Uninstalling Sophos Endpoint Protection

steagle
New Contributor II

Hi all, we're having a difficult time uninstalling Sophos Endpoint Protection from our Mac endpoints with Jamf. This particular enterprise version of Sophos employs Tamper Protection, which was easy enough for us to disable by creating a policy that deletes the SophosSecure.keychain file that Tamper Protection creates on all the endpoints, but even with Tamper Protection disabled we can't figure out how to remotely uninstall the client itself. So far, we've tried the following approaches, both of these scoped to a test machine with Sophos Endpoint Protection installed and with Tamper Protection disabled:

  • Packaged the Sophos uninstaller (Remove Sophos Endpoint.app) with Composer and added it to a Policy with the Packages payload (specifically, we installed Sophos on the test machine, started Composer and took a before snapshot, uninstalled Sophos, then took an after snapshot, saved and uploaded the resulting .pkg to Jamf)
  • Created a Policy with the Files & Processes payload, using the Execute Command feature to call up the Sophos uninstaller app directly on the endpoint (/Applications/Remove Sophos Endpoint.app)

No luck with either method. If anyone here has successfully removed Sophos Endpoint Protection with a Jamf policy, or if you have any other ideas in general, your feedback would be most appreciated. Sophos support told us that they do not have a batch uninstall feature but I have to believe it's possible with Jamf.

15 REPLIES 15

zoeleech
New Contributor II

I have policy which runs a script that in essence runs this command which works in 99% of cases

/Applications/Remove Sophos Endpoint.app/Contents/MacOS/tools/InstallationDeployer --force_remove --tamper_password <password>

abutterman
New Contributor III

Guess I'm not the only one in the process of removing that nightmare. We disabled tamper protection universally and gave it a little time to update all of the clients. I then deployed the following script for the Macs which seems to be working just fine:

!/bin/bash

cd /Library/Preferences
sudo rm -r com.sophos.*
sudo /Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer --force_remove

galudo
New Contributor

That worked! Thank you so much!

ekey
New Contributor

I was able to push the uninstaller.pkg via policy and that worked for me.

nick_piperSD
New Contributor

@ekey Can you give me an idea of how you did this? I attempted to do the same and it did not work. Was it just a matter of dragging the uninstaller.pkg and deploying as-is or did you need to add a post-install script/ any commands? I have a ticket open with Sophos but am very stuck so any help is much appreciated!

ZeD
New Contributor

Hi Guys,
If it can help someone in my case I had different path to the uninstaller... I used this script bellow to uninstall Sophos. Before I ran the script, tamper protection has been disabled.

#!/bin/bash

if [ -e /Library/Application Support/Sophos/opm/Installer.app ]
then
    /Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer --force_remove
fi

if [ -e /Library/Sophos Anti-Virus/Remove Sophos Endpoint.app ]
then
    /Library/Sophos Anti-Virus/Remove Sophos Endpoint.app/Contents/MacOS/tools/InstallationDeployer --force_remove
fi

if [ -e /Library/Application Support/Sophos/opm-sa/Installer.app ]
then
    /Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer --force_remove
fi

Dan0
New Contributor

This works:

!/bin/bash

rm -R /Library/Sophos Anti-Virus/product-info.plist
/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer --force_remove

Note: The first command removes tamper protection. The second command uninstalls Sophos.

dvsjr
New Contributor

Hi @dan0 Your fix is for Sophos antivirus product, the post is about endpoint (a different product) to avoid confusion. The path for your product will not be the same.

cradice
New Contributor II

@dsjc we use Sophos Endpoint, and @Dan0's script worked for us.

user-TOQuwYftgq
New Contributor II

I'm trying to remove it from our computers, so far no luck. Every script I try runs, but none of them actually seem to remove the app (based on JAMF's reporting). I can't figure out what I'm doing wrong. Does anyone have any thoughts?

gcarmichael
New Contributor III

If you remove the SecureKeychain from the "LibrarySophos Anti-Virus" folder you can remove at will without a tamper proof key. I have an automator action and a script that does this and kicks off the removal tool which when ran from an admin account works out awesome.

MrRoboto
Contributor II

What are you thoughts on just removing all of the Sophos components via script?

#!/bin/sh

pkill Sophos

rm -rf /Library/Sophos*

rm -rf /Library/Application Support/Sophos*

rm -rf /Applications/Sophos*

rm -rf /Library/Frameworks/Sophos*
rm -rf /Library/Frameworks/SAVI*

rm -rf /usr/local/bin/SophosUpdate
rm -rf /usr/local/bin/sweep

launchctl remove /Library/LaunchAgents/com.sophos*
rm -rf /Library/LaunchAgents/com.sophos*

launchctl remove /Library/LaunchDaemons/com.sophos*
rm -rf /Library/LaunchDaemons/com.sophos*

rm -rf /Library/Extensions/Sophos*
kextcache -prune-staging

bscarborough
New Contributor II

With Tamper Protection disabled from the Sophos Central admin console, Dan0's script:

/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer --force_remove

worked for me on my own Mojave machine. I will begin rolling this out gradually through my environment.

From a manual removal situation, I had a machine recently that copied the Sophos application components over to a new machine while using Migration Assistant. Knowing I did not intend to use Sophos Endpoint on this machine, but not thinking that it would copy over, I declined all permission requests from Sophos. However, with no services running, now it did not communicate with Sophos Central so I could not see the machine to disable Tamper Protection, AND when I tried to run Remove Sophos Endpoint.app to uninstall, the app prompted me for a password. Needless to say I had no idea what such a password would be, nor could I find it in my Sophos Central admin panel anywhere. I finally resorted to filing a support ticket with Sophos, and they said for versions above 9.7, to delete /Library/Sophos Anti-Virus/SophosSecure.keychain to disable the Tamper Protection, then run the application. I did this, and then Remove Sophos Endpoint.app ran successfully without any password prompt.

tgoodpaster
New Contributor II

Has anyone tried this on Big Sur? Seems like this scripts work up to Catalina but we have not seen any work due to the new format Big Sur is 11.x. 

Update: MrRoboto's script looks to work fine on Big Sur! Pushing it out now and it's working great! 

Just got done with a week of fiddling with this. We are looking to switch from Sophos to CrowdStrike and I have been validating the Big Sur part of all that. Have been using a script much like MrRobotos's for years with no issues, but Big Sur is a different story. The Sophos provided uninstaller doesn't remove the System Extensions, so you will have to do it manually or sorta scripted:

https://community.sophos.com/intercept-x-endpoint/big-sur-eap/f/recommended-reads/124391/how-to-remo...

https://grahamrpugh.com/2021/04/06/delete-system-extension-command-line.html

 

FWIW the CrowdStrike agent does do the right thing and tell macOS to remove their System Extension, so maybe someday Sophos will too. For now you need to make sure and have the System Extensions deleted first and then run the script or the removal app in the Sophos folder. My testing was on macOS 11.5.2 using Sophos Endpoint 10.1.4. We use Central and have Jamf MDM with profiles/policies for all the needful. Wanted to give people the heads up, since once Sophos is removed you can't easily get rid of the extensions without installing Sophos again and then manually removing them. This will complicate the CrowdStrike rollout a little, but hey it is so secure!