For those of you who use Sophos Anti-Virus and Sophos Central, you will know that there are two scenarios that are especially frustrating. I'm going to let you in on a couple of Sophos secrets that will get you past those frustrations.
Remove Tamper Protection without Admin Password
First, a device can be accidentally deleted from the Central console. When that happens, the only way to get it back into the console is to uninstall the client software and reinstall it. Uninstalling requires tamper protection to be disabled, which needs the admin password, and if you did not catch the deletion in time the device will also have dropped off the recover passwords report, so you no longer have that password. It's a catch-22: you need to uninstall the Sophos client so it can be reinstalled, but you don't have the admin password that lets you uninstall it! UGH! Thankfully tamper protection can be disabled without the admin password. Bear in mind what that implies: the steps below need local Administrator rights plus the ability to reboot the machine into Safe Mode, and anyone who has both can do exactly the same, so treat this as a recovery procedure for machines you own, and keep Safe Mode and local admin out of the hands of people who should not have them. Here is the Sophos secret:
- Boot the endpoint or server in Safe Mode.
- Click Start followed by Run, type the command that opens the Services console, then click OK.
- Right-click the Sophos Anti-Virus service, then Properties.
- Set the Startup type to Disabled, then click OK.
- In Run, type regedit.exe, then click OK.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the Value data of Start to the value that disables the service.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of Enabled to 0.
- Reboot the endpoint or server in normal mode. Enhanced Tamper Protection will now be disabled.
After disabling tamper protection you can uninstall, then reinstall, the endpoint protection.
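The Safe Mode procedure above, written out as a PowerShell script. This is an added example, not the page author's script and not a Sophos tool; the service display names and the TamperProtection\Config key come from the steps above, while the Safe Mode check, the use of Set-Service to disable Sophos MCS Agent (the page does not show the Start value it sets), and the post-reboot verification function are my assumptions and are labelled in the comments.

```powershell
#Requires -RunAsAdministrator
# Added example (not the page author's script and not a Sophos tool): the Safe Mode
# procedure as PowerShell, with the checks a practitioner wants before touching anything.
# Run it from an elevated PowerShell prompt while booted in Safe Mode.

$TpConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'

function Test-SafeMode {
    # Win32_ComputerSystem.BootupState reads 'Fail-safe boot' or 'Fail-safe with network boot'
    # when Windows is in Safe Mode, and 'Normal boot' otherwise.
    $state = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    return ($state -like 'Fail-safe*')
}

function Get-TamperProtectionEnabled {
    # Reads the Enabled value the procedure edits; $null if the key is absent.
    if (-not (Test-Path -LiteralPath $TpConfigKey)) { return $null }
    return [int](Get-ItemProperty -LiteralPath $TpConfigKey -Name Enabled -ErrorAction Stop).Enabled
}

function Disable-SophosTamperProtection {
    if (-not (Test-SafeMode)) {
        throw 'Boot into Safe Mode first; with Sophos running, tamper protection blocks these changes.'
    }
    if ($null -eq (Get-TamperProtectionEnabled)) {
        throw "Key not found: $TpConfigKey (is Sophos Endpoint Defense installed?)"
    }

    # Services are looked up by the display names the procedure uses; -ErrorAction Stop
    # aborts rather than silently skipping a service that is not present.
    foreach ($displayName in 'Sophos Anti-Virus', 'Sophos MCS Agent') {
        $svc = Get-Service -DisplayName $displayName -ErrorAction Stop
        # Assumption: the procedure edits the Start value of Sophos MCS Agent in regedit but
        # the number is not shown; setting the startup type to Disabled writes the same
        # Start value that choosing "Disabled" in the Services console writes.
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Host "$displayName ($($svc.Name)): startup type set to Disabled"
    }

    # Enabled = 0 under TamperProtection\Config, exactly as in the regedit step.
    Set-ItemProperty -LiteralPath $TpConfigKey -Name Enabled -Value 0 -Type DWord
    Write-Host "Enabled = $(Get-TamperProtectionEnabled) under TamperProtection\Config"
    Write-Host 'Reboot into normal mode; Enhanced Tamper Protection should then be off.'
}

function Test-TamperProtectionDisabled {
    # Run this after the normal-mode reboot to confirm all three changes stuck.
    # Returns $true only when Enabled is 0 and both services are still Disabled.
    $ok = (Get-TamperProtectionEnabled) -eq 0
    foreach ($displayName in 'Sophos Anti-Virus', 'Sophos MCS Agent') {
        $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
        if ($svc -and $svc.StartType -ne 'Disabled') { $ok = $false }
    }
    return $ok
}

Disable-SophosTamperProtection
```

After the reboot into normal mode, run Test-TamperProtectionDisabled from an elevated prompt before you start the uninstall; if it returns $false, one of the changes did not survive the reboot and the uninstaller will still be blocked.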
Clear alerts locally on the client endpoint
There may be several reasons you want to clear alerts locally on the client. One is very old alerts that were already remediated but still show in the endpoint's UI, which just doesn't look good come audit time. Note that this only changes what the endpoint's own UI displays; it does not alter anything already reported to Central. If the alert is local to the endpoint, clear it with these steps:
- Turn off Tamper Protection.
- Press the Windows and R keys, type the command that opens the Services console, then click OK.
- Stop the Sophos Health Service.
- Go to C:\ProgramData\Sophos\ and rename the file that holds the local alert history (rename it rather than delete it, so you can put it back if you need it).
- Restart the Sophos Health Service.
- Open Task Manager and end the Sophos Endpoint User Interface process.
- Launch a new Sophos Endpoint user interface by running C:\Program Files\Sophos\Sophos UI\Sophos UI.exe and verify that its status is green and the event count is 0.
- Turn Tamper Protection back on.
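The alert-clearing steps above as a PowerShell script. This is an added example, not the page author's script and not a Sophos tool. The page names only the folder C:\ProgramData\Sophos\ and not the file that is renamed, so the file path is a mandatory parameter ($EventStoreFile is my placeholder name); the script also assumes that the TamperProtection\Config\Enabled value from the first section reflects whether Tamper Protection is currently on, and uses it to refuse to run until step 1 has been done in the Sophos UI.

```powershell
#Requires -RunAsAdministrator
# Added example (not the page author's script and not a Sophos tool): the alert-clearing
# steps as PowerShell. $EventStoreFile is a placeholder for the file under
# C:\ProgramData\Sophos\ that the procedure renames; the page does not give its name, so
# pass the full path in. Assumption: TamperProtection\Config\Enabled reflects the current
# Tamper Protection state.

$TpConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
$SophosUi    = 'C:\Program Files\Sophos\Sophos UI\Sophos UI.exe'
$SophosData  = 'C:\ProgramData\Sophos\'

function Clear-SophosLocalAlerts {
    param(
        [Parameter(Mandatory = $true)]
        [string]$EventStoreFile   # full path of the file to rename, somewhere under C:\ProgramData\Sophos\
    )

    # Step 1 has to be done in the Sophos UI with the admin password. Refuse to continue if it
    # was skipped: Tamper Protection would block stopping the service anyway.
    $enabled = (Get-ItemProperty -LiteralPath $TpConfigKey -Name Enabled -ErrorAction Stop).Enabled
    if ($enabled -ne 0) { throw 'Turn off Tamper Protection in the Sophos UI first.' }

    # Guard against a typo renaming something outside the Sophos data folder.
    if (-not $EventStoreFile.StartsWith($SophosData, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing to rename a file outside $SophosData"
    }
    if (-not (Test-Path -LiteralPath $EventStoreFile -PathType Leaf)) {
        throw "File not found: $EventStoreFile"
    }

    $health = Get-Service -DisplayName 'Sophos Health Service' -ErrorAction Stop
    Stop-Service -Name $health.Name -Force
    $health.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

    # Rename rather than delete: the old history stays on disk and can be restored.
    $backup = '{0}.{1}.bak' -f (Split-Path -Leaf $EventStoreFile), (Get-Date -Format 'yyyyMMdd-HHmmss')
    Rename-Item -LiteralPath $EventStoreFile -NewName $backup
    Write-Host "Renamed $EventStoreFile to $backup"

    Start-Service -Name $health.Name
    $health.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

    # Restart the UI (process name is the exe name without .exe) so it re-reads local state.
    Stop-Process -Name 'Sophos UI' -Force -ErrorAction SilentlyContinue
    Start-Process -FilePath $SophosUi
    Write-Host 'Check the Sophos UI: status green, event count 0. Then turn Tamper Protection back on.'
}
```

Call it as Clear-SophosLocalAlerts -EventStoreFile 'C:\ProgramData\Sophos\<the file the procedure names>'. The last step, turning Tamper Protection back on, is deliberately left to you in the UI so the script cannot leave a machine unprotected if it fails part-way through.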