Sophos Endpoint Defense: How to recover a tamper protected system

Martin 05/04/2018

Sometimes removing Sophos Endpoint Protection fails: for some weird reason tamper protection gets messed up and keeps telling you that the entered code is invalid, or maybe you lost the code because the Sophos Central account was cancelled. This can help you get things going again:

Overview

This article describes how to recover a tamper protected system if the tamper protection password is lost and the client cannot receive a new policy with a known password.

The following sections are covered:

Applies to the following Sophos products and versions
Central Windows Endpoint
Sophos Endpoint Security and Control

How to recover a tamper protected system

Remember to do a backup of the registry before attempting these procedures.

Sophos Enterprise Console managed client

To recover a tamper protected system, you must disable Enhanced Tamper Protection. Do the following:

  1. Boot the system into Safe Mode.
  2. Click Start > Run > type services.msc > right-click Sophos Anti-Virus service > Properties > set the Startup type to Disabled > then click OK.
  3. Click Start > Run > type regedit and then click OK.
  4. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
  5. Set the following REG_DWORD values to 0: SAVEnabled and SEDEnabled.
  6. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0.
  7. Reboot the system in normal mode.

Sophos Central managed client

From 20th January 2018 the Tamper Protection passwords can be retrieved for deleted endpoints/servers from within Sophos Central. To obtain this information:

  1. Log in to Sophos Central.
  2. Access Logs & Reports > Recover Tamper Protection passwords.
  3. Click on View details to expand the password(s) that have been set on the endpoint/server. The password at the top of the list is the most recent.

This password can be used to authenticate on the local endpoint/server, allowing access to the Settings and the option to disable Tamper Protection.

Note: The report will display endpoints/servers that have been deleted over the previous 60 days. For release, the start date for displaying any deleted endpoints/servers is 9th December 2017.

If you do not have access to Sophos Central the following steps can be used.

To recover a tamper protected system, you must disable Enhanced Tamper Protection. Do the following:

  1. Boot the system into Safe Mode.
  2. Click Start > Run > type services.msc > right-click Sophos Anti-Virus service > Properties > set the Startup type to Disabled > then click OK.
  3. Click Start > Run > type regedit and then click OK.
  4. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004.
  5. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0.

  6. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0.
  7. Reboot the system in normal mode.

Enhanced Tamper Protection is now disabled and you should now be able to access the system.

Registry keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\TamperProtection
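Before touching the keys in either procedure, a backup-and-audit pass from an elevated PowerShell prompt is worth having; it also tells you afterwards whether a host is still sitting with tamper protection off. This is an added example, not a script from the Sophos KB or from the blog author; it assumes an Administrator session and a backup folder C:\SophosTPBackup (an assumed path), and it only reads the keys and values listed above.

```powershell
# Added example (not from the Sophos KB or the blog author): export the three
# tamper-protection keys listed in the article with reg.exe, then report the values
# the procedure touches and warn if they show tamper protection is disabled.
# Run as Administrator. $BackupDir is an assumed path; change it as needed.
$BackupDir = 'C:\SophosTPBackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$Keys = @(
    'HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config',
    'HKLM\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent',
    'HKLM\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
)

# 1. Export each key so it can be restored later with "reg import <file>".
foreach ($k in $Keys) {
    $file = Join-Path $BackupDir (($k -split '\\')[-1] + '-' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.reg')
    & reg.exe export $k $file /y | Out-Null
    Write-Host "Exported $k -> $file"
}

# 2. Read the values the procedure modifies; a missing key or value shows as '<absent>'.
function Get-RegValueOrAbsent($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '<absent>' } else { return $item.$Name }
}
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
$mcs = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
$sav = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'

$state = [ordered]@{
    'SAVEnabled (SED Config)' = Get-RegValueOrAbsent $cfg 'SAVEnabled'
    'SEDEnabled (SED Config)' = Get-RegValueOrAbsent $cfg 'SEDEnabled'
    'Enabled (SAVService)'    = Get-RegValueOrAbsent $sav 'Enabled'
    'Start (MCS Agent)'       = Get-RegValueOrAbsent $mcs 'Start'
}
$state.GetEnumerator() | ForEach-Object { Write-Host ('{0,-28} {1}' -f $_.Key, $_.Value) }

# 3. Flag a host left in the procedure's end state (values 0, MCS Agent Start = 4,
#    which is the "Disabled" start type) so protection is re-enabled once recovery is done.
$tpOff = ($state['SAVEnabled (SED Config)'] -eq 0) -or
         ($state['SEDEnabled (SED Config)'] -eq 0) -or
         ($state['Enabled (SAVService)'] -eq 0)
if ($tpOff) { Write-Warning 'Tamper protection values are 0: protection is disabled on this host.' }
if ($state['Start (MCS Agent)'] -eq 4) { Write-Warning 'Sophos MCS Agent service start type is 4 (Disabled).' }
```

Run it once before step 1 of either procedure to get the .reg backups, and again after the final reboot to confirm which values still need to be restored or re-enrolled via policy.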

Related information

Source: https://community.sophos.com/kb/en-us/124377
