Having issues uninstalling all Sophos components? This is the same script that engineers at Sophos use every day to uninstall problematic installations. Remember you still need to disable tamper protection first! If you don’t have the key then we have another article here that will show you how to remove tamper protection without an admin password.
Download: sophos_cleanup.zip

```powershell
#Sophos Endpoint Removal Script
#Usage examples:
# .\removesophos.ps1                               # Just logs all messages to screen and file.
# .\removesophos.ps1 -Remove YES                   # Removes all Sophos components and logs all messages to screen and file.
# .\removesophos.ps1 -Password 1234567 -Remove YES # Password will be provided to SEDCli.exe if TP is on and SEDCLi.exe exists.
# .\removesophos.ps1 -ErrorOnly YES                # Only print items that exist (errors) on screen. Still logs all to file.
# .\removesophos.ps1 -Remove YES -Restart YES      # At the end of the process restart the computer. 10 seconds delay by default intDelaySecondsRestart.
# .\removesophos.ps1 -NoLogFile YES                # No log file will be created. Messages will still be output to screen. Will run quicker.
# .\removesophos.ps1 -Debug YES                    # Outputs a little more data to screen for debugging purposes. Not expected to be used in normal use.
#Will exit if the following are present and in "remove" mode:
# SafeGuard
# Update Cache
# RMS as a Server/Relay
# SLD
# AD Sync Tool
# SAV for NetApp
# PMEX
# SEC
# SAVDI
# Sophos Transparent Authentication Suite (STAS)
# Sophos IPsec Client
# Sophos Connect
# Sophos Connect Admin
# Sophos Update Manager (SUM)
# Central Message Relay
param(
    [String]$Password,
    [String]$Remove,
    [String]$ErrorOnly,
    [String]$Restart,
    [String]$NoLogFile,
    [String]$Debug,
    [String]$Silent
)
#Version of script
$strVer = "7.11"
#Start time of script.
$StartTime = $(get-date)
#Log file location
$global:strLogFile = $env:TMP+"\SophosRemoval.txt"
$global:blNoLogFile = $false
#Global Counters
$global:intRegKeysFound = 0
$global:intMSIsRun = 0
$global:intDetoursUpdated = 0
$global:intUninstallCMDsRun = 0
$global:intFileFolderExists = 0
$global:intFolderFilesAttemptDelete = 0
$global:intDriversExist = 0
$global:intServicesExist = 0
$global:intServicesAttemptedToStop = 0
$global:intServicesAttemptedToDelete = 0
$global:intProcessTryKill = 0
$global:intFilesMarkedForDelete = 0
$global:intRemoveUpgradeCodeKey = 0
$global:intDriversTriedToStop = 0
$global:intRegKeysTryDelete = 0
$global:intSophosSurfrightCachedMSIsFound = 0
$global:intProcessesFound = 0
$global:intLocalSAUUsersFound = 0
$global:intLocalSAVGroupsFound = 0
$global:intLocalSAUUsersAttemptDelete = 0
$global:intLocalSAVGroupsAttemptDelete = 0
$global:IFEOWithDebuggerValue = 0
$global:IFEOToDelete = 0
#Pre-Checks state
$global:blnPastPrechecks = $false
#Force mode on, off by default
$global:boolForceMode = $false
#If one PFRO is created, set this to true for reboot message to display at end
$global:boolPFRONeedReboot = $false
#Services that should be running if exist
$aBFE = "BFE","Base Filtering Engine"
$aCryptSvc = "CryptSvc", "Cryptographic Services"
$aRPC = "RpcSs", "Remote Procedure Call (RPC)"
$aTaskShed = "Schedule", "Task Scheduler"
#MSI backup location to be super safe when deleting cached Sophos MSIs
$strBackupMSILocation = $env:TMP+"\SophosRemovalMSIs"
#Default time in seconds before shutting down
$intDelaySecondsRestart = 10
#Binary to check for, when checking scheduled scans
$strSAVSchedScanExe = "BackgroundScanClient.exe"
#Uninstaller Keys
$UninstallerKeys = "HKLM:\Software\wow6432node\microsoft\Windows\Currentversion\uninstall","HKLM:\Software\microsoft\Windows\Currentversion\uninstall"
$UninstallerKeys2 = "HKLM:\Software\wow6432node\microsoft\Windows\Currentversion\uninstall\*","HKLM:\Software\microsoft\Windows\Currentversion\uninstall\*"
#EarlyLaunch key
$strEarlyLaunchKey = "HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch"
#Registry named value for ELAM backup
$strELAMBackupPath = "BackupPath"
#Drivers not to stop
$DriversNotToStop = "hmpalert","sdcfilter","scfdriver"
#process fail to get path or signature
$aProcessesToCheck = "sedservice.exe","SophosAgentUI.exe","SophosAgentRelay.exe","SophosCertMgr.exe","SophosCWGScannerAutoUpdater.exe"
#Router path and client config value checks
$strRouterKey = "32|HKLM|SOFTWARE|Sophos\Messaging System\Router"
$strRouterKeyName = "ConnectionCache"
$strRouterEPCC = 10
#SEC Checks
$strSECKey = "32|HKLM|SOFTWARE|Sophos\EE"
#SAVDI Checks
$strSAVDI = "32|HKLM|SOFTWARE|Sophos\SAVDI"
#SAU Updating/Installing Process
$strSAUUpdatingProcess = "SophosUpdate.exe","Alupdate.exe"
$intRetryCounter = 10
#SafeGuard checks
$strSafeGuardKeys = "NATIVE|HKLM|SOFTWARE|Policies\Utimaco","NATIVE|HKLM|SOFTWARE|Utimaco"
$strSafeGuardFolders = "NATIVE|PROGRAMDATA|Utimaco"
#Block on Server Lock Down (SLD)
$strSLDKey = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sldsvc"
$strSLDDir = "NATIVE|PROGRAMFILES|Sophos\SLD"
#Block on STAS
$strSTASKey = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\STAS","32|HKLM|SOFTWARE|Sophos\Sophos Transparent Authentication Suite"
$strSTASDir = "32|PROGRAMFILES|Sophos\Sophos Transparent Authentication Suite"
#Block on Sophos IPsec Client
$strIPsecClientKeys = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\ncprwsnt","NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\ncpsec","NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\ncpclcfg","NATIVE|HKLM|SOFTWARE|NCP engineering GmbH"
$strIPsecDir = "NATIVE|PROGRAMFILES|Sophos\sophos ipsec client"
#Block on Sophos Connect
$strSophosConnectKeys = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\scvpn"
$strSophosConnectDir = "32|PROGRAMFILES|Sophos\Connect"
#Block on Sophos Central Relay
$strSophosCentRKeys = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SophosMessageRelayService","32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\MR"
$strSophosCentDir = "NATIVE|PROGRAMFILES|Sophos\messagerelay", "NATIVE|PROGRAMDATA|Sophos\messagerelay"
#Block on Sophos Connect Admin
$strSophosConnectAdDir = "32|PROGRAMFILES|Sophos\ConnectAdmin"
#Block on Sophos Central AD Sync Tool
$strADSyncKey = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Central AD Sync Utility"
$strADSyncDir = "32|PROGRAMFILES|Sophos\Cloud\AD Sync"
#Block on Update Cache
$strUpdateCachedDir = "NATIVE|PROGRAMDATA|Sophos\UpdateCache"
$strUpdateCachedReg = "32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\UC"
#Block on SAV for NetApp
$strSAVNetAppDir = "32|PROGRAMFILES|Sophos\SAV for NetApp"
$strSAVNetAppKey = "32|HKLM|SOFTWARE|Sophos\SAV for NetApp"
#Block on SUM
$strSUMDir = "NATIVE|PROGRAMDATA|Sophos\Update Manager"
$strSUMKey = "32|HKLM|SOFTWARE|Sophos\UpdateManager","NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SUM"
#Block on SAV for PMEX
$strPMEXKey = "32|HKLM|SOFTWARE|Sophos\MMEx"
$aPMEXDirs = "NATIVE|PROGRAMFILES|Sophos\PureMessage","32|PROGRAMFILES|Sophos\PureMessage"
#Path to the Central uninstaller, will favour this first for best chance of a clean removal
$strUninstallAllCommand = $env:ProgramFiles+"\Sophos\Sophos Endpoint Agent\uninstallcli.exe"
#Windows Installer Cache
$strInstallerCacheDir = "NATIVE|WINDOWS|Installer"
#SAU (no XG) has a local user account
$strSAULocalUserPrefix = "SophosSAU"
#Key for TP state
$strSEDStateKey = "hklm:system\currentcontrolset\services\sophos endpoint defense\tamperprotection\config"
#SEDCli tool, file, switch and location
$strSEDCli = "sedcli.exe"
$strSEDOffSwitch = "-TPoff"
$strSEDDirectory = "NATIVE|PROGRAMFILES|Sophos\Endpoint Defense"
$strSEDEnabled = "SEDEnabled"
#Sophos AppInit_DLLs data
$strDetoursNative = "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
$strDetoursWow = "HKLM:SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Windows"
$strAppInitName = "AppInit_DLLs"
$strSophosDetours = "\\sophos~"
#LSP config information
$strWebIntKey = "32|HKLM|SOFTWARE|Sophos\Web Intelligence"
$strSWIName = "SwiUpdateAction"
$strValueToSet = 3
$strSwiUpdate = "swi_update","swi_update_64"
$strLSPFileName64 = "swi_ifslsp_64.dll"
$strLSPFileName32 = "swi_ifslsp.dll"
$strUnregLSPCommandPath = "NATIVE|PROGRAMDATA|Sophos\Web Intelligence"
$strUnregLSPCommandBin = "swi_update_64.exe","swi_update.exe"
$strUnregLSPCommandPar = "/forceDisableLsp"
#SED Service Disable
$strSophosEPDServiceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service"
$intStartupType = "4"
#List of SAV local groups
$aSAVGroups = "SophosUser", "SophosAdministrator", "SophosPowerUser", "SophosOnAccess"
#Data - UpgradeCodes
$aUGCdSCF = "7EDA9D28-FF94-4FC8-938F-98BE1E3D7F76"
$aUGCdMCS = "7A6045EF-603A-4648-B227-2221E4A931BB"
$aUGCdSPA = "5D2115BD-C9DA-4824-B652-0C40854D0B87"
$aUGCdSSP = "54AA7E32-35B0-46F6-B2BD-8540035852FF"
$aUGCdSAU = "3B8886D0-98A2-4992-A0AC-893AEDBB494B"
$aUGCdSHS = "CB7EF0DC-8D31-461A-B347-C43F9EB23F33"
$aUGCdSHB = "5E565706-8F76-4B09-85E1-CBEB34008839"
$aUGCdSDU = "509DE7F3-3276-4D09-95F3-27FD21009F87"
$aUGCdNTP = "A6CF693D-C171-4DF5-AE49-223B66F65A1A"
$aUGCdSAV = "597B239E-3032-491A-A322-817737925E8A"
$aUGCdSVRT = "85c95869-44ad-473e-a0af-839dfda60f91"
$aUGCdFIM = "B96143BD-1693-4DD6-B4AE-C7F765794E14"
$aUGCdNACA = "6C9D648C-7DF5-4F66-960F-16064CD6B86A"
$aUGCdRMS = "875FCE2A-79F9-4561-BC5B-74964678E049"
$aUGCdCWGAV = "1B29598D-871A-4DF5-9762-ACC7567194AC"
$aUGCdCWGCD = "B9A8CD2A-3AFA-4995-8ADD-2B8DC853502F"
$aUGCdCWGRT = "10F0CB89-66F0-4DEE-8709-93325C07A84D"
$aUGCdCWGNA = "BE5B7E7B-1E6E-4819-929A-52800A41BBC8"
$aUGCdCWGMON = "EEF8EA12-FFDF-4129-8C3C-2A071B164BA9"
$aUGCDPA = "A2A22F15-1B15-4C23-A9F5-2B9AD5D72E84"
$aUGCESH = "CE66E855-6160-4106-88ED-A94A805EDDA7"
$aUGCSEF = "8682C52C-8CC7-4923-9F32-920AF207A2C6"
$aUGCSUI = "D7FA14A7-AEB7-449D-8176-A0A2C0F5DFE9"
$aUGCSH = "FF75EB1E-7115-4D1A-A5FF-B0F23B7789FE"
#All EP UG Codes Data
$aUGCDataAll = $aUGCdSCF,$aUGCdMCS,$aUGCdSPA,$aUGCdSSP,$aUGCdSAU,$aUGCdSHS,$aUGCdSHB,$aUGCdSDU,$aUGCdNTP,$aUGCdSAV,$aUGCdSVRT,$aUGCdFIM,$aUGCdNACA,$aUGCdRMS,$aUGCdCWGAV,$aUGCdCWGCD,$aUGCdCWGRT,$aUGCdCWGNA,$aUGCdCWGMON,$aUGCDPA,$aUGCESH,$aUGCSEF,$aUGCSUI,$aUGCSH
#Commands not to count in stats as always run
$aCommandsNotToCount = "netcfg.exe"
#Windows Installer "Folders" key
$WIFoldersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\'
#Partial path matches for items to remove from the Windows Installer "Folders" registry key
$toFindInFoldersKey = "\\Programdata\\Sophos\\", `
                      "\\Program Files\\Sophos\\", `
                      "\\Program Files \(x86\)\\Sophos\\", `
                      "\\Program Files\\common files\\Sophos\\", `
                      "\\Program Files \(x86\)\\common files\\Sophos\\"
#IFEO keys
$strNagiveIFEO = "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
$strNagiveIFEOWow = "HKLM:Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
$strIFEOAll = $strNagiveIFEO, $strNagiveIFEOWow
$strToSkipForIFEO = "ConfigTool.exe","Uploader.exe","install.exe","Uninstall.exe"
#Prevent Processing XML entries twice.
$strFirstGroupAvoidDups = "Hosting and Hardcoded Processes"
#NDIS Checks
$strMaxFiltersKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Network\"
$strMaxNumFilters = "MaxNumFilters" #Reg key to find, Only exists on Win 7
$intDefaultMaxFilters = 8 #The default reg value is 8. (max is 14)
$intFiltersRequired = 2 #Suggest 2. SCF and NTP install a NDIS filter.
#Other vendor names
$aOtherVendors = "AVG","Symantec","Microsoft Security Client","McAfee","Zscaler","Bitdefender","Kaspersky","Microsoft Endpoint Protection","Avast","GriSoft AVG","Crowdstrike","Cylance","Malwarebytes","Panda","Webroot","Trend Micro","F-Secure","Trend OfficeScan","Avira","ClamAV","Comodo","ESET","SentinelOne","VIPRE"
#AuthenticodeFlags check for MTD and SCF
$AuthenticodeFlagsDWORDProb = 2
$strDWORDAuthenticodeValue = "AuthenticodeFlags"
$strFlagsTrustedPublisherKeys = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer", "HKLM:\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Safer"
#Data to derive logic from, could be an external resource.
#XML over JSON to avoid PowerShell 3 and better legacy support.
#if statements allows the data to be collapsed in editors.
if($true){
    #NOTE: the XML component data (RemovalData/Components) is not included in this copy of the script.
    $xmlComponents = [xml]@"
"@
    #End of data
    #=====================================================================================================
}
#=====================================================================================================
function Main()
{
    cls
    Write-Host "====================================================================================================================="
    Write-Host "SOPHOS ENDPOINT SOFTWARE REMOVAL SCRIPT - Version $($strVer)" -foregroundcolor Red
    Write-Host "====================================================================================================================="
    Write-Host "Notes:"
    Write-Host " - Supported methods should be tried before running this script."
    Write-Host " - This script is not supported by Sophos support."
    Write-Host " - This script automates a number of manual steps typically carried out by Sophos support."
    Write-Host " - This script should not be modified or redistributed."
    Write-Host " - This script is designed to provide feedback via support to enhance the supported uninstaller."
    Write-Host " - This script is designed to be a last resort."
    Write-Host " - No guarantees can be made that 'unexpected' data in Sophos locations will not be removed."
    Write-Host " - It is recommended the computer is restarted after running in removal mode."
    Write-Host " - It is recommended a suitable backup of important data is made before running in removal mode."
    Write-Host "====================================================================================================================="
    if($Remove -eq "YES")
    {
        $global:boolForceMode = $true
        Write-Host "REMOVAL MODE" -foregroundcolor Red
        Write-Host " - It is recommended that you close any web browsers that may be open before continuing."
        if(-not $Silent)
        {
            Write-Host ""
            Read-Host -Prompt "Press enter to continue in 'Remove' mode or CTRL+C to quit."
        }
    }
    else
    {
        $global:boolForceMode = $false #default to off anyway when declared globally
        Write-Host "REPORT MODE" -foregroundcolor Yellow
        Write-Host " - To run in 'Remove' mode use the command line switch: -Remove YES"
        if(-not $Silent)
        {
            Write-Host ""
            Read-Host -Prompt "Press enter to continue in 'Report' mode or CTRL+C to quit."
        }
    }
    if($Restart -eq "YES")
    {
        $boolRestart = $true
        Write-Host "IMPORTANT: The option to RESTART the computer at the end of the script has been set." -foregroundcolor RED
        Write-Host "IMPORTANT: There will be a $($intDelaySecondsRestart) seconds countdown prior to restarting." -foregroundcolor RED
        Write-Host "IMPORTANT: To abort shutdown in that time, run: shutdown /a" -foregroundcolor RED
        Write-Host "============================================================================================"
        if(-not $Silent)
        {
            Read-Host -Prompt "Press enter to confirm you wish to run the script and restart or CTRL+C to quit."
        }
    }
    if($NoLogFile -eq "YES")
    {
        $global:blNoLogFile = $true
    }
    $DebugLog = $false
    if($Debug -eq "YES")
    {
        $DebugLog = $true
    }
    #For computer information.
    $TimeStamp = Get-Date
    #Get product type
    switch((Get-WmiObject Win32_OperatingSystem).ProductType)
    {
        1{$strOSType = "Workstation"}
        2{$strOSType = "Domain Controller"}
        3{$strOSType = "Server"}
        default{$strOSType = "Unknown"}
    }
    #Get Architecture
    if(Is64bitOS){$strArch = "64-bit"}else{$strArch = "32-bit"}
    #Print Banner
    Log-Write "============================================================================================" "HEAD"
    Log-Write "Script Version: $($strVer)" "INFO"
    Log-Write "============================================================================================" "HEAD"
    Log-Write "Environment" "HEAD"
    Log-Write "============================================================================================" "HEAD"
    Log-Write "Computer Name: $($env:computername)" "INFO"
    Log-Write "Operating System: $((Get-WmiObject Win32_OperatingSystem).Name)" "INFO"
    Log-Write "Role: $($strOSType)" "INFO"
    Log-Write "Domain Member: $((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain)" "INFO"
    Log-Write "Logon Server: $($env:LOGONSERVER)" "INFO"
    Log-Write "User Name: $($env:USERNAME)" "INFO"
    Log-Write "UTC Time: $($TimeStamp.ToUniversalTime())" "INFO"
    Log-Write "Local Time: $($TimeStamp)" "INFO"
    #Get-TimeZone is available from PowerShell 5.1 onwards (including 6.x and 7.x)
    if($PSVersionTable.PSVersion.Major -gt 5 -or ($PSVersionTable.PSVersion.Major -eq 5 -and $PSVersionTable.PSVersion.Minor -ge 1))
    {
        Log-Write "Timezone: $(get-timezone)" "INFO"
    }
    Log-Write "PowerShell Major Version $($PSVersionTable.PSVersion.Major)" "INFO"
    Log-Write "PowerShell Minor Version $($PSVersionTable.PSVersion.Minor)" "INFO"
    Log-Write "Windows Dir: $($env:windir)" "INFO"
    Log-Write "Architecture: $($strArch)" "INFO"
    Log-Write "============================================================================================" "HEAD"
    $InstalledSoftware = (Get-ItemProperty -ErrorAction SilentlyContinue $UninstallerKeys2 | Where { $_.Publisher -match "sophos" -or $_.Publisher -match "surfright" })
    Log-Write "Installed Sophos Software" "HEAD"
    Log-Write "============================================================================================" "HEAD"
    if ($InstalledSoftware)
    {
        foreach ($a in $InstalledSoftware)
        {
            Log-Write "$($a.DisplayName) - $($a.DisplayVersion)" "ERROR"
        }
    }
    else
    {
        Log-Write "Checking the 'uninstall' keys, there doesn't appear to be any Sophos software installed." "PASS"
    }
    Log-Write "============================================================================================" "HEAD"
    Log-Write "Pre-Checks" "HEAD"
    Log-Write "============================================================================================" "HEAD"
    #Start of Pre-Checks
    #1 Check if admin, needs to be checked in Report and Remove
    If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
    {
        Log-Write "Administrative rights are required in both 'Report' and 'Remove' mode. Will Exit." "ERROR"
        Log-Exit
        break
    }
    Log-Write "User is an administrator." "PASS"
    #2 Check if RMS Server
    if(IsRMSServer)
    {
        if ($global:boolForceMode)
        {
            Log-Write "Remote Management System (RMS) is configured as a management server or message relay, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Remote Management System (RMS) is configured as a management server or message relay, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "RMS is not configured as a management server or message relay." "PASS"
    }
    #3 Check if SafeGuard is installed and if so exit.
    if (CheckComponent "SafeGuard" $strSafeGuardKeys $strSafeGuardFolders)
    {
        if ($global:boolForceMode)
        {
            Log-Write "SafeGuard looks to be installed on this computer, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "SafeGuard might be installed on this computer, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "SafeGuard is not installed." "PASS"
    }
    #4 Update cache check
    if (CheckComponent "Update Cache" $strUpdateCachedReg $strUpdateCachedDir)
    {
        if ($global:boolForceMode)
        {
            Log-Write "Computer is a Sophos Update Cache, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer is a Sophos Update Cache, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running a Sophos Update Cache." "PASS"
    }
    #5 SLD check
    if (CheckComponent "Server Lockdown" $strSLDKey $strSLDDir)
    {
        if ($global:boolForceMode)
        {
            Log-Write "Computer is running Sophos Lockdown, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer is running Sophos Lockdown, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running Server Lockdown (SLD)." "PASS"
    }
    #6 AD Sync check
    if (CheckComponent "AD Sync" $strADSyncKey $strADSyncDir)
    {
        if ($global:boolForceMode)
        {
            Log-Write "Computer is running Sophos AD Sync, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer is running Sophos AD Sync, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running Sophos AD Sync." "PASS"
    }
    #7 SAV NetAPP
    if (CheckComponent "SAV NetApp" $strSAVNetAppKey $strSAVNetAppDir)
    {
        if ($global:boolForceMode)
        {
            Log-Write "Computer is running Sophos NetApp, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer is running Sophos NetApp, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running Sophos NetApp." "PASS"
    }
    #8 PMEX check
    if (CheckComponent "PMEX" $strPMEXKey $aPMEXDirs)
    {
        if($global:boolForceMode)
        {
            Log-Write "Computer is running Sophos PureMessage, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer is running Sophos PureMessage, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running Sophos PureMessage." "PASS"
    }
    #9 SAVDI check
    if (CheckComponent "SAVDI" $strSAVDI "")
    {
        if($global:boolForceMode)
        {
            Log-Write "Computer is running SAVDI, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer is running SAVDI, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running SAVDI." "PASS"
    }
    #10 SEC check
    if (CheckComponent "SEC" $strSECKey "")
    {
        if($global:boolForceMode)
        {
            Log-Write "Computer is running SEC, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer is running SEC, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running SEC." "PASS"
    }
    #11 STAS check
    if (CheckComponent "Sophos Transparent Authentication Suite" $strSTASKey $strSTASDir)
    {
        if($global:boolForceMode)
        {
            Log-Write "Computer is running Sophos Transparent Authentication Suite (STAS), will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer is running Sophos Transparent Authentication Suite (STAS), will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running Sophos Transparent Authentication Suite (STAS)." "PASS"
    }
    #12 Sophos IPsec Client check
    if (CheckComponent "Sophos IPsec Client" $strIPsecClientKeys $strIPsecDir)
    {
        if($global:boolForceMode)
        {
            Log-Write "Computer may be running Sophos IPsec Client, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer may be running Sophos IPsec Client, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running Sophos IPsec Client." "PASS"
    }
    #13 Sophos Connect check
    if (CheckComponent "Sophos Connect" $strSophosConnectKeys $strSophosConnectDir)
    {
        if($global:boolForceMode)
        {
            Log-Write "Computer may be running Sophos Connect, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer may be running Sophos Connect, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running Sophos Connect." "PASS"
    }
    #14 Sophos Connect Admin check
    if (CheckComponent "Sophos Connect Admin" "" $strSophosConnectAdDir)
    {
        if($global:boolForceMode)
        {
            Log-Write "Computer may be running Sophos Connect Admin, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer may be running Sophos Connect Admin, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running Sophos Connect Admin." "PASS"
    }
    #15 Sophos Update Manager (SUM)
    if (CheckComponent "Sophos Update Manager" $strSUMKey $strSUMDir)
    {
        if($global:boolForceMode)
        {
            Log-Write "Computer may be running Sophos Update Manager, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer may be running Sophos Update Manager, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running Sophos Update Manager." "PASS"
    }
    #16 Block on Sophos Central Relay
    if (CheckComponent "Sophos Central Message Relay" $strSophosCentRKeys $strSophosCentDir)
    {
        if($global:boolForceMode)
        {
            Log-Write "Computer may be running Sophos Central Message Relay, will not continue." "ERROR"
            Log-Exit
            break
        }
        else
        {
            Log-Write "Computer may be running Sophos Central Message Relay, will continue as not 'Remove' Mode." "WARN"
        }
    }
    else
    {
        Log-Write "Computer is not running Sophos Central Message Relay." "PASS"
    }
    #17 Check if Tamper Protection is enabled using reg key query
    $SEDState = Get-ItemProperty -Path $strSEDStateKey -Name $strSEDEnabled -ErrorAction silentlycontinue
    if($SEDState.$strSEDEnabled -gt 0)
    {
        Log-Write "Tamper Protection (SED) appears to be enabled based on SEDEnabled registry value being $($SEDState.$strSEDEnabled)." "INFO"
        if ($global:boolForceMode)
        {
            Log-Write "Checking if the SED registry value can just be set to 0 as we are in 'Remove' mode..." "INFO"
            set-ItemProperty -Path $strSEDStateKey -Name $strSEDEnabled -Value 0 -ErrorAction silentlycontinue
            #Re-test
            $SEDState = Get-ItemProperty -Path $strSEDStateKey -Name $strSEDEnabled -ErrorAction silentlycontinue
            if($SEDState.$strSEDEnabled -eq 0)
            {
                Log-Write "Tamper Protection (SED) was not protecting the computer. Tamper Protection is now disabled, SEDEnabled: $($SEDState.$strSEDEnabled)" "PASS"
            }
            else
            {
                Log-Write "Tamper Protection (SED) is enabled. SEDEnabled value is $($SEDState.$strSEDEnabled)." "INFO"
                if (-not $Password)
                {
                    Log-Write "No password supplied, run with -Password [password] if Tamper Protection is enabled and you can obtain the password." "ERROR"
                    Log-Write "The password should be available in Sophos Central or Enterprise Console." "WARN"
                    Log-Write "If Sophos Home is installed you will need to disable Tamper Protection via the local interface." "WARN"
                    Log-Write "If required, see Sophos article 124377." "WARN"
                    Log-Exit
                    break
                }
                Log-Write "Checking if $($strSEDCli) is available..." "INFO"
                #If tamper protection enabled, does sedcli exist?
                $strLocalPath = GetLocalPathFolder ($strSEDDirectory)
                $strPathToSEDCLI = $strLocalPath + "\" + $strSEDCli
                if (Test-Path -Path $strPathToSEDCLI)
                {
                    Log-Write "Tool $($strSEDCli) exists." "PASS"
                    $strCommandParameters = @($strSEDOffSwitch, $Password) #Pass password to it. Held in Password if passed in.
                    & $strPathToSEDCLI $strCommandParameters
                    if ($LastExitCode -eq 0)
                    {
                        Log-Write "Tamper Protection password is correct." "PASS"
                    }
                    else
                    {
                        Log-Write "Tamper Protection password is incorrect." "ERROR"
                        Log-Exit
                        break
                    }
                }
                else
                {
                    Log-Write "SED is enabled, no SEDCLI.exe. Will exit." "WARN"
                    Log-Exit
                    break
                }
            }
        }
        else
        {
            Log-Write "SED is enabled but we are running in 'REPORT' mode, will continue..." "PASS"
        }
    }
    if ($global:boolForceMode)
    {
        Log-Write "Tamper Protection is disabled." "PASS"
    }
    #End of Tamper Check
    #18 Check if SAU Is updating or installing and back off
    for ($intRetry=1; $intRetry -le $intRetryCounter; $intRetry++)
    {
        if(IsUpdatingOrInstalling)
        {
            Log-Write "Computer is updating or installing. Check $($intRetry) of $($intRetryCounter)." "WARN"
            if ($intRetry -ge $intRetryCounter)
            {
                Log-Write "Computer is still updating or installing, will carry on regardless as updating could be broken." "ERROR"
                break
            }
            $intToWait = 10 * $intRetry
            Log-Write "Waiting $($intToWait) seconds. Please wait for all retries to complete." "WARN"
            start-sleep -s $intToWait
        }
        else
        {
            Log-Write "Computer is not updating or installing" "PASS"
            break
        }
    }
    if ($global:boolForceMode)
    {
        Log-Write "START REMOVAL" "INFO"
        #Prefer the SAV uninstaller took care of this but then a restart would always be required to allow the
        #swi_update service to cleanup at startup. Also if the service is deleted before the restart this would not happen.
        #Also, processes that start before the swi_update service can still load the LSP.
        #Let the swi_update service delete the LSP from Winsock catalog. To check: (netsh winsock show catalog | more)
        Log-Write "Try removing Sophos LSP if exists in Winsock Catalog" "INFO"
        RemoveLSP
        #Try to set the startup type of "Sophos Endpoint Defense Service" to 4.
        #This will be possible if TP is disabled.
        #If SEDService.exe is running it will see this and then disable itself so it can be removed.
        Log-Write "Try disabling Sophos Endpoint Defense Service" "INFO"
        if (ExistRegKey($strSophosEPDServiceKey))
        {
            #Try and set start to $intStartupType (4)
            Log-Write "`t Will set SED Service 'Start' value to 4 (disabled) if possible." "INFO"
            Set-ItemProperty -Path $strSophosEPDServiceKey -Name "start" -Value $intStartupType -ErrorAction silentlycontinue
        }
        if (-Not (Test-Path $strUninstallAllCommand))
        {
            Log-Write "Sophos Central Uninstaller does not exist." "WARN"
        }
        else
        {
            Log-Write "Running $($strUninstallAllCommand)." "INFO"
            Log-Write "Note: This could take 5 minutes. Please wait..." "WARN"
            try
            {
                & $strUninstallAllCommand
            }
            catch{}
            Log-Write "Exited with $($LastExitCode)." "INFO"
            #What to do if it asks for a restart to run? Currently continues, as will run MSIs and Uninstall CMDs
            #If the official uninstaller worked, prompt for reboot to ensure
            #services and pending file renames operations can complete.
            if ($LastExitCode -eq 0)
            {
                Log-Write "Removal was successful. Please restart and re-run this script for further checks" "WARN"
                Log-Exit
                break
            }
        }
    }
    else
    {
        Log-Write "Running in 'REPORT' mode, will not remove software but will display found items." "INFO"
    }
    $global:blnPastPrechecks = $true
    $xmlComponents | Select-Xml -XPath "//RemovalData/Components" | foreach {
        foreach ($itemToProcess in $_.node.ChildNodes)
        {
            Log-Write "============================================================================================" "HEAD"
            Log-Write "$($itemToProcess.FridendlyName.element)" "HEAD"
            Log-Write "============================================================================================" "HEAD"
            #MSI PRODUCT CODES#####################################################
            if($itemToProcess.MSIProductCodes)
            {
                Log-Write "MSI product codes:" "INFO"
                foreach ($msiProductCode in $itemToProcess.MSIProductCodes.element)
                {
                    #For each MSI
                    ActionMSICode $msiProductCode "data"
                }
            }
            #######################################################################
            #UNINSTALL CMDS########################################################
            if($itemToProcess.UninstallCMDs)
            {
                Log-Write "Uninstall commands:" "INFO"
                foreach ($UninstallCMD in $itemToProcess.UninstallCMDs.element)
                {
                    #For each uninstall command
                    $strCommandToRemove = GetLocalPathFolder($UninstallCMD)
                    Log-Write "`t $($strCommandToRemove)" "INFO"
                    if ($global:boolForceMode)
                    {
                        #Data has commands with arguments separated by a !
                        $CMDAndArgs = $strCommandToRemove.split("!")
                        Log-Write "`t Running: $($strCommandToRemove)" "INFO"
                        if ($CMDAndArgs[1])
                        {
                            Log-Write "`t Running command with arguments if exists..." "DEBG"
                            Log-Write "`t FilePath: $($CMDAndArgs[0]) and ArgumentList: $($CMDAndArgs[1])" "INFO"
                            try
                            {
                                Start-Process -Wait -NoNewWindow -FilePath $CMDAndArgs[0] -ArgumentList $CMDAndArgs[1] -ErrorAction SilentlyContinue -RedirectStandardOutput "NUL"
                                foreach($strCommandNotToCount in $aCommandsNotToCount)
                                {
                                    if ($CMDAndArgs[0] -match $strCommandNotToCount)
                                    {
                                        Log-Write "`t This command does not count against the total commands run." "DEBG"
                                    }
                                    else
                                    {
                                        #One to count.
                                        $global:intUninstallCMDsRun++
                                    }
                                }
                            }
                            catch
                            {
                                Log-Write "Start-Process failed for the uninstall of the component." "DEBG"
                            }
                        }
                        else
                        {
                            Log-Write "`t Running command without arguments if exists..." "DEBG"
                            try
                            {
                                Start-Process -Wait -NoNewWindow -FilePath $CMDAndArgs[0] -ErrorAction SilentlyContinue
                                $global:intUninstallCMDsRun++
                            }
                            catch{}
                        }
                    }
                }
            }
            #######################################################################
            #USER MODE SERVICES####################################################
            if($itemToProcess.UserModeService)
            {
                Log-Write "Services:" "INFO"
                foreach ($ServiceToStop in $itemToProcess.UserModeService.element)
                {
                    if (ExistService($ServiceToStop))
                    {
                        $global:intServicesExist++
                        if ($global:boolForceMode)
                        {
                            Log-Write "`t Stopping: $($ServiceToStop)" "INFO"
                            if($PSVersionTable.PSVersion.Major -ge 5)
                            {
                                $null = stop-service -name $ServiceToStop -force -NoWait -ErrorAction silentlycontinue
                                $global:intServicesAttemptedToStop++
                            }
                            else
                            {
                                $null = stop-service -name $ServiceToStop -force -ErrorAction silentlycontinue
                                $global:intServicesAttemptedToStop++
                            }
                            start-Sleep -s 2
                            Log-Write "`t Deleting service key." "INFO"
                            $arrCommand = ("delete",$ServiceToStop)
                            $global:intServicesAttemptedToDelete++
                            sc.exe $arrCommand >$null 2>&1
                        }
                    }
                }
            }
            #######################################################################
            #USER MODE PROCESSES###################################################
            if($itemToProcess.Processes)
            {
                Log-Write "Processes:" "INFO"
                foreach ($processToKill in $itemToProcess.Processes.element)
                {
                    #For each user mode process, kill it if in force mode
                    $exist = ExistProcess $processToKill $global:boolForceMode
                }
            }
            #######################################################################
            #DRIVERS###############################################################
            if($itemToProcess.Driver)
            {
                Log-Write "Drivers:" "INFO"
                foreach ($driverToStop in $itemToProcess.Driver.element)
                {
                    #For each kernel mode driver
                    Log-Write "`t $($driverToStop)" "DEBG"
                    if (ExistService($driverToStop))
                    {
                        $global:intDriversExist++
                        #Check the list of drivers that can't be unloaded.
                        if (-not ($DriversNotToStop -contains $driverToStop ))
                        {
                            if ($global:boolForceMode)
                            {
                                Log-Write "`t Stopping: $($driverToStop)" "INFO"
                                $global:intDriversTriedToStop++
                                try
                                {
                                    $null = stop-service -Force -name $driverToStop -ErrorAction silentlycontinue
                                    Log-Write "`t Running: fltmc unload $($driverToStop)" "INFO"
                                    fltmc.exe unload $driverToStop | out-null
                                }
                                catch{}
                            }
                        }
                        else
                        {
                            Log-Write "`t Skipping issuing a stop for: $($driverToStop)" "INFO"
                        }
                    }
                }
            }
            #######################################################################
            #UNREG MODULES#########################################################
            if ($itemToProcess.UnRegModules)
            {
                Log-Write "Directories of modules to unregister (this could take a minute):" "INFO"
                foreach ($strModDir in $itemToProcess.UnRegModules.element)
                {
                    #For each unreg directory
                    $strLocalPathModules = GetLocalPathFolder($strModDir)
                    Log-Write "`t $($strLocalPathModules)" "DEBG"
                    if(FileFolderExists($strLocalPathModules))
                    {
                        $strFiles = Get-ChildItem $strLocalPathModules -Filter *.dll -ErrorAction silentlycontinue
                        Foreach ($fileToUnreg in $strFiles)
                        {
                            $strUnregCommandPath = """"+$strLocalPathModules+"\"+$fileToUnreg+""""
                            Log-Write "`t Unregister command: regsvr32.exe /u /s $($strUnregCommandPath)" "DEBG"
                            if ($global:boolForceMode)
                            {
                                Start-Process -wait -NoNewWindow -FilePath "regsvr32.exe" -ArgumentList "/u","/s",$strUnregCommandPath -RedirectStandardOutput "NUL"
                            }
                        }
                    }
                }
            }
            #######################################################################
            #REG KEYS##############################################################
            if($itemToProcess.RegKeys)
            {
                Log-Write "Registry:" "INFO"
                foreach ($RegKeyToRemove in $itemToProcess.RegKeys.element)
                {
                    #For each reg key to remove
                    $strKeyLocal = GetLocalPathRegKey($RegKeyToRemove)
                    Log-Write "`t $($strKeyLocal)" "DEBG"
                    if (ExistRegKey ($strKeyLocal))
                    {
                        $global:intRegKeysFound++
                        if ($global:boolForceMode)
                        {
                            $arrKey = $strKeyLocal.split("!")
                            if($arrKey.Count -gt 1)
                            {
                                #Reg Value to delete
                                Log-Write "`t Removing: $($arrKey[0]) name value $($arrKey[1])" "INFO"
                                $null = Remove-ItemProperty -Path $arrKey[0] -name $arrKey[1] -Force -ErrorAction silentlycontinue
                                $global:intRegKeysTryDelete++
                            }
                            else
                            {
                                #Reg key to remove.
#(the remainder of the script is not reproduced on this page)
```
                                Log-Write "`t Removing: $($strKeyLocal)" "INFO"
                                $null = Remove-Item -Path $strKeyLocal -Force -Recurse -ErrorAction silentlycontinue
                                $global:intRegKeysTryDelete++
                            }
                        }
                    }
                }
            }
            #######################################################################

            #TAKE OWN##############################################################
            if ($itemToProcess.TakeOwn) {
                Log-Write "Take ownership:" "INFO"
                foreach ($FolderORFileTakeOwn in $itemToProcess.TakeOwn.element) {
                    #For each file or folder to take ownership
                    $strLocalPathTakeOwn = GetLocalPathFolder($FolderORFileTakeOwn)
                    Log-Write "`t $($strLocalPathTakeOwn)" "DEBG"
                    if (FileFolderExists($strLocalPathTakeOwn)) {
                        if ($global:boolForceMode) {
                            Log-Write "`t Taking ownership of: $($strLocalPathTakeOwn)" "INFO"
                            takeown.exe /f $strLocalPathTakeOwn /r /d y >$null 2>&1
                        }
                    }
                }
            }
            #######################################################################

            #FOLDER OR FILE########################################################
            if ($itemToProcess.FoldersFiles) {
                Log-Write "Folders/Files:" "INFO"
                foreach ($FolderORFile in $itemToProcess.FoldersFiles.element) {
                    $strLocalPath = GetLocalPathFolder($FolderORFile)
                    if (FileFolderExists($strLocalPath)) {
                        Log-Write "`t $($strLocalPath) exists" "DEBG"
                        $global:intFileFolderExists++
                        if ($global:boolForceMode) {
                            Log-Write "`t Removing: $($strLocalPath)" "INFO"
                            $global:intFolderFilesAttemptDelete++
                            $null = Remove-Item -Path $strLocalPath -Force -Recurse -ErrorAction silentlycontinue
                        }
                    }
                }
            }
            #######################################################################

            #Detours###############################################################
            if ($itemToProcess.Detours) {
                Log-Write "Detours entries:" "INFO"
                if ($global:boolForceMode) {
                    RemoveSophosDetours 1    #update reg key values by removing Sophos entries
                }
                else {
                    RemoveSophosDetours 0    #just display what would be changed
                }
            }
            #######################################################################

            #PFRO##################################################################
            if ($itemToProcess.PFRO) {
                Log-Write "Pending File Rename Operation (PFRO):" "INFO"
                foreach ($PF in $itemToProcess.PFRO.element) {
                    #For each file or folder to PFRO on
                    $strLocalPath = GetLocalPathFolder($PF)
                    Log-Write "`t $($strLocalPath)" "DEBG"
                    if (FileFolderExists($strLocalPath)) {
                        if ($global:boolForceMode) {
                            #set PFRO
                            if ([Posh]::MarkFileDelete($strLocalPath)) {
                                Log-Write "`t $($strLocalPath) marked for deletion at next startup" "INFO"
                                $global:intFilesMarkedForDelete++
                                $global:boolPFRONeedReboot = $true
                            }
                        }
                    }
                }
            }
            #######################################################################
            #END OF COMPONENT
        }
    }

    #Cleaning the Windows Installer data needs Sophos product codes, and the codes included in the data will go stale.
    #So also check the cached MSIs: if they are Sophos/Surfright, take the product code from the MSI and use that to clean up.
    Log-Write "============================================================================================" "HEAD"
    Log-Write "Processing Windows Installer directory. This could take a minute." "HEAD"
    Log-Write "============================================================================================" "HEAD"
    $null = RemoveFromInstallerCache

    Log-Write "============================================================================================" "HEAD"
    Log-Write "Processing Uninstaller registry keys for Sophos Product Codes." "HEAD"
    Log-Write "============================================================================================" "HEAD"
    $null = RemoveUsingUninstallKeys

    Log-Write "============================================================================================" "HEAD"
    Log-Write "Processing NDIS FilterList values for Sophos entries" "HEAD"
    Log-Write "============================================================================================" "HEAD"
    #Note: "DriverHelper_x64.exe /uninstall /legacy_ndis" as run by the SCF uninstaller should remove these.
    $null = CheckSCFFilterListRegKey

    Log-Write "============================================================================================" "HEAD"
    Log-Write "Processing Upgrade Codes from data." "HEAD"
    Log-Write "============================================================================================" "HEAD"
    $null = RemoveUpgradeCodesFromData

    Log-Write "============================================================================================" "HEAD"
    Log-Write "Processing IFEO Registry keys" "HEAD"
    Log-Write "============================================================================================" "HEAD"
    $null = CheckSophosIFEO

    Log-Write "============================================================================================" "HEAD"
    Log-Write "Processing entries under $($WIFoldersKey)" "HEAD"
    Log-Write "============================================================================================" "HEAD"
    $null = TidyInstallerFoldersKey

    #Checks that are easier with a higher version of PowerShell (5.1 or later).
    #Compare major and minor together: testing "Minor -ge 1" on its own wrongly skips PowerShell 6.0 and 7.0.
    if (($PSVersionTable.PSVersion.Major -gt 5) -or ($PSVersionTable.PSVersion.Major -eq 5 -and $PSVersionTable.PSVersion.Minor -ge 1)) {
        Log-Write "============================================================================================" "HEAD"
        Log-Write "Processing local SAV user groups" "HEAD"
        Log-Write "============================================================================================" "HEAD"
        foreach ($strSAVUser in $aSAVGroups) {
            Log-Write "Checking for local SAV group: $($strSAVUser)" "DEBG"
            $null = DeleteSAVLocalGroup $strSAVUser
        }

        Log-Write "============================================================================================" "HEAD"
        Log-Write "Processing local SAU updating users" "HEAD"
        Log-Write "============================================================================================" "HEAD"
        $null = DeleteSAUUsers $strSAULocalUserPrefix

        Log-Write "============================================================================================" "HEAD"
        Log-Write "Processing Sophos Anti-Virus scheduled tasks" "HEAD"
        Log-Write "============================================================================================" "HEAD"
        $null = RemoveSAVScheduledScan
    }
    else {
        Log-Write "Skipping 'SophosSAU' user, SAV groups and SAV scheduled tasks checks due to older PowerShell version." "DEBG"
    }

    if ($boolRestart) {
        #Restart has been set, will call restart
        Log-Write "Restart Mode was set. Will restart in $($intDelaySecondsRestart) seconds." "WARN"
        Log-Write "Run: 'Shutdown /a' to abort if needed." "WARN"
        & shutdown /r /t $intDelaySecondsRestart
    }
}
#End of main

#=====================================================================================================
#=====================================================================================================
function RemoveUpgradeCodesFromData {
    Log-Write "RemoveUpgradeCodesFromData" "DEBG"
    #The data for this stage of removal comes from the global $aUGCDataAll
    foreach ($UpgradeCodeFromData in $aUGCDataAll) {
        Log-Write "Processing (data) Upgrade Code: $($UpgradeCodeFromData)" "INFO"
        $strConvertedUGCData = Convert-GUIDtoPID ($UpgradeCodeFromData)
        Log-Write "Converted Upgrade Code: $($strConvertedUGCData)" "DEBG"
        $strUGCKey = "HKLM:\SOFTWARE\Classes\Installer\UpgradeCodes\" + $strConvertedUGCData
        $strUGCKey2 = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\" + $strConvertedUGCData
        $strUpgradeCodeKeyLocations = $strUGCKey, $strUGCKey2
        foreach ($strUGCPath in $strUpgradeCodeKeyLocations) {
            Log-Write "Upgrade Code key to check: $($strUGCPath)" "INFO"
            if (ExistRegKey($strUGCPath)) {
                if ($global:boolForceMode) {
                    #Will attempt to remove the key as we are in remove mode
                    Log-Write "Deleting Upgrade Code Key: $($strUGCPath)" "INFO"
                    $global:intRemoveUpgradeCodeKey++
                    $null = Remove-Item -Path $strUGCPath -Force -Recurse -ErrorAction silentlycontinue
                }
            }
        }
    }
}
#=====================================================================================================
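#=====================================================================================================
# Added example (not part of the original Sophos script): two read-only checks an administrator can run
# after a '-Remove YES' pass and before rebooting. They only report; nothing is changed.
#   1. Get-PendingFileRenameOperations decodes the Session Manager PendingFileRenameOperations value that
#      [Posh]::MarkFileDelete (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) appends to, so you can see
#      exactly which files will be deleted or renamed at the next boot.
#   2. Get-IFEODebuggerEntries generalises the script's Sophos-only IFEO check to every image name under
#      Image File Execution Options, in both the native and WOW6432Node views. A 'Debugger' value on an
#      AV or updater image is a classic way to silently block it, which is why the script flags it as a
#      possible sign of malicious activity.
# Assumptions: run elevated on Windows PowerShell 5.1 or later. The function names, parameter names and
# output objects are this example's own; Log-Write is the script's function, used only for consistent output.
function Get-PendingFileRenameOperations {
    $strSessionManagerKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"
    $aPFRO = (Get-ItemProperty -Path $strSessionManagerKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $aPFRO) {
        Log-Write "`t No PendingFileRenameOperations value present." "PASS"
        return @()
    }
    #The REG_MULTI_SZ is a flat list of pairs: source path, then destination path. An empty destination
    #means delete; a destination starting with '!' means replace an existing file. Paths carry the NT
    #object prefix \??\ that MoveFileEx writes, which is stripped here for readability.
    $aResult = @()
    for ($i = 0; $i -lt $aPFRO.Count; $i += 2) {
        $strSource = $aPFRO[$i] -replace '\\\?\?\\', ''
        $strDest = ""
        if ($i + 1 -lt $aPFRO.Count) { $strDest = $aPFRO[$i + 1] -replace '\\\?\?\\', '' }
        $strAction = if ([string]::IsNullOrEmpty($strDest)) { "DELETE" } else { "RENAME" }
        $aResult += [PSCustomObject]@{ Action = $strAction; Source = $strSource; Destination = $strDest }
        Log-Write "`t PFRO $($strAction): $($strSource) $($strDest)" "INFO"
    }
    return $aResult
}

function Get-IFEODebuggerEntries {
    #Both registry views: the WOW6432Node key governs 32-bit images on 64-bit Windows.
    $aIFEOKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    )
    $aResult = @()
    foreach ($strIFEOKey in $aIFEOKeys) {
        if (-not (Test-Path -Path $strIFEOKey)) { continue }
        $strView = if ($strIFEOKey -match "WOW6432Node") { "WOW6432Node" } else { "Native" }
        foreach ($imageKey in (Get-ChildItem -Path $strIFEOKey -ErrorAction SilentlyContinue)) {
            $strDebugger = (Get-ItemProperty -Path $imageKey.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrEmpty($strDebugger)) { continue }
            #Separate the debugger binary from its arguments (quoted path, or first token) and test whether
            #it exists on disk. A Debugger pointing at a missing binary means the image can never start.
            if ($strDebugger.Trim().StartsWith('"')) {
                $strDebuggerExe = $strDebugger.Trim() -replace '^"([^"]*)".*$', '$1'
            }
            else {
                $strDebuggerExe = $strDebugger.Trim() -replace '^(\S+).*$', '$1'
            }
            $blnExists = $false
            if ($strDebuggerExe) { $blnExists = [bool](Test-Path -Path $strDebuggerExe -PathType Leaf -ErrorAction SilentlyContinue) }
            $aResult += [PSCustomObject]@{
                View           = $strView
                Image          = $imageKey.PSChildName
                Debugger       = $strDebugger
                DebuggerExists = $blnExists
            }
            Log-Write "`t IFEO Debugger set for $($imageKey.PSChildName) [$($strView)]: $($strDebugger) (binary on disk: $($blnExists))" "ERROR"
        }
    }
    if ($aResult.Count -eq 0) { Log-Write "`t No IFEO Debugger values found." "PASS" }
    return $aResult
}
# Usage, e.g. after a removal run and before the reboot:
#   Get-PendingFileRenameOperations | Format-Table Action, Source, Destination -AutoSize
#   Get-IFEODebuggerEntries | Where-Object { -not $_.DebuggerExists }
#=====================================================================================================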
#=====================================================================================================
function GetLocalPathRegKey([string]$regPath) {
    Log-Write "GetLocalPathRegKey: $($regPath)" "DEBG"
    #Data entries are '|' separated: bitness | hive | subkey | path | (optional) value name
    $regComponents = $regPath.split("|")
    $strbitness = $regComponents[0]
    $strParentKey = $regComponents[1]
    $strSubKey = $regComponents[2]
    $strPath = $regComponents[3]
    $strRegValue = $regComponents[4]
    $strFullPath = ""
    if (Is64bitOS) {
        if ($strbitness -eq "32") {
            #32-bit on 64-bit OS
            $strFullPath = $strParentKey + ":" + $strSubKey + "\WOW6432Node\" + $strPath
        }
        else {
            #64-bit on 64-bit OS
            $strFullPath = $strParentKey + ":" + $strSubKey + "\" + $strPath
        }
    }
    else {
        #32-bit OS so applications are "native"
        $strFullPath = $strParentKey + ":" + $strSubKey + "\" + $strPath
    }
    if ($strRegValue) {
        #Value, not just key
        return $strFullPath + "!" + $strRegValue
    }
    return $strFullPath
}
#=====================================================================================================
#=====================================================================================================
function GetLocalPathFolder([string]$FolderPath) {
    Log-Write "GetLocalPathFolder: $($FolderPath)" "DEBG"
    $folderComponents = $FolderPath.split("|")
    $strbitness = $folderComponents[0]          #NATIVE|32
    $strParentFolder = $folderComponents[1]     #PROGRAMDATA|PROGRAMFILES
    $strPath = $folderComponents[2]             #Sophos\\Test
    $strFile = $folderComponents[3]             #File.exe
    $strFullPath = ""
    if ($strParentFolder -eq "PROGRAMDATA") { $strParentFolderResolved = $env:ProgramData }
    if ($strParentFolder -eq "WINDOWS") { $strParentFolderResolved = $env:SystemRoot }
    if (Is64bitOS) {
        if ($strbitness -eq "32") {
            #32-bit on 64-bit OS
            if ($strParentFolder -eq "PROGRAMFILES") { $strParentFolderResolved = ${env:ProgramFiles(x86)} }
            if ($strParentFolder -eq "COMMONPROGRAMFILES") { $strParentFolderResolved = ${env:CommonProgramFiles(x86)} }
            $strFullPath = $strParentFolderResolved + "\" + $strPath
        }
        else {
            #Native
            if ($strParentFolder -eq "PROGRAMFILES") { $strParentFolderResolved = ${env:ProgramFiles} }
            if ($strParentFolder -eq "COMMONPROGRAMFILES") { $strParentFolderResolved = ${env:CommonProgramFiles} }
            $strFullPath = $strParentFolderResolved + "\" + $strPath
        }
    }
    else {
        #Native (32-bit OS). COMMONPROGRAMFILES was missing here, which left the path with no root.
        if ($strParentFolder -eq "PROGRAMFILES") { $strParentFolderResolved = ${env:ProgramFiles} }
        if ($strParentFolder -eq "COMMONPROGRAMFILES") { $strParentFolderResolved = ${env:CommonProgramFiles} }
        $strFullPath = $strParentFolderResolved + "\" + $strPath
    }
    if ($strFile) {
        #File, not just folder
        return $strFullPath + "\" + $strFile
    }
    return $strFullPath
}
#=====================================================================================================
#=====================================================================================================
function Is64bitOS() {
    #Note: IntPtr size reflects the bitness of the PowerShell process, not strictly the OS. Run the script
    #from a 64-bit PowerShell host on 64-bit Windows so that file paths and registry views resolve correctly.
    if ([System.IntPtr]::Size -eq 4) { return $false }
    return $true
}
#=====================================================================================================
#=====================================================================================================
function ExistService([string]$strServiceName) {
    Log-Write "ExistService: $($strServiceName)" "DEBG"
    try { $service = Get-Service $strServiceName -ErrorAction SilentlyContinue } catch {}
    If ($service) {
        Log-Write "`t $($strServiceName) (EXISTS)" "ERROR"
        return $true
    }
    else {
        Log-Write "`t $($strServiceName) (NOT FOUND)" "PASS"
        return $false
    }
}
#=====================================================================================================
#=====================================================================================================
function ExistProcess([string]$strProcessName, [bool]$ActionKill) {
    Log-Write "ExistProcess: $($strProcessName) ActionKill $($ActionKill)" "DEBG"
    $StrSubject = ""
    $strJustProcess = $strProcessName.Substring(0, $strProcessName.lastIndexOf('.'))
    #Special cases as cannot get the path using Get-Process or check if they are signed
    foreach ($strHardCoded in $aProcessesToCheck) {
        if ($strHardCoded -eq $strProcessName) {
            Log-Write "`t Checking for hardcoded process: $($strProcessName)" "INFO"
            if ($global:boolForceMode) {
                Log-Write "`t Killing if exists: $($strProcessName)" "INFO"
                #$global:intProcessTryKill++
                #technically we are trying to kill processes here but the stats will always show the number, better to be 0 if clear so will not count these.
                taskkill.exe /F /IM $strProcessName >$null 2>&1
            }
            return $true
        }
    }
    #Get full path to process with given name
    $paths = Get-Process $strJustProcess -ErrorAction SilentlyContinue | Select-Object Path
    foreach ($processpaths in $paths) {
        if ($processpaths.Path) {
            #Get signature of process by that name
            try {
                $strSig = get-AuthenticodeSignature -ErrorAction SilentlyContinue -filepath $processpaths.Path
                $StrSubject = $strSig.SignerCertificate.Subject
            }
            catch {
                Log-Write "`t Can not get Authenticode Signature from file." "WARN"
            }
            if ($StrSubject) {
                #This is a name match on the signer subject (or a \Sophos\ path segment), not a check that the
                #signature is valid. The path test is a regex, so the backslashes must be escaped to match literally.
                if ($StrSubject.ToLower() -match "sophos" -or $StrSubject.ToLower() -match "surfright" -or $processpaths.Path -match "\\Sophos\\") {
                    Log-Write "Sophos/Surfright Signed or path contains '\Sophos\': $($processpaths.Path)" "DEBG"
                    Log-Write "`t Process: $($processpaths.Path) (EXISTS)" "ERROR"
                    $global:intProcessesFound++
                    #Could just be a check for updating.
                    If (-not $ActionKill) {
                        #Just return true, do not kill
                        return $true
                    }
                    #Try to kill and return $true
                    if ($global:boolForceMode) {
                        Log-Write "`t Terminating: $($strProcessName)" "INFO"
                        $global:intProcessTryKill++
                        taskkill.exe /F /IM $strProcessName >$null 2>&1
                    }
                    return $true
                }
                else {
                    Log-Write "`t A Process that matches is running but it is not ours based on signature." "WARN"
                }
            }
            else {
                Log-Write "`t No subject from signature of file." "WARN"
            }
        }
    }
    Log-Write "`t Sophos process: $($strProcessName) (NOT RUNNING)" "PASS"
    return $false
}
#=====================================================================================================
#=====================================================================================================
function ExistRegKey([string]$strRegKey) {
    Log-Write "ExistRegKey: $($strRegKey)" "DEBG"
    if ($strRegKey -match "!") {
        Log-Write "Processing reg value and key" "DEBG"
        #Potential reg value as well as key, keys could have a ! in the path but we don't have any
        $arrKey = $strRegKey.split("!")
        Log-Write "0 = $($arrKey[0])" "DEBG"
        Log-Write "1 = $($arrKey[1])" "DEBG"
        $exist = Get-ItemProperty $arrKey[0] $arrKey[1] -ErrorAction SilentlyContinue
        if ($exist) {
            Log-Write "`t Key: $($arrKey[0]) Value: $($arrKey[1]) (EXISTS)" "ERROR"
            return $true
        }
        else {
            Log-Write "`t Key: $($arrKey[0]) Value: $($arrKey[1]) (NOT FOUND)" "PASS"
            return $false
        }
    }
    else {
        Log-Write "Processing just key" "DEBG"
        If (Test-Path -Path $strRegKey -ErrorAction SilentlyContinue) {
            Log-Write "`t $($strRegKey) (EXISTS)" "ERROR"
            return $true
        }
        Log-Write "`t $($strRegKey) (NOT FOUND)" "PASS"
        return $false
    }
}
#=====================================================================================================
#=====================================================================================================
function FileFolderExists([string]$strFolderFile) {
    Log-Write "FileFolderExists: $($strFolderFile)" "DEBG"
    If (Test-Path -Path $strFolderFile -ErrorAction SilentlyContinue) {
        Log-Write "`t $($strFolderFile) (EXISTS)" "ERROR"
        return $true
    }
    else {
        Log-Write "`t $($strFolderFile) (NOT FOUND)" "PASS"
        return $false
    }
}
#=====================================================================================================
#=====================================================================================================
Add-Type @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public class Posh {
    public enum MoveFileFlags {
        MOVEFILE_REPLACE_EXISTING = 0x00000001,
        MOVEFILE_COPY_ALLOWED = 0x00000002,
        MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004,
        MOVEFILE_WRITE_THROUGH = 0x00000008,
        MOVEFILE_CREATE_HARDLINK = 0x00000010,
        MOVEFILE_FAIL_IF_NOT_TRACKABLE = 0x00000020
    }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, MoveFileFlags dwFlags);

    // MoveFileEx with a null destination and MOVEFILE_DELAY_UNTIL_REBOOT queues the file for deletion by the
    // Session Manager at the next boot (PendingFileRenameOperations). The caller must be an administrator.
    public static bool MarkFileDelete(string sourcefile) {
        bool brc = false;
        brc = MoveFileEx(sourcefile, null, MoveFileFlags.MOVEFILE_DELAY_UNTIL_REBOOT);
        return brc;
    }
}
"@
#=====================================================================================================
#=====================================================================================================
Function Convert-GUIDtoPID ([string]$strGUID) {
    Log-Write "Convert-GUIDtoPID: $($strGUID)" "DEBG"
    #Windows Installer stores product and upgrade codes in "packed" form: strip the braces and hyphens, then
    #reverse the first 8 characters, the next 4, the next 4, and every remaining pair of characters.
    $pidc = [regex]::replace($strGUID, "[^a-zA-Z0-9]", "")
    $ri = 7,6,5,4,3,2,1,0,11,10,9,8,15,14,13,12,17,16,19,18,21,20,23,22,25,24,27,26,29,28,31,30
    [string]$toret = -join ($ri | ForEach-Object { $pidc[$_] })
    Log-Write "Convert-GUIDtoPID returning: $($toret.ToUpper())" "DEBG"
    return $toret.ToUpper()
}
#=====================================================================================================
#=====================================================================================================
function GetUpgradeCodeRegKey([string]$strPackage) {
    Log-Write "GetUpgradeCodeRegKey: $($strPackage)" "DEBG"
    #Note: 'return' inside ForEach-Object only ends that script block, so every matching key path is emitted.
    gci "HKLM:\software\classes\Installer\UpgradeCodes" -rec -ea SilentlyContinue | % {
        if ((get-itemproperty -Path $_.PsPath) -match $strPackage) { return $_.PsPath }
    }
}
#=====================================================================================================
#=====================================================================================================
function RemoveSophosDetours([bool]$remove) {
    Log-Write "RemoveSophosDetours: Remove $($remove)" "DEBG"
    $strNew = ""
    $strNewWow = ""
    $NativeOut = ""
    $DetoursState1 = Get-ItemProperty -Path $strDetoursNative -Name $strAppInitName -ErrorAction silentlycontinue
    $strNativeValue = $DetoursState1.$strAppInitName
    # Special case, if 8.3 has been disabled, we may have a full path to our DLLs in the appinit_dlls values, E.g.
    # 64-bit computer:
    #   32-bit key:
    #     HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows!AppInit_DLLs
    #     C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll
    #   Native key:
    #     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows!AppInit_DLLs
    #     C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll
    # 32-bit computer:
    #   Native key:
    #     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows!AppInit_DLLs
    #     C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll
    # In this case, although we already have a problem that the paths are incorrect,
    # splitting the path by the spaces and re-writing them would split the wrong entries into multiple wrong entries.
    # Therefore, match on the above specific strings and remove them from the considered values to re-write.

    #3 Possible full paths for both 32 and 64-bit platforms:
    $str64Disabled8Dot3Key1 = "NATIVE|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured_x64.dll"    #64-bit computer 1
    $str64Disabled8Dot3Key2 = "32|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured.dll"            #64-bit computer 2
    $str32Disabled8Dot3Key1 = "NATIVE|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured.dll"        #32-bit computer
    $strNewKey1 = "NATIVE|WINDOWS|SYSTEM32\SophosAV|sophos_detoured_x64.dll"    #64-bit computer 1
    $strNewKey2 = "NATIVE|WINDOWS|SYSWOW64\SophosAV|sophos_detoured.dll"        #64-bit computer 2
    $strNewKey3 = "NATIVE|WINDOWS|SYSTEM32\SophosAV|sophos_detoured.dll"        #32-bit computer

    #Localise them:
    $str64Disabled8Dot3KeyResolved = GetLocalPathFolder($str64Disabled8Dot3Key1)     #64-bit computer 1
    $str64Disabled8Dot3Key2Resolved = GetLocalPathFolder($str64Disabled8Dot3Key2)    #64-bit computer 2
    $str32Disabled8Dot3Key1Resolved = GetLocalPathFolder($str32Disabled8Dot3Key1)    #32-bit computer
    #New 10.8.4 paths to detours
    $strNewKey1Resolved = GetLocalPathFolder($strNewKey1)    #64-bit computer 1
    $strNewKey2Resolved = GetLocalPathFolder($strNewKey2)    #64-bit computer 2
    $strNewKey3Resolved = GetLocalPathFolder($strNewKey3)    #32-bit computer
    Log-Write "Paths to also check for:" "DEBG"
    Log-Write "`t $($strNewKey1Resolved)" "DEBG"
    Log-Write "`t $($strNewKey2Resolved)" "DEBG"
    Log-Write "`t $($strNewKey3Resolved)" "DEBG"
    #Array of the possible paths for both platforms, both old and new locations.
    $aDetoursPaths = $str64Disabled8Dot3KeyResolved, $str64Disabled8Dot3Key2Resolved, $str32Disabled8Dot3Key1Resolved, $strNewKey1Resolved, $strNewKey2Resolved, $strNewKey3Resolved

    #HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows!AppInit_DLLs
    if ($strNativeValue) {
        Log-Write "`t Native Key: $($strDetoursNative)" "INFO"
        Log-Write "`t Native AppInit_DLLs: [$($strNativeValue)]" "INFO"
        foreach ($strDetourPath in $aDetoursPaths) {
            Log-Write "`t Possible path: [$($strDetourPath)]" "DEBG"
            if ($strNativeValue -match [Regex]::Escape($strDetourPath)) {
                #Remove occurrence of incorrect full detours path from strNativeValue
                Log-Write "`t Removing invalid non 8.3 AppInit_DLLs path: [$($strDetourPath)] from considered values. (EXISTS)" "ERROR"
                $strNativeValue = $strNativeValue.replace($strDetourPath, "")
            }
        }
        #split native detours value by comma and space
        $splitNative = $strNativeValue.split(", ")
        #for each detours entry
        foreach ($detourNative in $splitNative) {
            if ($detourNative -match $strSophosDetours) {
                #Sophos detours entry
                Log-Write "`t Found Sophos (native) 8.3 entry: [$($detourNative)] (EXISTS)" "ERROR"
            }
            else {
                Log-Write "`t Found non Sophos (native) 8.3 entry: [$($detourNative)]" "INFO"
                if ([string]::IsNullOrEmpty($detourNative)) {
                    Log-Write "`t Empty string, will not add." "DEBG"
                }
                else {
                    #Preserve non Sophos values
                    $strNew = $strNew + $detourNative + ","
                }
            }
        }
        #Remove any trailing space or comma on the string.
        $NativeOut = $strNew.TrimEnd(',')
        $NativeOut = $NativeOut.trim()
        Log-Write "`t New (Native) value: [$($NativeOut)]" "INFO"
        #Update the registry value
        if ($remove) {
            Log-Write "`t Will update detours key." "INFO"
            Set-ItemProperty -Path $strDetoursNative -Name $strAppInitName -Value $NativeOut -ErrorAction silentlycontinue
            $global:intDetoursUpdated++
        }
    }
    else {
        Log-Write "`t $($strAppInitName) under: $($strDetoursNative) has no value, will skip." "PASS"
    }
    #######################################################################
    ##WOW
    $DetoursState2 = Get-ItemProperty -Path $strDetoursWow -Name $strAppInitName -ErrorAction silentlycontinue
    $strWOWValue = $DetoursState2.$strAppInitName
    Log-Write "`t WOW6432Node Key: $($strDetoursWow)" "INFO"
    Log-Write "`t WOW6432Node AppInit_DLLs: [$($strWOWValue)]" "INFO"
    if ($strWOWValue) {
        foreach ($strDetourPath in $aDetoursPaths) {
            Log-Write "`t Possible detours paths if 8.3 is disabled: $($strDetourPath)" "DEBG"
            if ($strWOWValue -match [Regex]::Escape($strDetourPath)) {
                #Remove occurrence of incorrect full detours path from strWOWValue
                Log-Write "`t Removing invalid non 8.3 AppInit_DLLs path: $($strDetourPath) from considered values. (EXISTS)" "ERROR"
                $strWOWValue = $strWOWValue.replace($strDetourPath, "")
            }
        }
        #split WOW6432Node detours value by comma and space
        $splitWoW = $strWOWValue.split(", ")
        #for each detours entry
        foreach ($detwow in $splitWoW) {
            if ($detwow -match $strSophosDetours) {
                #Sophos detours entry
                Log-Write "`t Found Sophos (wow6432node) 8.3 entry: [$($detwow)] (EXISTS)" "ERROR"
            }
            else {
                Log-Write "`t Found non Sophos (wow6432node) 8.3 entry: [$($detwow)]" "INFO"
                if ([string]::IsNullOrEmpty($detwow)) {
                    Log-Write "`t Empty string, will not add." "DEBG"
                }
                else {
                    #Preserve non Sophos values
                    $strNewWow = $strNewWow + $detwow + ","
                }
            }
        }
        #Remove any trailing space or comma on the string.
        $WowOut = $strNewWow.TrimEnd(',')
        $WowOut = $WowOut.Trim()
        Log-Write "`t New (Wow6432node) value: [$($WowOut)]" "INFO"
        if ($remove) {
            Log-Write "`t Will update detours key." "INFO"
            #Update the registry value
            set-ItemProperty -Path $strDetoursWow -Name $strAppInitName -Value $WowOut -ErrorAction silentlycontinue
            $global:intDetoursUpdated++
        }
    }
    else {
        Log-Write "`t $($strAppInitName) under: $($strDetoursWow) has no value, will skip." "PASS"
    }
}
#=====================================================================================================
#=====================================================================================================
function Get-TimeStamp() {
    return "[{0:MM/dd/yy} {0:HH:mm:ss}]" -f (Get-Date)
}
#=====================================================================================================
#=====================================================================================================
Function Log-Write([string]$strLogLine, [string]$Level) {
    if (-not $global:blNoLogFile) {
        Write-Output "$(Get-TimeStamp) - $Level - $strLogLine" | Out-file $global:strLogFile -append
    }
    #ERROR lines (items found) are always shown on screen. Every other level is suppressed when -ErrorOnly YES is used.
    #(The original only showed errors when ErrorOnly was "YES" or empty, so any other value hid them.)
    switch ($Level) {
        "PASS"  { If ($ErrorOnly -ne "YES") { Write-Host $(Get-TimeStamp) " P " $strLogLine -ForegroundColor Green } }
        "WARN"  { If ($ErrorOnly -ne "YES") { Write-Host $(Get-TimeStamp) " W " $strLogLine -ForegroundColor Yellow } }
        "ERROR" { Write-Host $(Get-TimeStamp) " E " $strLogLine -ForegroundColor Red }
        "INFO"  { If ($ErrorOnly -ne "YES") { Write-Host $(Get-TimeStamp) " I " $strLogLine } }
        "HEAD"  { If ($ErrorOnly -ne "YES") { Write-Host $(Get-TimeStamp) " B " $strLogLine -ForegroundColor Cyan } }
        "DEBG"  { If ($DebugLog -eq "YES") { Write-Host $(Get-TimeStamp) " D " $strLogLine -BackgroundColor white -foregroundcolor black } }
        default { Write-Host $(Get-TimeStamp) " E " $strLogLine }
    }
}
#=====================================================================================================
#=====================================================================================================
function Log-Exit() {
    #Print the time to run
    $elapsedTime = $(get-date) - $StartTime
    $totalTime = "{0:HH:mm:ss}" -f ([datetime]$elapsedTime.Ticks)
    Log-Write "============================================================================================" "INFO"
    if ($blnPastPrechecks) {
        Log-Write "============================================================================================" "HEAD"
        Log-Write "Summary" "HEAD"
        Log-Write "============================================================================================" "HEAD"
        Log-Write "Registry keys found: $($intRegKeysFound)" "INFO"
        Log-Write "Registry keys to delete: $($intRegKeysTryDelete)" "INFO"
        Log-Write "UpgradeCodes removed: $($intRemoveUpgradeCodeKey)" "INFO"
        Log-Write "File/folders found: $($intFileFolderExists)" "INFO"
        Log-Write "File/folders to delete: $($intFolderFilesAttemptDelete)" "INFO"
        Log-Write "MSIs run: $($intMSIsRun)" "INFO"
        Log-Write "Uninstall commands: $($intUninstallCMDsRun)" "INFO"
        Log-Write "AppInit_DLLs updated: $($intDetoursUpdated)" "INFO"
        Log-Write "Drivers found: $($intDriversExist)" "INFO"
        Log-Write "Drivers tried to stop: $($intDriversTriedToStop)" "INFO"
        Log-Write "Services found: $($intServicesExist)" "INFO"
        Log-Write "Services stop issued: $($intServicesAttemptedToStop)" "INFO"
        Log-Write "Services to delete: $($intServicesAttemptedToDelete)" "INFO"
        Log-Write "Verified processes found: $($intProcessesFound)" "INFO"
        Log-Write "Processes attempted to kill: $($intProcessTryKill)" "INFO"
        Log-Write "File/folders PFROs created: $($intFilesMarkedForDelete)" "INFO"
        Log-Write "Cached Sophos/Surfright MSIs: $($intSophosSurfrightCachedMSIsFound)" "INFO"
        Log-Write "Local SAU users found: $($global:intLocalSAUUsersFound)" "INFO"
        Log-Write "Local SAU users attempted to delete: $($global:intLocalSAUUsersAttemptDelete)" "INFO"
        Log-Write "Local SAV groups found: $($global:intLocalSAVGroupsFound)" "INFO"
        Log-Write "Local SAV groups attempted to delete: $($global:intLocalSAVGroupsAttemptDelete)" "INFO"
        Log-Write "IFEO Keys with Debugger entries: $($global:IFEOWithDebuggerValue)" "INFO"
        Log-Write "IFEO Keys with Debugger entries to remove: $($global:IFEOToDelete)" "INFO"
        Log-Write "============================================================================================" "INFO"

        Log-Write "============================================================================================" "HEAD"
        Log-Write "Checking for potential installation problems if reinstalled" "HEAD"
        Log-Write "============================================================================================" "HEAD"
        #Make system checks for future installs
        $null = CheckServiceStatusRunning($aBFE)
        $null = CheckServiceStatusRunning($aCryptSvc)
        $null = CheckServiceStatusRunning($aRPC)
        $null = CheckServiceStatusRunning($aTaskShed)
        $null = CheckThirdParty
        #Check the max number of NDIS filters that can be installed and how many are installed.
        $null = CheckNDISFilters
        #Check AuthenticodeFlags for TrustedPublisher settings
        $null = CheckAuthenticodeFlagsForTrustedPublisher
        #Check the ELAMBKUP directory exists as referenced in the reg value BackupPath under the key:
        #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch
        $null = CheckELAMDirOK
        if ($global:boolForceMode) {
            Log-Write "Checking Service Control Manager (SCM) for Sophos drivers and services" "INFO"
            Log-Write "Checking drivers registry state vs. the Service Control Manager" "DEBG"
            $null = IsSCMOutOfSyncWithRegistry "Driver"
            Log-Write "Checking services (user mode) registry state vs. the Service Control Manager" "DEBG"
            $null = IsSCMOutOfSyncWithRegistry "UserModeService"
            #Double check the Winsock catalog to see if we are still present; being referenced here with no DLL on disk can break networking.
            if (CheckLSPInWinsock) {
                Log-Write "Sophos LSP $($strLSPFileName64) and/or $($strLSPFileName32) is still referenced in the Winsock catalog despite efforts to remove it." "ERROR"
                Log-Write "You may need to run the following command: 'netsh winsock reset' in an administrative command prompt and reboot to restore network connectivity." "ERROR"
                Log-Write "Important: Running the above reset command will remove other third party DLLs from the Winsock catalog if they exist." "WARN"
                Log-Write "Programs that access or monitor the Internet such as antivirus, firewall, or proxy clients may be negatively affected when you run the netsh winsock reset command." "WARN"
                Log-Write "If you have a program that no longer functions correctly after you use this resolution, reinstall the program to restore functionality." "WARN"
                Log-Write "Running the command 'netsh winsock show catalog | more' will allow you to view other non default DLLs if they are referenced to identify these other applications." "WARN"
            }
        }
        else {
            #In Report mode, if we have found Sophos processes with IFEO keys carrying Debugger values, highlight it.
            Log-Write "Checking 'Image File Execution Options' (IFEO) registry keys" "INFO"
            if ($global:IFEOWithDebuggerValue -gt 0) {
                Log-Write "`t There are $($global:IFEOWithDebuggerValue) 'Image File Execution Options' (IFEO) for Sophos processes with 'Debugger' values set. See 'Processing IFEO Registry keys' section above." "ERROR"
                Log-Write "`t Possible sign of active or previous malicious code having been run." "WARN"
            }
            else {
                Log-Write "`t There are $($global:IFEOWithDebuggerValue) 'Image File Execution Options' (IFEO) for Sophos processes with 'Debugger' values set." "PASS"
            }
        }
        Log-Write "=============================================================================================" "INFO"
    }
    if ($global:boolForceMode) {
        #print if PFROs have been created.
        if ($global:boolPFRONeedReboot) {
            Log-Write "Pending File Rename Operations (PFROs) have been created. Please reboot and optionally re-run the script to re-check." "WARN"
        }
        else {
            Log-Write "No Pending File Rename Operations (PFROs) have been created." "DEBG"
        }
    }
    Log-Write "Time to run: $($totalTime)" "INFO"
    #If we are logging to a file, show the location at the end.
    if (-not $global:blNoLogFile) {
        Log-Write "Log file: $($global:strLogFile)" "INFO"
    }
    Log-Write "=============================================================================================" "INFO"
}
#=====================================================================================================
#=====================================================================================================
function RemoveLSP() {
    Log-Write "RemoveLSP" "DEBG"
    $strLocalPathSWIReg = GetLocalPathRegKey($strWebIntKey)
    Log-Write "Sophos Web Intelligence key: $($strLocalPathSWIReg)" "INFO"
    #Set swiupdateaction to 3 to remove LSP
    Set-ItemProperty -Path $strLocalPathSWIReg -Name $strSWIName -Value $strValueToSet -ErrorAction silentlycontinue
    start-Sleep -s 1
    foreach ($swiUpdateSer in $strSwiUpdate) {
        if (CheckServiceStartupIsDisabled($swiUpdateSer)) {
            SetServiceToManual $swiUpdateSer
        }
        $null = start-service $swiUpdateSer -ErrorAction silentlycontinue
    }
    #Try also using the swi_update binary directly as the logged on user as a backup to remove the LSP from the Winsock Catalog:
    $strLocalPathToSWIUpdate = GetLocalPathFolder ($strUnregLSPCommandPath)
    Log-Write "swi_update executable path to directory: $($strLocalPathToSWIUpdate)" "INFO"
    foreach ($strSWIUpdateProcessName in $strUnregLSPCommandBin) {
        $strCommandToRunSWI = $strLocalPathToSWIUpdate + "\" + $strSWIUpdateProcessName
        Log-Write "swi_update executable path: $($strCommandToRunSWI)" "INFO"
        try {
            Start-Process -Wait -NoNewWindow -FilePath $strCommandToRunSWI -ArgumentList $strUnregLSPCommandPar -RedirectStandardOutput "NUL"
        }
        catch {}
        start-Sleep -s 1
    }
}
#=====================================================================================================
#=====================================================================================================
Function
CheckServiceStartupIsDisabled([string]$strServiceName) { Log-Write "CheckServiceStartupIsDisabled - $($strServiceName)" "DEBG" $ServiceStartup = Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$strServiceName'" -ErrorAction silentlycontinue if ($ServiceStartup) { Log-Write "Service: $($strServiceName) : start-up mode is: $($ServiceStartup.StartMode)" "INFO" if($ServiceStartup.StartMode -eq "Disabled") { return $true } else { return $false } } else { Log-Write "Service: $($strServiceName) does not exist" "INFO" } } #===================================================================================================== #===================================================================================================== function SetServiceToManual([string]$strServiceName) { Log-Write "Setting service: $($strServiceName) to 'Manual' start-up" "INFO" $null = set-service $strServiceName -startupType manual -ErrorAction silentlycontinue } #===================================================================================================== #===================================================================================================== function IsRMSServer() { Log-Write "IsRMSServer" "DEBG" $strLocalRouterKey = GetLocalPathRegKey($strRouterKey) Log-Write "Checking Sophos RMS Router key: $($strLocalRouterKey)" "INFO" $strRouterCC = Get-ItemProperty -Path $strLocalRouterKey -Name $strRouterKeyName -ErrorAction silentlycontinue Log-Write "`t$($strRouterKeyName) = $($strRouterCC.$strRouterKeyName)" "DEBG" if($strRouterCC.$strRouterKeyName -gt $strRouterEPCC) { return $true } return $false } #===================================================================================================== #===================================================================================================== function IsUpdatingOrInstalling() { Log-Write "IsUpdatingOrInstalling" "DEBG" foreach ($strSAUProcess in $strSAUUpdatingProcess) { Log-Write "Checking if 
$($strSAUProcess) is running..." "INFO" #not in kill mode for process, just check $isUpdating = ExistProcess $strSAUProcess $false if ($isUpdating) { Log-Write "$($strSAUProcess) is running..." "WARN" return $true } } return $false } #===================================================================================================== #===================================================================================================== function ActionMSICode([string]$strMSIPC, [string]$method) { Log-Write "Product Code: $($strMSIPC) - Method: $($method)" "DEBG" $ProductIDFromProductCodeGUID = (Convert-GUIDtoPID $strMSIPC) Log-Write "`t Derived Windows Installer Code: $($ProductIDFromProductCodeGUID)" "DEBG" $strCodeBraces = "{"+$strMSIPC.trim()+"}" $strX = "/X"+$strCodeBraces $strLog = "/L*V """ + $env:temp +"\Sophos-MSI-Uninstall-"+$strMSIPC+".txt""" $strKeyProdCode = "HKLM:\SOFTWARE\Classes\Installer\Products\"+$ProductIDFromProductCodeGUID $strKeyFeatureCode = "HKLM:\SOFTWARE\Classes\Installer\Features\"+$ProductIDFromProductCodeGUID $arrInstallerCodes = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\"+$ProductIDFromProductCodeGUID $strUninstallKeyNative = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"+$strCodeBraces $strUninstallKey32 = "HKLM:\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Uninstall\"+$strCodeBraces $WindowsInstallerKeys = $strKeyProdCode, $arrInstallerCodes, $strKeyFeatureCode, $strUninstallKeyNative, $strUninstallKey32 #Try running the MSI installer. if ($global:boolForceMode) { #Only run the msi if from data not from GUIDs from cached MSIs if($method -eq "data") { if (ExistRegKey($strKeyProdCode)) { Log-Write "`t 'Product' key $($strKeyProdCode) exists, will try MSI command to uninstall..." 
"INFO" $global:intMSIsRun++ Start-Process -Wait -NoNewWindow -FilePath "msiexec.exe" -ArgumentList "/qn",$strX,$strLog,"REBOOT=ReallySuppress" -RedirectStandardOutput "NUL" } else { Log-Write "`t No 'product' key will not run MSI" "DEBG" } } } #Ensure Windows Installer reg keys are gone, based on the Product Code foreach ($key in $WindowsInstallerKeys) { Log-Write "`t Installer key: $($key)" "DEBG" if (ExistRegKey ($key)) { #Product Code exists. if($global:boolForceMode) { Log-Write "`t Removing: $($key)" "INFO" $global:intRegKeysTryDelete++ $null = Remove-Item -Path "$key" -Force -Recurse -ErrorAction silentlycontinue } } else { Log-Write "`t 'Product Code' does not exist" "DEBG" } } #Delete the upgrade code key $ugc = GetUpgradeCodeRegKey($ProductIDFromProductCodeGUID) if ($ugc) { Log-Write "`t $($ugc) (EXISTS)" "ERROR" if ($global:boolForceMode) { Log-Write "`t Removing: $($ugc)" "INFO" $global:intRemoveUpgradeCodeKey++ $null = Remove-Item -Path $ugc -Force -Recurse -ErrorAction silentlycontinue } } else { Log-Write "`t $($ProductIDFromProductCodeGUID) upgrade code (NOT FOUND)" "PASS" } } #===================================================================================================== #===================================================================================================== Function RemoveUsingUninstallKeys() { Log-Write "RemoveUsingUninstallKeys" "DEBG" #for each msi product under the uninstall keys where the publisher is Sophos or Surfright foreach ($UninstallKey in $UninstallerKeys) { if (test-path -path $UninstallKey) { Log-Write "Enumerating key: $($UninstallKey) for Publisher = Sophos or Surfright" "INFO" $Keys = gci $UninstallKey -ErrorAction SilentlyContinue $Items = $Keys | Foreach-Object {Get-ItemProperty $_.PsPath } ForEach ($Item in $Items) { if($Item.Publisher -match "Sophos" -or $Item.Publisher -match "Surfright") { Log-Write "Check if the 'UninstallString' value contains msiexec.exe" "DEBG" if ($Item.QuietUninstallString -match 
"msiexec.exe" -or $Item.UninstallString -match "msiexec.exe") { #This is a MSI install, log the name and productcode (key name) Log-Write "$($Item.DisplayName) - $($item.pschildname)" "INFO" #remove braces for ActionMSICode $strCodeStrippedDown = $item.pschildname -replace "{","" $strCodeStrippedDown = $strCodeStrippedDown -replace "}","" Log-Write "Checking $($strCodeStrippedDown)" "INFO" ActionMSICode $strCodeStrippedDown.trim() "data" } } } } } } #===================================================================================================== #===================================================================================================== Function RemoveFromInstallerCache() { Log-Write "RemoveFromInstallerCache" "DEBG" #For Each .msi file in \windows\installer, get the subject of the cert. #Check if it belongs to Sophos/Surfright #If it is, get the ProductCode from the MSI File and run cleanup for it. #at the end delete the msi? $strLocalInstallerCacheDir = GetLocalPathFolder($strInstallerCacheDir) Get-ChildItem $strLocalInstallerCacheDir -Filter *.msi | Foreach-Object { try { $strSig = get-AuthenticodeSignature -ErrorAction SilentlyContinue -filepath $_.FullName $StrSubject = $strSig.SignerCertificate.Subject } catch { Log-Write "Unable to get Authenticode Signature of file, could be in use." "WARN" } if($StrSubject) { if ($StrSubject.ToLower() -match "sophos" -or $StrSubject.ToLower() -match "surfright") { Log-Write "Sophos/Surfright signed file $($_.FullName)" "INFO" $global:intSophosSurfrightCachedMSIsFound++ $ProductCodeFromMSI = ProductCodeFromMSI ($_.FullName) if ($ProductCodeFromMSI -notmatch "-1") { Log-Write "Product Code: $($ProductCodeFromMSI)" "INFO" $strCodeStrippedDown = $ProductCodeFromMSI -replace "{","" $strCodeStrippedDown = $strCodeStrippedDown -replace "}","" Log-Write "$($strCodeStrippedDown) is to be checked as it is in installer cache." 
"INFO" ActionMSICode $strCodeStrippedDown "cache" } else { Log-Write "No Product Code from MSI file." "INFO" } #Move the MSI if in force mode to a backup location if($global:boolForceMode) { if(!(Test-Path -path $strBackupMSILocation)) { $null = New-Item $strBackupMSILocation -Type Directory } Log-Write "Copying the found Sophos/Surfright cached MSI: $($_.FullName), to backup location: $($strBackupMSILocation)" "INFO" copy-item -path $_.FullName -destination $strBackupMSILocation -force -ErrorAction SilentlyContinue if([Posh]::MarkFileDelete($_.FullName)) { Log-Write "`t $($_.FullName) marked for deletion at next startup" "INFO" $global:intFilesMarkedForDelete++ $global:boolPFRONeedReboot = $true } } } } } #end of GCI } #===================================================================================================== #===================================================================================================== function ProductCodeFromMSI([string]$strPathToMSI) { Log-Write "ProductCodeFromMSI: $($strPathToMSI)" "DEBG" $comObjWI = New-Object -ComObject WindowsInstaller.Installer $MSIDatabase = $comObjWI.GetType().InvokeMember("OpenDatabase","InvokeMethod",$Null,$comObjWI,@($strPathToMSI,0)) $Query = "SELECT Value FROM Property WHERE Property = 'ProductCode'" $View = $MSIDatabase.GetType().InvokeMember("OpenView","InvokeMethod",$null,$MSIDatabase,($Query)) $View.GetType().InvokeMember("Execute", "InvokeMethod", $null, $View, $null) $Record = $View.GetType().InvokeMember("Fetch","InvokeMethod",$null,$View,$null) $Value = $Record.GetType().InvokeMember("StringData","GetProperty",$null,$Record,1) # Commit database and close view $MSIDatabase.GetType().InvokeMember("Commit", "InvokeMethod", $null, $MSIDatabase, $null) $View.GetType().InvokeMember("Close", "InvokeMethod", $null, $View, $null) $MSIDatabase = $null $View = $null if($value) { return $value.trim() } return "-1" } 
#===================================================================================================== #===================================================================================================== function CheckComponent($strComponentName, $aKeys, $aFolders ) { Log-Write "Checking for component $($strComponentName)" "INFO" if ($aKeys) { #Reg checks foreach($strKeyToCheck in $aKeys) { $strLocalKey = GetLocalPathRegKey ($strKeyToCheck) if (test-path -Path $strLocalKey -ErrorAction silentlycontinue) { Log-Write "Found marker - $($strLocalKey)" "ERROR" return $true } else { Log-Write "Marker not found - $($strLocalKey)" "PASS" } } } else { Log-Write "No registry markers to check for $($strComponentName)" "PASS" } #Folder checks if($aFolders) { foreach($strFolders in $aFolders) { $strLocalFolder = GetLocalPathFolder($strFolders) if (test-path -Path $strLocalFolder -ErrorAction silentlycontinue) { Log-Write "Found marker - $($strLocalFolder)" "ERROR" return $true } else { Log-Write "Marker not found - $($strLocalFolder)" "PASS" } } } else { Log-Write "No folder markers to check for $($strComponentName)" "PASS" } Log-Write "$($strComponentName) component not found" "DEBG" return $false } #===================================================================================================== #===================================================================================================== function DeleteSAUUsers ([string] $strUserName) { Log-Write "DeleteSAUUsers $($strUserName)" "DEBG" Log-Write "Checking for local accounts by name prefixed with $($strUserName) and Sophos in the description." 
"INFO" $localUsers = Get-LocalUser -name $strUserName"*" -ErrorAction SilentlyContinue | where {$_.Description -like "*Sophos*"} if ($localUsers) { Log-Write "List of local SAU users starting $($strUserName):" "INFO" foreach ($user in $localUsers) { Log-Write "`t Found local user: $($user.name) (EXISTS)" "ERROR" $global:intLocalSAUUsersFound++ if($global:boolForceMode) { Log-Write "`t In Remove Mode, will delete local user: $($user.name)" "INFO" $global:intLocalSAUUsersAttemptDelete++ try { $null = Remove-LocalUser -Name $user.name -ErrorAction SilentlyContinue } catch{} } } } else { Log-Write "No local SAU users starting $($strUserName)" "PASS" } } #===================================================================================================== #===================================================================================================== function CheckThirdParty { #Using DisplayName and $aOtherVendors Log-Write "CheckThirdParty" "DEBG" Log-Write "Checking for other security software using basic string matching" "INFO" $InstalledCSoftware = (Get-ItemProperty -ErrorAction SilentlyContinue $UninstallerKeys2) if ($InstalledCSoftware) { foreach ($SoftwareName in $InstalledCSoftware) { if ($null -ne ($aOtherVendors | ? { $SoftwareName.DisplayName -match "\b$($_)\b" })) { Log-Write "`t $(convert-path $($SoftwareName.pspath))" "INFO" if ($SoftwareName.DisplayVersion) { Log-Write "`t $($SoftwareName.DisplayName) - Version: $($SoftwareName.DisplayVersion)" "ERROR" } else { Log-Write "`t $($SoftwareName.DisplayName) - Version: N/A" "ERROR" } #If the regular uninstall string exists always print if ($SoftwareName.UninstallString) { Log-Write "`t`t Uninstall Command: $($SoftwareName.UninstallString)" "INFO" } #If that doesn't exist only then check for the less common quiet one. 
else { If($SoftwareName.QuietUninstallString) { Log-Write "`t Quiet Uninstall Command: $($SoftwareName.QuietUninstallString)" "INFO" } else { Log-Write "`t No UninstallString or QuietUninstallString" "WARN" } } } } } else { Log-Write "`t No entries from the 'Uninstall' keys" "WARN" } } #===================================================================================================== #===================================================================================================== function DeleteSAVLocalGroup ([string] $SAVGroup) { Log-Write "Checking for local group $($SAVGroup)." "INFO" $LocalSAVGroup = Get-LocalGroup -Name $SAVGroup -ErrorAction SilentlyContinue if($LocalSAVGroup) { Log-Write "`tLocal SAV Group: $($LocalSAVGroup) (EXISTS)" "ERROR" $global:intLocalSAVGroupsFound++ if($global:boolForceMode) { Log-Write "`t In 'Remove' mode, will delete local group: $($LocalSAVGroup.name)" "INFO" $global:intLocalSAVGroupsAttemptDelete++ try { $null = Remove-LocalGroup -Name $LocalSAVGroup.name -ErrorAction SilentlyContinue } catch{} } } else { Log-Write "No local SAV group named: $($SAVGroup)" "PASS" } } #===================================================================================================== #===================================================================================================== function CheckServiceStatusRunning($aService) { Log-Write "Checking for service $($aService[1]) ($($aService[0]))" "INFO" try { $service = Get-Service $aService[0] -ErrorAction SilentlyContinue } catch { return $false } If ($service) { Log-Write "`t $($aService[1]) (EXISTS)" "INFO" if($service.Status -eq "Running") { Log-Write "`t $($aService[1]) (RUNNING)" "PASS" return $true } else { Log-Write "`t $($aService[1]) (NOT RUNNING)" "ERROR" return $false } } else { Log-Write "`t $($aService[1]) (MISSING)" "ERROR" return $false } } #===================================================================================================== 
#===================================================================================================== function CheckAuthenticodeFlagsForTrustedPublisher() { Log-Write "CheckAuthenticodeFlagsForTrustedPublisher" "DEBG" Log-Write "Checking TrustedPublisher AuthenticodeFlags for value 2" "INFO" foreach ($TrustedPublisherKey in $strFlagsTrustedPublisherKeys) { Log-Write "Checking $($TrustedPublisherKey)" "DEBG" $AuthenticodeFlagsValue = Get-ItemProperty -Path $TrustedPublisherKey -Name $strDWORDAuthenticodeValue -ErrorAction silentlycontinue If (-not $AuthenticodeFlagsValue) { $AuthenticodeFlagsValue = "[Not set]" } else { $AuthenticodeFlagsValue = $AuthenticodeFlagsValue.$strDWORDAuthenticodeValue } if($AuthenticodeFlagsValue -eq $AuthenticodeFlagsDWORDProb) { Log-Write "`t $($strDWORDAuthenticodeValue) under $($TrustedPublisherKey) is set to $($AuthenticodeFlagsValue)" "WARN" Log-Write "`t This policy setting can cause certain versions of Sophos NTP and/or SCF to fail installation. Please check Group Policy" "WARN" } else { Log-Write "`t $($strDWORDAuthenticodeValue) under $($TrustedPublisherKey) is set to $($AuthenticodeFlagsValue)" "DEBG" } } } #===================================================================================================== #===================================================================================================== function CheckNDISFilters() { Log-Write "CheckNDISFilters" "DEBG" Log-Write "Number required for Sophos: $($intFiltersRequired)" "DEBG" $intMaxNumFilters = Get-ItemProperty -Path $strMaxFiltersKey -Name $strMaxNumFilters -ErrorAction silentlycontinue if ($intMaxNumFilters) { Log-Write "Checking for NDIS filter space" "INFO" $intMaxFilters = $intMaxNumFilters.$strMaxNumFilters Log-Write "`t Checking maximum number of NDIS Filter drivers registry value 'MaxNumFilters': $($intMaxFilters)" "INFO" if ($intMaxFilters -gt $intDefaultMaxFilters) { Log-Write "`t 'MaxNumFilters' has been increased from the default of 
$($intDefaultMaxFilters)" "INFO" } if ($intMaxFilters -lt $intDefaultMaxFilters) { Log-Write "`t 'MaxNumFilters' has been decreased from the default of $($intDefaultMaxFilters)" "WARN" } if ($intMaxFilters -eq $intDefaultMaxFilters) { Log-Write "`t 'MaxNumFilters' is unchanged from the default ($($intDefaultMaxFilters))" "INFO" } } else { #Using the reg key as a test for Windows 7 and platforms which have a limit. #I assume on Win 7, if the key doesn't exist the default is 8 but then it seems #unlikley someone would have deleted the registry value. Log-Write "($strMaxNumFilters) registry value does not exist. Assuming not a limitation on this platform." "DEBG" return 0 } #Count in use $strRegPath = $strMaxFiltersKey+"{4d36e974-e325-11ce-bfc1-08002be10318}" Log-Write "NDIS registry path: $($strRegPath)" "DEBG" $children = get-childitem -path $strRegPath -ErrorAction SilentlyContinue | get-childitem | where-object {$_.PSChildName -eq "Ndi"} | get-itemproperty | where-object {$_.FilterClass} | get-itemproperty -name FilterClass if ($children) { Log-Write "`t Number of NDIS Filter drivers installed $($children.count)" "INFO" if ($children.count -gt 0) { foreach ($filter in $children) { $strDesc = (get-itemproperty -path $filter.PSParentPath).Description if($strDesc -match "sophos") { Log-Write "`t $($strDesc)" "WARN" } else { Log-Write "`t $($strDesc)" "INFO" } } } $intSpaceLeft = $intMaxFilters - $children.count Log-Write "`t Number of NDIS drivers that still can be installed on computer: $($intSpaceLeft)" "INFO" if ($intSpaceLeft -ge $intFiltersRequired) { Log-Write "`t $($intFiltersRequired) NDIS filters can be installed for Sophos (based on required number of $($intFiltersRequired))" "PASS" } else { Log-Write "`t You need to increase the value of $($strMaxNumFilters) under:" "ERROR" Log-Write "`t $($strMaxFiltersKey)" "ERROR" Log-Write "`t 14 is the maximum and a reboot is required for the change to take effect. See KBA 133450." 
"ERROR" } } else { Log-Write "$($strRegPath) did not exist. Failed to determine number of NDIS filters installed." "WARN" } } #===================================================================================================== function CheckELAMDirOK() { Log-Write "CheckELAMDirOK" "DEBG" #Check 'EarlyLaunch' registy key exists as a check for the platform supporting ELAM. if (test-path $strEarlyLaunchKey) { Log-Write "Checking registry key: '$($strEarlyLaunchKey)' exists. Assume platform supports ELAM" "DEBG" #Get location, probably windir + ELAMBKUP $strELAMBackupLocation = Get-ItemProperty -Path $strEarlyLaunchKey -Name $strELAMBackupPath -ErrorAction silentlycontinue if ($strELAMBackupLocation) { $strPathToCheck = $strELAMBackupLocation.$strELAMBackupPath #Check if the path found in the registry exists Log-Write "Checking Windows 'EarlyLaunch' backup directory" "INFO" if (test-path $strPathToCheck) { Log-Write "`t $($strPathToCheck) exists." "PASS" return $true } else { Log-Write "`t $($strPathToCheck) does not exists. It is suggested that you create this directory." "ERROR" return $false } } else { Log-Write "Checking Windows 'EarlyLaunch' registry value" "INFO" $WindowsELAMDirSuggestion = $env:windir +"\ELAMBKUP" Log-Write "'$($strELAMBackupPath)' registry value does not exist." 
"ERROR" Log-Write "It is suggested that you create this REG_SZ under the registry key '$($strEarlyLaunchKey)' and set it to be: $($WindowsELAMDirSuggestion)" "ERROR" return $false } } else { Log-Write "$($strEarlyLaunchKey) does not exist, assume platform does not support ELAM" "DEBG" } return $true } #===================================================================================================== #===================================================================================================== function CheckSCFFilterListRegKey { Log-Write "CheckSCFFilterListRegKey" "DEBG" $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}" $NetCfgInstanceId = "AACC1E53-F734-42C2-A5D0-649E4A59AC5D" $regValueName = "FilterList" #For each key look for a "FilterList" registry value Get-ChildItem $key -recurse -ea SilentlyContinue | ForEach-Object { if($_.Property -eq $regValueName) { #Key has a FilterList $counter = 0 Log-Write "Found $($regValueName) under registry key:" "INFO" Log-Write "`t $($_.PsPath)" "INFO" $FilterListItems = (get-itemproperty $_.PsPath).$regValueName #Array to hold values. $newArray = New-Object System.Collections.ArrayList Log-Write "All existing entries in $regValueName registry value:" "DEBG" foreach ($entry in $FilterListItems) { Log-Write "`t $($entry)" "DEBG" if ($entry -match $NetCfgInstanceId) { #Filter out Sophos entries from being added to the new array. Log-Write "The Sophos value $($entry) is in $($regValueName) reg value under the key:" "ERROR" Log-Write "`t$($_.PsPath)" "ERROR" $counter++ } else { $newArray.add($entry) > $null } } if ($counter -gt 0) { Log-Write "Found $($counter) Sophos item(s)." 
"DEBG" #Print the new values Log-Write "New values if written would be:" "DEBG" foreach ($newValueToWrite in $newArray) { Log-Write "`t`$($newValueToWrite)" "DEBG" } if($global:boolForceMode) { Log-Write "`t Attempting to update $($regValueName) registry" "INFO" try { $null = set-ItemProperty -Path $_.PsPath -type multistring -Name $regValueName -Value $newArray -ErrorAction silentlycontinue } catch { Log-Write "`t Failed to update registry." "ERROR" } } } else { Log-Write "`t No Sophos entries found in ($regValueName) under $($_.PsPath)" "PASS" } } } } #===================================================================================================== #===================================================================================================== function RemoveSAVScheduledScan { Log-Write "RemoveSAVScheduledScan" "DEBG" $STasks = Get-ScheduledTask -ErrorAction silentlycontinue $intCountTasks = 0 $intCountTasksRemoved = 0 if ($STasks) { foreach ($task in $STasks) { if ($task.Actions.Execute -match $strSAVSchedScanExe) { $intCountTasks++ Log-Write "Found Sophos scheduled task: $($task.TaskName) - $($task.Actions.Execute)" "ERROR" if ($global:boolForceMode) { Log-Write "Removing Sophos Anti-Virus scheduled task" "INFO" try { Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false -ErrorAction silentlycontinue $intCountTasksRemoved++ } catch { Log-Write "Error removing task $($task.TaskName)" "WARN" } } } } if ($intCountTasks -gt 0) { Log-Write "Number of Sophos Anti-Virus scheduled scan tasks found: $($intCountTasks)" "ERROR" if ($global:boolForceMode) { Log-Write "Number of Sophos Anti-Virus scheduled scan tasks removed: $($intCountTasksRemoved)" "INFO" } } else { Log-Write "Number of Sophos Anti-Virus scheduled scan tasks found: $($intCountTasks)" "PASS" } } else { Log-Write "Unable to get a list of scheduled tasks" "WARN" } } #===================================================================================================== 
#===================================================================================================== function TidyInstallerFoldersKey() { Log-Write "TidyInstallerFoldersKey" "DEBG" #Get just the registry values (folders) where the data value for the path is not 1: $FilteredRegValues = (Get-ItemProperty -ErrorAction SilentlyContinue $WIFoldersKey).psobject.properties | where-object {$_.Value -ne 1} if ($FilteredRegValues) { foreach ($regValue in $FilteredRegValues) { if ($null -ne ($toFindInFoldersKey | ? { $regValue -match $_ }) ) { Log-Write "Found: $($regValue.Name)" "ERROR" if ($global:boolForceMode) { Log-Write "Removing: $($regValue.Name)" "INFO" remove-itemproperty -path $WIFoldersKey -name $regValue.Name -ErrorAction SilentlyContinue } } else { #$regValue.Name would be too much to log to the file. } } } } #===================================================================================================== #===================================================================================================== function IsSCMOutOfSyncWithRegistry ([string]$toCheck) { Log-Write "IsSCMOutOfSyncWithRegistry $($toCheck)" "DEBG" #Create friendly name for logging switch ($toCheck) { "UserModeService" {$strFriendlyName = "Service"} "Driver" {$strFriendlyName = "Driver"} } $SCMOddState = 0 #If this is > 0 then one or more services are out of sync. $xmlComponents | Select-Xml -XPath "//RemovalData/Components" | foreach { foreach ($itemToProcess in $_.node.ChildNodes) { #Don't consider the first service group of the data to prevent duplicates. 
```powershell
# (fragment) The header of this function, its pipeline over //RemovalData/Components and the
# foreach over $_.node.ChildNodes precede this point. $toCheck names the XML element being
# checked (for example Services), $strFriendlyName labels it in the log, and $SCMOddState
# counts entries the Service Control Manager (SCM) knows about but the registry cannot back.
            if ($itemToProcess.FridendlyName.element -ne $strFirstGroupAvoidDups) { # 'FridendlyName' is the element name as spelled in the data
                Log-Write "Component: $($itemToProcess.FridendlyName.element)" "DEBG"
                if ($itemToProcess.$toCheck) {
                    foreach ($indService in $itemToProcess.$toCheck.element) {
                        Log-Write "`t $($toCheck): $($indService)" "DEBG"
                        # sophossps and "Sophos System Protection Service" both exist; the reg key is sophossps
                        if ($indService -ne "Sophos System Protection Service") {
                            try {
                                $s = get-service $indService -ErrorAction Stop
                                if ($s.Status) {
                                    # We have a status so SCM knows about it, but does it have a registry key?
                                    $regService = "HKLM:\SYSTEM\CurrentControlSet\Services\" + $indService
                                    Log-Write "`t Check: $($regService)" "DEBG"
                                    $SvsRegExists = test-path -path $regService
                                    if ($SvsRegExists) {
                                        Log-Write "`t'$($regService)' exists" "DEBG"
                                        # Check if there is an ImagePath
                                        $regCheck = (get-itemproperty -path $regService).ImagePath
                                        if (-not $regCheck) {
                                            Log-Write "$($strFriendlyName): '$($indService)', state: '$($s.Status)', a component of: '$($itemToProcess.FridendlyName.element)' has no ImagePath." "WARN"
                                            $SCMOddState++
                                        }
                                    } else {
                                        $SCMOddState++
                                        Log-Write "$($strFriendlyName): '$($indService)', state: '$($s.Status)', a component of: '$($itemToProcess.FridendlyName.element)' has no service registry key." "WARN"
                                    }
                                }
                            } catch {
                                Log-Write "`t`t$($indService) does not exist according to 'get-service'" "DEBG"
                            }
                        }
                    }
                }
            }
        } # foreach ($itemToProcess in $_.node.ChildNodes)
    }     # Select-Xml ... | foreach
    if ($SCMOddState -gt 0) {
        Log-Write "The '$($strFriendlyName)' entries listed above have a 'state' according to the Service Control Manager (SCM) but have no/invalid service registry keys. Please reboot before re-installing to resolve." "ERROR"
        return $true
    }
    return $false
}
#=====================================================================================================
#=====================================================================================================
# Image File Execution Options: a 'Debugger' value on a key named after one of the product's
# executables makes Windows launch the debugger instead of the executable, so the process never
# starts. This is reported always and removed only in remove (force) mode.
function CheckSophosIFEO() {
    Log-Write "CheckSophosIFEO" "DEBG"
    $xmlComponents | Select-Xml -XPath "//RemovalData/Components" | foreach {
        foreach ($itemToProcess in $_.node.ChildNodes) {
            # Don't consider the first service group of the data, to prevent duplicates.
            if ($itemToProcess.FridendlyName.element -ne $strFirstGroupAvoidDups) {
                Log-Write "Component: $($itemToProcess.FridendlyName.element)" "DEBG"
                if ($itemToProcess."Processes") {
                    foreach ($inProcess in $itemToProcess."Processes".element) {
                        # $strToSkipForIFEO holds names too generic to act on (shared with other products)
                        if (-not ($strToSkipForIFEO -contains $inProcess)) {
                            # $strIFEOAll holds the native and WOW6432Node IFEO key prefixes
                            foreach ($keyToCheck in $strIFEOAll) {
                                $strPathToCheck = $keyToCheck + $inProcess
                                Log-Write "Checking key: $($strPathToCheck)" "DEBG"
                                if (test-path $strPathToCheck) {
                                    Log-Write "$($strPathToCheck) exists" "DEBG"
                                    # Check if it has a Debugger value
                                    $regCheckDebugger = (get-itemproperty -path $strPathToCheck)."Debugger"
                                    if ($regCheckDebugger) {
                                        $global:IFEOWithDebuggerValue++
                                        Log-Write "$($strPathToCheck) has a 'Debugger' value under the key with the value: [$($regCheckDebugger)]" "ERROR"
                                        if ($global:boolForceMode) {
                                            Log-Write "Running in remove mode, will delete key: $($strPathToCheck)" "INFO"
                                            $global:IFEOToDelete++
                                            $null = Remove-Item -Path $strPathToCheck -Force -Recurse -ErrorAction silentlycontinue
                                        }
                                    } else {
                                        Log-Write "No 'Debugger' entry" "DEBG"
                                    }
                                } else {
                                    Log-Write "No IFEO registry key: $($strPathToCheck)" "PASS"
                                }
                            }
                        } else {
                            Log-Write "Skipping process named '$($inProcess)' as too generic." "DEBG"
                        }
                    }
                }
            }
        }
    }
}
#=====================================================================================================
#=====================================================================================================
# A Winsock Layered Service Provider (LSP) whose DLL has been removed but whose catalog entry
# remains will break networking, so the catalog is checked for the product's two LSP DLLs.
function CheckLSPInWinsock() {
    Log-Write "CheckLSPInWinsock" "DEBG"
    try {
        Log-Write "Attempting to run the command 'netsh winsock show catalog' to see if our LSP is in the Winsock catalog" "DEBG"
        $StringNetshCatOutput = netsh winsock show catalog
        if ($StringNetshCatOutput) {
            foreach ($lineInOutPut in $StringNetshCatOutput) {
                # -match is a regex test, so the '.' in the file name matches any character; harmless here
                if ($lineInOutPut -match $strLSPFileName64 -or $lineInOutPut -match $strLSPFileName32) {
                    Log-Write "Found line in catalog: $($lineInOutPut)" "DEBG"
                    return $true
                }
            }
        }
    } catch {
        Log-Write "Failed to run netsh command." "DEBG"
        # will not return true but will default to false as I have tried to remove the LSP in a number of ways
    }
    Log-Write "Did not find our LSPs: $($strLSPFileName64) and/or $($strLSPFileName32), in the Winsock Catalog" "DEBG"
    return $false
}
#=====================================================================================================
# Script entry point, followed by the closing log entry
Main
Log-Exit
```

Component removal data (the script's XML with its tags stripped; the values are folder and registry paths in `arch|root|relative` form, MSI product codes, process, driver and service names, and uninstall commands written `path!arguments`):

Hosting and Hardcoded Processes sophosupdate.exe alsvc.exe almon.exe alupdate.exe ManagementAgentNT.exe mcsagent.exe sophosui.exe sophos ui.exe SophosAgentUI.exe savmain.exe sophos-cwg-monitor.exe SophosAgentRelay.exe SophosCertMgr.exe SophosCWGScannerAutoUpdater.exe Sophos AutoUpdate Service Sophos MCS Agent Sophos Agent SAVService SAVAdminService swi_service 32|PROGRAMFILES|Sophos\Remote Management System NATIVE|PROGRAMDATA|Sophos\Remote Management System Sophos Remote Management System (RMS) FED1005D-CBC8-45D5-A288-FFC7BB304121 FF11005D-CBC8-45D5-A288-25C7BB304121 15C418EB-7675-42BE-B2B3-281952DA014D D924231F-D02D-4E0B-B511-CC4A0E3ED547 ManagementAgentNT.exe RouterNT.exe ClientMRInit.exe 32|HKLM|SOFTWARE|Sophos\Messaging System 32|HKLM|SOFTWARE|Sophos\Remote Management System Sophos Message Router Sophos Agent 32|PROGRAMFILES|Sophos\Management
Communications System NATIVE|PROGRAMDATA|Sophos\Management Communications System\Endpoint\channels\EDR NATIVE|PROGRAMDATA|Sophos\Management Communications System NATIVE|PROGRAMDATA|Sophos\Remote Management System NATIVE|PROGRAMDATA|Sophos\Certificates\Management Communications System NATIVE|PROGRAMDATA|Sophos\Certificates Sophos Management Communication System (MCS) A1DC5EF8-DD20-45E8-ABBD-F529A24D477B 1FFD3F20-5D24-4C9A-B9F6-A207A53CF179 D875F30C-B469-4998-9A08-FE145DD5DC1A 2C14E1A2-C4EB-466E-8374-81286D723D3A 32|PROGRAMFILES|Sophos\Management Communications System\Endpoint\Uninstall.exe!/quiet NATIVE|PROGRAMDATA|Sophos\Certificates mcsagent.exe mcsclient.exe 32|HKLM|SOFTWARE|Sophos\Management Communications System 32|HKLM|SOFTWARE|Sophos\Remote Management System 32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\MCS NATIVE|HKCU|SOFTWARE|Sophos\Management Communications System\Registration NATIVE|HKCU|SOFTWARE|Sophos\Management Communications System NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\Sophos Management Communications System Sophos MCS Agent Sophos MCS Client NATIVE|WINDOWS|SYSTEM32\netcfg.exe!/u SOPHOS_SOPHOSNTPLWF sntp sophosntplwf NATIVE|PROGRAMFILES|Sophos\Sophos Network Threat Protection NATIVE|PROGRAMDATA|Sophos\Sophos Network Threat Protection NATIVE|PROGRAMDATA|Sophos\Heartbeat NATIVE|WINDOWS|System32\Drivers|sophosntplwf.sys NATIVE|WINDOWS|System32\Drivers|sntp.sys Sophos Network Threat Protection 604350BF-BE9A-4F79-B0EB-B1C22D889E2D 66967E5F-43E8-4402-87A4-04685EE5C2CB 2D2A1891-4657-4E6F-9373-BFCE4C9AC5BA sntpservice.exe SophosNtpTelemetry.exe SophosNtpService.exe SophosSnort.exe NATIVE|HKLM|SOFTWARE|Sophos\Sophos Network Threat Protection 32|HKLM|SOFTWARE|Sophos\Heartbeat NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sntpservice NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sntp NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sophosntplwf 32|HKLM|SOFTWARE|Sophos\Remote Management 
System\ManagementAgent\Adapters\NTP NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos Network Threat Protection Diagnostics NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{04aa2cbe-7547-4bd8-b629-381b838565fb} NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\Sophos-NetworkThreatProtection-Driver NATIVE|HKLM|SOFTWARE|Classes\AppID\{C092D533-8791-42F8-8EBE-DB116F79B4B7} NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{6886D7DB-850A-4C92-A2F7-CBD741F825E5} NATIVE|HKLM|SYSTEM|CurrentControlSet\Control\SafeBoot\Network\SntpService NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\Sophos Network Threat Protection NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SNTP NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SOPHOSNTPLWF sntpservice SFWCallout 32|PROGRAMFILES|Sophos\Sophos Client Firewall NATIVE|PROGRAMDATA|Sophos\Sophos Client Firewall NATIVE|WINDOWS|SYSTEM32\DRIVERS\SFWCallout.sys NATIVE|WINDOWS|SYSTEM32\DRIVERS\scfdriver.sys NATIVE|WINDOWS|SYSTEM32\DRIVERS\scfndis.sys 32|COMMONPROGRAMFILES|Sophos\Sophos Client Firewall Sophos Client Firewall 32|PROGRAMFILES|Sophos\Sophos Client Firewall\DriverHelper_x64.exe!/uninstall /legacy_ndis 32|PROGRAMFILES|Sophos\Sophos Client Firewall\DriverHelper_Win32.exe!/uninstall /legacy_ndis 17071117-5BB2-4737-B05B-C5FABD367313 12C00299-B8B4-40D3-9663-66ABEA3198AB A805FB2A-A844-4cba-8088-CA64087D59E1 12C00299-B8B4-40D3-9663-66ABEA3198AB DriverHelper_x64.exe DriverHelper_Win32.exe op_viewer.exe SCFManager.exe SCFService.exe ConfigTool.exe CustomLogViewWrapper.exe 32|HKLM|SOFTWARE|Sophos\Sophos Client Firewall 32|HKLM|SOFTWARE|Sophos\Heartbeat NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Client Firewall NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Client Firewall Manager NATIVE|HKLM|SYSTEM|ControlSet001\Services\Sophos Client Firewall NATIVE|HKLM|SYSTEM|ControlSet001\Services\Sophos Client Firewall Manager 
NATIVE|HKLM|SYSTEM|CurrentControlSet\Control\SafeBoot\Network\Sophos Client Firewall NATIVE|HKLM|SYSTEM|CurrentControlSet\Control\SafeBoot\Network\Sophos Client Firewall Manager NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SFWCallout 32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\SCF NATIVE|HKLM|SYSTEM|CurrentControlSet\services\scfndis NATIVE|HKLM|SYSTEM|CurrentControlSet\services\scfdriver NATIVE|HKLM|SYSTEM|CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{AACC1E53-F734-42C2-A5D0-649E4A59AC5D} NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\Sophos Client Firewall NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\Sophos Client Firewall Manager NATIVE|HKLM|SOFTWARE|Classes\AppID\{387EF71D-9F19-4059-B6E5-B29E521AF040} NATIVE|HKLM|SOFTWARE|Classes\AppID\{B75ECD8A-5E2B-4D7E-8034-4E91B4FC6E26} NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{0AE20EE6-FC5C-42A4-9F0C-502D98EA0073} NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{5960078F-7D29-4A18-8493-749E10B37215} 32|HKLM|SOFTWARE|Classes\CLSID\{0C7ECBE2-1386-4B21-BF29-6233C07AFF8C} 32|HKLM|SOFTWARE|Classes\CLSID\{3F3D6947-500C-40A3-9F45-893CED400B41} 32|HKLM|SOFTWARE|Classes\CLSID\{4AC2AB2B-CA79-4BBB-B351-DAFE860DA4F5} 32|HKLM|SOFTWARE|Classes\CLSID\{6BD002D1-C42B-4B20-9F88-6E20D03EEBF8} 32|HKLM|SOFTWARE|Classes\CLSID\{93AAF04C-6BD4-4210-8C18-45B8A833B011} 32|HKLM|SOFTWARE|Classes\CLSID\{95A59E09-93B9-4F0B-8A79-2247E04B5012} 32|HKLM|SOFTWARE|Classes\CLSID\{A6AA093B-944F-4C03-B9CF-4C762D161736} 32|HKLM|SOFTWARE|Classes\CLSID\{C02FEE90-2FA0-4B78-8608-5982D85B219E} 32|HKLM|SOFTWARE|Classes\CLSID\{DA05E01D-91D7-4E6C-949C-C8DBF7B80865} NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SCFNDIS NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SCFDRIVER 32|PROGRAMFILES|Sophos\Sophos Client Firewall Sophos Client Firewall Sophos Client Firewall Manager NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner\logs\sophosfilescanner.log 
NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner\logs NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner NATIVE|PROGRAMFILES|Sophos\Sophos File Scanner Sophos File Scanner NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner SophosFS.exe SophosFileScanner.exe SophosFSTelemetry.exe NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos File Scanner Service NATIVE|HKLM|SOFTWARE|Sophos\Sophos File Scanner NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\{CD39E739-F480-4AC4-B0C9-68CA731D8AC6} NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner NATIVE|PROGRAMFILES|Sophos\Sophos File Scanner\Uninstall.exe!/quiet Sophos File Scanner Service sophosed sophosel NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Logs|sed.log NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Action\tmp NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Action NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Policy\tmp NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Policy NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Event\tmp NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Event NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Status\tmp NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Status NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\http NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\DirectoryChanges NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryChanges NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryReads NATIVE|PROGRAMDATA|Sophos\Endpoint 
Defense\Data\Event Journals\SophosED\FileDataReads NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileHashes NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherReads NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileProperties NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Image NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Registry NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\System NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Thread NATIVE|PROGRAMFILES|Sophos\Endpoint Defense|sedservice.exe NATIVE|WINDOWS|System32|SophosNA.exe NATIVE|WINDOWS|System32|drivers\sophosed.man NATIVE|WINDOWS|System32|drivers\sophosel.sys NATIVE|WINDOWS|System32|drivers\Sophosed.sys 32|PROGRAMFILES|Sophos\Endpoint Defense NATIVE|PROGRAMDATA|Sophos\Endpoint Defense NATIVE|WINDOWS|ELAMBKUP\sophosel.sys Sophos Endpoint Defense NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Action\tmp NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Action NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Policy\tmp NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Policy NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Event\tmp NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Event NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Status\tmp NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Status NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS 
NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\http NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\DirectoryChanges NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryChanges NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryReads NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileDataReads NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileHashes NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherReads NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileProperties NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Image NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Registry NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\System NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Thread NATIVE|PROGRAMFILES|Sophos\Endpoint Defense\sedservice.exe NATIVE|WINDOWS|System32|drivers\sophosed.man NATIVE|WINDOWS|System32|drivers\sophosel.sys NATIVE|WINDOWS|System32|drivers\Sophosed.sys 32|PROGRAMFILES|Sophos\Endpoint Defense NATIVE|PROGRAMFILES|Sophos\Endpoint Defense NATIVE|PROGRAMDATA|Sophos\Endpoint Defense SEDService.exe FileAnalyzerSubmitterTool.exe SEDcli.exe SophosNA.exe SspEdr.exe SSPService.exe Telemetry.exe TelemetryPlugin.exe Uninstall.exe SSPService.exe 32|HKLM|SOFTWARE|Sophos\SystemProtection 32|HKLM|SOFTWARE|Sophos\SAVClients NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Elam NATIVE|HKLM|SOFTWARE|Sophos\EndpointDefense NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Endpoint Defense Service 
NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Endpoint Defense 32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\CORE 32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\CORC NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SOPHOS_ENDPOINT_DEFENSE NATIVE|PROGRAMDATA|Sophos\Endpoint Defense NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection NATIVE|PROGRAMFILES|Sophos\Endpoint Defense\uninstall.exe!/quiet 32|PROGRAMFILES|Sophos\Sophos Endpoint Defense\uninstall.exe!/quiet NATIVE|PROGRAMFILES|Sophos\Sophos Endpoint Defense\uninstall.exe!/quiet Sophos Endpoint Defense Service Sophos System Protection Service NATIVE WOW savonaccess sdcfilter sophosbootdriver swi_callout 32|PROGRAMFILES|Sophos\Sophos Anti-Virus NATIVE|PROGRAMDATA|Sophos\Sophos Anti-Virus NATIVE|PROGRAMDATA|Sophos\Web Intelligence NATIVE|PROGRAMDATA|Sophos Web Intelligence NATIVE|PROGRAMDATA|Sophos\Web Control NATIVE|PROGRAMDATA|Sophos\Sophos Device Control NATIVE|PROGRAMDATA|Sophos\Sophos Data Control NATIVE|PROGRAMDATA|Sophos\Sophos Tamper Protection NATIVE|WINDOWS|System32\Drivers|savonaccess.sys NATIVE|WINDOWS|System32\Drivers|swi_callout.sys NATIVE|WINDOWS|System32\Drivers|sdcfilter.sys NATIVE|WINDOWS|System32\Drivers|SophosBootDriver.sys NATIVE|WINDOWS|System32\Drivers|skmscan.sys NATIVE|WINDOWS|System32|SophosBootTasks.exe NATIVE|WINDOWS|System32|sdccoinstaller.dll 32|COMMONPROGRAMFILES|Sophos\Web Control 32|COMMONPROGRAMFILES|Sophos\Web Intelligence NATIVE|COMMONPROGRAMFILES|Sophos\Web Control NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence|scf.dat NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence|swi_fc.exe NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence|swi_fc.exe.0 NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence NATIVE|PROGRAMDATA|Sophos\Web Intelligence|swi_ifslsp.dll NATIVE|PROGRAMDATA|Sophos\Web Intelligence|swi_ifslsp_64.dll 
NATIVE|WINDOWS|SYSTEM32\SophosAV|sophos_detoured_x64.dll NATIVE|WINDOWS|SYSTEM32\SophosAV|sophos_detoured.dll 32|WINDOWS|SYSWOW64\SophosAV|sophos_detoured.dll NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus\Perf|Channel_0.xml NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus\Perf NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos Sophos Anti-Virus 3A3908E1-F410-48AC-BBDA-1468E7F17AD0 23E4E25E-E963-4C62-A18A-49C73AA3F963 6CA90A07-433B-4859-A785-006771D72109 D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4 577896A8-08F6-47E2-B2EB-DE5265701F39 095BB5FF-C89D-449B-9D6D-3B9CCB3BEFD8 034759DA-E21A-4795-BFB3-C66D17FAD183 9ACB414D-9347-40B6-A453-5EFB2DB59DFA 6654537D-935E-41C0-A18A-C55C2BF77B7E 2519A41E-5D7C-429B-B2DB-1E943927CB3D 66967E5F-43E8-4402-87A4-04685EE5C2CB 72E30858-FC95-4C87-A697-670081EBF065 8123193C-9000-4EEB-B28A-E74E779759FA 36333618-1CE1-4EF2-8FFD-7F17394891CE DFDA2077-95D0-4C5F-ACE7-41DA16639255 CA3CE456-B2D9-4812-8C69-17D6980432EF CA524364-D9C5-4804-92DE-2800BDAC1AA4 3B998572-90A5-4D61-9022-00B288DD755D 4BAF6F55-FFE4-4A3A-8367-CC2EBB0F11C3 BA8752FE-75E5-43DD-9913-23509EFEB409 C4EDC7DA-3AF8-4E99-ACAC-4C1A70F88CFB 9ACB414D-9347-40B6-A453-5EFB2DB59DFA 4320988A-7DE0-478D-A38B-CE9509BCE320 320CD9AF-3E73-453F-A11D-C4DBE23D5476 65C68E09-B673-491F-AB36-2EBD8DDA91F3 5A13E01A-1161-4FAC-ADAF-36AD8FFADF14 NATIVE|WINDOWS|System32\Drivers|savonaccess.sys NATIVE|WINDOWS|System32\Drivers|swi_callout.sys NATIVE|WINDOWS|System32\Drivers|sdcfilter.sys NATIVE|WINDOWS|System32\Drivers|SophosBootDriver.sys NATIVE|WINDOWS|System32\Drivers|skmscan.sys NATIVE|WINDOWS|System32|SophosBootTasks.exe NATIVE|WINDOWS|System32|sdccoinstaller.dll 32|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured.dll 32|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured_x64.dll 32|PROGRAMFILES|Sophos\Sophos 
Anti-Virus|sophos_detoured.dll.stf00 32|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured_x64.dll.stf00 32|PROGRAMFILES|Sophos\Sophos Anti-Virus|SavShellExtX64.dll 32|PROGRAMFILES|Sophos\Sophos Anti-Virus|SophosOfficeAVx64.dll NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence|scf.dat NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence|swi_fc.exe NATIVE|COMMONPROGRAMFILES|Sophos\Web Control NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence 32|COMMONPROGRAMFILES|Sophos\Web Control 32|COMMONPROGRAMFILES|Sophos\Web Intelligence 32|PROGRAMFILES|Sophos\Sophos Anti-Virus NATIVE|PROGRAMDATA|Sophos\Sophos Anti-Virus NATIVE|PROGRAMDATA|Sophos\Web Intelligence|swi_ifslsp.dll NATIVE|PROGRAMDATA|Sophos\Web Intelligence|swi_ifslsp_64.dll NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus\Perf|Channel_0.xml NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus\Perf NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos savservice.exe swi_service.exe swi_fc.exe savadminservice.exe swc_service.exe SAVMain.exe BackgroundScanClient.exe sav32cli.exe savcleanupservice.exe SAVProxy.exe SAVProgress.exe WSCClient.exe sdcdevcon.exe SAVTelem.exe ForceUpdateAlongSideSGN.exe swi_di.exe swi_lsp32_util.exe swi_lspdiag.exe swi_lspdiag_64.exe swi_update_64.exe swi_filter.exe ssr32.exe ssr64.exe 32|HKLM|SOFTWARE|Sophos\SAVService 32|HKLM|SOFTWARE|Sophos\SAVService\TamperProtection 32|HKLM|SOFTWARE|Sophos\SweepNT 32|HKLM|SOFTWARE|Sophos\Web Intelligence 32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\SAV 32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\SWC NATIVE|HKCU|SOFTWARE|SOPHOS NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SAVService NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\savadminservice NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Device 
Control Service NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\swi_service NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sophos web control service NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\swi_filter NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\savonaccess NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sdcfilter NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\swi_update_64 NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\swi_update NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sophosbootdriver NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\swi_callout NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos_AntiVirus-Perf/Comms NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/BehaviourIntercept NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/Cache NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/JournalTracker NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/OnAccess NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/ProcessFilter NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/Scan NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/Web NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{788a31a2-9d77-4994-a1c5-6c3036f56141} NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\Sophos Anti-Virus NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\SophosAntiVirus NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SAVOnAccess NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SAVOnAccessControl NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SAVOnAccessFilter NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SDCFilter 
NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SfwCallout NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SophosBootDriver NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SKMScan NATIVE|HKLM|SOFTWARE|Classes\AppID\{752B5BD1-9128-47B7-9934-E6DE5C5397D0} NATIVE|HKLM|SOFTWARE|Classes\AppID\{F4C3F607-CA7A-4725-AB4E-9B4FF6788ECA} NATIVE|HKLM|SOFTWARE|Classes\Sophos.WebControl NATIVE|HKLM|SOFTWARE|Classes\Sophos.WebControl.1 NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{5123D78B-3CEF-4748-9ABA-20B7150D69C6} NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{675AB458-79EE-4F3B-8BC5-1A424B5628AF} NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{88E6FEF8-9F4F-49E3-9A75-1870C6339F25} NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{946278E5-E994-40B3-AD9E-09BD3F9F2B5E} NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{E8EB0E47-C0D4-4AA5-B872-51BFDBF243FE} NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{F09ED691-830E-11D4-91D7-009027CAC227} NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{F733BA71-46D0-47F8-87ED-B2343DDD9BB7} 32|HKLM|SOFTWARE|Classes\CLSID\{0237D9EB-DC1E-4581-AC00-DA9A76F8A50F} 32|HKLM|SOFTWARE|Classes\CLSID\{0350EF7B-C70F-4BA6-B9A2-C0A466BAA09F} 32|HKLM|SOFTWARE|Classes\CLSID\{12A7F0EC-33F7-4968-9AFD-34D37215184E} 32|HKLM|SOFTWARE|Classes\CLSID\{24DC0815-9D82-47FD-81B3-11DE033EF7A3} 32|HKLM|SOFTWARE|Classes\CLSID\{486EAD99-06D8-42A2-AEC8-353720B02F5D} 32|HKLM|SOFTWARE|Classes\CLSID\{81671ADE-A2EA-412C-8A7D-D0931AE9B02A} 32|HKLM|SOFTWARE|Classes\CLSID\{A0229167-33FE-4B1C-A5DC-E04312B4E967} 32|HKLM|SOFTWARE|Classes\CLSID\{AE5ECDC9-5970-47C0-B0C7-A5F0CC22FD60} 32|HKLM|SOFTWARE|Classes\CLSID\{BD7A8CBB-8AAE-49D3-A042-A6A8AB8B1F52} 32|HKLM|SOFTWARE|Classes\CLSID\{D2B7A809-15DC-40B4-A1E1-C61EA97191DB} 32|HKLM|SOFTWARE|Classes\CLSID\{dda4847c-c939-4c07-8d6a-5869cd694a1c} 32|HKLM|SOFTWARE|Classes\CLSID\{E0577DBF-0123-41F6-BBC7-9E1C94630FD9} 32|HKLM|SOFTWARE|Classes\CLSID\{F2A81486-DE28-4FAF-962A-9836B6C9A06F} 32|HKLM|SOFTWARE|Microsoft\Security Center\Monitoring\SophosAntiVirus 
NATIVE|HKLM|SYSTEM|CurrentControlSet\Control\SafeBoot\Network\SAVService NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SAVONACCESS 32|PROGRAMFILES|Sophos\Sophos Anti-Virus SAVService SAVAdminService swi_service Sophos Web Control Service swi_filter Sophos Device Control Service swi_update_64 swi_update swi_config 32|PROGRAMFILES|Sophos\AutoUpdate NATIVE|PROGRAMDATA|Sophos\Certificates\AutoUpdate NATIVE|PROGRAMDATA|Sophos\AutoUpdate Sophos AutoUpdate 5F3F87F0-7FDF-4776-8951-4E8A0F6B1864 7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16 BCF53039-A7FC-4C79-A3E3-437AE28FD918 9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520 AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54 E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E 72E136F7-3751-422E-AC7A-1B2E46391909 856A0B42-457D-4BD9-B795-6F942370CA6D alsvc.exe almon.exe SophosUpdate.exe Alupdate.exe AUTelem.exe GatherTelem.exe SubmitTelem.exe 32|HKLM|SOFTWARE|Sophos\AutoUpdate NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos AutoUpdate Service 32|HKLM|SOFTWARE|Sophos\Telemetry 32|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Run!Sophos AutoUpdate Monitor NATIVE|HKLM|SOFTWARE|Classes\AppID\{CFC5C7CA-DA4C-4CFB-B16A-65193004E9C2} NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{CE94B62D-25F3-4430-AA85-A22C2888EE65} 32|HKLM|SOFTWARE|Classes\CLSID\{07723A69-B7C8-4113-88F9-F18FB917A82F} 32|HKLM|SOFTWARE|Classes\CLSID\{7CBCADE4-7AA7-43AE-BD20-D88223B6353E} 32|HKLM|SOFTWARE|Classes\CLSID\{ACB50159-5EFF-47D5-B93F-5433C1BD2F3A} 32|HKLM|SOFTWARE|Classes\CLSID\{BF515489-25C1-472D-8F02-378E6CC06B3C} 32|HKLM|SOFTWARE|Classes\CLSID\{DDF239DC-0DCC-45BD-906E-2B283534234E} 32|PROGRAMFILES|Sophos\AutoUpdate Sophos Autoupdate Service NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|ssp.exe NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|SspAdapter.dll NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|TelemetryPlugin.exe NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|integrity.dat NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|NOTICE.txt NATIVE|PROGRAMFILES|Sophos\Sophos 
System Protection|scf.dat NATIVE|PROGRAMFILES|Sophos\Sophos System Protection 32|PROGRAMFILES|Sophos\Sophos System Protection NATIVE|PROGRAMDATA|Sophos\Sophos System Protection NATIVE|PROGRAMFILES|Sophos\Sophos Data Recorder|SDRService.exe NATIVE|PROGRAMFILES|Sophos\Sophos Data Recorder NATIVE|PROGRAMDATA|Sophos\Sophos Data Recorder Sophos System Protection 934BEF80-B9D1-4A86-8B42-D8A6716A8D27 1093B57D-A613-47F3-90CF-0FD5C5DCFFE6 5EC8210A-38F2-4E76-9836-1B48EFDDA3FA ssp.exe sdrservice.exe TelemetryPlugin.exe NATIVE|HKLM|SOFTWARE|Sophos\SystemProtection 32|HKLM|SOFTWARE|Sophos\SystemProtection 32|HKLM|SOFTWARE|Sophos\SAVClients NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Data Recorder NATIVE|HKLM|SYSTEM|CurrentControlSet\services\sophossps NATIVE|HKLM|SYSTEM|CurrentControlSet\services\SophosDataRecorderService 32|HKLM|SOFTWARE|Sophos\Telemetry NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\Sophos System Protection Sophos Data Recorder SophosDataRecorderService sophossps 32|PROGRAMFILES|Sophos\Health NATIVE|PROGRAMDATA|Sophos\Health NATIVE|PROGRAMDATA|Sophos\Health\logs|shsadapter.log NATIVE|PROGRAMDATA|Sophos\Health\logs Sophos Health Service 80D18B7B-8DF1-4BCA-901F-BEC86BAE2774 A5CCEEF1-B6A7-4EB4-A826-267996A62A9E D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44 E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745 Health.exe SophosHealth.exe SophosHealthClient.exe 32|HKLM|SOFTWARE|Sophos\Health 32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\SHS Sophos Health Service NATIVE|PROGRAMFILES|Sophos\Endpoint Firewall NATIVE|PROGRAMDATA|Sophos\Endpoint Firewall Sophos Endpoint Firewall 2831282D-8519-4910-B339-2302840ABEF3 EfwTelemetryPlugin.exe NATIVE|HKLM|SOFTWARE\Sophos\Endpoint Firewall NATIVE|PROGRAMFILES|Sophos\Endpoint Self Help Sophos Endpoint Self Help 9F69FA12-E3FE-4754-B7E3-B4DEEC8F6B5D 4EFCDD15-24A2-4D89-84A4-857D1BF68FA8 BB36D9C2-6AE5-4AB2-BC91-ECD247092BD8 SophosDiag.exe SophosESH.exe Telemetry.exe 
NATIVE|HKLM|SOFTWARE|Sophos\Endpoint Self Help NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{c207e3ed-c0f0-4981-89fc-d756f0d08273} 32|PROGRAMFILES|Sophos\Sophos Diagnostic Utility NATIVE|PROGRAMDATA|Sophos\Sophos Diagnostic Utility Sophos Diagnostic Utility 4627F5A1-E85A-4394-9DB3-875DF83AF6C2 E4853018-0364-49B8-9ADD-691C425D7B5A sducli.exe uploader.exe sdugui.exe 32|HKLM|SOFTWARE|Sophos\Diagnose NATIVE|HKCU|SOFTWARE|Sophos\Diagnose NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\App Paths\sducli.exe NATIVE|PROGRAMFILES|Sophos\Sophos UI NATIVE|PROGRAMDATA|Sophos\Sophos UI Sophos Endpoint UI D29542AE-287C-42E4-AB28-3858E13C1A3E Sophos ui.exe SophosUITelemetry.exe NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Run!Sophos UI.exe 32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\UI NATIVE|HKCU|SOFTWARE|Sophos\Sophos UI NATIVE|HKLM|SOFTWARE|Sophos\Sophos UI NATIVE|HKCU|Software|Microsoft\SophosUI NATIVE|HKLM|SOFTWARE|Classes\sophosui Sophos Heartbeat DFFA9361-3625-4219-82C2-9EF011E433B1 heartbeat.exe Sophos Heartbeat Service NATIVE|PROGRAMFILES|Sophos\Sophos Endpoint Agent Sophos Endpoint A5CCEEF1-B6A7-4EB4-A826-267996A62A9E D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44 E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745 uninstallcli.exe uninstallgui.exe NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Agent hmpalert NATIVE|WINDOWS|System32|hmpalert.dll 32|WINDOWS|SYSWOW64|hmpalert.dll NATIVE|WINDOWS|System32\Drivers|hmpalert.sys NATIVE|WINDOWS|System32\Drivers|hmpalert.sys.off 32|PROGRAMFILES|HitmanPro.Alert 32|PROGRAMFILES|HitmanPro.Alert|hmpalert.exe 32|PROGRAMFILES|HitmanPro.Alert|bpaif.dll NATIVE|PROGRAMDATA|HitmanPro.Alert\drop NATIVE|PROGRAMDATA|HitmanPro.Alert\logs NATIVE|PROGRAMDATA|HitmanPro.Alert\mcs NATIVE|PROGRAMDATA|HitmanPro.Alert\reports NATIVE|PROGRAMDATA|HitmanPro.Alert|excalibur.db NATIVE|PROGRAMDATA|HitmanPro.Alert|hmpalert.bf NATIVE|PROGRAMDATA|HitmanPro.Alert 