How to Disable Tamper Protection Sophos From Registry

Sometimes removing Sophos Endpoint Protection fails: for some weird reason tamper protection gets messed up and keeps telling you that the entered code is invalid, or maybe you lost the password because the Sophos Central account was cancelled. This can help you get things going again:

Overview

This article describes how to recover a tamper protected system if the tamper protection password is lost and the client cannot receive a new policy with a known password.

The following sections are covered:

  • How to recover a tamper protected system
  • Related information
  • Feedback and contact

Applies to the following Sophos products and versions:

  • Central Windows Endpoint
  • Sophos Endpoint Security and Control

How to recover a tamper protected system

Remember to do a backup of the registry before attempting these procedures.

Sophos Enterprise Console managed client

To recover a tamper protected system, you must disable Enhanced Tamper Protection. Do the following:

  1. Boot the system into Safe Mode.
  2. Click Start > Run > type services.msc > right-click the Sophos Anti-Virus service > Properties > set the Startup type to Disabled > then click OK.
  3. Click Start > Run > type regedit and then click OK.
  4. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
  5. Set the following DWORD values to 0: SAVEnabled and SEDEnabled
  6. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0.
  7. Reboot the system in normal mode.

Sophos Central managed client

From 20th January 2018 the Tamper Protection passwords can be retrieved for deleted endpoints/servers from within Sophos Central. To obtain this information:

  1. Log in to Sophos Central.
  2. Access Logs & Reports > Recover Tamper Protection passwords.
  3. Click on View details to expand the password(s) that have been set on the endpoint/server. The password at the top of the list is the most recent.

This password can be used to authenticate on the local endpoint/server, allowing access to the Settings and the option to disable Tamper Protection.

Note: The report will display endpoints/servers that have been deleted over the previous 60 days. At release, the start date for displaying any deleted endpoints/servers is 9th December 2017.

If you do not have access to Sophos Central, the following steps can be used.

To recover a tamper protected system, you must disable Enhanced Tamper Protection. Do the following:

  1. Boot the system into Safe Mode.
  2. Click Start > Run > type services.msc > right-click the Sophos Anti-Virus service > Properties > set the Startup type to Disabled > then click OK.
  3. Click Start > Run > type regedit and then click OK.
  4. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004.
  5. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the following REG_DWORD values to 0: SAVEnabled and SEDEnabled.
  6. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0.
  7. Reboot the system in normal mode.

Enhanced Tamper Protection is now disabled and you should be able to access the system.

Registry keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\TamperProtection
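As an added check that is not part of the Sophos article or this blog post: a read-only PowerShell audit of the registry values the procedure above changes, to confirm Tamper Protection is back in its normal state after a recovery, or to flag that these values were changed when nobody was recovering anything. The "enabled" values it expects (1 for the three flags, Start = 2 for the MCS Agent service) are assumptions, since the article only documents the disabled values; the script never writes to the registry.

```powershell
# Added example, not from the Sophos KB article or the blog: read-only audit of the
# registry values the recovery procedure changes. The expected "enabled" values are
# assumptions (1 for the flags, Start = 2 = Automatic for the service); the article
# only documents the disabled values (0 and 0x00000004). Run from an elevated shell.

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SAVEnabled'; Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SEDEnabled'; Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
       Name = 'Enabled'; Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
       Name = 'Start'; Expected = 2 }
)

function Get-SophosTamperState {
    foreach ($c in $checks) {
        $current = $null
        # Tamper Protection blocks writes to these keys; reads normally succeed.
        $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($c.Name) }

        if ($null -eq $current)           { $status = 'MISSING' }
        elseif ($current -eq $c.Expected) { $status = 'OK' }
        else                              { $status = 'CHANGED' }

        [pscustomobject]@{
            Key      = $c.Path
            Value    = $c.Name
            Current  = $current
            Expected = $c.Expected
            Status   = $status
        }
    }
}

$state = Get-SophosTamperState
$state | Format-Table -AutoSize

# Also report the service that step 2 of the procedure sets to Disabled.
Get-Service -DisplayName 'Sophos Anti-Virus*' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Status, StartType | Format-Table -AutoSize

if ($state.Status -contains 'CHANGED') {
    Write-Warning 'One or more Tamper Protection values differ from the expected enabled state.'
    exit 1
}
```

A MISSING result for every key usually means the product is not installed (or the shell is not elevated), while CHANGED on a machine nobody is recovering is worth a closer look.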

Related information

  • Sophos Endpoint Defense: Default configuration settings
  • 0x00000082: The installation could not be started
  • Sophos Endpoint Defense: Overview
  • Sophos Endpoint Defense: FAQs on Enhanced Tamper Protection
  • Sophos Endpoint Defense: Supported operating systems
  • Sophos Endpoint Defense: How to enable Tamper Protection
  • Sophos Endpoint Defense: How to disable Tamper Protection
  • Sophos Endpoint Defense: Relevant files, folder, and registry entries
  • Enhanced Tamper Protection not supported on systems with Sophos Update Manager

Source: https://community.sophos.com/kb/en-us/124377

Source: https://martinsblog.dk/sophos-endpoint-defense-how-to-recover-a-tamper-protected-system/