Remove Sophos Antivirus in favour of SCEP with ConfigMgr

I was recently tasked with removing Sophos Antivirus in favour of System Center Endpoint Protection (hereafter referred to as SCEP) using System Center Configuration Manager (hereafter referred to as ConfigMgr).  I was hoping it could simply be deployed and that when SCEP installed it would automatically remove Sophos.  Unfortunately Sophos isn’t on the list of supported antivirus installations for auto-uninstall, so I had to go about it a slightly different way.  Here is how I did it.

Preparation
First I did some research on SCEP and ConfigMgr clients and discovered that when pushing out Endpoint Protection the following Antivirus products are supported for uninstall:

Symantec AntiVirus Corporate Edition version 10
Symantec Endpoint Protection version 11
Symantec Endpoint Protection Small Business Edition version 12
McAfee VirusScan Enterprise version 8
Trend Micro OfficeScan
Microsoft Forefront Codename Stirling Beta 2
Microsoft Forefront Codename Stirling Beta 3
Microsoft Forefront Client Security v1
Microsoft Security Essentials v1
Microsoft Security Essentials 2010
Microsoft Forefront Endpoint Protection 2010
Microsoft Security Center Online v1

This presented a problem, as Sophos is not on the list, so it looks like I’ll have to uninstall Sophos using a script.

Sophos Setup
Sophos is normally pushed out from a management console and can be installed on your workstations in a variety of ways.  We have some settings pushed out via group policy on our domains, with a batch file script that checks whether Sophos is installed by testing for the existence of a folder and, if it is missing, pulls the installation MSI from a shared folder.  The first thing I wanted to do was to unlink this group policy we’d made.  This ensures that when I deploy SCEP from ConfigMgr, Sophos will not forcefully reinstall on the next reboot and undo my work.  Once that’s done I need to do some testing on some VMs.  First I built two VMs, one with Windows 7 and one with Windows 10.  I manually added them to the domain and installed Sophos.  Next I created a checkpoint so that we have a point to refer back to should our test not be successful.

Preparing & Testing Uninstall Script
Sophos comes with a few services and a couple of programs to uninstall.  First let’s create a few lines of code that will stop the services.
Here are the batch file commands I found by searching around the web:

   net stop "Sophos AutoUpdate Service"
   net stop "Sophos Agent"
   net stop "SAVService"
   net stop "SAVAdminService"
   net stop "Sophos Message Router"
   net stop "Sophos Web Control Service"
   net stop "swi_service"
   net stop "swi_update"

Converted to PowerShell:

   Get-Service | Where-Object {$_.DisplayName -Like "Sophos*"} | Stop-Service

Not all of these services will exist or be running; this just covers everything off.  Once the services are stopped, the Sophos knowledgebase article states that you must uninstall the elements of Sophos in a particular order, like so:

  1. Sophos Patch Agent
  2. Sophos Compliance Agent
  3. Sophos Remote Management System
  4. Sophos Client Firewall
  5. Sophos Anti-Virus
  6. Sophos AutoUpdate

You can explore the following registry keys to locate your uninstall commands:

32-bit machines:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
64-bit machines.  Note: on a 64-bit computer you will need to check both the key above and the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Under these keys you will see a folder structure; each folder contains a different program and details about it.  You need to scroll through them all in order to find the ones related to Sophos and extract the uninstall command:


Take note of the DisplayName and the UninstallString.  You’ll notice that the uninstall command, in this case MsiExec.exe /X{15C418EB-7675-42be-B2B3-281952DA014D}, will need extra switches on the end to make it a silent command.  I have added /qn REBOOT=SUPPRESS /PASSIVE to each one I found.

Once you have them all, you’re ready to create your script.   Create it so that the first section of the script stops all the services and the second part uninstalls the programs in the order specified above.  Run this on your test VM and study the results.  Are all the programs uninstalled?  Are all the services removed?  If not, why not?  Go back to the top and see if there’s something you missed.

Folder Condition
Supposing all of the above works properly in the test phase, you may wish to now add some form of try/catch to your script to create a conditional folder which will be used in the ConfigMgr deployment.  If my script completes successfully and Sophos is removed, I have built in that my script will create the folder “C:\Windows\Logs\SophosRemoved”.  You must be careful not to create this folder unless everything worked; you will see why in the next step.
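The registry search described above and the ordered uninstall with the conditional folder, put together as one script.  This is an added example, not the post’s own script: it reads both Uninstall keys instead of scrolling through regedit, sorts the Sophos entries into the order the knowledgebase article requires, treats msiexec exit codes 0, 3010 and 1605 as acceptable, and creates the SophosRemoved folder only when nothing Sophos-branded remains.  It assumes an elevated PowerShell session and the marker path used in the post.

```powershell
# Added example, not the post's script. Assumes an elevated session; marker path as in the post.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
# Removal order required by the Sophos knowledgebase article
$Order = @('Sophos Patch Agent', 'Sophos Compliance Agent', 'Sophos Remote Management System',
           'Sophos Client Firewall', 'Sophos Anti-Virus', 'Sophos AutoUpdate')

function Get-RemovalRank([string]$Name) {
    for ($i = 0; $i -lt $Order.Count; $i++) {
        if ($Name -like "$($Order[$i])*") { return $i }
    }
    return $Order.Count   # Sophos components the article does not name go last
}

# Enumerate both Uninstall keys; MSI-installed products use their product code as the key name
function Get-SophosProduct {
    foreach ($key in $UninstallKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -like 'Sophos*' -and $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
                New-Object PSObject -Property @{
                    DisplayName = $p.DisplayName
                    ProductCode = $_.PSChildName
                    Rank        = Get-RemovalRank $p.DisplayName
                }
            }
        }
    }
}

function Remove-SophosProduct {
    Get-Service | Where-Object { $_.DisplayName -like 'Sophos*' } |
        Stop-Service -Force -ErrorAction SilentlyContinue
    $failed = 0
    foreach ($p in (Get-SophosProduct | Sort-Object Rank, DisplayName)) {
        $code = (Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
                 -ArgumentList "/X$($p.ProductCode) /qn REBOOT=ReallySuppress").ExitCode
        # 0 = removed, 3010 = removed but reboot pending, 1605 = product already gone
        if (@(0, 3010, 1605) -notcontains $code) {
            Write-Warning "$($p.DisplayName) returned msiexec exit code $code"
            $failed++
        }
    }
    # The folder is the ConfigMgr detection rule: create it only when nothing is left
    if ($failed -eq 0 -and -not (Get-SophosProduct)) {
        New-Item -Path 'C:\Windows\Logs\SophosRemoved' -ItemType Directory -Force | Out-Null
    }
    return $failed
}

Remove-SophosProduct
```

Run it on the test VM first and compare Get-SophosProduct before and after; any non-MSI components (the post’s later comment mentions Sophos Endpoint Defense) still need their own uninstaller.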

ConfigMgr
I added my script into ConfigMgr as an application.  The idea being I will deploy this application to clients silently, making it required, which will essentially remove Sophos.  In the applications section I have a scripts folder, so I browse to Software Library \ Overview \ Application Management \ Applications \ Scripts and create a new application.


I select “Manually specify the application information” then give it a name.


I don’t need to specify an Application Catalog entry, so I click Next but I will specify a deployment type by clicking on Add…


Again I will select to “Manually specify the deployment type information”, click Next and then give it a name.


I will specify the network path location of my script and the command line to run it in the boxes highlighted and click Next.  Next I will need to specify a detection clause for the installation.  In this instance I will set it to be the folder “SophosRemoved” I talked about earlier.  What will happen is the application will check for this folder before running; if it exists, it will not run.  You are required to have this clause, and it doesn’t have to be a folder: it could be a log file or anything you want, as long as it’s properly built into your script to be created only if the script (or application) runs successfully.


I will specify some conditions for the clause and then select some for the user experience.   In my case I want it to be hidden from the user, as I don’t want them knowing the AV is changing; they don’t need to be bothered with that.  The next two panes in the wizard ask you to specify any hardware requirements needed for the app alongside any special dependencies, which I don’t need, so the rest of the process is Next, Next, Finish.

Deployment
When the app is created, distribute the content to any DPs you need it on and then deploy it to your collections as normal.  If you then deploy SCEP to the same collection you’ll soon find that Sophos Antivirus has been removed and SCEP is installed.  You can obviously check any deployments by going to Monitoring \ Overview \ Deployments.
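The same application, deployment type, folder-based detection clause, hidden user experience and required deployment built from the ConfigMgr PowerShell module rather than the wizard.  This is an added example, not from the post; the site code PS1, the distribution point name, the collection name and the UNC path holding the script are placeholders, and the cmdlet parameter names are those of the ConfigMgr module as I know them, so check them against Get-Help on your console version.

```powershell
# Added example, not the post's own commands. Site code, DP, collection and UNC path are placeholders.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # site code placeholder

$AppName = 'Remove Sophos Antivirus'
$Content = '\\fileserver\Scripts\RemoveSophos'   # placeholder share containing Remove-Sophos.ps1

New-CMApplication -Name $AppName | Out-Null

# Detection rule: the folder the uninstall script creates only after a clean run.
# If the folder already exists the deployment type counts as installed and the script never runs.
$Detect = New-CMDetectionClauseDirectory -DirectoryName 'SophosRemoved' -Path 'C:\Windows\Logs' -Existence

Add-CMScriptDeploymentType -ApplicationName $AppName -DeploymentTypeName 'Uninstall script' `
    -ContentLocation $Content `
    -InstallCommand 'powershell.exe -ExecutionPolicy Bypass -File Remove-Sophos.ps1' `
    -AddDetectionClause $Detect `
    -InstallationBehaviorType InstallForSystem `
    -UserInteractionMode Hidden | Out-Null

# Distribute the content, then make the deployment required and invisible to the user,
# matching the "hidden" user experience chosen in the wizard.
Start-CMContentDistribution -ApplicationName $AppName -DistributionPointName 'dp01.corp.example'
New-CMApplicationDeployment -CollectionName 'Sophos Workstations' -Name $AppName `
    -DeployAction Install -DeployPurpose Required -UserNotification HideAll | Out-Null
```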

Links
https://technet.microsoft.com/en-us/library/gg682067.aspx – About client settings in ConfigMgr
https://www.sophos.com/en-us/support/knowledgebase/109668.aspx – Uninstall Sophos with a Script


I hope this has been useful to you. 

Jonathan.

Comments (2)

Just wondering what you put in your PowerShell script as a check for successful removal (e.g. Success Code 0) that then created the "SophosRemoved" folder for the Detection Method?

A friend of mine Chris (@serbitor) re-wrote this recently for me.  Here is the code:

# Stop all Sophos Services
Get-Service | Where-Object {$_.DisplayName -Like "Sophos*"} | Stop-Service

# Array of GUIDs for MSI uninstalls
$UninstallGUIDS = @("7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16",
                    "BCF53039-A7FC-4C79-A3E3-437AE28FD918",
                    "9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520",
                    "AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54",
                    "E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E",
                    "8123193C-9000-4EEB-B28A-E74E779759FA",
                    "36333618-1CE1-4EF2-8FFD-7F17394891CE",
                    "DFDA2077-95D0-4C5F-ACE7-41DA16639255",
                    "CA3CE456-B2D9-4812-8C69-17D6980432EF",
                    "3B998572-90A5-4D61-9022-00B288DD755D",
                    "72E30858-FC95-4C87-A697-670081EBF065",
                    "934BEF80-B9D1-4A86-8B42-D8A6716A8D27",
                    "1093B57D-A613-47F3-90CF-0FD5C5DCFFE6",
                    "66967E5F-43E8-4402-87A4-04685EE5C2CB",
                    "A5CCEEF1-B6A7-4EB4-A826-267996A62A9E",
                    "D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44",
                    "E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745",
                    "4627F5A1-E85A-4394-9DB3-875DF83AF6C2",
                    "DFFA9361-3625-4219-82C2-9EF011E433B1",
                    "A1DC5EF8-DD20-45E8-ABBD-F529A24D477B",
                    "1FFD3F20-5D24-4C9A-B9F6-A207A53CF179",
                    "D875F30C-B469-4998-9A08-FE145DD5DC1A",
                    "2C14E1A2-C4EB-466E-8374-81286D723D3A",
                    "D29542AE-287C-42E4-AB28-3858E13C1A3E",
                    "FED1005D-CBC8-45D5-A288-FFC7BB304121")

# Run MSIEXEC uninstall for each GUID in array
$ErrorsOccured = 0
foreach ($GUID in $UninstallGUIDS) {
    $exitcode = (Start-Process -FilePath "msiexec.exe" -ArgumentList "/qn /X{$GUID} REBOOT=ReallySuppress" -Wait -PassThru).ExitCode
    # 0 = removed, 1605 = product not installed on this machine; anything else counts as a failure
    if ($exitcode -ne 0 -and $exitcode -ne 1605) {
        $ErrorsOccured++
    }
}

# Mop up non MSI uninstalls
# SED (Sophos Endpoint Defense) has its own uninstaller; only run it if it is present
$cmd = 'C:\Program Files\Sophos\Endpoint Defense\uninstall.exe'
$arg = '/quiet'
if (Test-Path -Path $cmd) {
    & $cmd $arg
}

# Create the ConfigMgr detection folder only when every MSI uninstall succeeded
if ($ErrorsOccured -eq 0) {
    New-Item -Path "C:\Windows\Logs" -Name SophosRemoved -ItemType directory
}
