
So I am currently faced with replacing the AV software on 300 machines in our school, switching from Sophos to CA eTrust Antivirus.
Rather than having to click dozens of things on every machine, I have rustled up this nice simple script which
- removes executables
- removes registry items
- removes leftover folders
- updates the group policy (i.e. to remove Windows firewall rules for Sophos, and add new ones for eTrust)
- reboots the computer
All it requires is a Windows XP machine and a copy of PSExec. To run it, stick it in a .cmd file and from a command prompt, enter the cmd file followed by the name of the computer to remove Sophos from.
eg.
Code:
removesophos.cmd \\Computer
If anyone can recommend any changes, or if I alter it in any way, give me a shout. Also, obviously, this could be automated with a batch of machines using a second batch file which calls this one repeatedly.
Code:
@echo off
rem %1 is the target machine in \\Computer form; PsExec must be on the PATH.
echo "Starting Removal of Sophos"
rem Uninstall the three Sophos MSI packages silently, without rebooting yet.
psexec %1 msiexec.exe /x "c:\program files\sophos\autoupdate\cache\savxp\sophos anti-virus.msi" /q /norestart
psexec %1 msiexec.exe /x "c:\program files\sophos\autoupdate\cache\rms\sophos remote management system.msi" /q /norestart
psexec %1 msiexec.exe /x "c:\program files\sophos\autoupdate\cache\sau\sophos autoupdate.msi" /q /norestart
echo "MSI's removed"
rem Remove leftover registry keys.
psexec %1 reg delete HKLM\Software\Sophos /f
rem Under PsExec, HKCU is the hive of the account PsExec runs as, not the logged-on user.
psexec %1 reg delete HKCU\Software\Sophos /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Agent" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SavService" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SAVAdminService" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Agent" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Certification Manager" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos EMLib Update Agent" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SEMscheduler" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Management Service" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sophos Message Router" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SQLAgent$SOPHOS" /f
psexec %1 reg delete "HKLM\SYSTEM\CurrentControlSet\Services\MSSQL$SOPHOS" /f
psexec %1 reg delete "HKLM\System\CurrentControlSet\Services\Eventlog\Sophos" /f
echo "Registry cleaned up"
rem rmdir is a cmd.exe built-in, so it has to be run through cmd /c.
psexec %1 cmd /c rmdir /s /q "c:\program files\sophos"
echo "Sophos folder removed"
rem /boot lets gpupdate restart the machine when a policy extension requires it.
psexec %1 "c:\windows\system32\gpupdate" /force /boot
echo "Group Policy updated"
echo "Rebooting"
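Added example, not part of the original post: a follow-up check that reports whether any of the Sophos service keys, the software key or the program folder from the script above are still present on the target, so a half-removed machine is not mistaken for a clean one. The file name checksophos.cmd is hypothetical, and the check assumes the Remote Registry service is running on the target and that you have admin access to its C$ share.

```batch
@echo off
rem checksophos.cmd (hypothetical name) - added example, not the poster's code.
rem Usage: checksophos.cmd \\Computer
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 \\Computer
    exit /b 2
)

rem reg query returns 1 both for "key not found" and "machine unreachable",
rem so prove the remote registry answers before trusting a "not found".
reg query "%~1\HKLM\SOFTWARE" >nul 2>&1
if errorlevel 1 (
    echo Cannot read the registry on %~1, result unknown
    exit /b 2
)

set LEFT=0

rem Service keys taken from the removal script above (endpoint subset).
for %%S in ("Sophos Agent" "SavService" "SAVAdminService" "Sophos AutoUpdate Agent" "Sophos AutoUpdate Service" "Sophos Message Router") do (
    reg query "%~1\HKLM\SYSTEM\CurrentControlSet\Services\%%~S" >nul 2>&1
    if not errorlevel 1 (
        echo LEFTOVER service key: %%~S
        set /a LEFT+=1
    )
)

reg query "%~1\HKLM\Software\Sophos" >nul 2>&1
if not errorlevel 1 (
    echo LEFTOVER software key: HKLM\Software\Sophos
    set /a LEFT+=1
)

if exist "%~1\c$\program files\sophos\" (
    echo LEFTOVER folder: c:\program files\sophos
    set /a LEFT+=1
)

if %LEFT%==0 echo %~1 is clean
rem Exit code is the number of leftovers, so a calling batch can test errorlevel.
exit /b %LEFT%
```

Run it once the machine has come back up after the removal, and confirm the replacement AV is installed before treating the machine as done.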
Uninstalling Sophos
On that thread is the Sophos own-brand uninstall script. It might be of use to check against.

Yeah I used that thread a bit already. Much of it is aimed at running a script on a local machine, or removing the server software, and also refers to older versions of the software (we're now on v7.6.3). My script is an attempt to simplify it all and make it a 'click click done' process.
Cheers though.
Why are you downgrading your AV?

At Aberdeenshire LEA we are currently removing Sophos from all our CC3 networks and installing CA Etrust Threat Manager.
We can successfully remove Sophos by running their removal scripts as 2 packages.
When we install our Etrust package it breaks the application installation/removal system.
Appagent will not run and no packages can be added or removed from the computers.
If you run Appagent manually via an "installrm" command or restart the "Autoexnt" service, the computer comes good.
The same happens if you disable the anti-virus and reboot.
Sometimes they come good eventually themselves!
How have you pushed out etrust to the stations and have you encountered these problems?
I think it might be useful to speak about things?

@paul have you got the Sophos scripts you mention that you could post them on here please?