You may have come across an issue where you have deleted a Server or workstation from Sophos Central not realising that by default these devices are protected for “Tamper Protection”.
Sophos Central is the unified console for managing all your Sophos products. Sign into your account, take a tour, or start a trial from here. Sophos Endpoint Defense Service: SEDService.exe: Prevents undesired actions to Sophos components which is explained further on KBA 123654. Sophos File Scanner Service: SophosFS.exe: Used to scans files for reputation, deep learning, and Application ID. Sophos Live Query: SophosLiveQueryService.exe: Used to manage and performs live query actions. Sophos is retiring its on-premise products mentioned in this article on 20 July 2023. For product retirement details, see our retirement calendar. Overview This knowledge base article describes how to recover a tamper-protected Windows system if the other methods to.
So now on the local machine you are attempting to uninstall “Sophos” but you can’t and keep getting an error “You must disable “Sophos Tamper Protection before you continue. Contact your administrator or see Sophos KBA119175”.
Contacting Sophos doesn’t help as they claim there is no way around this. From the looks of it you can’t remove the application and potentially you may have to re-build it if you really need to remove the software.
In the below steps I will show you how you can reset the password for “Tamper Protection” and disable it. You can then uninstall the software.
Sophos Kb 119175
1. On the local machine launch “Services” and “Stop” the “Sophos Ant-Virus” service
2. Open a explorer window and navigate to “C:ProgramDataSophosSophos Anti-VirusConfig” right click the filename “machine.xml” and click “Edit” alternatively open with “Notepad” – make sure you make a copy of the file before editing it as a backup should you need to restore it.
3. Click “Edit-Find…” find the line within the file called “<TamperProtectionManagement><settings>”
4. On the line below – highlight the hashed password and remove it out.
Sophos Kba 119175
5. Paste in the following Hash. “E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73” This will set the password to “password”
6. Save the changes
7. Start the “Sophos Anti-Virus” service
8. Launch the Sophos Console and click “Authenticate User”
9. Insert the password “password”
10. Click “Configure tamper protection”
11. uncheck the box “Enable Tamper protection” and click “OK”
12. Now run the the uninstallation process again and the software should uninstall.
Components
| Sophos Endpoint Security and Control | 10.8.11 VE 3.82.0 April 2021 | 10.8.10.1 VE 3.80.1 February 2021 | 10.8.9.610 VE 3.79.0 October 2020 | 10.8.9.292 VE 3.79.0 July 2020 | 10.8.6.1 VE 3.77.1 January 2020 | 10.8.4.4 VE 3.77.1 August 2019 | 10.8.4.4 VE 3.74.1 July 2019 | 10.8.4.3 VE 3.74.1 May 2019 |
|---|---|---|---|---|---|---|---|---|
| Sophos Anti-Virus | 10.8.11.22 | 10.8.10.810 | 10.8.9.610 | 10.8.9.292 | 10.8.6.215 | 10.8.4.227 | 10.8.4.227 | 10.8.4.227 |
| Threat detection engine | 3.82.0 | 3.80.1 | 3.79.0 | 3.79.0 | 3.77.1 | 3.77.1 | 3.74.1 | 3.74.1 |
| Sophos Client Firewall Windows 8 and later | 3.0.6 | 3.0.6 | 3.0.6 | 3.0.6 | 3.0.6 | 3.0.6 | 3.0.6 | 3.0.6 |
| Sophos Client Firewall Windows 7 and earlier | 2.9.7 | 2.9.7 | 2.9.7 | 2.9.7 | 2.9.7 | 2.9.7 | 2.9.7 | 2.9.7 |
| Sophos AutoUpdate | 5.17.243 | 5.17.243 | 5.16.37 | 5.16.37 | 5.16.37 | 5.15.166 | 5.15.166 | 5.14.36 |
| Sophos Patch Agent | 1.0.314.11 | 1.0.314.11 | 1.0.314.11 | 1.0.314.11 | 1.0.313.30 | 1.0.313.30 | 1.0.313.30 | 1.0.313.30 |
| Sophos Web Control | 1.7.20 | 1.7.20 | 1.7.20 | 1.5 | 1.5 | 1.5 | 1.5 | 1.5 |
| Sophos Remote Management System | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 | 4.1.2.24 |
| Sophos Network Threat Protection | 1.9.2235 | 1.9.2235 | 1.9.2235 | 1.9.2235 | 1.9.2235 | 1.8.77.8000 | 1.8.77.8000 | 1.8.77.8000 |
| Sophos Endpoint Defense | 2.2.6.8672 | 2.2.6.8672 | 2.2.4.8250 | 2.2.4.8250 | 2.2.0.11405 | 2.1.2.8000 | 2.1.2.8000 | 2.1.2.8000 |
Standalone installations include the Sophos Web Control component but it only provides malicious website blocking.