Sophos Endpoint Defense: How to recover a tamper protected system

https://community.sophos.com/kb/en-us/124377

  • 124377

  • 20 Jun 2019

Overview

This article describes how to recover a tamper protected system if the tamper protection password is lost and the client cannot receive a new policy with a known password.

Applies to the following Sophos products and versions

  • Sophos Endpoint Security and Control
  • Central Endpoint Advanced 11.5.11
  • Central Endpoint Standard 11.5.11

What to do

Note: Back up the registry before attempting either of the procedures below, so that the original values can be restored if something goes wrong.

Managed by Sophos Enterprise Console

  1. Boot the endpoint or server in Safe Mode.
  2. Click Start, then Run, and type services.msc.
  3. Right-click the Sophos Anti-Virus service, then click Properties.
  4. Set the Startup type to Disabled, then click the OK button.
  5. In Run, type regedit.exe, then click the OK button.
  6. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0.
  7. Set the Value data of Enabled to 0 in the following:
     • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection
     • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
  8. Enhanced Tamper Protection will now be disabled after you boot the endpoint or server in normal mode.

Managed by Sophos Central

Since 20 January 2018, the Tamper Protection passwords of deleted endpoints and servers can be retrieved from within Sophos Central. Follow the steps below to obtain this information:

  1. Log in to Sophos Central.
  2. Access Logs & Reports > Recover Tamper Protection passwords .
  3. Click View details to expand the password(s) that have been set on the endpoint or server. The password at the top of the list is the most recent. This password can be used to authenticate on the local endpoint or server, allowing access to the Settings and the option to disable Tamper Protection.

Note: The report displays endpoints and servers that have been deleted within the previous 60 days. At release, the earliest date from which deleted endpoints and servers are displayed is 9 December 2017.

If you do not have access to Sophos Central, perform the following steps to disable the Enhanced Tamper Protection:

  1. Boot the endpoint or server in Safe Mode.
  2. Click Start, then Run, and type services.msc.
  3. Right-click the Sophos Anti-Virus service, then click Properties.
  4. Set the Startup type to Disabled, then click the OK button.
  5. In Run, type regedit.exe, then click the OK button.
  6. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the Value data of Start to 0x00000004.
  7. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0.
  8. Set the Value data of Enabled to 0 in the following:
     • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection
     • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
  9. Enhanced Tamper Protection will now be disabled after you boot the endpoint or server in normal mode.
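
Both procedures above change the same registry values, so a single read-only check serves both: it confirms that the recovery took effect, and, run periodically or from a management script, it detects the same values having been changed on an endpoint without authorisation. The PowerShell below is an added example and is not code from the Sophos article or from Sophos. It assumes only what the article states (SAVEnabled, SEDEnabled and Enabled are 0 when disabled; the MCS Agent Start value of 4 is the standard Windows SERVICE_DISABLED start type) plus the standard Win32_Service class, which it uses to look the Sophos Anti-Virus service up by the display name shown in services.msc. It changes nothing and must be run from an elevated prompt.

```powershell
# Added example, not part of the Sophos article: read-only audit of the
# Tamper Protection values the article names. Modifies nothing.

$TamperChecks = @(
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Names = @('SAVEnabled', 'SEDEnabled'); DisabledWhen = 0 },
    @{ Path  = 'HKLM:\SOFTWARE\Sophos\SAVService\TamperProtection'
       Names = @('Enabled'); DisabledWhen = 0 },
    @{ Path  = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
       Names = @('Enabled'); DisabledWhen = 0 },
    # Start = 4 is the standard Windows SERVICE_DISABLED start type (article step 6)
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
       Names = @('Start'); DisabledWhen = 4 }
)

function Get-SophosTamperState {
    # Returns one object per checked value: Path, Name, Value, State.
    $findings = @(foreach ($check in $TamperChecks) {
        if (-not (Test-Path -LiteralPath $check.Path)) {
            # One of the two SAVService keys is normally absent (32-bit vs 64-bit);
            # any other missing key is worth a look.
            [pscustomobject]@{ Path = $check.Path; Name = '(key)'; Value = $null; State = 'KeyMissing' }
            continue
        }
        $props = Get-ItemProperty -LiteralPath $check.Path
        foreach ($name in $check.Names) {
            $value = $props.$name
            $state = 'Enabled'
            if ($null -eq $value) { $state = 'ValueMissing' }
            elseif ($value -eq $check.DisabledWhen) { $state = 'Disabled' }
            [pscustomobject]@{ Path = $check.Path; Name = $name; Value = $value; State = $state }
        }
    })

    # Article step 4: the Sophos Anti-Virus service set to a Disabled startup type.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='Sophos Anti-Virus'"
    $svcMode  = $null
    $svcState = 'ServiceMissing'
    if ($svc) {
        $svcMode  = $svc.StartMode
        $svcState = 'Enabled'
        if ($svc.StartMode -eq 'Disabled') { $svcState = 'Disabled' }
    }
    $findings += [pscustomobject]@{
        Path = 'services.msc'; Name = 'Sophos Anti-Virus (StartMode)'; Value = $svcMode; State = $svcState
    }
    $findings
}

function Test-SophosTamperProtection {
    # Prints the table and returns $true only when every setting is in the Enabled state.
    $findings = Get-SophosTamperState
    $findings | Format-Table Name, State, Value, Path -AutoSize | Out-Host
    $notEnabled = @($findings | Where-Object { $_.State -ne 'Enabled' })
    if ($notEnabled.Count -gt 0) {
        Write-Warning ('{0} Tamper Protection setting(s) are not in the Enabled state' -f $notEnabled.Count)
        return $false
    }
    return $true
}

# Non-zero exit code makes the result usable from a scheduled task or RMM job.
if (-not (Test-SophosTamperProtection)) { exit 1 }
```

Immediately after a recovery the audit is expected to report Disabled for every value; once the endpoint has been re-protected (a new policy with a known password, or Tamper Protection turned back on from Sophos Central), re-run it and expect only Enabled states, with at most one KeyMissing for whichever SAVService location does not apply to the OS bitness. Any later run that reports Disabled on an endpoint nobody is recovering is a tampering signal to investigate.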

Registry keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\TamperProtection
