Oct 23, 2016

How to Uninstall Tamper-Protected Sophos Antivirus with PowerShell


The Sophos Antivirus Endpoint tamper protection feature prevents even administrators from uninstalling the product. In this article, I will show you how to uninstall Sophos Antivirus with PowerShell.





Several events can lead to this situation:
  1. The company changes ownership.
  2. The company purchases a new AV product.
  3. The tamper protection password cannot be obtained.
  4. The previous AV administrators can’t remove tamper protection due to a domain change.
  5. The company removes tamper protection from a large portion of administered endpoints, but it still needs to remove tamper protection from a number of outlying systems and notebooks.
While Sophos does provide some assistance with removal via a script, the accompanying documentation includes the caveat:

"Note: If enabled, the Sophos Tamper Protection policy must be disabled on the endpoints involved before attempting to uninstall any component of Sophos Endpoint Security and Control. See article 119175 for more information".

Following the article link, we arrive at the dreaded FAQ:

"How can I disable tamper protection?
Normally you would only disable tamper protection if you wanted to make a change to the local Sophos configuration or uninstall an existing Sophos product. The instructions for this are given below. However, if you are not the administrator who installed it and who has the password, you will need to obtain the password before you can carry out the procedure".

To make things a little less painful, we can script those processes. There are a number of prerequisites to complete the removal, so we’ll break them down into individual steps.
  1. You must stop AV system services.
  2. You must replace the hashed tamper-protection password stored in the machine.xml file with a known-good password hash.
  3. You must start AV services.
  4. You must add the currently logged-in administrator to the local “SophosAdministrator” security group.
  5. You must open the application, manually authenticate the tamper-protection user, and then disable tamper protection altogether.
  6. Now run the component uninstallers.
Before writing code, either build a virtual machine (VM) and take a snapshot, or use something like Clonezilla to take an image of the test system’s hard drive. If things go wrong or a script makes a temporary change, we can easily revert to a clean sample. I find that when building scripts, PowerShell ISE is irreplaceable, because we can walk through each step and test separate statements in individual tabs.

Starting with system services, let’s stop only those services that need stopping. Since we don’t yet know the names Windows registers these services under, we first list every service whose name contains SAV or Sophos, which gives us names PowerShell can use:

Get-Service *SAV*, *Sophos* | Format-Table -Wrap -AutoSize

That provides us with the service names we will use below (SAVService, Sophos Agent, SAVAdminService and Sophos AutoUpdate Service):

(Screenshot: Get-Service with wildcards)

To stop these services with PowerShell, we pipe Get-Service into Stop-Service, stopping only those services that are actually running:

Get-Service SAVService,'Sophos Agent',SAVAdminService | where {$_.status -eq 'running'} | Stop-Service -force

To replace the unknown password hash in the machine.xml file located in C:\ProgramData\Sophos\Sophos Anti-Virus\Config\ , we use Get-Content, .Replace() and Set-Content. The first argument to .Replace() is the hash currently stored in the file (shown partly redacted here; the services must be stopped before the file is edited), and the second is the replacement:

(Get-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml').Replace('8EXXXXXXXXXXXXXXXXXXXXX1AD02', 'E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73') | Set-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'

The hash E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73 corresponds to the password ‘password’, all lowercase, without the quotes. Writing it into machine.xml replaces the old, unknown secret with one we know, so we can authenticate in the console and disable tamper protection.
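Here is an added example (not code from the original post) that turns the hash-replacement step into a safer, reusable function: it lists the 40-hex-digit candidates in machine.xml so you do not have to guess the current hash, backs the file up, refuses to write unless the old hash appears exactly once, and can derive the replacement hash from any password you pick instead of hard-coding the one for ‘password’. The post never says how Sophos derives the stored value; the example assumes SHA-1 over the UTF-16LE encoding of the password and checks that assumption against the post’s own known pair before touching the file, so if the assumption is wrong the function throws instead of corrupting machine.xml. The function and parameter names are mine.

```powershell
# Added example, not code from the original post. It wraps the post's
# Get-Content/Replace/Set-Content step in a function that backs up
# machine.xml, refuses to run unless the old hash is present exactly once,
# and can derive the replacement hash from a password of your choosing.
#
# ASSUMPTION (not stated in the post): the stored value is SHA-1 over the
# UTF-16LE encoding of the password. Test-TamperHashAssumption checks that
# against the post's own pair ('password' -> E8F9...5B73) and Set-TamperHash
# refuses to write anything if the check fails.

function Get-TamperHash {
    param([Parameter(Mandatory=$true)][string]$Password)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)   # UTF-16LE
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    try { ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $sha1.Dispose() }
}

function Test-TamperHashAssumption {
    (Get-TamperHash -Password 'password') -eq 'E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73'
}

function Find-HashCandidates {
    # Lists every 40-hex-digit token in the file with its line number, so the
    # operator can pick the current tamper-protection hash instead of guessing.
    param([string]$Path = 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml')
    Select-String -LiteralPath $Path -Pattern '[0-9A-Fa-f]{40}' -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                [pscustomobject]@{ Line = $_.LineNumber; Hash = $m.Value }
            }
        }
}

function Set-TamperHash {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$OldHash,
        [Parameter(Mandatory=$true)][string]$NewPassword,
        [string]$Path = 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'
    )
    if (-not (Test-TamperHashAssumption)) {
        throw 'Hash derivation assumption does not hold; edit machine.xml by hand instead.'
    }
    $newHash = Get-TamperHash -Password $NewPassword

    # Latin-1 maps every byte to exactly one char, so reading and writing with it
    # preserves the file's bytes (BOM, line endings, any non-ASCII); only the
    # ASCII hex string we target changes.
    $latin1 = [System.Text.Encoding]::GetEncoding('iso-8859-1')
    $text   = $latin1.GetString([System.IO.File]::ReadAllBytes($Path))

    $hits = [regex]::Matches($text, [regex]::Escape($OldHash)).Count
    if ($hits -ne 1) {
        throw "Expected the old hash exactly once in $Path, found $hits. Run Find-HashCandidates and check."
    }

    $backup = "$Path.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    if ($PSCmdlet.ShouldProcess($Path, "replace tamper hash (backup: $backup)")) {
        Copy-Item -LiteralPath $Path -Destination $backup
        [System.IO.File]::WriteAllBytes($Path, $latin1.GetBytes($text.Replace($OldHash, $newHash)))
    }
    $newHash
}

# Usage (Sophos services must already be stopped, as in the post):
# Find-HashCandidates
# Set-TamperHash -OldHash '8E8A6A6DB780D559929D042743DC97BCF6D1AD02' -NewPassword 'password' -WhatIf
# Set-TamperHash -OldHash '8E8A6A6DB780D559929D042743DC97BCF6D1AD02' -NewPassword 'password'
```

Run Find-HashCandidates first and pass the hash it reports as -OldHash; the -WhatIf run shows the backup path and confirms the old hash was found before anything is written.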

We now need to start our services again to go into the application and disable tamper protection manually, but before we do that, we need to be a member of the local SophosAdministrator security group. Thanks to this post about how to add a domain user to a local group, we can programmatically add our account into this group with the following commands:

$ComputerName = Read-Host "Computer name:"
$Group = 'SophosAdministrator'
$domain = 'name.domain.com'
$user = 'domainusername'
([ADSI]"WinNT://$ComputerName/$Group,group").psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)
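As an added example (not from the original post), the following function does the same group addition without prompting for the computer name: it defaults to the account running the script and to the local machine, uses the Add-LocalGroupMember cmdlet where it exists (Windows 10 / Server 2016 and later), falls back to the WinNT provider used above on older systems, and skips the add if the account is already a member. The WinNT provider expects the NetBIOS domain name (CONTOSO), not the DNS name, which is why the account is split on the backslash. Function and parameter names are mine.

```powershell
# Added example, not from the original post. Adds an account to the local
# SophosAdministrator group, preferring the LocalAccounts cmdlets and falling
# back to the ADSI WinNT provider the post uses. Idempotent: does nothing if
# the account is already a member.

function Add-SophosAdmin {
    [CmdletBinding()]
    param(
        # Account in DOMAIN\user or COMPUTER\user form; defaults to the caller.
        [string]$Account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
        [string]$Group   = 'SophosAdministrator'
    )
    $authority, $user = $Account -split '\\', 2
    if (-not $user) { throw "Account must be AUTHORITY\user, got '$Account'" }

    if (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {
        $members = @(Get-LocalGroupMember -Group $Group -ErrorAction Stop | ForEach-Object Name)
        if ($members -contains $Account) { return "$Account already in $Group" }
        Add-LocalGroupMember -Group $Group -Member $Account -ErrorAction Stop
        return "added $Account to $Group"
    }

    # Fallback: WinNT provider. It takes the NetBIOS domain (or computer) name,
    # not the DNS name, so the authority part of DOMAIN\user is used as-is.
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $existing = @($grp.psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($existing -contains $user) { return "$user already in $Group" }
    $grp.psbase.Invoke('Add', "WinNT://$authority/$user")
    return "added $Account to $Group"
}

# Usage: add the account running the script, or name one explicitly.
Add-SophosAdmin
# Add-SophosAdmin -Account 'CONTOSO\admin_username'
```

The script must run elevated for either path to succeed; on a machine in a different domain, pass a local or trusted-domain account explicitly, as the WinNT provider cannot resolve a domain the machine does not trust.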


Once we add the account, the user can disable the tamper-protection feature. Let’s print a message telling whoever runs the script what to do next, and wait for ENTER with a Read-Host cmdlet. A handy thing about PowerShell is that a string on a line by itself is written to the screen, so the message needs nothing more than quotes around it.

(Screenshot: user interaction message)


Following the message, we want to be nice and open the Sophos Endpoint AV Console for the user. The call operator (&) runs the .exe:

& 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVmain.exe'

Now we have the user confirm that tamper protection has been disabled with a Yes/No message box, and stop the script if the answer is anything other than Yes, since Sophos says the uninstall must not be attempted while tamper protection is still on:

Add-Type -AssemblyName PresentationCore,PresentationFramework
$ButtonType = [System.Windows.MessageBoxButton]::YesNo
$MessageIcon = [System.Windows.MessageBoxImage]::Warning
$MessageBody = "Has Tamper Protection been disabled? Is it OK to continue with the uninstall?"
$MessageTitle = "Confirm to Continue Sophos Uninstall"
$Result = [System.Windows.MessageBox]::Show($MessageBody,$MessageTitle,$ButtonType,$MessageIcon)
Write-Host "$Result has been selected"
if ($Result -ne 'Yes') { Write-Warning "Sophos uninstall cancelled"; exit 1 }
Write-Host "Continuing Sophos Uninstall"

(Screenshot: confirmation dialog box)

Now that our prerequisites are out of the way, we can finally uninstall the different Sophos Endpoint components. According to Sophos, it’s important to stop the AutoUpdate service first, so we do that before any msiexec.exe command runs:

#Stop the Sophos AutoUpdate service prior to uninstall
Get-Service 'Sophos AutoUpdate Service' | where {$_.status -eq 'running'} | Stop-Service -force

Next, we call a batch file from PowerShell to run the uninstallers. I chose a separate batch file because testing msiexec.exe command lines inside PowerShell is awkward (quoting and argument passing get in the way), and a separate file gives me more flexibility. As before, the call operator (&) runs the .bat script:

#Run application uninstallers in correct order according to Sophos Docs.
#Silent uninstall, suppress Reboot, and create log file.
#https://www.sophos.com/en-us/support/knowledgebase/109668.aspx
& 'c:\Admin\SAV-msi-uninstall.bat'


The .bat file contains the following lines, which uninstall the Sophos components in the order defined in the Sophos article linked above. The commands are silent, suppress a reboot, and write a verbose log to the Windows\Logs directory. Note that /L*v without a trailing + overwrites the log on each run, so only the last component’s log survives; use /L*v+ if you want all five appended to one file. At the end, a system restart is scheduled with a 15-second delay.

msiexec.exe /X {66967E5F-43E8-4402-87A4-04685EE5C2CB} /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_Log.txt
msiexec.exe /X {1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_Log.txt
msiexec.exe /X {09863DA9-7A9B-4430-9561-E04D178D7017} /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_Log.txt
msiexec.exe /X {FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_Log.txt
msiexec.exe /X {BCF53039-A7FC-4C79-A3E3-437AE28FD918} /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_Log.txt
shutdown /r /t 15
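As an added example (not the post’s batch file), here is the same sequence of uninstalls driven from PowerShell: each product code is checked against the registry Uninstall keys before msiexec.exe is called, the log is appended to rather than overwritten, and the msiexec exit codes are interpreted so that a failure stops the run before any reboot. The product codes are the five from the batch file, in the same order; the function names are mine.

```powershell
# Added example, not the post's batch file. Same five product codes, same
# order, run from PowerShell with a presence check and explicit exit-code
# handling. REBOOT=ReallySuppress blocks every restart msiexec might start;
# /L*v+ appends so one log file holds all components.

$SophosProductCodes = @(
    '{66967E5F-43E8-4402-87A4-04685EE5C2CB}',
    '{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}',
    '{09863DA9-7A9B-4430-9561-E04D178D7017}',
    '{FED1005D-CBC8-45D5-A288-FFC7BB304121}',
    '{BCF53039-A7FC-4C79-A3E3-437AE28FD918}'
)

function Test-MsiProductInstalled {
    # Windows Installer registers each product under one of these Uninstall keys.
    param([Parameter(Mandatory=$true)][string]$ProductCode)
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (Test-Path -LiteralPath (Join-Path $root $ProductCode)) { return $true }
    }
    return $false
}

function Uninstall-MsiProduct {
    param(
        [Parameter(Mandatory=$true)][string]$ProductCode,
        [string]$LogPath = "$env:windir\Logs\Uninstall_SAV_Log.txt"
    )
    if (-not (Test-MsiProductInstalled -ProductCode $ProductCode)) {
        return [pscustomobject]@{ ProductCode = $ProductCode; ExitCode = $null; Result = 'not installed, skipped' }
    }
    $msiArgs = "/x $ProductCode /qn REBOOT=ReallySuppress /L*v+ `"$LogPath`""
    $proc = Start-Process -FilePath "$env:windir\System32\msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
    # Standard Windows Installer exit codes.
    $result = switch ($proc.ExitCode) {
        0       { 'removed' }
        1605    { 'not installed (ERROR_UNKNOWN_PRODUCT)' }
        1641    { 'removed, reboot initiated by installer' }
        3010    { 'removed, reboot required' }
        default { "failed, see $LogPath" }
    }
    [pscustomobject]@{ ProductCode = $ProductCode; ExitCode = $proc.ExitCode; Result = $result }
}

function Uninstall-SophosEndpoint {
    # Stop AutoUpdate first, as Sophos advises, then uninstall in the documented order.
    Get-Service 'Sophos AutoUpdate Service' -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' } | Stop-Service -Force

    $results = foreach ($code in $SophosProductCodes) { Uninstall-MsiProduct -ProductCode $code }
    $results | Format-Table -AutoSize | Out-Host

    $failed = @($results | Where-Object { $null -ne $_.ExitCode -and $_.ExitCode -notin 0, 1605, 1641, 3010 })
    if ($failed.Count -gt 0) {
        throw "$($failed.Count) uninstall(s) failed; not rebooting. Check $env:windir\Logs\Uninstall_SAV_Log.txt"
    }
    if ($results.ExitCode -contains 3010) {
        # Same 15-second delayed restart the batch file uses.
        & "$env:windir\System32\shutdown.exe" /r /t 15
    }
    $results
}

# Uninstall-SophosEndpoint
```

Because the function returns the per-product results, it can be called from a larger script that records which endpoints still need attention instead of relying on the log file alone.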

Finally, we copy our RemoveSophosWithTamperEnabled.ps1 file, SAV-msi-uninstall.bat file, and readme.txt into a single folder. The readme.txt file has the following instructions for running the scripts.
  • Copy RemoveSophosWithTamperEnabled.ps1 and .bat scripts to c:\Admin
  • Open PowerShell as Administrator
  • Run the command (this changes the machine-wide execution policy permanently; add -Scope Process if you only want it for this session):
Set-ExecutionPolicy RemoteSigned
  • Run the command: 
& 'C:\admin\RemoveSophosWithTamperEnabled.ps1' 
  • Follow the instructions and you’re done!





While it may not be the most efficient or elegant script, it cuts the uninstall time significantly, removes the chance of mistakes during a manual uninstall, and teaches us a few things about PowerShell.

Below is the final script in full. I like to include hyperlinks for sources of code that I did not write explicitly in the comments preceding the command.
<#
.SYNOPSIS
PowerShell script to uninstall Sophos AV when tamper protection is enabled and the password is not known. The computer can be in a different AD domain.
#>

#Stop AV services before modifying the .xml file, only if the service is running

Get-Service SAVService,'Sophos Agent',SAVAdminService | where {$_.status -eq 'running'} | Stop-Service -force

#Replace the current tamper-protection password hash with a known hash that corresponds to 'password'.
#https://community.sophos.com/products/free-antivirus-tools-for-desktops/f/17/t/9776

(Get-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml').Replace('8E8A6A6DB780D559929D042743DC97BCF6D1AD02', 'E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73') | Set-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'

#Start AV services again so the console can be opened

Get-Service SAVService,'Sophos Agent',SAVAdminService | ForEach-Object { Start-Service $_.Name -PassThru }

#Get the computer name and add the admin user account to the SophosAdministrator local group.
#The WinNT provider expects the NetBIOS domain name (e.g. CONTOSO) rather than the DNS name.
$ComputerName = Read-Host "Computer name:"
$Group = 'SophosAdministrator'
$domain = 'contoso.domain.com'
$user = 'admin_username'
([ADSI]"WinNT://$ComputerName/$Group,group").psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)

#Tell the user to open Sophos AV and disable tamper protection manually

"Open Sophos Endpoint AV, go to the Configure menu -> Authenticate User -> enter the password 'password' and then go into 'Configure Tamper Protection' and uncheck 'Enable Tamper Protection'. Be sure to close the Sophos AV Console window after disabling Tamper-Protect."
Read-Host "Press ENTER to continue"

#Open the Sophos Endpoint AV Console for the user. Use the call operator (&) to run the .exe

& 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVmain.exe'

#Prompt the user to confirm tamper protection has been disabled.
#https://4sysops.com/archives/how-to-display-a-pop-up-message-box-with-powershell/

Add-Type -AssemblyName PresentationCore,PresentationFramework
$ButtonType = [System.Windows.MessageBoxButton]::YesNo
$MessageIcon = [System.Windows.MessageBoxImage]::Warning
$MessageBody = "Has Tamper Protection been disabled? Is it OK to continue with the uninstall?"
$MessageTitle = "Confirm to Continue Sophos Uninstall"

$Result = [System.Windows.MessageBox]::Show($MessageBody,$MessageTitle,$ButtonType,$MessageIcon)

Write-Host "$Result has been selected"

#Stop here unless the user confirmed: Sophos says the uninstall must not be attempted while tamper protection is on.
if ($Result -ne 'Yes') { Write-Warning "Sophos uninstall cancelled"; exit 1 }

Write-Host "Continuing Sophos Uninstall"

#Stop the Sophos AutoUpdate service prior to uninstall

Get-Service 'Sophos AutoUpdate Service' | where {$_.status -eq 'running'} | Stop-Service -force

#Run application uninstallers in correct order according to Sophos Docs
#Silent uninstall, suppress reboot, and create log file
#https://www.sophos.com/en-us/support/knowledgebase/109668.aspx

& 'c:\Admin\SAV-msi-uninstall.bat'
