Uninstall Sophos Central Endpoint with tamper protection enabled (Windows)

In this article we will show you how to remove Sophos Central Endpoint Client from your Windows system, even though the tamper protection prevents it.

Important: This variant of uninstalling the Endpoint Client should be used only if there is no possibility to disable tamper protection in the normal way. This may be due to forgetting the password or deleting the computer from Sophos Central without first uninstalling the endpoint client from the computer. How to disable tamper protection in the normal way is shown in this tutorial.

Variante 1

  1. Start your Windows system in safe mode.
  2. Click Start, then Ausführen and type services.msc. Confirm with Enter or click on OK.
  3. Search for Sophos Anti-Virus Service and right-click on it.
  4. From the context menu, select Eigenschaften and then deactivate the service.
  5. Now you can click again on Start and then Ausführen. This time type regedit. Confirm with Enter or click OK.
  6. In the registry editor, change to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set REG_DWORD Start to 0x00000004
  7. Next, in the registry editor, go to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0.
  8. Finally, in the registry editor, go to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the value at REG_DWORDto 0.
  9. Now restart the system in normal mode.

Variant 2

YouTube video
  1. Start your Windows system in safe mode.
  2. Then open the command line (shell) and execute the following commands:REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVService" /t REG_DWORD /v Start /d 0x00000004 /f REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent" /t REG_DWORD /v Start /d 0x00000004 /f REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SAVEnabled /d 0 /f REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection" /t REG_DWORD /v Enabled /d 0 /f
  3. Now restart the system in normal mode.

No matter which of the two variants you choose, they should both result in disabling tamper protection and allow you to uninstall the endpoint client without any problems.