Sophos removal script (Scripts forum, Coding and Web Development)
  1. #1

    localzuk (Join Date: Dec 2006, Location: Minehead)

    Sophos removal script

    So I am currently faced with replacing the AV software on 300 machines in our school, switching from Sophos to CA eTrust Antivirus.

    Rather than having to click dozens of things on every machine, I have rustled up this nice simple script which
    1. removes executables
    2. removes registry items
    3. removes left over folders
    4. updates the group policy (i.e. to remove Windows Firewall rules for Sophos, and add new ones for eTrust)
    5. reboots the computer


    All it requires is a Windows XP machine and a copy of PSExec. To run it, stick it in a .cmd file and from a command prompt, enter the cmd file followed by the name of the computer to remove Sophos from.
    e.g.
    Code:
    removesophos.cmd \\Computer
    Code:
    @echo off
    rem Usage: removesophos.cmd \\Computer
    rem Without a target, psexec would run every command on the local machine.
    if "%~1"=="" (
        echo Usage: %~nx0 \\Computer
        exit /b 1
    )
    echo "Starting Removal of Sophos"
    
    rem Uninstall the three Sophos MSI packages from the AutoUpdate cache
    psexec %1 msiexec.exe /x "c:\program files\sophos\autoupdate\cache\savxp\sophos anti-virus.msi" /q /norestart
    psexec %1 msiexec.exe /x "c:\program files\sophos\autoupdate\cache\rms\sophos remote management system.msi" /q /norestart
    psexec %1 msiexec.exe /x "c:\program files\sophos\autoupdate\cache\sau\sophos autoupdate.msi" /q /norestart
    
    echo "MSI's removed"
    
    rem HKCU is resolved for the account the remote command runs as
    psexec %1 reg delete HKLM\Software\Sophos /f
    psexec %1 reg delete HKCU\Software\Sophos /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Agent" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SavService" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SAVAdminService" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Agent" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Certification Manager" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos EMLib Update Agent" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SEMscheduler" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Management Service" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Message Router" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SQLAgent$SOPHOS" /f
    psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\MSSQL$SOPHOS" /f
    psexec %1 reg delete "HKLM\System\CurrentControlSet\Services\Eventlog\Sophos" /f
    
    echo "Registry cleaned up"
    
    rem rmdir is a cmd.exe built-in, so it has to be run through cmd /c
    psexec %1 cmd /c rmdir "c:\program files\sophos" /s /q
    
    echo "Sophos folder removed"
    
    rem gpupdate /boot restarts the machine only if a policy extension requires it
    psexec %1 "c:\windows\system32\gpupdate" /force /boot
    
    echo "Group Policy updated"
    echo "Rebooting"
    If anyone can recommend any changes, or if I alter it in any way, give me a shout. Also, obviously, this could be automated with a batch of machines using a second batch file which calls this one repeatedly.

  2. #2
    ICT_GUY (Join Date: Feb 2007, Location: Weymouth)

    Uninstalling Sophos

    On that thread is the Sophos own brand uninstall script. It might be of use to check against.

  3. #3

    localzuk

    Quote: Originally posted by ICT_GUY
    Uninstalling Sophos

    On that thread is the Sophos own brand uninstall script. It might be of use to check against.

    Yeah I used that thread a bit already. Much of it is aimed at running a script on a local machine, or removing the server software, and also refers to older versions of the software (we're now on v7.6.3). My script is an attempt to simplify it all and make it a 'click click done' process.

    Cheers though.

  4. #4
    Galway (Join Date: Jun 2007, Location: West Yorkshire)

    Why are you downgrading your AV?

  5. #5

    localzuk

    Quote: Originally posted by Galway
    Why are you downgrading your AV?

    Because CA AV is provided for free by our LEA, and Sophos would require us to buy licenses ourselves.

  6. #6

    Join Date: Jan 2009, Location: Aberdeenshire

    Etrust Installation on CC3

    At Aberdeenshire LEA we are currently removing Sophos from all our CC3 networks and installing CA Etrust Threat Manager.

    We can successfully remove Sophos by running their removal scripts as 2 packages.

    When we install our Etrust package it breaks the application installation/removal system.

    Appagent will not run and no packages can be added or removed from the computers.

    If you run Appagent manually via an "installrm" command or restart the "Autoexnt" service the computer comes good.

    The same happens if you disable the anti-virus and reboot.

    Sometimes they come good eventually themselves!

    How have you pushed out etrust to the stations and have you encountered these problems?

    I think it might be useful to speak about things?

  7. #7

    john (Join Date: Sep 2005, Location: London)

    @paul have you got the Sophos scripts you mention that you could post them on here please?

  8. #8

    Join Date: Feb 2008, Location: Birmingham

    Hello, I tried the script but the CMD box reads: Access Denied on each line.
    I added Enterprise Admins to local group Admins (a common error when manually removing Sophos) but no luck.
    PSExec is running OK but if you know why this is not completing let me know!

    Thx.

  9. #9

    localzuk

    Are you running it from an administrator command line? In Windows Vista/7 it won't run in a 'normal' cmd prompt, as it hasn't got privileges. Also, bear in mind that this script is from 2009... So, it may not work with newer versions of Sophos.

  10. #10

    Join Date: Nov 2012, Location: Lancashire

    Hello. This is the script that I use for removing version 10. But it can be used for any version. You can copy/paste it into a batch script.
    Code:
    @Rem Batch file to remove RMS, SAU, SCF and SAV sufficiently to allow re-installation via reprotect
    @set ScriptVersion=1.4
    @Rem
    @Rem Return codes:
    @Rem 0 : Removal process completed, no reboot required.
    @Rem 1 : Removal process completed, reboot required.
    @Rem 2 : Administrator privileges required.
    @echo off
    setlocal
    
    call :SetLogFile
    echo %DATE% %TIME% > %LogFile%
    call :echo RemSHH version %ScriptVersion%
    call :echo Log file location:
    call :echo %LogFile%
    
    rem Must be an administrator
    NET SESSION >nul 2>nul
    if ERRORLEVEL 1 (
        call :echoNewLine
        call :echo Administrator privileges are required to run this script.
        endlocal
        exit /B 2
    )
    
    set ProgramDir=%ProgramFiles(x86)%
    if "%ProgramFiles(x86)%" == "" set ProgramDir=%ProgramFiles%
    
    call :echo Removing Sophos Remote Management System
    call :RemRMS >>%LogFile% 2>>&1
    call :echo Removing Sophos AutoUpdate
    call :RemSAU >>%LogFile% 2>>&1
    call :echo Removing Sophos Client Firewall
    call :RemSCF >>%LogFile% 2>>&1
    call :echo Removing Sophos Anti-Virus
    call :RemSAV >>%LogFile% 2>>&1
    
    call :echoNewLine
    call :echo Removal process complete
    
    set rebootRequired=0
    if exist "%Windir%\Temp\SophosRebootTest.txt" set rebootRequired=1
    if exist "%Windir%\Temp\SophosNoupgrade.txt" set rebootRequired=1
    if %rebootRequired%==1 (
        call :echoNewLine
        call :echo A restart is required before re-installing Sophos Anti-Virus.
        endlocal
        exit /B 1
    )
    endlocal
    exit /B 0
    
    
    :echoNewLine
    echo.
    echo. >>%LogFile% 2>>&1
    goto :EOF
    
    
    :echo
    echo %*
    echo %* >>%LogFile% 2>>&1
    goto :EOF
    
    
    :SetLogFile
    set BaseLogName=%TEMP%\SophosForceRemove_%RANDOM%
    set LogFile="%BaseLogName%_Log.txt"
    goto :EOF
    
    
    rem Remove RMS 2.0 & 3.2 +
    :RemRMS
    echo on
    MsiExec.exe /X{FF11005D-CBC8-45D5-A288-25C7BB304121} /qn rebootyesno="no" reboot="supress" /lv* "%BaseLogName%_UninstallRMS2.txt"
    MsiExec.exe /X{FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn rebootyesno="no" reboot="supress" /lv* "%BaseLogName%_UninstallRMS3.txt"
    net stop "Sophos Agent"
    net stop "Sophos Message Router"
    taskkill /F /IM ManagementAgentNT.exe
    taskKill /F /IM RouterNT.exe
    taskKill /F /IM ClientMRInit.exe
    taskKill /F /IM AutoUpdateAgentNT.exe
    taskKill /F /IM EMLibUpdateAgentNT.exe
    rd "%ProgramDir%\Sophos\Remote Management System" /s /q
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Remote Management System"
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System"
    call :RemMSIReg FF11005D-CBC8-45D5-A288-25C7BB304121 D50011FF8CBC5D542A88527CBB031412
    call :RemMSIReg FED1005D-CBC8-45D5-A288-FFC7BB304121 D5001DEF8CBC5D542A88FF7CBB031412
    echo off
    goto :EOF
    
    
    rem SAU 2.x
    :RemSAU
    echo on
    MsiExec.exe /X{15C418EB-7675-42be-B2B3-281952DA014D} /qn rebootyesno="no" reboot="supress" /lv* "%BaseLogName%_UninstallSAU2.txt"
    net stop "Sophos AutoUpdate Service"
    taskkill /F /IM alsvc.exe
    taskkill /F /IM almon.exe
    taskkill /F /IM ALUpdate.exe
    rd "%ProgramDir%\Sophos\AutoUpdate" /s /q
    rd "%AllUsersProfile%\Sophos\AutoUpdate" /s /q
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate"
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\AutoUpdate"
    call :RemMSIReg 15C418EB-7675-42be-B2B3-281952DA014D BE814C515767eb242B3B829125AD10D4
    echo off
    goto :EOF
    
    
    rem Firewall SCF 1.5 & 2.5+
    :RemSCF
    echo on
    MsiExec.exe /X{17071117-5BB2-4737-B05B-C5FABD367313} /qn rebootyesno="no" reboot="supress" /lv* "%BaseLogName%_UninstallSCF15.txt"
    MsiExec.exe /X{12C00299-B8B4-40D3-9663-66ABEA3198AB} /qn rebootyesno="no" reboot="supress" /lv* "%BaseLogName%_UninstallSCF25.txt"
    net stop "Sophos Client Firewall"
    net stop "Sophos Client Firewall Manager"
    taskkill /F /IM SCFService.exe
    taskkill /F /IM SCFManager.exe
    taskkill /F /IM DriverHelper_x64.exe
    taskkill /F /IM op_viewer.exe
    rd "%ProgramDir%\Sophos\Sophos Client Firewall" /s /q
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos Client Firewall"
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Sophos Client Firewall"
    call :RemMSIReg 17071117-5BB2-4737-B05B-C5FABD367313 711170712BB573740BB55CAFDB633731
    call :RemMSIReg 12C00299-B8B4-40D3-9663-66ABEA3198AB 99200C214B8B3D04693666BAAE1389BA
    echo off
    goto :EOF
    
    
    Rem SAV 7.x & 9.x & 10.0.x
    :RemSAV
    rem keep old log
    echo on
    copy "%ALLUSERSPROFILE%\Application Data\Sophos\Sophos Anti-Virus\Logs\sav.txt" "%ALLUSERSPROFILE%\Application Data\Sophos\Sophos Anti-Virus\Logs\removal-backup-txt" /Y
    copy "%ALLUSERSPROFILE%\Application Data\Sophos\Sophos Anti-Virus\Logs\sav.txt" "%BaseLogName%_SAVlog.txt" /Y
    if exist "%Windir%\Temp\SophosRebootTest.txt" (
        set rebootfileexists=1
    ) else (
        set rebootfileexists=0
    )
    MsiExec.exe /X{034759DA-E21A-4795-BFB3-C66D17FAD183} /qn rebootyesno="no" reboot="ReallySuppress" UNINSTALLDRIVERS="0" UNINSTALLCLASSFILTER="0" UNINSTALLBOOTDRIVERS="1" UNINSTALLKMSDRIVERS="1" CHECKFORSCF="0" /lv* "%BaseLogName%_UninstallSAV7.txt"
    MsiExec.exe /X{9ACB414D-9347-40B6-A453-5EFB2DB59DFA} /qn rebootyesno="no" reboot="ReallySuppress" UNINSTALLDRIVERS="0" UNINSTALLCLASSFILTER="0" UNINSTALLBOOTDRIVERS="1" UNINSTALLKMSDRIVERS="1" CHECKFORSCF="0" /lv* "%BaseLogName%_UninstallSAV9.txt"
    rem Compare the variable's value; the bare name never equals 0, so the del never ran
    if "%rebootfileexists%"=="0" (
        del "%Windir%\Temp\SophosRebootTest.txt"
    )
    net stop "SAVService"
    net stop "SAVAdminService"
    net stop "Sophos Web Control Service"
    net stop "swi_service"
    net stop "Sophos Device Control Service"
    net stop "Sophos Web Intelligence Update"
    taskkill /F /IM SAVService.exe
    taskkill /F /IM SAVAdminService.exe
    taskkill /F /IM swc_service.exe
    taskkill /F /IM swi_service.exe
    taskkill /F /IM sdcservice.exe
    taskkill /F /IM SavMain.exe
    taskkill /F /IM SavProgress.exe
    taskkill /F /IM SavProxy.exe
    taskkill /F /IM sdcdevcon.exe
    taskkill /F /IM WSCClient.exe
    taskkill /F /IM BackgroundScanClient.exe
    taskkill /F /IM sav32cli.exe
    taskkill /F /IM native.exe
    rd "%ProgramDir%\Sophos\Sophos Anti-Virus" /s /q
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService"
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\SAVService"
    call :RemMSIReg 034759DA-E21A-4795-BFB3-C66D17FAD183 AD957430A12E5947FB3B6CD671AF1D38
    call :RemMSIReg 9ACB414D-9347-40B6-A453-5EFB2DB59DFA D414BCA974396B044A35E5BFD25BD9AF
    
    copy "%ALLUSERSPROFILE%\Application Data\Sophos\Sophos Anti-Virus\Logs\removal-backup-txt" "%ALLUSERSPROFILE%\Application Data\Sophos\Sophos Anti-Virus\Logs\sav.txt" /Y
    echo off
    goto :EOF
    
    
    :RemMSIReg 
    call :DelRegKey "HKEY_CLASSES_ROOT\Installer\Products\%2"
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\%2"
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{%1}"
    call :DelRegKey "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{%1}"
    goto :EOF
    
    
    :DelRegKey
    echo REGEDIT4 > "%TEMP%\SophosRemSSHRegFile.tmp"
    echo. >> "%TEMP%\SophosRemSSHRegFile.tmp"
    echo [-%~1] >> "%TEMP%\SophosRemSSHRegFile.tmp"
    regedit /S "%TEMP%\SophosRemSSHRegFile.tmp"
    del "%TEMP%\SophosRemSSHRegFile.tmp"
    goto :EOF
    Last edited by techsup1983; 7th December 2012 at 07:43 PM.
