Uninstall tamper-protected Sophos Antivirus with PowerShell

The Sophos Antivirus Endpoint tamper protection feature prevents even administrators from uninstalling the product. In this post, you will learn how to uninstall Sophos Antivirus with PowerShell.

Several events can lead to this situation:

  1. The company changes ownership.
  2. The company purchases a new AV product.
  3. The tamper protection password cannot be obtained.
  4. The previous AV administrators can’t remove tamper protection due to a domain change.
  5. The company removes tamper protection from a large portion of administered endpoints, but it still needs to remove tamper protection from a number of outlying systems and notebooks.

While Sophos does provide some assistance with removal via a script here, it includes the caveat:

Note: If enabled, the Sophos Tamper Protection policy must be disabled on the endpoints involved before attempting to uninstall any component of Sophos Endpoint Security and Control. See article 119175 for more information.

Following the article link, we arrive at the dreaded FAQ:

How can I disable tamper protection?

Normally you would only disable tamper protection if you wanted to make a change to the local Sophos configuration or uninstall an existing Sophos product. The instructions for this are given below. However, if you are not the administrator who installed it and who has the password, you will need to obtain the password before you can carry out the procedure.

To make things a little less painful, we can script those processes. There are a number of prerequisites to complete the removal, so we’ll break them down into individual steps.

  1. You must stop AV system services.
  2. You must replace the hashed tamper-protection password stored in the machine.xml file with a known-good password hash.
  3. You must start AV services.
  4. You must add the currently logged-in administrator to the local “SophosAdministrator” security group.
  5. You must open the application, manually authenticate the tamper-protection user, and then disable tamper protection altogether.
  6. Now run the component uninstallers.

Before writing code, either build a virtual machine (VM) and take a snapshot, or use something like Clonezilla to take an image of the test system’s hard drive. If things go wrong or a script makes a temporary change, we can easily revert to a clean sample. I find that when building scripts, PowerShell ISE is irreplaceable, because we can walk through each step and test separate statements in individual tabs.

Starting with the system services, let's stop only those that need stopping. Since we don't know the names the system uses for these services, we first need a list of service names that PowerShell can use. Following Jeffery Hicks's lead in his article here, it's easy to list all the services whose names contain "SAV" and "Sophos" with the command:

That provides us with the service names:

Get-Service with wildcards

Get-Service with wildcards

To stop these services with PowerShell, we use the Get-Service cmdlet, and stop only those services that are actually running:

To replace the unknown (or bad) password hash in the machine.xml file located in C:\ProgramData\Sophos\Sophos Anti-Virus\Config\, we use a Get-Content/Replace/Set-Content pipeline:

The hashed value E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73 corresponds to the password 'password' (all lowercase, without the quotes). Saving this into our machine.xml file replaces the old password secret with the known one, which allows us to authenticate and disable tamper protection.

We now need to start our services again to go into the application and disable tamper protection manually, but before we do that, we need to be a member of the local SophosAdministrator security group. Thanks to this post about how to add a domain user to a local group, we can programmatically add our account into this group with the following commands:
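From the defender's side, the two steps above leave traces that an administrator can audit for: the publicly known hash sitting in machine.xml and unexpected members of the local SophosAdministrator group. The following function is an added example, not code from the original post; the file path, hash value and group name come from the post, while the `-ExpectedMembers` list and the 24-hour modification window are assumptions you would tune to your environment.

```powershell
# Added example (not from the original post): audit one endpoint for the
# footprints of a tamper-protection password reset.
function Test-SophosTamperReset {
    param(
        # Path and hash value as given in the post above
        [string]$MachineXmlPath = 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml',
        [string]$KnownHash = 'E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73',
        # Accounts that legitimately belong to SophosAdministrator (assumption: you keep this list)
        [string[]]$ExpectedMembers = @(),
        # Flag a recent write to machine.xml (assumed window; adjust to your patch cadence)
        [int]$RecentWriteHours = 24
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $xmlFound = Test-Path -LiteralPath $MachineXmlPath

    if ($xmlFound) {
        # -Raw returns a single string, so the whole file is matched at once
        $content = Get-Content -LiteralPath $MachineXmlPath -Raw
        if ($content -match [regex]::Escape($KnownHash)) {
            $findings.Add("machine.xml holds the publicly known hash for 'password'")
        }
        $lastWrite = (Get-Item -LiteralPath $MachineXmlPath).LastWriteTime
        if ($lastWrite -gt (Get-Date).AddHours(-$RecentWriteHours)) {
            $findings.Add("machine.xml was modified at $lastWrite")
        }
    }

    # Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
    # The group is absent when Sophos is not installed; SilentlyContinue treats that as nothing to report.
    $members = Get-LocalGroupMember -Group 'SophosAdministrator' -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($ExpectedMembers -notcontains $m.Name) {
            $findings.Add("unexpected SophosAdministrator member: $($m.Name) ($($m.PrincipalSource))")
        }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        MachineXmlFound = $xmlFound
        Suspicious      = ($findings.Count -gt 0)
        Findings        = $findings.ToArray()
    }
}

# Run against the local machine; pass -ExpectedMembers with your approved accounts
Test-SophosTamperReset | Format-List
```

Run it from an elevated PowerShell session, since reading under ProgramData\Sophos and enumerating local group members may otherwise be denied.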

Once we add the account, we can disable the tamper-protection feature. Let’s print a message and have PowerShell tell the user who is running the script about what to do next. We’ll have the user hit ENTER to confirm using a Read-Host cmdlet. A great thing about PowerShell is that we only need to place our message in quotes for it to be printed to the screen.

User interaction message

Following the message, we want to be nice and open the Sophos Endpoint AV Console for the user. Use the call operator (&) to open the .exe.

With the help of Venkat Sri’s post here on 4sysops, we have the user confirm that the tamper protection has been disabled with a Yes/No message box.

Confirmation dialog box

Now that our prerequisites are out of the way, we can finally uninstall the different Sophos Endpoint components. According to Sophos, it’s important to stop the AutoUpdate service first.

Next, we'll call a batch file from PowerShell to run the uninstallers. I wanted to run a batch file from a PowerShell script because testing and running msiexec.exe inside PowerShell is overly complicated, and a separate batch file also gives me more flexibility. Again, it's easy to run the .bat script using the "&" call operator. But before we run our msiexec.exe commands, Sophos recommends that we stop the Sophos AutoUpdate service.

The .bat file contains the following lines, which uninstall the Sophos components in the particular order defined by the Sophos article linked earlier. The commands are silent; they suppress a reboot and send a verbose log to the default Windows\Logs directory. At the end, we include a 15-second delayed system restart command.

Finally, we copy our RemoveSophosWithTamperEnabled.ps1 file, SAV-msi-uninstall.bat file, and readme.txt into a single folder. The readme.txt file has the following instructions for running the scripts.

  1. Copy RemoveSophosWithTamperEnabled.ps1 and .bat scripts to c:\Admin
  2. Open PowerShell as Administrator
  3. Run the command:
  4. Run the command:
  5. Follow the instructions and you're done!

While it may not be the most efficient and elegant script, it does bring the uninstall time down significantly, removes potential mistakes during uninstallation, and teaches us a few things about PowerShell.

Below is the final script in full. I like to include hyperlinks for sources of code that I did not write explicitly in the comments preceding the command.

15 Comments
  1. Daniel 4 years ago

    fantastic !!

    Thank you for the info. It worked a treat.

  2. Michael 4 years ago

    Thank you so much. I had a VM that the cloud console no longer could see. The guide really helped.

  3. jahn 4 years ago

    It's already patched. There is no location named \Config\machine.xml


    • Author

      Hmmm. Strange, I find the machine.xml file still on my machine in the same c:\programdata\ directory; Sophos Endpoint 11.5.2. But I do not find the hashed value in the file...


  4. Fred Fen 3 years ago

    Cannot stop any of the services, and I am running PowerShell as admin. Any help?

    I am getting the following error:


    • Author

      Hi Fred, sorry, it looks as though there are either 1. not enough permissions to stop the service or 2. the service does not exist. Did you look for the service manually and/or stop the service manually?


  5. Spencer 3 years ago

    Hi Jason, great blog.

    Can you explain/detail which hash function(s) you used to get your hash?

    Thanks


  6. philippe 3 years ago

    Hi Jason, I know it's been a long time since you published this article, and so far it has been so useful for me.

    I need your help if you don't mind, because I'm stuck with the same kind of problem but with Endpoint 11.5.9.

    Your previous script unfortunately does not work with this version.

    I have the installation script if you want. Is there a chance that I could get help from you?

    Kind regards.

    Phil


  7. Jason 3 years ago

    I get the following error message when trying to run this command.

    Method invocation failed because [System.Object[]] doesn't contain a method named 'Replace'.


    • Author

      Hi Jason,

      At what point do you get the error? Try running the script in PowerShell ISE; you may get more descriptive error messages so you can track down the exact point where the script fails.


      • Jason 2 years ago

        I was able to get this to work through the ISE. Thanks for the help.


  8. Aaron 2 years ago

    Hopefully this will help someone.

    Just a quick snippet to reset the password without knowing the current value. I've found a few different old passwords used across my sites.


    • Dean Inns 2 years ago

      Hi Aaron,

      I'm trying your script, and all I get in the logs is "Hostname - No password". Am I missing something very obvious?

      Dean.


© 4sysops 2006 - 2020
