Remove Sophos from Mac without tamper protection password.md

 7 months ago
source link: https://gist.github.com/lukebussey/70fe3b245c7b55fa41300670d2698e54

cd /Library/Preferences
sudo rm com.sophos.sav.plist

cd /Library/Application\ Support/Sophos/cloud/Installer.app/Contents/MacOS/tools/
sudo ./InstallationDeployer --force_remove

Open terminal
'command + spacebar' search for "terminal"
vi kill_sophos
Copy text below, right-click on terminal window and select 'Paste':
#!/bin/bash
sudo rm -R /Library/Sophos\ Anti-Virus/
sudo rm -R /Library/Application\ Support/Sophos/
sudo rm -R /Library/Preferences/com.sophos.*
sudo rm /Library/LaunchDaemons/com.sophos.*
sudo rm /Library/LaunchAgents/com.sophos.*
sudo rm -R /Library/Extensions/Sophos*
sudo rm -R /Library/Caches/com.sophos.*
Press 'Esc' on your keyboard
Enter ' :wq' and press return
( Colon W Q Enter)
sudo chmod +x kill_sophos
Enter local mac password
run script by entering below on terminal
./kill_sophos
enter password and watch everything die
Open Finder and go to 'Applications'
click Remove Sophos Endpoint
It will now let you remove Sophos Endpoint without the tamper protection password
Rejoice
Thank you for all the help. It's been rough lol

It worked like a charm, thanks

Open terminal

enter the following 3 commands (one at a time) -- enter password where prompted.
sudo rm -R /Library/Sophos\ Anti-Virus/
sudo rm -R /Library/Preferences/com.sophos.*
sudo /Library/Application\ Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer --remove

Sophos will uninstall.

NOTE: For some installations, replace /saas/ with /cloud/ or /opm/

Note: For clarity, I put my comments in parentheses () and my Terminal commands in quotation marks ""

Open terminal
'command + spacebar' search for "terminal"
vi kill_sophos
(Hit Enter/Return after typing the above line. This creates a VI and names it "kill_sophos".)
Copy text below (Starting with "#!/bin/bash" and ending with "sudo rm -R /Library/Caches/com.sophos.*"), right-click on terminal window and select 'Paste': (It doesn't matter where in the window you paste it, it will end up in the same place. Make sure the text you pasted appears exactly as it looks below.)

#!/bin/bash
sudo rm -R /Library/Sophos\ Anti-Virus/
sudo rm -R /Library/Application\ Support/Sophos/
sudo rm -R /Library/Preferences/com.sophos.*
sudo rm /Library/LaunchDaemons/com.sophos.*
sudo rm /Library/LaunchAgents/com.sophos.*
sudo rm -R /Library/Extensions/Sophos*
sudo rm -R /Library/Caches/com.sophos.*

Press 'Esc' on your keyboard
Enter ' :wq' and press return
( Colon W Q Enter)
sudo chmod +x kill_sophos
Enter local mac password
run script by entering below on terminal
./kill_sophos
enter password and watch everything die (I found this extremely satisfying)
Open Finder and go to 'Applications'
click Remove Sophos Endpoint
It will now let you remove Sophos Endpoint without the tamper protection password
Rejoice
Thank you for all the help. It's been rough lol

It worked like a charm, thanks

Thank you, the "VI" method successfully removed the accursed anti-virus software that was preventing me from using Boot Camp, and at last I am looking at a Windows logo on my mac thanks to you!

For those desperate souls at their wits' end stumbling across this thread in the year 2020 who have no idea what a "VI" is or how to use it (like me), the University of Washington has this short and very helpful guide:

https://www.washington.edu/computing/unix/vi.html

After too much time searching the web for a solution...
thomaslachowsky's version of vinod827's solution worked like a CHARM for me!
Thanks a lot to you both!

@fuze-mlambert this worked great for me. Thank you so much!

👆 worked for me too, thanks!

Thanks @bobbycooke! A real life-saver. Below you can see the exact moment where I was finally able to rid my machine of this pest.

image

@bobbycooke I owe you a beer!

Cheers folks. Threw the following into our MDM platform and managed to remove Sophos Endpoint 9.6 & 9.8 across ~35 devices that had lost contact with Sophos Central and fell out of management:

#!/bin/bash
rm /Library/Sophos\ Anti-Virus/
rm /Library/Preferences/com.sophos.*
/Library/Application\ Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer --remove

Worked for me with Sophos Endpoint 10.x

Indeed – still good. Thanks!

Many thanks!!!

Thanks a lot, you saved me!
By the way: How can I protect myself from the IT crowd installing Sophos remotely over and over again?
(We don't talk to each other that much ;-)

All hail @bobbycooke!!!
Thank you for taking the time to write this out. Your detailed instructions worked for me.

Worked for me too, nothing else would work. Thanks!

@stoltenhoff have a look at profile in system preferences :D

Any such thing for Windows users?

I was able to do it, information was provided by Aditya Patel from Sophos:
"Workaround: you can completely remove the Sophos Anti-Virus software from a Mac endpoint by removing the following files and directories. Obviously it will require admin / sudo permissions, and obviously, you should be quite careful as to not remove other things. here is the list:
/Library/Sophos Anti-Virus/
/Library/Application Support/Sophos/
/Library/Preferences/com.sophos.*
/Library/LaunchDaemons/com.sophos.*
/Library/LaunchAgents/com.sophos.*
/Library/Extensions/Sophos*
/Library/Caches/com.sophos.*
"
the syntax I used was sudo rm -R /Library/see above list

Thanks for this workaround. It saved the day. Don't forget to run the final sudo ./InstallationDeployer --force_remove

for me the Installer.app was in /Applications/Remove Sophos Endpoint.app/Contents/MacOS/tools/ otherwise did the trick!

This didn't work for me, as the Remove Sophos Endpoint.app directory is now nested under a Sophos directory. So here is what did the trick for me:

/Applications/Sophos/Remove Sophos Endpoint.app/Contents/MacOS/tools/

Worked perfectly for me. Thank you! (anyone got a solution for windows machines?)

Thank you @bobbycooke that worked for me!

Thanks so much!!!

cd /Library/Preferences
sudo rm com.sophos.sav.plist
Then opening Remove Sophos Endpoint just worked for me without the tamper protection password.

Indeed! Works like a charm! Thanks guys! 🙌

Do the IT guys get a notification or something like that if you do this?

@samuaz If your IT are any good they will know you've removed it. If you're on a work/school computer, I wouldn't mess around - It's there for a reason. If it's blocking you from working/studying have a discussion with your IT department and go from there. In short, don't remove it unless you're authorized.
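
From the defender's side of the question above, an added example (not from the thread or from Sophos) that flags the removal steps quoted on this page in process-execution records. The tab-separated host/user/cwd/command record format, the rule names and the sample records are assumptions made for illustration.

```python
import posixpath
import shlex

# Path prefixes taken from the removal commands quoted in this thread.
WATCHED_PREFIXES = (
    "/Library/Sophos Anti-Virus",
    "/Library/Application Support/Sophos",
    "/Library/Preferences/com.sophos.",
    "/Library/LaunchDaemons/com.sophos.",
    "/Library/LaunchAgents/com.sophos.",
    "/Library/Extensions/Sophos",
    "/Library/Caches/com.sophos.",
)

def classify(cwd, command):
    """Return a rule name when a command matches a removal step from the thread."""
    try:
        argv = shlex.split(command)  # handles the backslash-escaped spaces in these paths
    except ValueError:               # unbalanced quotes: cannot be parsed, skip it
        return None
    argv = argv[1:] if argv[:1] == ["sudo"] else argv
    if not argv:
        return None
    tool, args = posixpath.basename(argv[0]), argv[1:]
    # Resolve relative arguments against cwd so "cd ...; rm com.sophos.sav.plist" is caught.
    paths = [posixpath.normpath(posixpath.join(cwd, a)) for a in args]
    if tool == "rm" and any(p.startswith(WATCHED_PREFIXES) for p in paths):
        return "endpoint-agent-files-deleted"
    if tool == "InstallationDeployer" and {"--remove", "--force_remove"} & set(args):
        return "uninstaller-run-from-shell"
    if tool == "systemextensionsctl" and "uninstall" in args:
        return "system-extension-uninstalled"
    return None

def scan(records):
    """records: 'host<TAB>user<TAB>cwd<TAB>command' lines (assumed format)."""
    hits = []
    for record in records:
        fields = record.split("\t", 3)
        if len(fields) == 4 and (rule := classify(fields[2], fields[3])):
            hits.append((fields[0], fields[1], rule))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE = [
    "mac-01\talice\t/Users/alice\tsudo rm -R /Library/Sophos\\ Anti-Virus/",
    "mac-01\talice\t/Library/Preferences\tsudo rm com.sophos.sav.plist",
    "mac-02\tbob\t/Users/bob\trm -R /Users/bob/Downloads/Sophos-notes",
]
```

Exec telemetry usually records arguments after glob expansion, which is why the rules match on path prefixes rather than on the literal `com.sophos.*` patterns.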

Just testing out these scripts and it seems like it works great, except it leaves behind the Sophos System Extensions, including an endpoint security system extension and a network system extension.

Any idea how to remove those with a script as well?

To remove them disable System Integrity:
Shut off
Hold power button or CMD+R (depending on the mac) > options > terminal
csrutil disable
Enter username
Enter password
Wait for confirm
Reboot

Open terminal
systemextensionsctl list
systemextensionsctl uninstall TEAMID BUNDLEID (teamid is an id string, the bundleid is com.sophos… etc)
repeat the command for the second extension

Re-enable System Integrity:
Shut off
Hold power button or CMD+R (depending on the mac)> options > terminal
csrutil enable
Enter username
Enter password
Wait for confirm
Reboot

Hello,

I am trying to remove Sophos from VMware Workspace ONE.

Can anyone help me with how exactly this works?

Amazing, thank you so much!

