Uninstall script for Sophos Endpoint Security and Control 10.7 and 10.8

I was recently involved in assisting a customer with removing Sophos Endpoint Security and Control from their desktops and laptops because it was being replaced with Cylance Protect. Anti-Virus products aren't something that I typically deal with so I had to do a bit of searching on the internet to come up with a script that would check for the services and then subsequently remove them. What I noticed during the process was that the Sophos KB article:

How to uninstall Sophos Endpoint Security and Control from the command line or with a batch file
https://community.sophos.com/kb/en-us/109668

… wasn't very helpful because I wasn't able to find all of the components in the registry to extract the uninstall GUID to pair with the msiexec.exe /x command. Another item I noticed was that there are a lot of sample scripts and batch files available but they only worked for specific versions.

So after spending a good half day on this, I thought it would be a good idea to share what finally worked for me in case anyone out there is looking for this. As the title of this post indicates, this works for versions 10.7 and 10.8.

Sophos Uninstall Script – Copy and paste below into a .cmd file

REM Check for the Sophos service

@Echo off

REM --- Check for an existing installation of Sophos Agent
IF NOT EXIST "C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe" (

REM --- Check for an existing installation of Sophos Anti-Virus
IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" (

REM --- Check for an existing installation of Sophos Anti-Virus status reporter
IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe" (

REM --- Check for an existing installation of Sophos AutoUpdate on 32-bit (the 'Sophos AutoUpdate Service' process)
IF NOT EXIST "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" (

REM --- Check for an existing installation of Sophos AutoUpdate on 64-bit (the 'Sophos AutoUpdate Service' process)
IF NOT EXIST "C:\Program Files (x86)\Sophos\AutoUpdate\ALSVC.exe" (

REM --- Check for an existing installation of Sophos Message Router
IF NOT EXIST "C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe" (

REM --- Check for an existing installation of Sophos Network Threat Protection
IF NOT EXIST "C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe" (

REM --- Check for an existing installation of Sophos System Protection Service
IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe" (

REM --- Check for an existing installation of Sophos Web Control Service
IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" (

REM --- Check for an existing installation of Sophos Web Intelligence Service 64-bit
IF NOT EXIST "C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe" (

REM --- Check for an existing installation of Sophos Web Intelligence Service 32-bit
IF NOT EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" (

REM --- Check for an existing installation of Sophos Anti-Virus on Vista+ (the SAV adapter config file)
IF NOT EXIST "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" (

goto _End

))))))))))))

REM --- Disabling Sophos Services
sc config "Sophos Agent" start= disabled
sc config "SAVService" start= disabled
sc config "SAVAdminService" start= disabled
sc config "Sophos AutoUpdate Service" start= disabled
sc config "Sophos Message Router" start= disabled
sc config "SntpService" start= disabled
sc config "sophossps" start= disabled
sc config "Sophos Web Control Service" start= disabled
sc config "swi_service" start= disabled
sc config "swi_update_64" start= disabled

REM --- Stopping Sophos Services
net stop "Sophos AutoUpdate Service"
net stop "Sophos Agent"
net stop "SAVService"
net stop "SAVAdminService"
net stop "Sophos Message Router"
net stop "Sophos Web Control Service"
net stop "swi_service"
net stop "SntpService"
net stop "sophossps"
net stop "swi_filter"

REM --- Taskkill all service processes in case services such as AutoUpdate are still running and will not stop
taskkill /im ManagementAgentNT.exe /f
taskkill /im SavService.exe /f
taskkill /im SAVAdminService.exe /f
taskkill /im ALsvc.exe /f
taskkill /im RouterNT.exe /f
taskkill /im SntpService.exe /f
taskkill /im ssp.exe /f
taskkill /im swc_service.exe /f
taskkill /im swi_update_64.exe /f

REM --- Disable Tamper Protection
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SAVEnabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection" /v Enabled /t REG_DWORD /d 0 /f

REM --- Begin uninstall Sophos Components

REM --- Sophos Network Threat Protection
start /wait MsiExec.exe /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-NTPLog.txt

REM --- Sophos System Protection
start /wait MsiExec.exe /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-SPLog.txt

REM --- Sophos Anti-Virus
start /wait MsiExec.exe /X{23E4E25E-E963-4C62-A18A-49C73AA3F963} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-AVLog.txt

REM --- Sophos Anti-Virus 10.7
start /wait MsiExec.exe /X{65323B2D-83D4-470D-A209-D769DB30BBDB} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-SAVlog.txt

REM --- Sophos Anti-Virus 10.8
start /wait MsiExec.exe /X{6654537D-935E-41C0-A18A-C55C2BF77B7E} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-SAVlog.txt

REM --- Sophos Remote Management System
start /wait MsiExec.exe /X{FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-RMSLog.txt

REM --- Sophos AutoUpdate
taskkill /im ALsvc.exe /f
start /wait MsiExec.exe /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SOPH-AULog.txt

REM --- Sophos Endpoint Defense
"C:\Program Files\Sophos\Endpoint Defense\uninstall.exe"

REM --- End of the script

:_End

———————————————————————————————————————————————–

Here are also a few useful items that I had to document during the process of developing the command above:

List of Services and Executable Locations

| Service Name | Display Name | Path to executable |
|---|---|---|
| Sophos Agent | Sophos Agent | "C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent -ORBListenEndpoints iiop://127.0.0.1 |
| SAVService | Sophos Anti-Virus | "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" |
| SAVAdminService | Sophos Anti-Virus status reporter | "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe" |
| Sophos AutoUpdate Service | Sophos AutoUpdate Service | "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe" |
| Sophos Message Router | Sophos Message Router | "C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 |
| SntpService | Sophos Network Threat Protection | "C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe" |
| sophossps | Sophos System Protection Service | "C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe" |
| Sophos Web Control Service | Sophos Web Control Service | "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe" |
| swi_service | Sophos Web Intelligence Service | "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" |
| swi_update_64 | Sophos Web Intelligence Update | "C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe" |

Obtaining the GUIDs of Applications

You can obtain the GUIDs of installed applications by running the following command from PowerShell:

wmic product get > C:\InstalledPrograms.txt

Locate the GUID of the application that needs to be removed and modify the script to include the correct GUID.
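
Another way to collect the product codes, as an added example that is not part of the original post: it reads the Uninstall registry keys directly (wmic product get queries Win32_Product, which makes Windows Installer run a consistency check on every installed package) and marks any Sophos MSI product whose GUID is not one of the seven hard-coded in the script above. The variable names are illustrative.

```powershell
# Added example (not from the original post). Lists Sophos entries from the
# Uninstall registry keys and flags MSI product codes the script does not cover.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # 32-bit installers register here on 64-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Product codes hard-coded in the uninstall script above (10.7 / 10.8)
$inScript = @(
    '{66967E5F-43E8-4402-87A4-04685EE5C2CB}',  # Network Threat Protection
    '{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}',  # System Protection
    '{23E4E25E-E963-4C62-A18A-49C73AA3F963}',  # Anti-Virus
    '{65323B2D-83D4-470D-A209-D769DB30BBDB}',  # Anti-Virus 10.7
    '{6654537D-935E-41C0-A18A-C55C2BF77B7E}',  # Anti-Virus 10.8
    '{FED1005D-CBC8-45D5-A288-FFC7BB304121}',  # Remote Management System
    '{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54}'   # AutoUpdate
)

# Uninstall subkeys created by MSI packages are named after the product code
$guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

$found = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($p.DisplayName -notlike 'Sophos*') { continue }
        $isMsi = $key.PSChildName -match $guid
        [pscustomobject]@{
            DisplayName     = $p.DisplayName
            DisplayVersion  = $p.DisplayVersion
            KeyName         = $key.PSChildName
            IsMsiProduct    = $isMsi
            # Only MSI product codes can be passed to msiexec /x
            CoveredByScript = $isMsi -and ($inScript -contains $key.PSChildName)
        }
    }
}

$found | Sort-Object DisplayName | Format-Table -AutoSize -Wrap
```

Any row with IsMsiProduct true and CoveredByScript false is a GUID to add to the script for that version.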
