Posted on  by admin

This article will show you how to remove the Sophos Central Endpoint Client from your Windows system, even if the tamper protection prevents this.

Important: This method of uninstalling the Endpoint Client should only be used if there is no chance to disable tamper protection in the normal way. This may be because you forgot your password or deleted your computer from Sophos Central without uninstalling the Endpoint Client on your computer. How to disable tamper protection in the proper way is explained in this tutorial.

Sophos Central is the unified console for managing all your Sophos products. Sign into your account, take a tour, or start a trial from here. This knowledge base article provides information on gathering the uninstall string of different Sophos Endpoint Security and Control components and how to uninstall each using a command line or a batch file. Every product version has a different uninstall string, meaning that the script does not uninstall components as expected.

Option 1

  1. Boot your Windows system into Safe Mode.
  2. Click Start, than Run and type services.msc and then confirm with Enter or click on OK
  3. Search for the Sophos Anti-Virus service and click on it with the right mouse button.
  4. From the context menu, select Properties and then deactivate the service.
  5. Now you can click on Start and type Run again. Enter regedit this time. Confirm with Enter or click OK.
  6. Go to the following location in the registry editor: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSophos MCS Agent and set REG_DWORD Start to 0x00000004
  7. Next, Go to the following location in the registry editor: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSophos Endpoint DefenseTamperProtectionConfig set the following REG_DWORD-values SAVEnabled and SEDEnabled to 0.
  8. Finally, go to the following location in the registry editor: HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeSophosSAVServiceTamperProtection and set the value at REG_DWORDto 0.
  9. Reboot the system in normal mode.

Option 2

  1. Boot your Windows system into Safe Mode.
  2. Then open the command line (Shell) and execute the following commands:
  3. Reboot the system in normal mode.

No matter which of the two options you choose, they should both result in the tamper protection being disabled and you can uninstall the Endpoint Client without any problems.

Ensuring that your endpoint and server protection is correctly configured is one of the most important things you can do for your organization’s security.

This article will give you some quick tips and links to resources so you can get the most out of your Sophos protection.

Getting started

In Sophos Central policies are used to apply protection settings such as specific exploit preventions, application control, and peripheral control. Policies can apply to endpoints, servers, users or groups depending on how you want to set things up. How to create a policy.

Application Control

Controls which applications should be blocked. For example, uTorrent and Steam games.
Endpoint setup Server setup

Data Loss Prevention

Stops specific file types or content in a file from being transferred from a device. For example, stop files containing account numbers being sent from a device.
Endpoint setup Server setup

Windows Firewall

Sophos endpoint proxy

Blocks inbound connections from specific domains or networks. For example, stopping all private networks accessing a device.
Endpoint setup Server setup

Peripheral Control

Controls what can be plugged into a device. For example, blocking USB sticks and optical drives.
Endpoint setup Server setup

Threat Protection

Configures protection features. We strongly suggest always using Sophos recommended settings.
Endpoint setup Server setup

Update Management

Schedules updates to a specific time. For example, setting them after office hours.

Endpoint setup Server setup

Web Control

Stops users downloading risky files or accessing inappropriate websites. For example, block .exe file downloads.
Endpoint setup Server setup

File Integrity Monitoring (Server only)

Monitors important files and folders for signs of tampering. For example, critical Windows directories or key programs.
How to set one up.

Tamper Protection
Tamper protection stops unauthorized users and types of malware from uninstalling Sophos protection. You should always have it enabled. Learn more.

Do I need to log in and check for alerts?

Sophos Endpoint

Users often ask how often they should log in to check for alerts and actions. The good news is that Sophos Central automatically emails admins when there is an event requiring their attention. Here’s how to configure alerts.

Check your security posture with EDR

Sophos Endpoint Agent Download

Endpoint Detection and Response (EDR) is a powerful tool to help you find threats across your network. It’s easy to get started by checking the list of the most suspicious potential threats for investigation in your organization.

We give you curated threat intelligence so you can quickly decide whether a potential threat needs taking care of. Watch the EDR how-to videos.

Sophos Endpoint Dlp

More information