Uninstall Sophos Endpoint Protection with Tamper Protection enabled (Windows)

This article will show you how to remove the Sophos Central Endpoint Client from your Windows system, even if the tamper protection prevents this.

Important: This method of uninstalling the Endpoint Client should only be used if there is no chance to disable tamper protection in the normal way. This may be because you forgot your password or deleted your computer from Sophos Central without uninstalling the Endpoint Client on your computer. How to disable tamper protection in the proper way is explained in this tutorial.

Option 1

  1. Boot your Windows system into Safe Mode.
  2. Click Start, then Run, type services.msc, and confirm with Enter or click OK.
  3. Search for the Sophos Anti-Virus service and click on it with the right mouse button.
  4. From the context menu, select Properties and then deactivate the service.
  5. Click Start, then Run again. This time enter regedit and confirm with Enter or click OK.
  6. Go to the following location in the registry editor: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD value Start to 0x00000004.
  7. Next, go to the following location in the registry editor: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the REG_DWORD values SAVEnabled and SEDEnabled to 0.
  8. Finally, go to the following location in the registry editor: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD value Enabled to 0.
  9. Reboot the system in normal mode.

Option 2

  1. Boot your Windows system into Safe Mode.
  2. Then open the command line (Shell) and execute the following commands:
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVService" /t REG_DWORD /v Start /d 0x00000004 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent" /t REG_DWORD /v Start /d 0x00000004 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SAVEnabled /d 0 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection" /t REG_DWORD /v Enabled /d 0 /f
    
  3. Reboot the system in normal mode.

Whichever of the two options you choose, the result should be the same: tamper protection is disabled, and you can uninstall the Endpoint Client without any problems.
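
A read-only PowerShell check of the five registry values from Option 2, showing whether each one is in the state this article sets. This is an added example, not part of the original article or of Sophos tooling; the `DisabledValue` field and the state labels are names chosen for this example.

```powershell
# Added example: read-only audit, nothing is modified.
# Paths and value names come from Option 2 of this article;
# DisabledValue is the number the article writes to each value.
$tpConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SAVService';             Name = 'Start';      DisabledValue = 4 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent';       Name = 'Start';      DisabledValue = 4 },
    @{ Path = $tpConfig;                                                        Name = 'SAVEnabled'; DisabledValue = 0 },
    @{ Path = $tpConfig;                                                        Name = 'SEDEnabled'; DisabledValue = 0 },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection';  Name = 'Enabled';    DisabledValue = 0 }
)

$results = foreach ($c in $checks) {
    # SilentlyContinue: a missing or unreadable key/value is reported, not thrown.
    $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $current = $null
        $state   = 'Missing'
    } else {
        $current = $item.($c.Name)
        $state   = if ($current -eq $c.DisabledValue) { 'Disabled' } else { 'Active' }
    }
    [pscustomobject]@{
        Key     = $c.Path
        Value   = $c.Name
        Current = $current
        State   = $state
    }
}

$results | Format-Table -AutoSize -Wrap

# Summary: how many of the five values are in the state the article sets.
$disabledCount = @($results | Where-Object { $_.State -eq 'Disabled' }).Count
"{0} of {1} values are in the disabled state." -f $disabledCount, $results.Count
```

Five of five in the `Disabled` state means the steps above took effect. The same result on a machine where nobody performed this procedure means protection was switched off by other means and should be investigated.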