Using Safe Mode to remove Sophos Tamper Protection

Removing Sophos Tamper Protection Without Access to the Cloud Portal

I hit this after a migration away from Sophos. Some machines never checked in after Tamper Protection was disabled centrally, and they still blocked local uninstall. The practical fix was to check what was actually happening, then use Safe Mode and other offline steps where needed.

What you see

The symptoms are usually obvious. The local uninstall fails. Programs and Features still shows Sophos components, but the uninstall button does nothing or throws a tamper error. In logs, you may see lines like Tamper protection is enabled. Uninstall blocked. You may also see the quote others use: Zap doesn’t work if Tamper Protection is enabled.

Common signs:

  • Uninstall blocked dialogs or greyed out uninstall controls.
  • Sophos services still present and restarting themselves.
  • Sophos tray icons that ignore local controls.

Exact log lines vary by version. If you can read the Windows Event Log, search for entries from Sophos or SAVService around the time you tried the uninstall. If you can get to the Sophos logs folder, check recent .log files for Tamper or TamperProtection.

Basic checks:

sc queryex | findstr /i sophos

Expected: a list of Sophos services with STATE: RUNNING or STOPPED. If the agent is broken, services may restart straight away or SERVICE_NAME may not be found.

reg query "HKLM\SOFTWARE\Sophos" /s

Expected: Sophos keys present and readable. The problem case is keys that still show tamper flags, or registry access denied.

If the uninstall gives a specific error code, keep that line. It is useful later if you have to contact support.

Where it happens

This tends to show up on endpoints that never checked in after a policy change. The usual cases are machines left offline during migration, or devices cloned from old snapshots. It also turns up on standalone laptops where an admin set local Tamper Protection.

Typical cases:

  • Machines that were powered off or offline when Tamper Protection was removed centrally.
  • Devices with broken outbound connectivity to Sophos Central. DNS and proxy rules are common causes.
  • Workstations and servers where the Sophos agent drifted out of sync after an OS restore.

If a device cannot check in, it will not receive the central setting that disables Tamper Protection. A change in Sophos Central does nothing on those endpoints until they phone home. Zap failures are common here. Zap is meant as a last resort, and active Tamper Protection blocks it unless you have the tamper code.

A practical check is the agent’s last check-in time. If it says never or shows an old timestamp, the cloud change has not reached the machine.

Find the cause

Do not guess. Test it. The cause is usually one of three things: Tamper Protection stayed enabled centrally but the endpoint never got the change; local policy or registry flags turned it back on; or network issues stop cloud communication.

Checks to run:

  • Network connectivity: ping the Sophos Central endpoints or check DNS resolution for the management URLs. If DNS fails, the agent will not check in.
  • Local policy and permissions: confirm the logged-on user is not blocked from changing security settings. Tamper is there to stop local admin changes.
  • Corrupted agent: if files or services are missing or keep failing, the agent may be half-installed and ignore commands.

Evidence to gather:

ipconfig /all
nslookup <your-sophos-central-host>
sc queryex | findstr /i sophos
netstat -ano | findstr :443

That should tell you whether DNS, service state, or outbound HTTPS is the real problem.

Common examples I have seen:

  • The endpoint stayed on an old image with Tamper Protection active and no route to Central.
  • A proxy or firewall blocked the agent from checking in.
  • The tamper code was unknown because the admin who enabled it had gone.

If the device can check in, fix the network and let it receive the change. If it cannot, use the offline path below.

Fix

I used a two-track approach. Try the clean online route first. If that is not possible, use Safe Mode removal and, if needed, go to Sophos support for a tamper code or remote unlock.

Online-first

  1. Restore connectivity so the endpoint can reach Sophos Central. Check DNS and proxy rules.
  2. Force a check-in from the device or run the Sophos diagnostics agent if you have it.
  3. From Sophos Central, re-apply the Tamper Protection disable policy and wait for check-in. Check that Last check-in updates.

Offline removal with Safe Mode

  1. Reboot into Safe Mode. Use F8 or hold Shift and restart. On newer Windows versions, use Settings > Recovery > Advanced startup.
  2. In Safe Mode, many Sophos drivers and services do not load. Open an elevated command prompt.
  3. Run sc queryex | findstr /i sophos to confirm services are inactive. In Safe Mode, the expected result is no Sophos services running.
  4. Find the Sophos installation folder, usually C:\Program Files\Sophos or C:\Program Files (x86)\Sophos. Move or rename the folder to break service paths.
  5. Run the vendor uninstaller if it is present, or run msiexec /x {product-GUID} if you know the GUID. If you do not, remove the files and clean related registry keys under HKLM\SOFTWARE\Sophos and HKLM\SYSTEM\CurrentControlSet\Services<sophos-service>.
  6. Reboot normally and confirm Sophos components are gone.

Safe Mode removal is not perfect. Some tamper components can still hang around. It is a blunt fix, but it works when the cloud is unreachable.

If SophosZap is available and you have the tamper code, run SophosZap in Safe Mode with the code. Without the code, Zap will fail when Tamper is active.

When you need Sophos support or the tamper code

If you cannot get the tamper code and Safe Mode fails, raise a case with Sophos. Give them the machine serial, agent ID and the exact log lines you collected. They can often provide a tamper reset or a one-time code after identity checks.

Check it’s fixed

Do not trust the missing tray icon. Verify the agent is actually gone.

After removal, check:

  • Reboot and run sc queryex | findstr /i sophos. Expected: no Sophos services, or SERVICE_NAME not found.
  • Check Programs and Features. Expected: no Sophos entries tied to the old agent.
  • Look in ProgramData and Program Files for leftover Sophos folders. Remove any residual files.
  • Confirm network: if the device should move to another product, make sure the new agent installs and registers.

Then check the machine itself.

  • Run a full network check: ping, DNS, and test the service that was being blocked.
  • Watch for Sophos processes coming back. If they restart, Tamper may still be present or the machine may still be linked to Central and pulling policy.
  • Write down the changes you made, with timestamps and command output. Keep that with the device record.

Tamper Protection blocks local removal. It has to be disabled centrally or bypassed with the tamper code or Safe Mode. If the device can check in, fix that first. If not, the offline route is the one that works.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes