Several events can lead to this situation:
- The company changes ownership.
- The company purchases a new AV product.
- The tamper protection password cannot be obtained.
- The previous AV administrators can’t remove tamper protection due to a domain change.
- The company removes tamper protection from a large portion of administered endpoints, but it still needs to remove tamper protection from a number of outlying systems and notebooks.
While Sophos does provide some assistance with removal via a script here, it includes the caveat:
Note: If enabled, the Sophos Tamper Protection policy must be disabled on the endpoints involved before attempting to uninstall any component of Sophos Endpoint Security and Control. See article 119175 for more information.
Following the article link, we arrive at the dreaded FAQ:
How can I disable tamper protection?
Normally you would only disable tamper protection if you wanted to make a change to the local Sophos configuration or uninstall an existing Sophos product. The instructions for this are given below. However, if you are not the administrator who installed it and who has the password, you will need to obtain the password before you can carry out the procedure.
To make things a little less painful, we can script those processes. There are a number of prerequisites to complete the removal, so we’ll break them down into individual steps.
- You must stop AV system services.
- You must replace the hashed tamper-protection password stored in the machine.xml file with a known-good password hash.
- You must start AV services.
- You must add the currently logged-in administrator to the local “SophosAdministrator” security group.
- You must open the application, manually authenticate the tamper-protection user, and then disable tamper protection altogether.
- Now run the component uninstallers.
Before writing code, either build a virtual machine (VM) and take a snapshot, or use something like Clonezilla to take an image of the test system’s hard drive. If things go wrong or a script makes a temporary change, we can easily revert to a clean sample. I find that when building scripts, PowerShell ISE is irreplaceable, because we can walk through each step and test separate statements in individual tabs.
Starting with system services, let's stop only those services that need stopping. Since we don't know the exact service names the system uses, we first need a list of names that PowerShell can work with. Following Jeffery Hicks' lead in his article here, it's easy to list every service whose name contains "SAV" or "Sophos" with the command:
```powershell
Get-Service *SAV*, *Sophos* | Format-Table -Wrap -AutoSize
```
That provides us with the service names:
To stop these services with PowerShell, we use the Get-Service cmdlet, and stop only those services that are actually running:
```powershell
Get-Service SAVService,'Sophos Agent',SAVAdminService | where {$_.status -eq 'running'} | Stop-Service -force
```
To replace the unknown password hash in the machine.xml file located in C:\ProgramData\Sophos\Sophos Anti-Virus\Config\, we chain Get-Content, the string Replace method, and Set-Content:
```powershell
# -Raw reads the file as one string, so .Replace() is always the String method
(Get-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml' -Raw).Replace('8EXXXXXXXXXXXXXXXXXXXXX1AD02', 'E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73') | Set-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'
```
The hashed value E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73 corresponds to the value 'password', all lowercase, not including the quotes. When we save this into machine.xml, it replaces the old password hash with the hash of the new, known password and will allow us to authenticate and disable tamper protection.
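A guarded version of this replacement step, added here as an example and not part of the original article: it refuses to touch the file unless the expected current hash is actually present, keeps a timestamped backup, reads the file with -Raw so that Replace is always called on a single string, and verifies the write before reporting success. The function name Set-TamperHash, its parameters, and the use of Set-Content -NoNewline (PowerShell 5.0 or later) are assumptions of this example; the AV services must already be stopped as described above, or the file will be locked.

```powershell
# Added example (not the article's code): guarded edit of machine.xml.
function Set-TamperHash {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,   # path to machine.xml
        [Parameter(Mandatory)][string]$OldHash,      # hash currently in the file
        [Parameter(Mandatory)][string]$NewHash       # hash to write in its place
    )

    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        throw "Config file not found: $ConfigPath (newer builds may not use this file)"
    }

    # -Raw returns one string instead of an array of lines, so .Replace() is the
    # String method and never fails with "[System.Object[]] doesn't contain a method named 'Replace'".
    $content = Get-Content -LiteralPath $ConfigPath -Raw

    # Precondition: the value we intend to replace must be present (ordinal match,
    # the same comparison String.Replace uses). Otherwise do nothing.
    if ($content.IndexOf($OldHash, [StringComparison]::Ordinal) -lt 0) {
        throw "Expected hash $OldHash not present in $ConfigPath; file left unchanged"
    }

    # Keep a timestamped backup so the change can be reverted.
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    $updated = $content.Replace($OldHash, $NewHash)
    Set-Content -LiteralPath $ConfigPath -Value $updated -NoNewline

    # Verify the write; restore the backup if the new value is not there.
    $check = Get-Content -LiteralPath $ConfigPath -Raw
    if ($check.IndexOf($NewHash, [StringComparison]::Ordinal) -lt 0) {
        Copy-Item -LiteralPath $backup -Destination $ConfigPath -Force
        throw "Verification failed; restored backup from $backup"
    }
    Write-Output "Replaced hash in $ConfigPath (backup: $backup)"
}

# Usage (OldHash is whatever the file currently contains; NewHash is the
# hash for 'password' given in the article):
Set-TamperHash -ConfigPath 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml' `
               -OldHash '<current hash from machine.xml>' `
               -NewHash 'E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73'
```

Because the function throws instead of silently writing nothing, a build where the hash is not stored in machine.xml stops the script here rather than letting it continue into the uninstall steps with tamper protection still active.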
We now need to start our services again to go into the application and disable tamper protection manually, but before we do that, we need to be a member of the local SophosAdministrator security group. Thanks to this post about how to add a domain user to a local group, we can programmatically add our account into this group with the following commands:
```powershell
$ComputerName = Read-Host "Computer name:"
$Group = 'SophosAdministrator'
$domain = 'name.domain.com'
$user = 'domainusername'
([ADSI]"WinNT://$ComputerName/$Group,group").psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)
```
Once we add the account, we can disable the tamper-protection feature. Let's print a message telling the user who is running the script what to do next, and have the user hit ENTER to confirm using the Read-Host cmdlet. A convenient feature of PowerShell is that a quoted string on a line by itself is written to the output, so no Write-Host call is needed to print the message.
User interaction message
Following the message, we want to be nice and open the Sophos Endpoint AV Console for the user. Use the call operator (&) to open the .exe.
```powershell
& 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVmain.exe'
```
With the help of Venkat Sri’s post here on 4sysops, we have the user confirm that the tamper protection has been disabled with a Yes/No message box.
```powershell
Add-Type -AssemblyName PresentationCore,PresentationFramework
$ButtonType = [System.Windows.MessageBoxButton]::YesNo
$MessageIcon = [System.Windows.MessageBoxImage]::Warning
$MessageBody = "Tamper-Proof has been disabled and it's ok to continue?"
$MessageTitle = "Confirm to Continue Sophos Uninstall"
$Result = [System.Windows.MessageBox]::Show($MessageBody,$MessageTitle,$ButtonType,$MessageIcon)
Write-Host "$Result has been selected, continuing Sophos Uninstall"
# Stop here if the user answered No; otherwise the uninstall would run regardless of the answer
if ($Result -ne [System.Windows.MessageBoxResult]::Yes) { Write-Host "Uninstall cancelled"; exit }
```
Confirmation dialog box
Now that our prerequisites are out of the way, we can finally uninstall the different Sophos Endpoint components. According to Sophos, it’s important to stop the AutoUpdate service first.
```powershell
#Stop the Sophos AutoUpdate service prior to uninstall
Get-Service 'Sophos AutoUpdate Service' | where {$_.status -eq 'running'} | Stop-Service -force
```
Next, we'll call a batch file from PowerShell to run the uninstallers. I wanted a separate batch file because testing and running msiexec.exe inside PowerShell is overly complicated, and a separate file gives me more flexibility. Again, it's easy to run the .bat script using the call operator (&). But, before we run our msiexec.exe commands, Sophos recommends that we stop the Sophos AutoUpdate Service.
```powershell
Get-Service 'Sophos AutoUpdate Service' | where {$_.status -eq 'running'} | Stop-Service -force
#Run application uninstallers in correct order according to Sophos Docs.
#Silent uninstall, suppress Reboot, and create log file.
#https://www.sophos.com/en-us/support/knowledgebase/109668.aspx
& 'c:\Admin\SAV-msi-uninstall.bat'
```
The .bat file contains the following lines that uninstall the Sophos components in a particular order as defined by the Sophos article linked earlier. The commands are silent; they suppress a reboot and send a verbose log to the default Windows\Logs directory. At the end, we include a 15-second delayed system restart command.
```batch
msiexec.exe /X {66967E5F-43E8-4402-87A4-04685EE5C2CB} /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_Log.txt
msiexec.exe /X {1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_Log.txt
msiexec.exe /X {09863DA9-7A9B-4430-9561-E04D178D7017} /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_Log.txt
msiexec.exe /X {FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_Log.txt
msiexec.exe /X {BCF53039-A7FC-4C79-A3E3-437AE28FD918} /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_Log.txt
shutdown /r /t 15
```
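The same uninstall sequence driven from PowerShell instead of a batch file, added here as an example and not the article's own script: each product code is first checked against the registry Uninstall keys and skipped with a warning if it is not installed (the batch file has no way to report a stale GUID), each msiexec run is waited on and its exit code examined, and every package gets its own log file rather than the five runs overwriting one file. The product codes are the ones listed in the article for the version it covers; the function names, the per-package log naming and the exit-code handling (0 success, 3010 success with reboot required, 1605 unknown product) are assumptions of this example.

```powershell
# Added example (not the article's batch file): MSI uninstalls with checks.
$productCodes = @(
    '{66967E5F-43E8-4402-87A4-04685EE5C2CB}',
    '{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}',
    '{09863DA9-7A9B-4430-9561-E04D178D7017}',
    '{FED1005D-CBC8-45D5-A288-FFC7BB304121}',
    '{BCF53039-A7FC-4C79-A3E3-437AE28FD918}'
)

# Windows Installer registers each MSI product under one of these keys,
# named by its product code (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Test-MsiInstalled {
    param([Parameter(Mandatory)][string]$ProductCode)
    foreach ($key in $uninstallKeys) {
        if (Test-Path -LiteralPath (Join-Path $key $ProductCode)) { return $true }
    }
    return $false
}

function Uninstall-MsiProduct {
    param(
        [Parameter(Mandatory)][string]$ProductCode,
        [Parameter(Mandatory)][string]$LogPath
    )
    # Same switches as the article's batch file: silent, no reboot, verbose log.
    $msiArgs = "/X $ProductCode /qn REBOOT=SUPPRESS /L*v `"$LogPath`""
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

$needsReboot = $false
foreach ($code in $productCodes) {
    if (-not (Test-MsiInstalled -ProductCode $code)) {
        Write-Warning "$code is not registered on this system; skipping (product codes differ between Sophos versions)"
        continue
    }
    # One log per package so earlier logs are not overwritten.
    $logPath = Join-Path $env:windir ("Logs\Uninstall_SAV_{0}.txt" -f $code.Trim('{}'))
    $exit = Uninstall-MsiProduct -ProductCode $code -LogPath $logPath
    switch ($exit) {
        0       { Write-Output "$code removed" }
        3010    { Write-Output "$code removed; reboot required"; $needsReboot = $true }
        1605    { Write-Warning "$code reported as not installed (1605)" }
        default { throw "msiexec failed for $code with exit code $exit; see $logPath" }
    }
}
if ($needsReboot) { Write-Output 'Reboot the system to complete removal.' }
```

Stopping on the first unexpected exit code preserves the ordering Sophos requires: a later component is never removed while an earlier one is still half-installed, and the log path in the error message points at the package that failed.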
Finally, we copy our RemoveSophosWithTamperEnabled.ps1 file, SAV-msi-uninstall.bat file, and readme.txt into a single folder. The readme.txt file has the following instructions for running the scripts.
- Copy RemoveSophosWithTamperEnabled.ps1 and .bat scripts to c:\Admin
- Open PowerShell as Administrator
- Run the command:
Set-ExecutionPolicy RemoteSigned
- Run the command:
& 'C:\admin\RemoveSophosWithTamperEnabled.ps1'
- Follow the instructions and you're done!
While it may not be the most efficient and elegant script, it does bring the uninstall time down significantly, removes potential mistakes during uninstallation, and teaches us a few things about PowerShell.
Below is the final script in full. I like to include hyperlinks for sources of code that I did not write explicitly in the comments preceding the command.
```powershell
<#
.SYNOPSIS
PowerShell script to uninstall Sophos AV with an enabled tamper-proof password without having access to the password. The computer can be in a different AD domain.
.NOTES
Author : Jason Coltrin
.LINK
Home
#>

#Stop AV services before modifying .xml file only if service is running
Get-Service SAVService,'Sophos Agent',SAVAdminService | where {$_.status -eq 'running'} | Stop-Service -force

#Replace default tamper-proof user password hash with known password hash that is equal to 'password'.
#https://community.sophos.com/products/free-antivirus-tools-for-desktops/f/17/t/9776
#-Raw reads the file as one string so .Replace() is always the String method
(Get-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml' -Raw).Replace('8E8A6A6DB780D559929D042743DC97BCF6D1AD02', 'E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73') | Set-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'

#Start AV services in order to run uninstall
Get-Service SAVService,'Sophos Agent',SAVAdminService | Foreach { Start-Service $_.Name -PassThru }

#Get the computer name and add admin user account to SophosAdministrator local computer group
$ComputerName = Read-Host "Computer name:"
$Group = 'SophosAdministrator'
$domain = 'contoso.domain.com'
$user = 'admin_username'
([ADSI]"WinNT://$ComputerName/$Group,group").psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)

#Need to open Sophos AV, manually remove tamper protection
"Open Sophos Endpoint AV, go to the Configure menu -> Authenticate User -> enter the password 'password' and then go into 'Configure Tamper Protection' and uncheck 'Enable Tamper Protection'. Be sure to close the Sophos AV Console window after disabling Tamper-Protect."
Read-Host "Press ENTER to continue"

#Open Sophos Endpoint AV Console for the user. Use the call operator (&) to open the .exe
& 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVmain.exe'

#Prompt user to confirm tamper protection has been disabled.
#https://4sysops.com/archives/how-to-display-a-pop-up-message-box-with-powershell/
Add-Type -AssemblyName PresentationCore,PresentationFramework
$ButtonType = [System.Windows.MessageBoxButton]::YesNo
$MessageIcon = [System.Windows.MessageBoxImage]::Warning
$MessageBody = "Tamper-Proof has been disabled and it's ok to continue?"
$MessageTitle = "Confirm to Continue Sophos Uninstall"
$Result = [System.Windows.MessageBox]::Show($MessageBody,$MessageTitle,$ButtonType,$MessageIcon)
Write-Host "$Result has been selected, continuing Sophos Uninstall"
#Stop here if the user answered No; otherwise the uninstall would run regardless of the answer
if ($Result -ne [System.Windows.MessageBoxResult]::Yes) { Write-Host "Uninstall cancelled"; exit }

#Stop the Sophos AutoUpdate service prior to uninstall
Get-Service 'Sophos AutoUpdate Service' | where {$_.status -eq 'running'} | Stop-Service -force

#Run application uninstallers in correct order according to Sophos Docs
#Silent uninstall, suppress reboot, and create log file
#https://www.sophos.com/en-us/support/knowledgebase/109668.aspx
& 'c:\Admin\SAV-msi-uninstall.bat'
```
Fantastic!!
Thank you for the info. It worked a treat.
Thank you so much. I had a VM that the cloud console no longer could see. The guide really helped.
Glad it helped you out! Thanks for the feedback. Did you have to make any changes to the script?
It’s already patched. There is no location named \Config\machine.xml
Hmmm. Strange, I find the machine.xml file still on my machine in the same c:\programdata\ directory; Sophos Endpoint 11.5.2. But I do not find the hashed value in the file…
Cannot stop any of the services and I am running PowerShell as admin. Any help?
I am getting the following error:
Hi Fred, sorry, it looks as though there are either 1. not enough permissions to stop the service or 2. the service does not exist. Did you look for the service manually and/or stop the service manually?
Hi Jason, great blog.
Can you explain/detail which hash function(s) you used to get your hash?
Thanks
Hi Spencer, Sorry I did not generate the hash. I believe I found it in the following forum post at sophos:
https://community.sophos.com/products/free-antivirus-tools-for-desktops/f/sophos-anti-virus-for-mac-home-edition/9776/remove-sophos-but-no-tamper-protection-password
Hi Jason, I know it's been a long time since you published this article, and so far it has been very useful for me.
I need your help if you don’t mind, because I’m stuck with the same kind of problem but with endpoint 11.5.9
your previous script unfortunately does not work with this version.
I have the installation script if you want. Is there a chance that I could get help from you?
Kind regards.
Phil
I get the following error message when trying to run this command.
Method invocation failed because [System.Object[]] doesn’t contain a method named ‘Replace’.
Hi Jason,
At what point do you get the error? Try running the script in PowerShell ISE, you may get more descriptive error messages so you can track down the exact point the script fails.
I was able to get this to work through the ISE. Thanks for the help.
Hopefully this will help someone.
Just a quick snippet to reset the password without knowing the current value. I’ve found a few different old passwords used across my sites.
Hi Aaron,
I'm trying your script and all I get in the logs is Hostname – No password – Am I missing something very obvious?
Dean.
Hi Mate
I'm getting an error at the last line: unable to find .bat file
Would be great if you could provide a script to do the current version of sophos…
I don’t know about anyone else’s Sophos setup, but in ours Tamper Protection stops you from stopping any of those services. I had to resort to using an SCCM task sequence that restarted in WinPE, mounted the “live” registry, turned off Tamper Protection there, restarted in normal OS and reconfigured the Sophos client to point to the new estate.
This no longer appears to work. Would love if someone had an update on removing sophos without being local to the system.
Tested and confirmed, this script is no longer working – you must update parts of this with updated GUIDs to get it working again