Endless Sophos Loop

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
lkpowell
New Member
Posts: 11
Joined: Wed Apr 11, 2012 4:41 pm
Location: Southeast Idaho

Endless Sophos Loop

#1

Post by lkpowell »

I seem to be in an endless Sophos install/uninstall loop, but I don't use the computer often enough to find the issue.

Nearly every Sunday, I'm prompted with a church message that Sophos will be uninstalled. This is fine as I'm aware the church is not going to be using Sophos on clerk computers any longer. I tell it to go ahead and it removes Sophos and I can tell it's no longer installed. Then, next Sunday when I come in to do finances, Sophos is again on the computer and the church message about removing Sophos is back again.

I'm not installing Sophos, so either someone at church headquarters is doing it remotely or there is some automated process like a scheduled task that is detecting Sophos isn't installed and has the overwhelming desire to install it again.

I haven't found anything. This is a new clerk computer...a Lenovo ThinkCentre 11DUS45J00. I have recently installed 11 of these same computers at different wards. No other clerks have been complaining about the same issue, but I fear it exists on all of them.

I called the Global Services Center and I got some noob who claims they can't fix it without the problem happening at the time. However, the only part of it I catch is the notice that it will be uninstalled which is not the problem. The installation is the problem and I have no idea when or how it is getting installed.

Thanks.
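
Added example, not part of lkpowell's post or of any church tooling: a PowerShell sketch for answering "when or how is it getting installed" from the machine's own records. It assumes the Sophos components are Windows Installer (MSI) packages, so the MsiInstaller provider logged them in the Application log; the function names are hypothetical.

```powershell
# Added example. Assumption: the product is installed as MSI packages, so
# MsiInstaller wrote events 1033/11707 (install) and 1034/11724 (removal).
function Get-ProductInstallHistory {
    param(
        [string]$NamePattern = 'Sophos',
        [int]$DaysBack = 30
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1033, 1034, 11707, 11724
        StartTime    = (Get-Date).AddDays(-$DaysBack)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $NamePattern } |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Action  = if ($_.Id -in 1033, 11707) { 'Install' } else { 'Removal' }
                EventId = $_.Id
                # SID the installer ran as. S-1-5-18 is LocalSystem, which points
                # at a service or management agent rather than a logged-on person.
                RunAs   = $_.UserId
                Message = ($_.Message -split "`r?`n")[0]
            }
        }
}

# What is registered as installed right now (64-bit and 32-bit uninstall keys).
function Get-InstalledProductEntry {
    param([string]$NamePattern = 'Sophos')
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $NamePattern } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

# A timeline of install/removal pairs shows the day and hour the reinstall happens.
Get-ProductInstallHistory -DaysBack 30 | Format-Table -AutoSize -Wrap
Get-InstalledProductEntry
```

The timestamps and the RunAs SID from this output are the kind of evidence a support ticket can use even when the reinstall is not happening during the call.
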
danpass
Senior Member
Posts: 514
Joined: Wed Jan 24, 2007 5:38 pm
Location: Oregon City, OR

Re: Endless Sophos Loop

#2

Post by danpass »

Have you tried manually running the tool that puts the computer under church management? It might reset some token somewhere, that will help break out of the loop.
russellhltn
Community Administrator
Posts: 34418
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Endless Sophos Loop

#3

Post by russellhltn »

I'd suggest contacting the GSD and opening a ticket on the issue. They'll also need the S/N of the machine. The developers will need that S/N to look into the issue.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
dnslynn
Member
Posts: 52
Joined: Tue Jan 26, 2010 8:56 pm
Location: Klamath Falls, OR, USA

Re: Endless Sophos Loop

#4

Post by dnslynn »

I also had this problem when I configured our latest batch of clerk computers. The initial computer I configured installed Sophos, and since it was the latest version, a simple uninstall ran up against its new "Tamper Protection" feature. For the first one that this happened on, I called GSD and managed to get them to give me the Tamper Protection password for the computer. The tech had to look in the "workforce" zone (as opposed to the meetinghouse zone) to find it. I believe that for some reason, some computers end up in that zone, so that is why Sophos gets installed. Later on, Big Fix tries to uninstall it, but as near as I can tell, its uninstaller only tries to disable the Sophos services then do an uninstall. But, without the tamper protection password, the services don't shut down and Sophos doesn't uninstall. Hence the continuous loop of uninstall attempts.

When I called GSD two more times to try to get the tamper protection passwords for the other computers I configured (they all eventually installed Sophos), I couldn't manage to explain the problem to them. I was just given the original instructions about manually stopping services and doing the uninstall and told to re-image the computer if that didn't work.

I managed to find instructions online (see link below) for manually disabling Sophos tamper protection. It involves disabling SophosED.sys via advanced startup command prompt, and then disabling the remaining services via registry edits, then uninstalling. However, even after doing this I found that Sophos would re-install, even on machines where Big Fix tried previously to uninstall it.

My final solution was this -- I'm not sure why it works: Disconnect the machine from the internet, disable tamper protection and manually uninstall Sophos. Then recreate the C:\Program Files (x86)\Sophos folder. Change the owner of the folder to the unit number (i.e. clerk) user. Windows will ask if you want to disable permission inheritance when you do this. Clicking yes will remove all permissions for all users (including the unit number user). I also did this for the C:\ProgramData\Sophos directory (applying changes to all files and subdirectories in the process). No machines I have done this on have re-installed Sophos (it's been several weeks now). As I said, I don't know why it works -- maybe just the presence of the Sophos directory is all that is checked to see if Sophos is installed and maybe permissions don't need to be changed.

The instructions for manually removing Sophos tamper protection are at
https://support.sophos.com/support/s/ar ... uage=en_US
Go down to the section entitled "Recover tamper protection password in the registry".
Don't do this while Sophos is updating virus definitions -- one reason to do it while the machine is disconnected from the internet.
russellhltn
Community Administrator
Posts: 34418
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Endless Sophos Loop

#5

Post by russellhltn »

dnslynn wrote: Sun Jan 16, 2022 2:03 pm My final solution was this -- I'm not sure why it works: ... Change the owner of the folder to the unit number (i.e. clerk) user. Windows will ask if you want to disable permission inheritance when you do this.
I'm guessing that changing the permissions crashes any install attempt, either because it can't copy files into the directory, or because a script aborts when it tries to set the permissions.

Working on our stake machine today, I noticed Sophos re-installed on 1/12. <sigh>
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Endless Sophos Loop

#6

Post by Mikerowaved »

russellhltn wrote: Sun Jan 16, 2022 5:52 pm Working on our stake machine today, I noticed Sophos re-installed on 1/12. <sigh>
Oh my. I'm going to have to check mine now.

The latest word I got was Sophos is no longer being used on clerk PC's, and if found, will be uninstalled automatically. It was determined that Microsoft Defender was sufficient, and being free, could save the church a nice sum in Sophos licensing fees. Personally, I haven't seen any installation of Sophos on a clerk PC get removed by the church, automatically or otherwise.
matthewk
New Member
Posts: 11
Joined: Sun May 22, 2011 10:06 pm

Re: Endless Sophos Loop

#7

Post by matthewk »

Sophos is about to be installed by IBM BigFix on a machine I'm provisioning. Are we supposed to try and prevent that?
russellhltn
Community Administrator
Posts: 34418
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Endless Sophos Loop

#8

Post by russellhltn »

matthewk wrote: Fri Mar 11, 2022 7:35 pm Sophos is about to be installed by IBM BigFix on a machine I'm provisioning. Are we supposed to try and prevent that?
I'm not aware of anything you can do about it.
drepouille
Senior Member
Posts: 2859
Joined: Sun Jul 01, 2007 6:06 pm
Location: Plattsmouth, NE

Re: Endless Sophos Loop

#9

Post by drepouille »

I received a new Lenovo Thinkcentre M70q yesterday for my ward. When I booted it up, I found that it had a generic Windows 10 Pro image on it. The Global Service Center told me to create a local user account, then download and install the church provisioning tool. All went well. Then I kicked off Windows Update, and left it to run overnight. This morning, I found all updates had been installed, but the computer was still running Windows 10 20H2. So I went to the Microsoft website and ran the Windows 10 21H2 upgrade assistant, which quickly went to 85% completion, and then slowed to a crawl.

Now I see that Sophos File Scanner and Sophos Endpoint Defense are eating up most of the CPU time. I will just let this run overnight again. Hopefully by morning, 21H2 will have been installed.

I will wait for Monday to call the GSC again to ask them what I need to do about Sophos, which was not supposed to have been installed at all.
Dana Repouille, Plattsmouth, Nebraska
russellhltn
Community Administrator
Posts: 34418
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Endless Sophos Loop

#10

Post by russellhltn »

You might try and see if it will play nice and uninstall through the normal Windows uninstall process.

That might buy you some time.