How to recover a Sophos tamper-protected system

This tip applies to Sophos security admins or anyone managing a Sophos security service or feature, such as Sophos Antivirus available through Sophos Home or Central. Sophos Home is business-grade cybersecurity and is available to every Zambian home user for free.

If you do not have access to Sophos Central, the following steps can be used. To recover a tamper-protected system, you must disable Enhanced Tamper Protection.

The following procedure will work:

  1. Boot the system into Safe Mode.
    Click Start > Run > type services.msc > right-click Sophos Anti-Virus service > Properties > set the Startup type to Disabled > then click OK.
    Click Start > Run > type regedit and then click OK.
  2. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004.
  3. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the REG_DWORD values SAVEnabled and SEDEnabled to 0.
  4. Go to the following location in the registry editor:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0.
  5. Reboot the system in normal mode.

Enhanced Tamper Protection is now disabled, and you should be able to access the system and make the necessary changes.
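To confirm the result, or to spot a machine where these values were changed outside a planned recovery, the following read-only check reports the state of each registry value named in the steps above. It is an added example, not Sophos tooling or part of the original tip; the function name Get-TamperProtectionState and the state labels are hypothetical, and the paths and value names are the ones listed on this page.

```powershell
# Added example: read-only report of the registry values the procedure changes.
# Paths and value names come from the steps on this page; nothing is written.
$pageValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
       Name = 'Start';      DisabledValue = 4 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SAVEnabled'; DisabledValue = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SEDEnabled'; DisabledValue = 0 },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
       Name = 'Enabled';    DisabledValue = 0 }
)

function Get-TamperProtectionState {
    param([Parameter(Mandatory)][hashtable[]]$Checks)

    foreach ($c in $Checks) {
        $value = $null
        $state = 'KeyMissing'          # key absent: product not installed or key removed

        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'
            } else {
                $value = $item.($c.Name)
                # 'Disabled' means the value matches what the procedure sets
                $state = if ($value -eq $c.DisabledValue) { 'Disabled' } else { 'NotDisabled' }
            }
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Key      = $c.Path
            Value    = $c.Name
            Data     = $value
            State    = $state
        }
    }
}

$report = Get-TamperProtectionState -Checks $pageValues
$report | Format-List

# Summarise: any 'Disabled' row means a value matches the procedure's setting.
$changed = @($report | Where-Object { $_.State -eq 'Disabled' })
if ($changed.Count -gt 0) {
    Write-Warning "$($changed.Count) of $($report.Count) tamper protection values are in the disabled state."
}
```

On a machine where no recovery is in progress, a warning from this check means the values above were changed and the cause should be identified.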

 

Feedback

If you have tips and suggestions, don’t hesitate to contact me.


Post Author: Funashi Mwamba

Funashi knows about everything and a lot about something and usually writes about those somethings.