I was recently involved in assisting a customer with removing Sophos Endpoint Security and Control from their desktops and laptops because it was being replaced with Cylance Protect. Anti-Virus products aren’t something that I typically deal with so I had to do a bit of searching on the internet to come up with script that would check for the services and then subsequently remove them. What I noticed during the process was that the Sophos KB article:
How to uninstall Sophos Endpoint Security and Control from the command line or with a batch file
https://community.sophos.com/kb/en-us/109668
… wasn’t very helpful because I wasn’t able to find all of the components in the registry to extract the uninstall GUID to pair with the msiexec.exe /x command. Another item I noticed was that there are a lot of sample scripts and batch files available but they only worked for specific versions.
So after spending a good half day on this, I thought it would be a good idea to share what finally worked for me in case anyone out there looking for this. As the title of this post indicates, this works for version 10.7 and 10.8.
Sophos Install Script – Copy and paste below into a .cmd file
REM Check for the Sophos service
@Echo off
REM --- Check for an existing installation of Sophos Agent
IF NOT EXIST "C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe" (
REM --- Check for an existing installation of Sophos Anti-Virus
IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" (
REM --- Check for an existing installation of Sophos Anti-Virus status reporter
IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe" (
REM --- Check for an existing installation of Sophos AutoUpdate on 32-bit (the 'Sophos AutoUpdate Service' process)
IF NOT EXIST "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" (
REM --- Check for an existing installation of Sophos AutoUpdate on 64-bit (the 'Sophos AutoUpdate Service' process)
IF NOT EXIST "C:\Program Files (x86)\Sophos\AutoUpdate\ALSVC.exe" (
REM --- Check for an existing installation of Sophos Message Router
IF NOT EXIST "C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe" (
REM --- Check for an existing installation of Sophos Network Threat Protection
IF NOT EXIST "C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe" (
REM --- Check for an existing installation of Sophos System Protection Service
IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe" (
REM --- Check for an existing installation of Sophos Web Control Service
IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" (
REM --- Check for an existing installation of Sophos Web Intelligence Service 64-bit
IF NOT EXIST "C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe" (
REM --- Check for an existing installation of Sophos Web Intelligence Service 32-bit
IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" (
REM --- Check for an existing installation of Sophos Anti-Virus on Vista+ (the SAV adapter config file)
IF NOT EXIST "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" (
goto _End
))))))))))))
REM --- Disabling Sophos Services
sc config "Sophos Agent" start= disabled
sc config "SAVService" start= disabled
sc config "SAVAdminService" start= disabled
sc config "Sophos AutoUpdate Service" start= disabled
sc config "Sophos Message Router" start= disabled
sc config "SntpService" start= disabled
sc config "sophossps" start= disabled
sc config "Sophos Web Control Service" start= disabled
sc config "swi_service" start= disabled
sc config "swi_update_64" start= disabled
REM --- Stopping Sophos Services
net stop "Sophos AutoUpdate Service"
net stop "Sophos Agent"
net stop "SAVService"
net stop "SAVAdminService"
net stop "Sophos Message Router"
net stop "Sophos Web Control Service"
net stop "swi_service"
net stop "SntpService"
net stop "sophossps"
net stop "swi_filter"
REM --- Taskkill all services just in case services such as AutoUpdate is running and will not stop
taskkill /im ManagementAgentNT.exe /f
taskkill /im SavService.exe /f
taskkill /im SAVAdminService.exe /f
taskkill /im ALsvc.exe /f
taskkill /im RouterNT.exe /f
taskkill /im SntpService.exe /f
taskkill /im ssp.exe /f
taskkill /im swc_service.exe /f
taskkill /im swi_update_64.exe /f
REM --- Disable Tamper Protection
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SAVEnabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection" /v Enabled /t REG_DWORD /d 0 /f
REM --- Begin uninstall Sophos Components
REM --- Sophos Network Threat Protection
start /wait MsiExec.exe /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-NTPLog.txt
REM --- Sophos System Protection
start /wait MsiExec.exe /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-SPLog.txt
REM --- Sophos Anti-Virus
start /wait MsiExec.exe /X{23E4E25E-E963-4C62-A18A-49C73AA3F963} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-AVLog.txt
REM --- Sophos Anti-Virus 10.7
start /wait MsiExec.exe /X{65323B2D-83D4-470D-A209-D769DB30BBDB} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-SAVlog.txt
REM --- Sophos Anti-Virus 10.8
start /wait MsiExec.exe /X{6654537D-935E-41C0-A18A-C55C2BF77B7E} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-SAVlog.txt
REM --- Sophos Remote Management System
start /wait MsiExec.exe /X{FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-RMSLog.txt
REM --- Sophos AutoUpdate
taskkill /im ALsvc.exe /f
start /wait MsiExec.exe /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-AULog.txt
REM --- Sophos Endpoint Defense
"C:\Program Files\Sophos\Endpoint Defense\uninstall.exe"
REM --- End of the script
:_End
-----------------------------------------------------------------------------------------------------------------------------------------------
Here are also a few useful items that I had to document during the process of developing the command above
List of Services and Executable Locations
Service Name | Display Name | Path to executable |
Sophos Agent | Sophos Agent | "C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent -ORBListenEndpoints iiop://127.0.0.1 |
SAVService | Sophos Anti-Virus | "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" |
SAVAdminService | Sophos Anti-Virus status reporter | "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe" |
Sophos AutoUpdate Service | Sophos AutoUpdate Service | "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe" |
Sophos Message Router | Sophos Message Router | "C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 |
SntpService | Sophos Network Threat Protection | "C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe" |
sophossps | Sophos System Protection Service | "C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe" |
Sophos Web Control Service | Sophos Web Control Service | "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" |
swi_service | Sophos Web Intelligence Service | "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" |
swi_update_64 | Sophos Web Intelligence Update | "C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe" |
Obtaining the GUIDs of Applications
You can obtain the GUID applications using the PowerShell cmdlet:
wmic product get > C:\InstalledPrograms.txt
Locate the GUID of the application that needs to be removed and modify the script to include correct GUID.
3 comments:
Post a Comment