Manual Remove Sophos


Part 1: How to manually uninstall Sophos Anti-Virus on Mac. Keep in mind that you cannot uninstall Sophos Anti-Virus by dragging it from the Applications folder to the Trash, even though most Mac apps can be removed that way.


Use these instructions if you are unable to uninstall Sophos because Tamper Protection needs to be turned off, or because the tamper protection password is lost and the client cannot receive a new policy without a known password.

To recover a tamper protected system, you must disable Enhanced Tamper Protection.

NOTE: Back up your registry before you attempt this procedure.

Applies to the following Sophos products and versions
Sophos Endpoint Security and Control 10.6.4
Sophos Cloud Managed Endpoint

2 Steps total

Step 1: Sophos Enterprise Console managed client

1. Boot the system into Safe Mode.
2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
3. Click Start > Run and type regedit and then click OK.
4. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
5. Set the following DWORD values to 0: SAVEnabled and SEDEnabled
6. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0
7. Reboot the system in normal mode.

Step 2: Sophos Central managed client

1. Boot the system into Safe Mode.
2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
3. Click Start > Run and type regedit and then click OK.
4. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004
5. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0
6. Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0
7. Reboot the system in normal mode.

  • Choose your uninstall method. Press Command + Spacebar to open Spotlight. Type Remove Sophos. Note: If the tool exists or has not been moved to Trash, Spotlight will find it. Press Enter to run the tool. Note: Sophos Anti-Virus cannot be uninstalled by dragging it from the Applications folder to the Trash.
  • Sophos Antivirus is a free utility that protects a Mac from malware, dangerous websites, and viruses. Many users face issues when trying to uninstall Sophos from a Mac computer or still get notifications from the antivirus even after its removal.

Enhanced Tamper Protection is now disabled.
You should now be able to uninstall Sophos Protection.
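
A read-only check of the registry values the steps above change, added here as an example (it is not part of the original article or any Sophos tooling). It parses the text of a `.reg` export and reports whether each value is in the state the procedure sets; the sample export is constructed, and the function names are hypothetical.

```python
import re

# Values the procedure above changes, mapped to the data that means "off".
# Key paths come from the steps; SAMPLE below is constructed test input.
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
TP = SVC + r"\Sophos Endpoint Defense\TamperProtection\Config"
CHECKS = {
    (TP, "SAVEnabled"): 0,
    (TP, "SEDEnabled"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection", "Enabled"): 0,
    (SVC + r"\Sophos MCS Agent", "Start"): 4,  # 4 = service start type "disabled"
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Collect DWORD values from .reg export text as {(key, name): int}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and key:
            # Registry key and value names are case-insensitive.
            values[(key.lower(), m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return {value name: 'off' | 'on' | 'missing'} for each watched value."""
    found = parse_reg(text)
    report = {}
    for (key, name), off in CHECKS.items():
        data = found.get((key.lower(), name.lower()))
        report[name] = "missing" if data is None else ("off" if data == off else "on")
    return report

SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config]
"SAVEnabled"=dword:00000000
"SEDEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent]
"Start"=dword:00000004
'''
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Files written by regedit or `reg export` are UTF-16, so open them with `encoding="utf-16"` before passing the text to `audit()`. Any "off" result on a machine that was not deliberately put through this recovery procedure is worth investigating.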


References

  • Sophos Endpoint Defense: How to recover a tamper protected system

2 Comments

Manually Remove Sophos Tamper Protection

  • Jalapeno
    jimarnold Aug 2, 2019 at 01:08pm

    There might be an easier way:

    If you log into the admin portal for Sophos, then go to Logs & Reports, there is a report under the 'Endpoint & Server Protection' category called 'Recover Tamper Protection Passwords'

    If you run this report, it allows you to search for the deleted computer name and provides you with the tamper protection password for that computer. This allows you then to 'login' on the client software to override the policy and turn off tamper protection for 4 hours. This should be enough time to uninstall.

    I found myself cursing the Sophos portal until I discovered this little nugget of gold!

  • Pimiento
    spicehead-3jrws Aug 10, 2021 at 03:56am

    What do I need to do if I go to the safe mode to change the computer's registry as indicated above but the registry does not allow me to modify the values on it?