the GUID of the application that needs to be removed and modify the script to include correct GUID.

3 comments:

Daisy Jones said...
This comment has been removed by a blog administrator.
thomie joy said...
This comment has been removed by a blog administrator.
Streym IT Solutions said...
This comment has been removed by the author.