Sophos Anti-Virus Secrets

If you use Sophos Anti-Virus and Sophos Central you will know that two scenarios are especially frustrating. I’m going to let you in on a couple of Sophos secrets that will get you past both of them.

Remove Tamper Protection without Admin Password

First, a device can be accidentally deleted from the Central console. When that happens, the only way to get it back into the console is to uninstall the endpoint client and reinstall it. Uninstalling requires Tamper Protection to be disabled, and disabling Tamper Protection requires the device's Tamper Protection admin password. If you did not catch the deletion in time and the device has already dropped off the recover passwords report in Central, you no longer have that password. It’s a catch-22: you need to uninstall the Sophos client so it can be reinstalled, but you can't uninstall it without the admin password! UGH! Thankfully you can disable Tamper Protection without the admin password by following the steps in this Sophos secret (you need local administrator rights and console access to boot the machine into Safe Mode):

  1. Boot the endpoint or server in Safe Mode.
  2. Click Start followed by Run then type services.msc
  3. Right-click the Sophos Anti-Virus service then Properties.
  4. Set the Startup type to Disabled then click the OK button.
  5. In Run, type regedit.exe then click the OK button.
  6. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the Value data of Start to 0x00000004 (4 = Disabled).
  7. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0.
  8. Set the Value data of Enabled to 0 in the key for your Windows architecture:
    • 32-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection
    • 64-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
  9. Enhanced Tamper Protection will now be disabled after you boot the endpoint or server in normal mode.

After disabling Tamper Protection you can uninstall and then reinstall the endpoint protection so the device re-registers with Central. Keep in mind what this procedure demonstrates: anyone with local administrator rights and the ability to boot the machine into Safe Mode can do exactly the same thing, so Tamper Protection is not a control against that threat. In normal mode these registry writes are precisely what Sophos Endpoint Defense blocks, which is why the Safe Mode boot is required. If the device is still listed on the recover passwords report in Central, using that password is far less work than this workaround.
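The same steps scripted in PowerShell, as an added example that is not from the original post or from Sophos. It assumes you are already booted into Safe Mode (it checks the SafeBoot registry key and refuses to run otherwise), that the prompt is elevated, and that the Sophos Anti-Virus service can be found by its display name; the registry paths and values are the ones listed in the steps above, and the function and variable names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example: disable Sophos Tamper Protection from Safe Mode without the
# admin password. Registry paths/values are from the procedure above; the
# Safe Mode check, service lookup by display name and function names are
# assumptions of this example, not Sophos documentation.

$SvcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$TpConfig = Join-Path $SvcRoot 'Sophos Endpoint Defense\TamperProtection\Config'
$SavTpKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'   # 64-bit Windows
} else {
    'HKLM:\SOFTWARE\Sophos\SAVService\TamperProtection'               # 32-bit Windows
}

function Test-SafeMode {
    # Windows creates Control\SafeBoot\Option only while booted into Safe Mode.
    Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option'
}

function Disable-SophosTamperProtectionOffline {
    if (-not (Test-SafeMode)) {
        throw 'Not booted in Safe Mode; in normal mode Sophos Endpoint Defense blocks these writes.'
    }

    # Steps 3-4: stop the Sophos Anti-Virus service from starting again.
    $sav = Get-Service -DisplayName 'Sophos Anti-Virus' -ErrorAction Stop
    Set-Service -Name $sav.Name -StartupType Disabled

    # Step 6: Start = 4 (SERVICE_DISABLED) for the MCS agent.
    Set-ItemProperty -Path (Join-Path $SvcRoot 'Sophos MCS Agent') -Name Start -Value 4 -Type DWord

    # Step 7: clear both tamper-protection flags under Sophos Endpoint Defense.
    Set-ItemProperty -Path $TpConfig -Name SAVEnabled -Value 0 -Type DWord
    Set-ItemProperty -Path $TpConfig -Name SEDEnabled -Value 0 -Type DWord

    # Step 8: Enabled = 0 under the SAVService key for this architecture.
    Set-ItemProperty -Path $SavTpKey -Name Enabled -Value 0 -Type DWord
}

function Get-SophosTamperProtectionState {
    # Read every value back so you can confirm the writes before rebooting.
    [pscustomobject]@{
        SAVStartupType = (Get-Service -DisplayName 'Sophos Anti-Virus').StartType
        MCSAgentStart  = Get-ItemPropertyValue -Path (Join-Path $SvcRoot 'Sophos MCS Agent') -Name Start
        SAVEnabled     = Get-ItemPropertyValue -Path $TpConfig -Name SAVEnabled
        SEDEnabled     = Get-ItemPropertyValue -Path $TpConfig -Name SEDEnabled
        SAVTPEnabled   = Get-ItemPropertyValue -Path $SavTpKey -Name Enabled
    }
}

Disable-SophosTamperProtectionOffline
Get-SophosTamperProtectionState | Format-List
# Expected after a successful run: Disabled, 4, 0, 0, 0. Reboot into normal
# mode (step 9), then uninstall and reinstall the endpoint client.
```

If you entered Safe Mode with `bcdedit /set {current} safeboot minimal`, remember to run `bcdedit /deletevalue {current} safeboot` before rebooting, or the machine will come back up in Safe Mode again.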

Clear alerts locally on the client endpoint

There may be several reasons why you want to clear alerts locally on the client. One is that they are very old alerts that were already remediated, and a red endpoint status just doesn’t look good come audit time. Note that this only clears the event store on the endpoint itself; an alert that is also showing in Sophos Central has to be resolved in the console. If the alert is local to the endpoint, clear it with the steps below:

  1. Turn off the Tamper Protection.
  2. Press the keys Windows and R, then type services.msc.
  3. Stop Sophos Health Service.
  4. Go to C:\ProgramData\Sophos\Health\Event Store\Database and rename the file events.db to events.orig.
  5. Restart Sophos Health Service.
  6. Open Task Manager and end the process Sophos Endpoint User Interface (Sophos UI.exe).
  7. Launch a new Sophos Endpoint user interface by running C:\Program Files\Sophos\Sophos UI\Sophos UI.exe and verify that its status is green and the event count is 0.
  8. Turn on the Tamper Protection.
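Steps 2 to 7 of this procedure as a script, added here as an example and not taken from the original post or from Sophos. It assumes Tamper Protection has already been turned off in the Sophos UI (step 1; that needs the admin password and cannot be scripted), that the prompt is elevated, that the health service can be found by its display name, and that the UI process is named after its executable, Sophos UI.exe. Instead of the fixed name events.orig it renames the database with a timestamp so the script can be run more than once without overwriting an earlier copy; the paths are the ones from the steps above.

```powershell
#Requires -RunAsAdministrator
# Added example: clear the local Sophos Health event store. Paths are from the
# procedure above; the display-name lookup, process name and timestamped
# backup name are assumptions of this example.

$DbDir  = 'C:\ProgramData\Sophos\Health\Event Store\Database'
$DbFile = Join-Path $DbDir 'events.db'
$UiExe  = 'C:\Program Files\Sophos\Sophos UI\Sophos UI.exe'

function Clear-SophosLocalEvents {
    $health = Get-Service -DisplayName 'Sophos Health Service' -ErrorAction Stop

    # Step 3: stop the health service. With Tamper Protection still on this
    # fails with access denied, which is the signal that step 1 was skipped.
    try {
        Stop-Service -Name $health.Name -Force -ErrorAction Stop
        $health.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    } catch {
        throw "Could not stop $($health.DisplayName); is Tamper Protection still enabled? $_"
    }

    # Step 4: move the event database aside (timestamped instead of events.orig
    # so repeated runs keep every earlier copy).
    if (Test-Path $DbFile) {
        $backup = Join-Path $DbDir ('events.orig.' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
        Move-Item -Path $DbFile -Destination $backup
        Write-Host "Renamed events.db to $backup"
    } else {
        Write-Host 'No events.db present; nothing to rename.'
    }

    # Step 5: restart the health service; it recreates an empty store.
    Start-Service -Name $health.Name
    $health.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

    # Steps 6-7: restart the endpoint UI so it reads the fresh store.
    Get-Process -Name 'Sophos UI' -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Process -FilePath $UiExe

    # Hand back what to check by eye: the UI should be green with 0 events.
    [pscustomobject]@{
        HealthServiceStatus = (Get-Service -Name $health.Name).Status
        NewEventsDbExists   = Test-Path $DbFile
    }
}

Clear-SophosLocalEvents | Format-List
# Step 8 (turn Tamper Protection back on) is done in the Sophos UI or Central.
```

Do not leave the endpoint with Tamper Protection off after the cleanup; the whole point of the feature is that an attacker who gains local admin cannot silently stop these same services.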