https://community.sophos.com/kb/en-us/124377
Sophos Endpoint Defense: How to recover a tamper protected system
KB 124377
20 Jun 2019
Overview
This article describes how to recover a tamper protected system if the tamper protection password is lost and the client cannot receive a new policy with a known password.
Applies to the following Sophos products and versions
Sophos Endpoint Security and Control
Central Endpoint Advanced 11.5.11
Central Endpoint Standard 11.5.11
What to do
Note: Back up the registry before attempting either of these procedures.
Managed by Sophos Enterprise Console
- Boot the endpoint or server in Safe Mode.
- Click Start, then Run, and type services.msc.
- Right-click the Sophos Anti-Virus service, then click Properties.
- Set the Startup type to Disabled, then click OK.
- In Run, type regedit.exe, then click OK.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0.
- Set the Value data of Enabled to 0 in the following:
  - 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection
  - 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
- Enhanced Tamper Protection will now be disabled after you boot the endpoint or server in normal mode.
Managed by Sophos Central
Since 20 January 2018, Tamper Protection passwords can be retrieved for deleted endpoints and servers from within Sophos Central. Follow the steps below to obtain this information:
- Log in to Sophos Central.
- Go to Logs & Reports > Recover Tamper Protection passwords.
- Click View details to expand the password(s) that have been set on the endpoint or server. The password at the top of the list is the most recent. This password can be used to authenticate on the local endpoint or server, giving access to Settings and the option to disable Tamper Protection.
Note: The report displays endpoints and servers that have been deleted over the previous 60 days. At release, the earliest date from which deleted endpoints and servers are displayed is 9 December 2017.
If you do not have access to Sophos Central, perform the following steps to disable the Enhanced Tamper Protection:
- Boot the endpoint or server in Safe Mode.
- Click Start, then Run, and type services.msc.
- Right-click the Sophos Anti-Virus service, then click Properties.
- Set the Startup type to Disabled, then click OK.
- In Run, type regedit.exe, then click OK.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the Value data of Start to 0x00000004.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0.
- Set the Value data of Enabled to 0 in the following:
  - 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection
  - 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
- Enhanced Tamper Protection will now be disabled after you boot the endpoint or server in normal mode.
Registry keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\TamperProtection
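The article tells you to back up the registry before touching these keys, and an administrator who has gone through either procedure (or who suspects someone else has) also wants a quick way to see what state the keys are in. The following PowerShell script is an added example, not part of the Sophos KB and not Sophos code: it exports the keys listed above to .reg files and then reports, for each value the article names (SAVEnabled, SEDEnabled, Enabled, and the MCS Agent Start value), whether it currently holds the "disabled" data the article describes. The function names, the backup directory and the use of an elevated Windows PowerShell 5.1 session are assumptions of the example.

```powershell
# Added example (not from the Sophos KB): back up and audit the tamper-protection
# registry keys named in the article. Assumed: Windows PowerShell 5.1+, run elevated.

$TamperKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
    'HKLM:\SOFTWARE\Sophos\SAVService\TamperProtection'
    'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
)
$McsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'

function Backup-SophosTamperKeys {
    # Export each key that exists to a timestamped .reg file (the backup the KB asks for).
    param([string]$BackupDir = "$env:ProgramData\SophosTamperBackup")  # assumed location
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($key in ($TamperKeys + $McsKey)) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # reg.exe expects HKLM\..., not the PowerShell drive form HKLM:\...
        $regPath = $key -replace '^HKLM:\\', 'HKLM\'
        $file = Join-Path $BackupDir ('{0}-{1}.reg' -f $stamp, ($regPath -replace '[\\ ]', '_'))
        & reg.exe export $regPath $file /y | Out-Null
    }
    return $BackupDir
}

function Get-SophosTamperState {
    # One row per value the article mentions; Disabled is $true when the data matches
    # what the article sets to turn tamper protection off (0) or stop the MCS Agent (4).
    $rows = New-Object 'System.Collections.Generic.List[object]'
    foreach ($key in $TamperKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($name in 'SAVEnabled', 'SEDEnabled', 'Enabled') {
            if ($null -eq $item.$name) { continue }
            $rows.Add([pscustomobject]@{
                Key      = $key
                Value    = $name
                Data     = $item.$name
                Disabled = ($item.$name -eq 0)
            })
        }
    }
    $mcs = Get-ItemProperty -LiteralPath $McsKey -ErrorAction SilentlyContinue
    if ($null -ne $mcs -and $null -ne $mcs.Start) {
        $rows.Add([pscustomobject]@{
            Key      = $McsKey
            Value    = 'Start'
            Data     = $mcs.Start
            Disabled = ($mcs.Start -eq 4)   # 0x00000004, the value the article sets
        })
    }
    return $rows
}

# Usage: take the backup first, then review the state and flag anything already disabled.
$backupDir = Backup-SophosTamperKeys
Write-Host "Registry exports written to $backupDir"
$state = Get-SophosTamperState
$state | Format-Table -AutoSize
$off = @($state | Where-Object Disabled)
if ($off.Count -gt 0) {
    Write-Warning ("{0} tamper-protection value(s) are in the disabled state; confirm this was intentional." -f $off.Count)
}
```

Run it before the recovery procedure to capture the original values, and again afterwards (or on any machine where you did not expect the change) to confirm which of the article's values are set to 0 or 4. The script only reads the keys and writes exports; restoring a value means importing the matching .reg file or setting it back by hand.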