Posted on 10-20-2017 07:34 AM
Hi,
A little while ago I noticed the Remove Sophos Endpoint.app had appeared on my Mac. After checking other machines I can see it's installed on everything.
Not cool.
I ran a script to remove it from all the Macs and manually deleted it from mine.
However, it reappears in /Applications the next day.
I've been running a daily script to remove it from all Macs but now it's getting to me.
I can match up a Sophos update in the logs to the same time the app was created last night so it appears to be pulling it down when Sophos updates. Although I 'think' it's only doing this once a day.
Most logs show Sophos Anti-Virus is up to date but the one that I think is downloading shows as Sophos Anti-Virus was updated.
Update is pointing at Sophos as the primary location (no secondary) and if I force an update the app doesn't install.
Has anyone else seen this behaviour?
(I don't want to have to open a ticket with them as previous experience knows it'll go nowhere)
Thanks
Al
Posted on 10-20-2017 08:25 AM
Maybe there's a launch daemon looking for the app and if it doesn't see it, it runs a script to download and install?
Posted on 10-20-2017 08:41 AM
Is your Sophos management console re-installing it?
Are you using any specific script to remove Sophos? The one we're using is Rich Trouton's (though, edited a little for us) and it worked in our environment.
#!/bin/bash
# Uninstall existing copy of Sophos 8.x by checking for the
# Sophos Antivirus uninstaller package in /Library/Sophos Anti-Virus.
# If present, the uninstallation process is run.
if [ -d "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
    echo "Sophos AV present on Mac. Uninstalling before installing new copy."
    /usr/sbin/installer -pkg "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /
    killall SophosUIServer
elif [ -d "/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
    echo "Sophos AV present on Mac. Uninstalling before installing new copy."
    /usr/sbin/installer -pkg "/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /
    killall SophosUIServer
else
    echo "Sophos Anti-Virus 8.x Uninstaller Not Present"
fi
# Uninstall existing copy of Sophos 9.x by checking for the InstallationDeployer application
# in the following locations:
#
# Sophos AV Cloud
# /Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/
# /Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/
#
# Sophos AV Home Edition
# /Library/Application Support/Sophos/he/Installer.app/Contents/MacOS
# /Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools
#
# Sophos AV Standalone
# /Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS
# /Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools
#
# Sophos AV Enterprise
# /Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS
# /Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools
#
# If the InstallationDeployer application is present in the Contents/MacOS/tools directory, the
# uninstallation process is run using the InstallationDeployer tool located there.
#
# If the InstallationDeployer application is present only in the Contents/MacOS directory, the
# uninstallation process is run using the InstallationDeployer tool located there.
#
# The reason for the directory-specific check is that running the InstallationDeployer application
# from Contents/MacOS on Sophos 9.1.x and later will cause the Sophos uninstaller application to
# launch in the dock and interfere with a normal installation via installer package.
#
# For more information, see the link below:
# http://www.sophos.com/en-us/support/knowledgebase/14179.aspx
if [[ -f "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ ! -f "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Home Edition present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" --remove
elif [[ -f "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Home Edition present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
elif [[ ! -f "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Home Edition present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
else
    echo "Sophos Anti-Virus 9.x Home Edition Uninstaller Not Present"
fi
if [[ -f "/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ ! -f "/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Standalone present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" --remove
elif [[ -f "/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Standalone present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
elif [[ ! -f "/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Standalone present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
else
    echo "Sophos Anti-Virus 9.x Standalone Uninstaller Not Present"
fi
if [[ -f "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ ! -f "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Enterprise present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" --remove
elif [[ -f "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Enterprise present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
elif [[ ! -f "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Enterprise present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
else
    echo "Sophos Anti-Virus 9.x Enterprise Uninstaller Not Present"
fi
if [[ -f "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ ! -f "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Cloud present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/InstallationDeployer" --remove
elif [[ -f "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Cloud present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
elif [[ ! -f "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    echo "Sophos AV Cloud present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
else
    echo "Sophos Anti-Virus 9.x Cloud Uninstaller Not Present"
fi
exit 0
Posted on 10-23-2017 12:57 AM
We're not using Sophos Management Console. Although we have it, most of our Mac users are remote so I just set it to update directly from Sophos.
I actually saw the download happening on Friday evening. Logged in, Sophos updates and pulls down the uninstaller app.
The script I'm running to remove the app itself is just pretty straightforward rm -r stuff. It deletes the uninstall app and leaves the rest of Sophos in place.
Can't see any evidence of a daemon or agent apart from the one that Sophos uses anyway.
Seems to be part of the update process once daily.
Just weird.
Posted on 10-23-2017 06:01 AM
Try the script above that actually runs the uninstaller.
Posted on 10-23-2017 07:50 AM
Thanks @jmahlman
I don't actually want to uninstall Sophos though, just the Remove Sophos app gone from the apps folder so users aren't tempted to uninstall it themselves.
Posted on 10-23-2017 09:59 AM
Just change the permissions on the app so it cannot be removed. I don't think you can remove the app itself without it being re-pushed with updates.
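One way to apply the permissions approach suggested above, given the goal stated earlier in the thread that users should not be able to launch the removal app (an added example, not code from any poster in the thread or from Sophos). It is written to run as root from a recurring management policy, since the thread reports the app is re-pushed with updates. The app path comes from the thread; root ownership and mode 700 are this example's choices, and whether a Sophos update resets them is not established here.

```shell
#!/bin/bash
# Added example: restrict who can open the Sophos removal app instead of deleting it.
# APP is the bundle named in the thread; override it in the environment if yours differs.
APP="${APP:-/Applications/Remove Sophos Endpoint.app}"

# Print the 10-character mode string of a path (same output on macOS and Linux ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Restrict one app bundle so only its owner can enter it.
# Returns 0 when restricted, 2 when the bundle is absent, 1 on failure.
restrict_app() {
    app="$1"
    # Refuse symlinks: a root-run script must not follow a link planted in /Applications.
    if [ -L "$app" ] || [ ! -d "$app" ]; then
        echo "Not present (or not a real directory): $app"
        return 2
    fi
    # Ownership can only be changed as root; 0:0 is root and its primary group.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R 0:0 "$app" || return 1
    fi
    # Mode 700 on the bundle directory: group and other cannot traverse it,
    # so non-root users cannot read or launch anything inside.
    chmod 700 "$app" || return 1
    [ "$(mode_of "$app")" = "drwx------" ] || return 1
    echo "Restricted: $app"
    return 0
}

# A missing app is normal between Sophos updates; only report real failures.
restrict_app "$APP"
rc=$?
if [ "$rc" -eq 1 ]; then
    echo "Failed to restrict $APP" >&2
fi
```
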