www.tjeena.se

The digital life of Jörgen Larsson

Sophos Endpoint Protection uninstall script

We were in the process of deploying System Center Endpoint Protection and unfortunately Sophos isn’t one of the vendors it can uninstall.

I created a collection that simply checks if “System Center Endpoint Protection” is present in Add/Remove Programs, then runs sophos_uninstall.bat.

After much testing I found out that to reach a 99% success rate all the taskkill and net stop commands must be there. Sometimes Sophos is performing an update when the script runs, and if it is not terminated properly it will reinstall or just stay there broken.
We have tamper protection enabled in Sophos, but this script is run with SCCM (admin) privileges, so shutting down the tasks/services is no problem.

Replace the YOUR-SERVER-HERE placeholder (line 38) with the path to your Sophos Endpoint deployment server.

@echo off 

:: Checks if Sophos is present in registry. If yes it will be uninstalled.

reg query HKEY_LOCAL_MACHINE\SOFTWARE |find "Sophos" && GOTO Uninstall
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node |find "Sophos" && GOTO Uninstall

EXIT 0


:Uninstall

:: Shutting down running processes and stopping/disabling services

sc config "Sophos AutoUpdate Service" start= disabled
sc config "Sophos Agent" start= disabled
sc config "SAVService" start= disabled
sc config "SAVAdminService" start= disabled
sc config "Sophos Message Router" start= disabled
sc config "Sophos Web Control Service" start= disabled
sc config "swi_service" start= disabled
sc config "swi_update" start= disabled

net stop "Sophos AutoUpdate Service"
net stop "Sophos Agent"
net stop "SAVService"
net stop "SAVAdminService"
net stop "Sophos Message Router"
net stop "Sophos Web Control Service"
net stop "swi_service"
net stop "swi_update"

taskkill /f /im ALUpdate.exe
taskkill /f /im swi_service.exe
taskkill /f /im swc_service.exe
taskkill /f /im RouterNT.exe
taskkill /f /im ALMon.exe
taskkill /f /im ALsvc.exe
taskkill /f /im ManagementAgentNT.exe
taskkill /f /im SAVAdminService.exe
taskkill /f /im sav32cli.exe
taskkill /f /im savcleanupservice.exe
taskkill /f /im savmain.exe
taskkill /f /im savprogress.exe
taskkill /f /im backgroundscanclient.exe
taskkill /f /im savproxy.exe
taskkill /f /im sdcdevcon.exe
taskkill /f /im sdcservice.exe
taskkill /f /im wscclient.exe
taskkill /f /im clientmrinit.exe
taskkill /f /im emlibupdateagentnt.exe
taskkill /f /im agentapi.exe
taskkill /f /im agentasst.exe
taskkill /f /im SavService.exe
taskkill /f /im swc_service.exe
taskkill /f /im swi_service.exe
taskkill /f /im scfmanager.exe
taskkill /f /im autoupdateagentnt.exe

sc config "Sophos AutoUpdate Service" start= disabled
sc config "Sophos Agent" start= disabled
sc config "SAVService" start= disabled
sc config "SAVAdminService" start= disabled
sc config "Sophos Message Router" start= disabled
sc config "Sophos Web Control Service" start= disabled
sc config "swi_service" start= disabled
sc config "swi_update" start= disabled

net stop "Sophos AutoUpdate Service"
net stop "Sophos Agent"
net stop "SAVService"
net stop "SAVAdminService"
net stop "Sophos Message Router"
net stop "Sophos Web Control Service"
net stop "swi_service"
net stop "swi_update"

taskkill /f /im ALUpdate.exe
taskkill /f /im swi_service.exe
taskkill /f /im swc_service.exe
taskkill /f /im RouterNT.exe
taskkill /f /im ALMon.exe
taskkill /f /im ALsvc.exe
taskkill /f /im ManagementAgentNT.exe
taskkill /f /im SAVAdminService.exe
taskkill /f /im sav32cli.exe
taskkill /f /im savcleanupservice.exe
taskkill /f /im savmain.exe
taskkill /f /im savprogress.exe
taskkill /f /im backgroundscanclient.exe
taskkill /f /im savproxy.exe
taskkill /f /im sdcdevcon.exe
taskkill /f /im sdcservice.exe
taskkill /f /im wscclient.exe
taskkill /f /im clientmrinit.exe
taskkill /f /im emlibupdateagentnt.exe
taskkill /f /im agentapi.exe
taskkill /f /im agentasst.exe
taskkill /f /im SavService.exe
taskkill /f /im swc_service.exe
taskkill /f /im swi_service.exe
taskkill /f /im scfmanager.exe
taskkill /f /im autoupdateagentnt.exe

sc config "Sophos AutoUpdate Service" start= disabled
sc config "Sophos Agent" start= disabled
sc config "SAVService" start= disabled
sc config "SAVAdminService" start= disabled
sc config "Sophos Message Router" start= disabled
sc config "Sophos Web Control Service" start= disabled
sc config "swi_service" start= disabled
sc config "swi_update" start= disabled

net stop "Sophos AutoUpdate Service"
net stop "Sophos Agent"
net stop "SAVService"
net stop "SAVAdminService"
net stop "Sophos Message Router"
net stop "Sophos Web Control Service"
net stop "swi_service"
net stop "swi_update"

:: Uninstalling 

msiexec /x "%ProgramData%\Sophos\AutoUpdate\Cache\rms\Sophos Remote Management System.msi" /qn REBOOT=SUPPRESS /PASSIVE

msiexec /x "%ProgramData%\Sophos\AutoUpdate\Cache\sau\Sophos AutoUpdate.msi" /qn REBOOT=SUPPRESS /PASSIVE

msiexec /x "%ProgramData%\Sophos\AutoUpdate\Cache\savxp\Sophos Anti-Virus.msi" /qn REBOOT=SUPPRESS /PASSIVE


:: Removing Sophos Remote Management System
	:: 4.0.2
	MsiExec.exe /X {FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn REBOOT=SUPPRESS /PASSIVE


:: Removing Sophos Anti-Virus using the most recent MSI from the server
        Msiexec /x "\\YOUR-SERVER-HERE\sophosupdate\CIDs\S004\SAVSCFXP\savxp\Sophos Anti-Virus.msi" /qn REBOOT=SUPPRESS /l*v c:\SAVUninstall.log 

	:: 10.3.12
	MsiExec.exe /X {D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4} /qn REBOOT=SUPPRESS /PASSIVE
	MsiExec.exe /X {9ACB414D-9347-40B6-A453-5EFB2DB59DFA} /qn REBOOT=SUPPRESS /PASSIVE


:: Removing Sophos Update Manager
	MsiExec.exe /X {2C7A82DB-69BC-4198-AC26-BB862F1BE4D0} /qn REBOOT=SUPPRESS /PASSIVE


:: Removing Sophos AutoUpdater
	:: 4.1.0.273
	MsiExec.exe /X {7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} /qn REBOOT=SUPPRESS /PASSIVE
	:: 4.10.64
	MsiExec.exe /X {15C418EB-7675-42be-B2B3-281952DA014D} /qn REBOOT=SUPPRESS /PASSIVE


:: Cleaning up stuff that might be left behind

if exist "%PROGRAMFILES%\Sophos" rd "%PROGRAMFILES%\Sophos" /S /Q
if exist "%PROGRAMFILES(x86)%\Sophos" rd "%PROGRAMFILES(x86)%\Sophos" /S /Q

if exist "%ALLUSERSPROFILE%\Sophos" rd "%ALLUSERSPROFILE%\Sophos" /S /Q

if exist "%CommonProgramFiles%\Sophos" rd "%CommonProgramFiles%\Sophos" /S /Q
if exist "%CommonProgramFiles(x86)%\Sophos" rd "%CommonProgramFiles(x86)%\Sophos" /S /Q

if exist "c:\Documents and Settings\All users\Sophos" rd "c:\Documents and Settings\All users\Sophos" /S /Q


reg query HKEY_LOCAL_MACHINE\SOFTWARE |find "Sophos Temp" && REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos Temp" /f
reg query HKEY_LOCAL_MACHINE\SOFTWARE |find "Sophos" && REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Sophos /f

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node |find "Sophos Temp" && REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos Temp" /f
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node |find "Sophos" && REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos /f

EXIT 0
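
To find the machines where the removal did not fully succeed, a follow-up check can look for the same services, folders and registry keys the batch script targets. The PowerShell below is an added example, not part of the original script; the function name Get-SophosRemnant and the exit-code convention are assumptions, and the Uninstall registry path is the standard Windows location behind Add/Remove Programs.

```powershell
# Added example: post-uninstall verification. Service names, folders and registry
# keys are copied from the batch script above; Get-SophosRemnant is a hypothetical name.
$Services = 'Sophos AutoUpdate Service','Sophos Agent','SAVService','SAVAdminService',
            'Sophos Message Router','Sophos Web Control Service','swi_service','swi_update'
$RegKeys  = 'HKLM:\SOFTWARE\Sophos','HKLM:\SOFTWARE\Sophos Temp',
            'HKLM:\SOFTWARE\Wow6432Node\Sophos','HKLM:\SOFTWARE\Wow6432Node\Sophos Temp'
# The (x86) variables are empty on 32-bit Windows, so empty roots are filtered out.
$Folders  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ALLUSERSPROFILE,
              $env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
            Where-Object { $_ } | ForEach-Object { Join-Path $_ 'Sophos' }
# Add/Remove Programs entries, 64-bit and 32-bit registry views.
$Uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

function Get-SophosRemnant {
    $found = @()
    # Match on key name or display name, since "net stop" accepts either.
    $left = Get-Service | Where-Object {
        $Services -contains $_.Name -or $Services -contains $_.DisplayName }
    foreach ($s in $left) { $found += "service: $($s.Name) ($($s.Status))" }
    foreach ($k in $RegKeys) {
        if (Test-Path -LiteralPath $k) { $found += "registry: $k" }
    }
    foreach ($f in $Folders) {
        if (Test-Path -LiteralPath $f) { $found += "folder: $f" }
    }
    $products = Get-ItemProperty -Path $Uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sophos*' }
    foreach ($p in $products) {
        $found += "product: $($p.DisplayName) $($p.DisplayVersion)"
    }
    return $found
}

$remnants = Get-SophosRemnant
if ($remnants) {
    $remnants | ForEach-Object { Write-Output $_ }
    exit 1    # non-zero so the deployment tool flags the machine for follow-up
}
Write-Output 'No Sophos remnants found'
exit 0
```

Run it from a 64-bit PowerShell host; a 32-bit host is redirected to the Wow6432Node registry view and the x86 Program Files folders.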
