While it may not be the most efficient and elegant script, it does bring the uninstall time down significantly, removes potential mistakes during uninstallation, and teaches us a few things about PowerShell. I like to include hyperlinks for sources of code that I did not write explicitly in the comments preceding the command.

Note: If enabled, the Sophos Tamper Protection policy must be disabled on the endpoints involved before attempting to uninstall any component of Sophos Endpoint Security and Control. Normally you would only disable tamper protection if you wanted to make a change to the local Sophos configuration or uninstall an existing Sophos product. However, if you are not the administrator who installed it and who has the password, you will need to obtain the password before you can carry out the procedure.

Before writing code, either build a virtual machine (VM) and take a snapshot, or use something like Clonezilla to take an image of the test system's hard drive.

The script first stops the Sophos services (only those that are actually running), replaces the tamper-protection password hash in machine.xml, and starts the services again so the uninstall can run:

#Stop AV services before modifying file only if service is running
Get-Service SAVService,'Sophos Agent',SAVAdminService | Where-Object { $_.Status -eq 'Running' } | Stop-Service -Force
#Replace default tamper-proof user password hash with known password hash that is equal to 'password'.
#https://community.sophos.com/products/free-antivirus-tools-for-desktops/f/17/t/9776
(Get-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml').Replace('8E8A6A6DB780D559929D042743DC97BCF6D1AD02', 'E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73') | Set-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'
#Start AV services in order to run uninstall
Get-Service SAVService,'Sophos Agent',SAVAdminService | ForEach-Object { Start-Service $_ }

Thanks to this post about how to add a domain user to a local group, we can programmatically add our account into the Sophos Administrator group with the following commands:

$ComputerName = Read-Host "Computer name:"
$Group = 'Sophos Administrator'
$domain = 'name.domain.com'
$user = 'domainusername'
([ADSI]"WinNT://$ComputerName/$Group,group").psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)

In the script the same commands are preceded by a comment describing the step:

#Get the computer name and add admin user account to Sophos Administrator local computer group
$ComputerName = Read-Host "Computer name:"
$Group = 'Sophos Administrator'
$domain = 'contoso.domain.com'
$user = 'admin_username'
([ADSI]"WinNT://$ComputerName/$Group,group").psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)

Once we add the account, we can disable the tamper-protection feature. This step is done manually in the Sophos console, so the script prints the instructions, uses the call operator (&) to open the console for the user, and then asks for confirmation before continuing:

#Need to open Sophos AV, manually remove tamper protection
"Open Sophos Endpoint AV, go to the Configure menu - enter the password 'password' and then go into 'Configure Tamper Protection' and uncheck 'Enable Tamper Protection'. Be sure to close the Sophos AV Console window after disabling Tamper-Protect."
Read-Host "Press ENTER to continue"
#Open Sophos Endpoint AV Console for the user.
& 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVmain.exe'
#Prompt user to confirm tamper protection has been disabled.
Add-Type -AssemblyName System.Windows.Forms
#$MessageBody, $ButtonType and $MessageIcon are not shown on the original page; the values below are assumed.
$MessageBody = "Has Tamper Protection been disabled?"
$ButtonType = [System.Windows.Forms.MessageBoxButtons]::OK
$MessageIcon = [System.Windows.Forms.MessageBoxIcon]::Information
$MessageTitle = "Confirm to Continue Sophos Uninstall"
$Result = [System.Windows.Forms.MessageBox]::Show($MessageBody,$MessageTitle,$ButtonType,$MessageIcon)
Write-Host "$Result has been selected, continuing Sophos Uninstall"

Next, we'll want to call a batch file script from PowerShell to run the uninstallers. I wanted to run a batch file from a PowerShell script, because testing and running inside of PowerShell is overly complicated.

Get-Service 'Sophos AutoUpdate Service' | Where-Object { $_.Status -eq 'Running' } | Stop-Service -Force
#Run application uninstallers in correct order according to Sophos Docs.
#Silent uninstall, suppress Reboot, and create log file.
#https://
& 'c:\Admin\SAV-msi-uninstall.bat'

The batch file contains the following lines that uninstall the Sophos components in a particular order as defined by the Sophos article linked earlier.

REM <ProductCode> and <component> are placeholders: the MSI product codes and the log file name suffixes are not shown on the page.
msiexec /X <ProductCode> /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_<component>.log
msiexec /X <ProductCode> /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_<component>.log
msiexec /X <ProductCode> /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_<component>.log
msiexec /X <ProductCode> /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_<component>.log
msiexec /X <ProductCode> /qn REBOOT=SUPPRESS /L*v %windir%\Logs\Uninstall_SAV_<component>.log
shutdown /r /t 15

Finally, we copy our Remove Sophos With Tamper Enabled.ps1 file, the SAV-msi-uninstall.bat file, and a notes file into a single folder. The notes file contains the instructions for running the scripts.

He is also an avid Linux administrator and currently works in the finance industry.