Endless Sophos Loop

Posted: Wed Jan 12, 2022 1:54 pm
by lkpowell
I seem to be in an endless Sophos install/uninstall loop, but I don't use the computer often enough to find the issue.

Nearly every Sunday, I'm prompted with a church message that Sophos will be uninstalled. This is fine as I'm aware the church is not going to be using Sophos on clerk computers any longer. I tell it to go ahead and it removes Sophos and I can tell it's no longer installed. Then, next Sunday when I come in to do finances, Sophos is again on the computer and the church message about removing Sophos is back again.

I'm not installing Sophos, so either someone at church headquarters is doing it remotely or there is some automated process like a scheduled task that is detecting Sophos isn't installed and has the overwhelming desire to install it again.

I haven't found anything. This is a new clerk computer...a Lenovo ThinkCentre 11DUS45J00. I have recently installed 11 of these same computers at different wards. No other clerks have been complaining about the same issue, but I fear it exists on all of them.

I called the Global Services Center and I got some noob who claims they can't fix it without the problem happening at the time. However, the only part of it I catch is the notice that it will be uninstalled which is not the problem. The installation is the problem and I have no idea when or how it is getting installed.

Thanks.

Re: Endless Sophos Loop

Posted: Wed Jan 12, 2022 3:21 pm
by danpass
Have you tried manually running the tool that puts the computer under church management? It might reset some token somewhere, that will help break out of the loop.

Re: Endless Sophos Loop

Posted: Wed Jan 12, 2022 5:31 pm
by russellhltn
I'd suggest contacting the GSD and opening a ticket on the issue. They'll also need the S/N of the machine. The developers will need that S/N to look into the issue.

Re: Endless Sophos Loop

Posted: Sun Jan 16, 2022 2:03 pm
by dnslynn
I also had this problem when I configured our latest batch of clerk computers. The initial computer I configured installed Sophos, and since it was the latest version, a simple uninstall ran up against its new "Tamper Protection" feature. For the first one that this happened on, I called GSD and managed to get them to give me the Tamper Protection password for the computer. The tech had to look in the "workforce" zone (as opposed to the meetinghouse zone) to find it. I believe that for some reason, some computers end up in that zone, so that is why Sophos gets installed. Later on, Big Fix tries to uninstall it, but as near as I can tell, its uninstaller only tries to disable the Sophos services then do an uninstall. But, without the tamper protection password, the services don't shut down and Sophos doesn't uninstall. Hence the continuous loop of uninstall attempts.

When I called GSD two more times to try to get the tamper protection passwords for the other computers I configured (they all eventually installed Sophos), I couldn't manage to explain the problem to them. I was just given the original instructions about manually stopping services and doing the uninstall and told to re-image the computer if that didn't work.

I managed to find instructions online (see link below) for manually disabling Sophos tamper protection. It involves disabling SophosED.sys via advanced startup command prompt, and then disabling the remaining services via registry edits, then uninstalling. However, even after doing this I found that Sophos would re-install, even on machines where Big Fix tried previously to uninstall it.

My final solution was this -- I'm not sure why it works: Disconnect the machine from the internet, disable tamper protection and manually uninstall Sophos. Then recreate the C:\Program Files (x86)\Sophos folder. Change the owner of the folder to the unit number (i.e. clerk) user. Windows will ask if you want to disable permission inheritance when you do this. Clicking yes will remove all permissions for all users (including the unit number user). I also did this for the C:\ProgramData\Sophos directory (applying changes to all files and subdirectories in the process). No machines I have done this on have re-installed Sophos (it's been several weeks now). As I said, I don't know why it works -- maybe just the presence of the Sophos directory is all that is checked to see if Sophos is installed and maybe permissions don't need to be changed.

The instructions for manually removing Sophos tamper protection are at
https://support.sophos.com/support/s/ar ... uage=en_US
Go down to the section entitled "Recover tamper protection password in the registry".
Don't do this while Sophos is updating virus definitions -- one reason to do it while the machine is disconnected from the internet.
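The original poster's real difficulty is not knowing when or how the reinstall happens, and dnslynn's post explains why the uninstall side fails (tamper protection keeps the services running). The read-only snapshot script below is an added example, not something from this thread or from the church's management tooling; run it each visit (or from a scheduled task) so the reinstall date can be lined up with Windows Installer events and with any scheduled task that references Sophos or BigFix. The log path, the folder list and the MsiInstaller event IDs (1033 install, 1034 removal) are assumptions, and a Sophos build that uses its own installer rather than MSI will not show up in step 3.

```powershell
# Added example (not from the thread): snapshot Sophos state on a clerk PC and append it to a log.
# Log path and event IDs are assumptions; adjust for your environment.
$LogPath = 'C:\ProgramData\SophosLoopLog.txt'   # assumed location
$Lines   = @("==== $(Get-Date -Format s) ====")

# 1. Services: with tamper protection on, these stay running after a failed uninstall.
$svcs = Get-Service -Name 'Sophos*' -ErrorAction SilentlyContinue
if ($svcs) {
    $Lines += 'Sophos services: ' + (($svcs | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', ')
} else {
    $Lines += 'Sophos services: none'
}

# 2. Install folders named in the thread, with their current owner.
foreach ($d in 'C:\Program Files (x86)\Sophos', 'C:\Program Files\Sophos', 'C:\ProgramData\Sophos') {
    if (Test-Path -LiteralPath $d) {
        $owner  = (Get-Acl -LiteralPath $d).Owner
        $Lines += "Folder present: $d (owner: $owner)"
    }
}

# 3. Windows Installer product install/removal events that mention Sophos.
#    MsiInstaller logs installs as ID 1033 and removals as ID 1034 (assumed IDs).
$filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 1034 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Sophos' } | Select-Object -First 20
foreach ($e in $events) {
    $first  = ($e.Message -split "`n")[0]
    $Lines += "MSI event $($e.Id) at $($e.TimeCreated): $first"
}

# 4. Scheduled tasks whose name or action references Sophos or BigFix (the OP's suspicion).
$pattern = 'Sophos|BigFix|BES'
$tasks = Get-ScheduledTask | Where-Object {
    $_.TaskName -match $pattern -or
    (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $pattern)
}
foreach ($t in $tasks) {
    $Lines += "Scheduled task: $($t.TaskPath)$($t.TaskName) state=$($t.State)"
}

$Lines | Add-Content -Path $LogPath
$Lines
```

Compare consecutive snapshots: a Sunday where the services and folders reappear with no matching MSI event points at a non-MSI installer or a remote push, which is the evidence GSD asked for.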

Re: Endless Sophos Loop

Posted: Sun Jan 16, 2022 5:52 pm
by russellhltn
dnslynn wrote: Sun Jan 16, 2022 2:03 pm My final solution was this -- I'm not sure why it works: ... Change the owner of the folder to the unit number (i.e. clerk) user. Windows will ask if you want to disable permission inheritance when you do this.
I'm guessing that changing the permissions crashes any install attempt, either because it can't copy files into the directory, or because a script aborts when it tries to set the permissions.

Working on our stake machine today, I noticed Sophos re-installed on 1/12. <sigh>

Re: Endless Sophos Loop

Posted: Mon Jan 17, 2022 1:59 am
by Mikerowaved
russellhltn wrote: Sun Jan 16, 2022 5:52 pm Working on our stake machine today, I noticed Sophos re-installed on 1/12. <sigh>
Oh my. I'm going to have to check mine now.

The latest word I got was Sophos is no longer being used on clerk PCs, and if found, will be uninstalled automatically. It was determined that Microsoft Defender was sufficient, and being free, could save the church a nice sum in Sophos licensing fees. Personally, I haven't seen any installation of Sophos on a clerk PC get removed by the church, automatically or otherwise.