Sophos Removal

1. #Sophos Endpoint Removal Script
2.  
3. #Usage examples:
4. # .\removesophos.ps1 # Just logs all messages to screen and file.
5. # .\removesophos.ps1 -Remove YES # Removes all Sophos components and logs all messages to screen and file.
6. # .\removesophos.ps1 -Password 1234567 -Remove YES # Password will be provided to SEDCli.exe if TP is on and SEDCLi.exe exists.
7. # .\removesophos.ps1 -ErrorOnly YES # Only print items that exist (errors) on screen. Still logs all to file.
8. # .\removesophos.ps1 -Remove YES -Restart YES # At the end of the process restart the computer. 10 seconds delay by default intDelaySecondsRestart.
9. # .\removesophos.ps1 -NoLogFile YES # No log file will be created. Messages will still be output to screen. Will run quicker.
10. # .\removesophos.ps1 -Debug YES # Outputs a little more data to screen for debugging purposes. Not expected to be used in normal use.
11.  
12. #Will exit if the following are present and in "remove" mode:
13. # SafeGuard
14. # Update Cache
15. # RMS as a Server/Relay
16. # SLD
17. # AD Sync Tool
18. # SAV for NetApp
19. # PMEX
20. # SEC
21. # SAVDI
22. # Sophos Transparent Authentication Suite (STAS)
23. # Sophos IPsec Client
24. # Sophos Connect
25. # Sophos Connect Admin
26. # Sophos Update Manager (SUM)
27. # Central Message Relay
28.  
29. param(
30. [String]$Password,
31. [String]$Remove,
32. [String]$ErrorOnly,
33. [String]$Restart,
34. [String]$NoLogFile,
35. [String]$Debug,
36. [String]$Silent
37. )
38.  
39. #Version of script
40. $strVer = "7.11"
41. #Start time of script.
42. $StartTime = $(get-date)
43. #Log file location
44. $global:strLogFile = $env:TMP+"\SophosRemoval.txt"
45. $global:blNoLogFile = $false
46. #Global Counters
47. $global:intRegKeysFound = 0
48. $global:intMSIsRun = 0
49. $global:intDetoursUpdated = 0
50. $global:intUninstallCMDsRun = 0
51. $global:intFileFolderExists = 0
52. $global:intFolderFilesAttemptDelete = 0
53. $global:intDriversExist = 0
54. $global:intServicesExist = 0
55. $global:intServicesAttemptedToStop = 0
56. $global:intServicesAttemptedToDelete = 0
57. $global:intProcessTryKill = 0
58. $global:intFilesMarkedForDelete = 0
59. $global:intRemoveUpgradeCodeKey = 0
60. $global:intDriversTriedToStop = 0
61. $global:intRegKeysTryDelete = 0
62. $global:intSophosSurfrightCachedMSIsFound = 0
63. $global:intProcessesFound = 0
64. $global:intLocalSAUUsersFound = 0
65. $global:intLocalSAVGroupsFound = 0
66. $global:intLocalSAUUsersAttemptDelete = 0
67. $global:intLocalSAVGroupsAttemptDelete = 0
68. $global:IFEOWithDebuggerValue = 0
69. $global:IFEOToDelete = 0
70.  
71. #Pre-Checks state
72. $global:blnPastPrechecks = $false
73. #Force mode on, off by default
74. $global:boolForceMode = $false
75. #If one PFRO is created, set this to true for reboot message to display at end
76. $global:boolPFRONeedReboot = $false
77. #Services that should be running if exist
78. $aBFE = "BFE","Base Filtering Engine"
79. $aCryptSvc = "CryptSvc", "Cryptographic Services"
80. $aRPC = "RpcSs", "Remote Procedure Call (RPC)"
81. $aTaskShed = "Schedule", "Task Scheduler"
82. #MSI backup location to be super safe when deleting cached Sophos MSIs
83. $strBackupMSILocation = $env:TMP+"\SophosRemovalMSIs"
84. #Default time in seconds before shutting down
85. $intDelaySecondsRestart = 10
86. #Binary to check for, when checking scheduled scans
87. $strSAVSchedScanExe = "BackgroundScanClient.exe"
88. #Uninstaller Keys
89. $UninstallerKeys = "HKLM:\Software\wow6432node\microsoft\Windows\Currentversion\uninstall","HKLM:\Software\microsoft\Windows\Currentversion\uninstall"
90. $UninstallerKeys2 = "HKLM:\Software\wow6432node\microsoft\Windows\Currentversion\uninstall\*","HKLM:\Software\microsoft\Windows\Currentversion\uninstall\*"
91. #EarlyLaunch key
92. $strEarlyLaunchKey = "HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch"
93. #Registry named value for ELAM backup
94. $strELAMBackupPath = "BackupPath"
95. #Drivers not to stop
96. $DriversNotToStop = "hmpalert","sdcfilter","scfdriver"
97. #process fail to get path or signature
98. $aProcessesToCheck = "sedservice.exe","SophosAgentUI.exe","SophosAgentRelay.exe","SophosCertMgr.exe","SophosCWGScannerAutoUpdater.exe"
99. #Router path and client config value checks
100. $strRouterKey = "32|HKLM|SOFTWARE|Sophos\Messaging System\Router"
101. $strRouterKeyName = "ConnectionCache"
102. $strRouterEPCC = 10
103. #SEC Checks
104. $strSECKey = "32|HKLM|SOFTWARE|Sophos\EE"
105. #SAVDI Checks
106. $strSAVDI = "32|HKLM|SOFTWARE|Sophos\SAVDI"
107. #SAU Updating/Installing Process
108. $strSAUUpdatingProcess = "SophosUpdate.exe","Alupdate.exe"
109. $intRetryCounter = 10
110. #SafeGuard checks
111. $strSafeGuardKeys = "NATIVE|HKLM|SOFTWARE|Policies\Utimaco","NATIVE|HKLM|SOFTWARE|Utimaco"
112. $strSafeGuardFolders = "NATIVE|PROGRAMDATA|Utimaco"
113. #Block on Server Lock Down (SLD)
114. $strSLDKey = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sldsvc"
115. $strSLDDir = "NATIVE|PROGRAMFILES|Sophos\SLD"
116. #Block on STAS
117. $strSTASKey = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\STAS","32|HKLM|SOFTWARE|Sophos\Sophos Transparent Authentication Suite"
118. $strSTASDir = "32|PROGRAMFILES|Sophos\Sophos Transparent Authentication Suite"
119. #Block on Sophos IPsec Client
120. $strIPsecClientKeys = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\ncprwsnt","NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\ncpsec","NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\ncpclcfg","NATIVE|HKLM|SOFTWARE|NCP engineering GmbH"
121. $strIPsecDir = "NATIVE|PROGRAMFILES|Sophos\sophos ipsec client"
122. #Block on Sophos Connect
123. $strSophosConnectKeys = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\scvpn"
124. $strSophosConnectDir = "32|PROGRAMFILES|Sophos\Connect"
125. #Block on Sophos Central Relay
126. $strSophosCentRKeys = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SophosMessageRelayService","32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\MR"
127. $strSophosCentDir = "NATIVE|PROGRAMFILES|Sophos\messagerelay", "NATIVE|PROGRAMDATA|Sophos\messagerelay"
128. #Block on Sophos Connect Admin
129. $strSophosConnectAdDir = "32|PROGRAMFILES|Sophos\ConnectAdmin"
130. #Block on Sophos Central AD Sync Tool
131. $strADSyncKey = "NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Central AD Sync Utility"
132. $strADSyncDir = "32|PROGRAMFILES|Sophos\Cloud\AD Sync"
133. #Block on Update Cache
134. $strUpdateCachedDir = "NATIVE|PROGRAMDATA|Sophos\UpdateCache"
135. $strUpdateCachedReg = "32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\UC"
136. #Block on SAV for NetApp
137. $strSAVNetAppDir = "32|PROGRAMFILES|Sophos\SAV for NetApp"
138. $strSAVNetAppKey = "32|HKLM|SOFTWARE|Sophos\SAV for NetApp"
139. #Block on SUM
140. $strSUMDir = "NATIVE|PROGRAMDATA|Sophos\Update Manager"
141. $strSUMKey = "32|HKLM|SOFTWARE|Sophos\UpdateManager","NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SUM"
142. #Block on SAV for PMEX
143. $strPMEXKey = "32|HKLM|SOFTWARE|Sophos\MMEx"
144. $aPMEXDirs = "NATIVE|PROGRAMFILES|Sophos\PureMessage","32|PROGRAMFILES|Sophos\PureMessage"
145. #Path to the Central uninstaller, will favour this first for best chance of a clean removal
146. $strUninstallAllCommand = $env:ProgramFiles+"\Sophos\Sophos Endpoint Agent\uninstallcli.exe"
147. #Windows Installer Cache
148. $strInstallerCacheDir = "NATIVE|WINDOWS|Installer"
149. #SAU (no XG) has a local user account
150. $strSAULocalUserPrefix = "SophosSAU"
151. #Key for TP state
152. $strSEDStateKey = "hklm:system\currentcontrolset\services\sophos endpoint defense\tamperprotection\config"
153. #SEDCli tool, file, switch and location
154. $strSEDCli = "sedcli.exe"
155. $strSEDOffSwitch = "-TPoff"
156. $strSEDDirectory = "NATIVE|PROGRAMFILES|Sophos\Endpoint Defense"
157. $strSEDEnabled = "SEDEnabled"
158. #Sophos AppInit_DLLs data
159. $strDetoursNative = "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
160. $strDetoursWow = "HKLM:SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Windows"
161. $strAppInitName = "AppInit_DLLs"
162. $strSophosDetours = "\\sophos~"
163. #LSP config information
164. $strWebIntKey = "32|HKLM|SOFTWARE|Sophos\Web Intelligence"
165. $strSWIName = "SwiUpdateAction"
166. $strValueToSet = 3
167. $strSwiUpdate = "swi_update","swi_update_64"
168. $strLSPFileName64 = "swi_ifslsp_64.dll"
169. $strLSPFileName32 = "swi_ifslsp.dll"
170. $strUnregLSPCommandPath = "NATIVE|PROGRAMDATA|Sophos\Web Intelligence"
171. $strUnregLSPCommandBin = "swi_update_64.exe","swi_update.exe"
172. $strUnregLSPCommandPar = "/forceDisableLsp"
173. #SED Service Disable
174. $strSophosEPDServiceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service"
175. $intStartupType = "4"
176. #List of SAV local groups
177. $aSAVGroups = "SophosUser", "SophosAdministrator", "SophosPowerUser", "SophosOnAccess"
178. #Data - UpgradeCodes
179. $aUGCdSCF = "7EDA9D28-FF94-4FC8-938F-98BE1E3D7F76"
180. $aUGCdMCS = "7A6045EF-603A-4648-B227-2221E4A931BB"
181. $aUGCdSPA = "5D2115BD-C9DA-4824-B652-0C40854D0B87"
182. $aUGCdSSP = "54AA7E32-35B0-46F6-B2BD-8540035852FF"
183. $aUGCdSAU = "3B8886D0-98A2-4992-A0AC-893AEDBB494B"
184. $aUGCdSHS = "CB7EF0DC-8D31-461A-B347-C43F9EB23F33"
185. $aUGCdSHB = "5E565706-8F76-4B09-85E1-CBEB34008839"
186. $aUGCdSDU = "509DE7F3-3276-4D09-95F3-27FD21009F87"
187. $aUGCdNTP = "A6CF693D-C171-4DF5-AE49-223B66F65A1A"
188. $aUGCdSAV = "597B239E-3032-491A-A322-817737925E8A"
189. $aUGCdSVRT = "85c95869-44ad-473e-a0af-839dfda60f91"
190. $aUGCdFIM = "B96143BD-1693-4DD6-B4AE-C7F765794E14"
191. $aUGCdNACA = "6C9D648C-7DF5-4F66-960F-16064CD6B86A"
192. $aUGCdRMS = "875FCE2A-79F9-4561-BC5B-74964678E049"
193. $aUGCdCWGAV = "1B29598D-871A-4DF5-9762-ACC7567194AC"
194. $aUGCdCWGCD = "B9A8CD2A-3AFA-4995-8ADD-2B8DC853502F"
195. $aUGCdCWGRT = "10F0CB89-66F0-4DEE-8709-93325C07A84D"
196. $aUGCdCWGNA = "BE5B7E7B-1E6E-4819-929A-52800A41BBC8"
197. $aUGCdCWGMON = "EEF8EA12-FFDF-4129-8C3C-2A071B164BA9"
198. $aUGCDPA = "A2A22F15-1B15-4C23-A9F5-2B9AD5D72E84"
199. $aUGCESH = "CE66E855-6160-4106-88ED-A94A805EDDA7"
200. $aUGCSEF = "8682C52C-8CC7-4923-9F32-920AF207A2C6"
201. $aUGCSUI = "D7FA14A7-AEB7-449D-8176-A0A2C0F5DFE9"
202. $aUGCSH = "FF75EB1E-7115-4D1A-A5FF-B0F23B7789FE"
203. #All EP UG Codes Data
204. $aUGCDataAll = $aUGCdSCF,$aUGCdMCS,$aUGCdSPA,$aUGCdSSP,$aUGCdSAU,$aUGCdSHS,$aUGCdSHB,$aUGCdSDU,$aUGCdNTP,$aUGCdSAV,$aUGCdSVRT,$aUGCdFIM,$aUGCdNACA,$aUGCdRMS,$aUGCdCWGAV,$aUGCdCWGCD,$aUGCdCWGRT,$aUGCdCWGNA,$aUGCdCWGMON,$aUGCDPA,$aUGCESH,$aUGCSEF,$aUGCSUI,$aUGCSH
205. #Commands not to count in stats as always run
206. $aCommandsNotToCount = "netcfg.exe"
207. #Windows Installer "Folders" key
208. $WIFoldersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\'
209. #Partial path matches for items to remove from the Windows Installer "Folders" registry key
210. $toFindInFoldersKey = "\\Programdata\\Sophos\\", `
211. "\\Program Files\\Sophos\\", `
212. "\\Program Files \(x86\)\\Sophos\\", `
213. "\\Program Files\\common files\\Sophos\\", `
214. "\\Program Files \(x86\)\\common files\\Sophos\\"
215. #IFEO keys
216. $strNagiveIFEO = "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
217. $strNagiveIFEOWow = "HKLM:Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
218. $strIFEOAll = $strNagiveIFEO, $strNagiveIFEOWow
219. $strToSkipForIFEO = "ConfigTool.exe","Uploader.exe","install.exe","Uninstall.exe"
220. #Prevent Processing XML entries twice.
221. $strFirstGroupAvoidDups = "Hosting and Hardcoded Processes"
222. #NDIS Checks
223. $strMaxFiltersKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Network\"
224. $strMaxNumFilters = "MaxNumFilters" #Reg key to find, Only exists on Win 7
225. $intDefaultMaxFilters = 8 #The default reg value is 8. (max is 14)
226. $intFiltersRequired = 2 #Suggest 2. SCF and NTP install a NDIS filter.
227. #Other vendor names
228. $aOtherVendors = "AVG","Symantec","Microsoft Security Client","McAfee","Zscaler","Bitdefender","Kaspersky","Microsoft Endpoint Protection","Avast","GriSoft AVG","Crowdstrike","Cylance","Malwarebytes","Panda","Webroot","Trend Micro","F-Secure","Trend OfficeScan","Avira","ClamAV","Comodo","ESET","SentinelOne","VIPRE"
229. #AuthenticodeFlags check for MTD and SCF
230. $AuthenticodeFlagsDWORDProb = 2
231. $strDWORDAuthenticodeValue = "AuthenticodeFlags"
232. $strFlagsTrustedPublisherKeys = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer", "HKLM:\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Safer"
233. #Data to derive logic from, could be an external resource.
234. #XML over JSON to avoid PowerShell 3 and better legacy support.
235. #if statements allows the data to be collapsed in editors.
236.  
237. if($true){
238. $xmlComponents = [xml]@"
239. <?xml version="1.0" encoding="UTF-8"?>
240. <RemovalData>
241. <Components>
242. <HOSTING>
243. <FridendlyName>
244. <element>Hosting and Hardcoded Processes</element>
245. </FridendlyName>
246. <Processes>
247. <element>sophosupdate.exe</element>
248. <element>alsvc.exe</element>
249. <element>almon.exe</element>
250. <element>alupdate.exe</element>
251. <element>ManagementAgentNT.exe</element>
252. <element>mcsagent.exe</element>
253. <element>sophosui.exe</element>
254. <element>sophos ui.exe</element>
255. <element>SophosAgentUI.exe</element>
256. <element>savmain.exe</element>
257. <element>sophos-cwg-monitor.exe</element>
258. <element>SophosAgentRelay.exe</element>
259. <element>SophosCertMgr.exe</element>
260. <element>SophosCWGScannerAutoUpdater.exe</element>
261. </Processes>
262. <UserModeService>
263. <element>Sophos AutoUpdate Service</element>
264. <element>Sophos MCS Agent</element>
265. <element>Sophos Agent</element>
266. <element>SAVService</element>
267. <element>SAVAdminService</element>
268. <element>swi_service</element>
269. </UserModeService>
270. </HOSTING>
271. <RMS>
272. <FoldersFiles>
273. <element>32|PROGRAMFILES|Sophos\Remote Management System</element>
274. <element>NATIVE|PROGRAMDATA|Sophos\Remote Management System</element>
275. </FoldersFiles>
276. <FridendlyName>
277. <element>Sophos Remote Management System (RMS)</element>
278. </FridendlyName>
279. <MSIProductCodes>
280. <element>FED1005D-CBC8-45D5-A288-FFC7BB304121</element>
281. <element>FF11005D-CBC8-45D5-A288-25C7BB304121</element>
282. <element>15C418EB-7675-42BE-B2B3-281952DA014D</element>
283. <element>D924231F-D02D-4E0B-B511-CC4A0E3ED547</element>
284. </MSIProductCodes>
285. <Processes>
286. <element>ManagementAgentNT.exe</element>
287. <element>RouterNT.exe</element>
288. <element>ClientMRInit.exe</element>
289. </Processes>
290. <RegKeys>
291. <element>32|HKLM|SOFTWARE|Sophos\Messaging System</element>
292. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System</element>
293. </RegKeys>
294. <UserModeService>
295. <element>Sophos Message Router</element>
296. <element>Sophos Agent</element>
297. </UserModeService>
298. </RMS>
299. <MCS>
300. <FoldersFiles>
301. <element>32|PROGRAMFILES|Sophos\Management Communications System</element>
302. <element>NATIVE|PROGRAMDATA|Sophos\Management Communications System\Endpoint\channels\EDR</element>
303. <element>NATIVE|PROGRAMDATA|Sophos\Management Communications System</element>
304. <element>NATIVE|PROGRAMDATA|Sophos\Remote Management System</element>
305. <element>NATIVE|PROGRAMDATA|Sophos\Certificates\Management Communications System</element>
306. <element>NATIVE|PROGRAMDATA|Sophos\Certificates</element>
307. </FoldersFiles>
308. <FridendlyName>
309. <element>Sophos Management Communication System (MCS)</element>
310. </FridendlyName>
311. <MSIProductCodes>
312. <element>A1DC5EF8-DD20-45E8-ABBD-F529A24D477B</element>
313. <element>1FFD3F20-5D24-4C9A-B9F6-A207A53CF179</element>
314. <element>D875F30C-B469-4998-9A08-FE145DD5DC1A</element>
315. <element>2C14E1A2-C4EB-466E-8374-81286D723D3A</element>
316. </MSIProductCodes>
317. <UninstallCMDs>
318. <element>32|PROGRAMFILES|Sophos\Management Communications System\Endpoint\Uninstall.exe!/quiet</element>
319. </UninstallCMDs>
320. <PFRO>
321. <element>NATIVE|PROGRAMDATA|Sophos\Certificates</element>
322. </PFRO>
323. <Processes>
324. <element>mcsagent.exe</element>
325. <element>mcsclient.exe</element>
326. </Processes>
327. <RegKeys>
328. <element>32|HKLM|SOFTWARE|Sophos\Management Communications System</element>
329. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System</element>
330. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\MCS</element>
331. <element>NATIVE|HKCU|SOFTWARE|Sophos\Management Communications System\Registration</element>
332. <element>NATIVE|HKCU|SOFTWARE|Sophos\Management Communications System</element>
333. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\Sophos Management Communications System</element>
334. </RegKeys>
335. <UserModeService>
336. <element>Sophos MCS Agent</element>
337. <element>Sophos MCS Client</element>
338. </UserModeService>
339. </MCS>
340. <NTP>
341. <UninstallCMDs>
342. <element>NATIVE|WINDOWS|SYSTEM32\netcfg.exe!/u SOPHOS_SOPHOSNTPLWF</element>
343. </UninstallCMDs>
344. <Driver>
345. <element>sntp</element>
346. <element>sophosntplwf</element>
347. </Driver>
348. <FoldersFiles>
349. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Network Threat Protection</element>
350. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Network Threat Protection</element>
351. <element>NATIVE|PROGRAMDATA|Sophos\Heartbeat</element>
352. <element>NATIVE|WINDOWS|System32\Drivers|sophosntplwf.sys</element>
353. <element>NATIVE|WINDOWS|System32\Drivers|sntp.sys</element>
354. </FoldersFiles>
355. <FridendlyName>
356. <element>Sophos Network Threat Protection</element>
357. </FridendlyName>
358. <MSIProductCodes>
359. <element>604350BF-BE9A-4F79-B0EB-B1C22D889E2D</element>
360. <element>66967E5F-43E8-4402-87A4-04685EE5C2CB</element>
361. <element>2D2A1891-4657-4E6F-9373-BFCE4C9AC5BA</element>
362. </MSIProductCodes>
363. <Processes>
364. <element>sntpservice.exe</element>
365. <element>SophosNtpTelemetry.exe</element>
366. <element>SophosNtpService.exe</element>
367. <element>SophosSnort.exe</element>
368. </Processes>
369. <RegKeys>
370. <element>NATIVE|HKLM|SOFTWARE|Sophos\Sophos Network Threat Protection</element>
371. <element>32|HKLM|SOFTWARE|Sophos\Heartbeat</element>
372. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sntpservice</element>
373. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sntp</element>
374. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sophosntplwf</element>
375. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\NTP</element>
376. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos Network Threat Protection Diagnostics</element>
377. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{04aa2cbe-7547-4bd8-b629-381b838565fb}</element>
378. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\Sophos-NetworkThreatProtection-Driver</element>
379. <element>NATIVE|HKLM|SOFTWARE|Classes\AppID\{C092D533-8791-42F8-8EBE-DB116F79B4B7}</element>
380. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{6886D7DB-850A-4C92-A2F7-CBD741F825E5}</element>
381. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Control\SafeBoot\Network\SntpService</element>
382. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\Sophos Network Threat Protection</element>
383. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SNTP</element>
384. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SOPHOSNTPLWF</element>
385. </RegKeys>
386. <UserModeService>
387. <element>sntpservice</element>
388. </UserModeService>
389. </NTP>
390. <SCF>
391. <Driver>
392. <element>SFWCallout</element>
393. </Driver>
394. <FoldersFiles>
395. <element>32|PROGRAMFILES|Sophos\Sophos Client Firewall</element>
396. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Client Firewall</element>
397. <element>NATIVE|WINDOWS|SYSTEM32\DRIVERS\SFWCallout.sys</element>
398. <element>NATIVE|WINDOWS|SYSTEM32\DRIVERS\scfdriver.sys</element>
399. <element>NATIVE|WINDOWS|SYSTEM32\DRIVERS\scfndis.sys</element>
400. <element>32|COMMONPROGRAMFILES|Sophos\Sophos Client Firewall</element>
401. </FoldersFiles>
402. <FridendlyName>
403. <element>Sophos Client Firewall</element>
404. </FridendlyName>
405. <UninstallCMDs>
406. <element>32|PROGRAMFILES|Sophos\Sophos Client Firewall\DriverHelper_x64.exe!/uninstall /legacy_ndis</element>
407. <element>32|PROGRAMFILES|Sophos\Sophos Client Firewall\DriverHelper_Win32.exe!/uninstall /legacy_ndis</element>
408. </UninstallCMDs>
409. <MSIProductCodes>
410. <element>17071117-5BB2-4737-B05B-C5FABD367313</element>
411. <element>12C00299-B8B4-40D3-9663-66ABEA3198AB</element>
412. <element>A805FB2A-A844-4cba-8088-CA64087D59E1</element>
413. <element>12C00299-B8B4-40D3-9663-66ABEA3198AB</element>
414. </MSIProductCodes>
415. <Processes>
416. <element>DriverHelper_x64.exe</element>
417. <element>DriverHelper_Win32.exe</element>
418. <element>op_viewer.exe</element>
419. <element>SCFManager.exe</element>
420. <element>SCFService.exe</element>
421. <element>ConfigTool.exe</element>
422. <element>CustomLogViewWrapper.exe</element>
423. </Processes>
424. <RegKeys>
425. <element>32|HKLM|SOFTWARE|Sophos\Sophos Client Firewall</element>
426. <element>32|HKLM|SOFTWARE|Sophos\Heartbeat</element>
427. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Client Firewall</element>
428. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Client Firewall Manager</element>
429. <element>NATIVE|HKLM|SYSTEM|ControlSet001\Services\Sophos Client Firewall</element>
430. <element>NATIVE|HKLM|SYSTEM|ControlSet001\Services\Sophos Client Firewall Manager</element>
431. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Control\SafeBoot\Network\Sophos Client Firewall</element>
432. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Control\SafeBoot\Network\Sophos Client Firewall Manager</element>
433. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SFWCallout</element>
434. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\SCF</element>
435. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\services\scfndis</element>
436. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\services\scfdriver</element>
437. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{AACC1E53-F734-42C2-A5D0-649E4A59AC5D}</element>
438. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\Sophos Client Firewall</element>
439. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\Sophos Client Firewall Manager</element>
440. <element>NATIVE|HKLM|SOFTWARE|Classes\AppID\{387EF71D-9F19-4059-B6E5-B29E521AF040}</element>
441. <element>NATIVE|HKLM|SOFTWARE|Classes\AppID\{B75ECD8A-5E2B-4D7E-8034-4E91B4FC6E26}</element>
442. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{0AE20EE6-FC5C-42A4-9F0C-502D98EA0073}</element>
443. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{5960078F-7D29-4A18-8493-749E10B37215}</element>
444. <element>32|HKLM|SOFTWARE|Classes\CLSID\{0C7ECBE2-1386-4B21-BF29-6233C07AFF8C}</element>
445. <element>32|HKLM|SOFTWARE|Classes\CLSID\{3F3D6947-500C-40A3-9F45-893CED400B41}</element>
446. <element>32|HKLM|SOFTWARE|Classes\CLSID\{4AC2AB2B-CA79-4BBB-B351-DAFE860DA4F5}</element>
447. <element>32|HKLM|SOFTWARE|Classes\CLSID\{6BD002D1-C42B-4B20-9F88-6E20D03EEBF8}</element>
448. <element>32|HKLM|SOFTWARE|Classes\CLSID\{93AAF04C-6BD4-4210-8C18-45B8A833B011}</element>
449. <element>32|HKLM|SOFTWARE|Classes\CLSID\{95A59E09-93B9-4F0B-8A79-2247E04B5012}</element>
450. <element>32|HKLM|SOFTWARE|Classes\CLSID\{A6AA093B-944F-4C03-B9CF-4C762D161736}</element>
451. <element>32|HKLM|SOFTWARE|Classes\CLSID\{C02FEE90-2FA0-4B78-8608-5982D85B219E}</element>
452. <element>32|HKLM|SOFTWARE|Classes\CLSID\{DA05E01D-91D7-4E6C-949C-C8DBF7B80865}</element>
453. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SCFNDIS</element>
454. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SCFDRIVER</element>
455. </RegKeys>
456. <UnRegModules>
457. <element>32|PROGRAMFILES|Sophos\Sophos Client Firewall</element>
458. </UnRegModules>
459. <UserModeService>
460. <element>Sophos Client Firewall</element>
461. <element>Sophos Client Firewall Manager</element>
462. </UserModeService>
463. </SCF>
464. <SFS>
465. <FoldersFiles>
466. <element>NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner\logs\sophosfilescanner.log</element>
467. <element>NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner\logs</element>
468. <element>NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner</element>
469. <element>NATIVE|PROGRAMFILES|Sophos\Sophos File Scanner</element>
470. </FoldersFiles>
471. <FridendlyName>
472. <element>Sophos File Scanner</element>
473. </FridendlyName>
474. <PFRO>
475. <element>NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner</element>
476. <element>NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner</element>
477. </PFRO>
478. <Processes>
479. <element>SophosFS.exe</element>
480. <element>SophosFileScanner.exe</element>
481. <element>SophosFSTelemetry.exe</element>
482. </Processes>
483. <RegKeys>
484. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos File Scanner Service</element>
485. <element>NATIVE|HKLM|SOFTWARE|Sophos\Sophos File Scanner</element>
486. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\{CD39E739-F480-4AC4-B0C9-68CA731D8AC6}</element>
487. </RegKeys>
488. <TakeOwn>
489. <element>NATIVE|PROGRAMDATA|Sophos\Sophos File Scanner</element>
490. </TakeOwn>
491. <UninstallCMDs>
492. <element>NATIVE|PROGRAMFILES|Sophos\Sophos File Scanner\Uninstall.exe!/quiet</element>
493. </UninstallCMDs>
494. <UserModeService>
495. <element>Sophos File Scanner Service</element>
496. </UserModeService>
497. </SFS>
498. <SED>
499. <Driver>
500. <element>sophosed</element>
501. <element>sophosel</element>
502. </Driver>
503. <FoldersFiles>
504. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Logs|sed.log</element>
505. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Action\tmp</element>
506. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Action</element>
507. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming</element>
508. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Policy\tmp</element>
509. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Policy</element>
510. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Event\tmp</element>
511. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Event</element>
512. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing</element>
513. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Status\tmp</element>
514. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Status</element>
515. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing</element>
516. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS</element>
517. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection</element>
518. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\http</element>
519. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\DirectoryChanges</element>
520. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryChanges</element>
521. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryReads</element>
522. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileDataReads</element>
523. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileHashes</element>
524. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges</element>
525. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherReads</element>
526. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileProperties</element>
527. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Image</element>
528. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process</element>
529. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Registry</element>
530. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\System</element>
531. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Thread</element>
532. <element>NATIVE|PROGRAMFILES|Sophos\Endpoint Defense|sedservice.exe</element>
533. <element>NATIVE|WINDOWS|System32|SophosNA.exe</element>
534. <element>NATIVE|WINDOWS|System32|drivers\sophosed.man</element>
535. <element>NATIVE|WINDOWS|System32|drivers\sophosel.sys</element>
536. <element>NATIVE|WINDOWS|System32|drivers\Sophosed.sys</element>
537. <element>32|PROGRAMFILES|Sophos\Endpoint Defense</element>
538. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense</element>
539. <element>NATIVE|WINDOWS|ELAMBKUP\sophosel.sys</element>
540. </FoldersFiles>
541. <FridendlyName>
542. <element>Sophos Endpoint Defense</element>
543. </FridendlyName>
544. <PFRO>
545. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Action\tmp</element>
546. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Action</element>
547. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming</element>
548. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Policy\tmp</element>
549. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Incoming\Policy</element>
550. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Event\tmp</element>
551. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Event</element>
552. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing</element>
553. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Status\tmp</element>
554. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing\Status</element>
555. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS\Outgoing</element>
556. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection\MCS</element>
557. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection</element>
558. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\http</element>
559. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\DirectoryChanges</element>
560. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryChanges</element>
561. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryReads</element>
562. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileDataReads</element>
563. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileHashes</element>
564. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges</element>
565. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherReads</element>
566. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileProperties</element>
567. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Image</element>
568. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process</element>
569. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Registry</element>
570. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\System</element>
571. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense\Data\Event Journals\SophosED\Thread</element>
572. <element>NATIVE|PROGRAMFILES|Sophos\Endpoint Defense\sedservice.exe</element>
573. <element>NATIVE|WINDOWS|System32|drivers\sophosed.man</element>
574. <element>NATIVE|WINDOWS|System32|drivers\sophosel.sys</element>
575. <element>NATIVE|WINDOWS|System32|drivers\Sophosed.sys</element>
576. <element>32|PROGRAMFILES|Sophos\Endpoint Defense</element>
577. <element>NATIVE|PROGRAMFILES|Sophos\Endpoint Defense</element>
578. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense</element>
579. </PFRO>
580. <Processes>
581. <element>SEDService.exe</element>
582. <element>FileAnalyzerSubmitterTool.exe</element>
583. <element>SEDcli.exe</element>
584. <element>SophosNA.exe</element>
585. <element>SspEdr.exe</element>
586. <element>SSPService.exe</element>
587. <element>Telemetry.exe</element>
588. <element>TelemetryPlugin.exe</element>
589. <element>Uninstall.exe</element>
590. <element>SSPService.exe</element>
591. </Processes>
592. <RegKeys>
593. <element>32|HKLM|SOFTWARE|Sophos\SystemProtection</element>
594. <element>32|HKLM|SOFTWARE|Sophos\SAVClients</element>
595. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Elam</element>
596. <element>NATIVE|HKLM|SOFTWARE|Sophos\EndpointDefense</element>
597. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Endpoint Defense Service</element>
598. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Endpoint Defense</element>
599. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\CORE</element>
600. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\CORC</element>
601. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense</element>
602. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SOPHOS_ENDPOINT_DEFENSE</element>
603. </RegKeys>
604. <TakeOwn>
605. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Defense</element>
606. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection</element>
607. </TakeOwn>
608. <UninstallCMDs>
609. <element>NATIVE|PROGRAMFILES|Sophos\Endpoint Defense\uninstall.exe!/quiet</element>
610. <element>32|PROGRAMFILES|Sophos\Sophos Endpoint Defense\uninstall.exe!/quiet</element>
611. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Endpoint Defense\uninstall.exe!/quiet</element>
612. </UninstallCMDs>
613. <UserModeService>
614. <element>Sophos Endpoint Defense Service</element>
615. <element>Sophos System Protection Service</element>
616. </UserModeService>
617. </SED>
618. <SAV>
619. <Detours>
620. <element>NATIVE</element>
621. <element>WOW</element>
622. </Detours>
623. <Driver>
624. <element>savonaccess</element>
625. <element>sdcfilter</element>
626. <element>sophosbootdriver</element>
627. <element>swi_callout</element>
628. </Driver>
629. <FoldersFiles>
630. <element>32|PROGRAMFILES|Sophos\Sophos Anti-Virus</element>
631. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Anti-Virus</element>
632. <element>NATIVE|PROGRAMDATA|Sophos\Web Intelligence</element>
633. <element>NATIVE|PROGRAMDATA|Sophos Web Intelligence</element>
634. <element>NATIVE|PROGRAMDATA|Sophos\Web Control</element>
635. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Device Control</element>
636. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Control</element>
637. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Tamper Protection</element>
638. <element>NATIVE|WINDOWS|System32\Drivers|savonaccess.sys</element>
639. <element>NATIVE|WINDOWS|System32\Drivers|swi_callout.sys</element>
640. <element>NATIVE|WINDOWS|System32\Drivers|sdcfilter.sys</element>
641. <element>NATIVE|WINDOWS|System32\Drivers|SophosBootDriver.sys</element>
642. <element>NATIVE|WINDOWS|System32\Drivers|skmscan.sys</element>
643. <element>NATIVE|WINDOWS|System32|SophosBootTasks.exe</element>
644. <element>NATIVE|WINDOWS|System32|sdccoinstaller.dll</element>
645. <element>32|COMMONPROGRAMFILES|Sophos\Web Control</element>
646. <element>32|COMMONPROGRAMFILES|Sophos\Web Intelligence</element>
647. <element>NATIVE|COMMONPROGRAMFILES|Sophos\Web Control</element>
648. <element>NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence|scf.dat</element>
649. <element>NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence|swi_fc.exe</element>
650. <element>NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence|swi_fc.exe.0</element>
651. <element>NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence</element>
652. <element>NATIVE|PROGRAMDATA|Sophos\Web Intelligence|swi_ifslsp.dll</element>
653. <element>NATIVE|PROGRAMDATA|Sophos\Web Intelligence|swi_ifslsp_64.dll</element>
654. <element>NATIVE|WINDOWS|SYSTEM32\SophosAV|sophos_detoured_x64.dll</element>
655. <element>NATIVE|WINDOWS|SYSTEM32\SophosAV|sophos_detoured.dll</element>
656. <element>32|WINDOWS|SYSWOW64\SophosAV|sophos_detoured.dll</element>
657. <element>NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus\Perf|Channel_0.xml</element>
658. <element>NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus\Perf</element>
659. <element>NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus</element>
660. <element>NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos</element>
661. </FoldersFiles>
662. <FridendlyName>
663. <element>Sophos Anti-Virus</element>
664. </FridendlyName>
665. <MSIProductCodes>
666. <element>3A3908E1-F410-48AC-BBDA-1468E7F17AD0</element>
667. <element>23E4E25E-E963-4C62-A18A-49C73AA3F963</element>
668. <element>6CA90A07-433B-4859-A785-006771D72109</element>
669. <element>D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4</element>
670. <element>577896A8-08F6-47E2-B2EB-DE5265701F39</element>
671. <element>095BB5FF-C89D-449B-9D6D-3B9CCB3BEFD8</element>
672. <element>034759DA-E21A-4795-BFB3-C66D17FAD183</element>
673. <element>9ACB414D-9347-40B6-A453-5EFB2DB59DFA</element>
674. <element>6654537D-935E-41C0-A18A-C55C2BF77B7E</element>
675. <element>2519A41E-5D7C-429B-B2DB-1E943927CB3D</element>
676. <element>66967E5F-43E8-4402-87A4-04685EE5C2CB</element>
677. <element>72E30858-FC95-4C87-A697-670081EBF065</element>
678. <element>8123193C-9000-4EEB-B28A-E74E779759FA</element>
679. <element>36333618-1CE1-4EF2-8FFD-7F17394891CE</element>
680. <element>DFDA2077-95D0-4C5F-ACE7-41DA16639255</element>
681. <element>CA3CE456-B2D9-4812-8C69-17D6980432EF</element>
682. <element>CA524364-D9C5-4804-92DE-2800BDAC1AA4</element>
683. <element>3B998572-90A5-4D61-9022-00B288DD755D</element>
684. <element>4BAF6F55-FFE4-4A3A-8367-CC2EBB0F11C3</element>
685. <element>BA8752FE-75E5-43DD-9913-23509EFEB409</element>
686. <element>C4EDC7DA-3AF8-4E99-ACAC-4C1A70F88CFB</element>
687. <element>9ACB414D-9347-40B6-A453-5EFB2DB59DFA</element>
688. <element>4320988A-7DE0-478D-A38B-CE9509BCE320</element>
689. <element>320CD9AF-3E73-453F-A11D-C4DBE23D5476</element>
690. <element>65C68E09-B673-491F-AB36-2EBD8DDA91F3</element>
691. <element>5A13E01A-1161-4FAC-ADAF-36AD8FFADF14</element>
692. </MSIProductCodes>
693. <PFRO>
694. <element>NATIVE|WINDOWS|System32\Drivers|savonaccess.sys</element>
695. <element>NATIVE|WINDOWS|System32\Drivers|swi_callout.sys</element>
696. <element>NATIVE|WINDOWS|System32\Drivers|sdcfilter.sys</element>
697. <element>NATIVE|WINDOWS|System32\Drivers|SophosBootDriver.sys</element>
698. <element>NATIVE|WINDOWS|System32\Drivers|skmscan.sys</element>
699. <element>NATIVE|WINDOWS|System32|SophosBootTasks.exe</element>
700. <element>NATIVE|WINDOWS|System32|sdccoinstaller.dll</element>
701. <element>32|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured.dll</element>
702. <element>32|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured_x64.dll</element>
703. <element>32|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured.dll.stf00</element>
704. <element>32|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured_x64.dll.stf00</element>
705. <element>32|PROGRAMFILES|Sophos\Sophos Anti-Virus|SavShellExtX64.dll</element>
706. <element>32|PROGRAMFILES|Sophos\Sophos Anti-Virus|SophosOfficeAVx64.dll</element>
707. <element>NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence|scf.dat</element>
708. <element>NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence|swi_fc.exe</element>
709. <element>NATIVE|COMMONPROGRAMFILES|Sophos\Web Control</element>
710. <element>NATIVE|COMMONPROGRAMFILES|Sophos\Web Intelligence</element>
711. <element>32|COMMONPROGRAMFILES|Sophos\Web Control</element>
712. <element>32|COMMONPROGRAMFILES|Sophos\Web Intelligence</element>
713. <element>32|PROGRAMFILES|Sophos\Sophos Anti-Virus</element>
714. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Anti-Virus</element>
715. <element>NATIVE|PROGRAMDATA|Sophos\Web Intelligence|swi_ifslsp.dll</element>
716. <element>NATIVE|PROGRAMDATA|Sophos\Web Intelligence|swi_ifslsp_64.dll</element>
717. <element>NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus\Perf|Channel_0.xml</element>
718. <element>NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus\Perf</element>
719. <element>NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos\AntiVirus</element>
720. <element>NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Applications and Services Logs\Sophos</element>
721. </PFRO>
722. <Processes>
723. <element>savservice.exe</element>
724. <element>swi_service.exe</element>
725. <element>swi_fc.exe</element>
726. <element>savadminservice.exe</element>
727. <element>swc_service.exe</element>
728. <element>SAVMain.exe</element>
729. <element>BackgroundScanClient.exe</element>
730. <element>sav32cli.exe</element>
731. <element>savcleanupservice.exe</element>
732. <element>SAVProxy.exe</element>
733. <element>SAVProgress.exe</element>
734. <element>WSCClient.exe</element>
735. <element>sdcdevcon.exe</element>
736. <element>SAVTelem.exe</element>
737. <element>ForceUpdateAlongSideSGN.exe</element>
738. <element>swi_di.exe</element>
739. <element>swi_lsp32_util.exe</element>
740. <element>swi_lspdiag.exe</element>
741. <element>swi_lspdiag_64.exe</element>
742. <element>swi_update_64.exe</element>
743. <element>swi_filter.exe</element>
744. <element>ssr32.exe</element>
745. <element>ssr64.exe</element>
746. </Processes>
747. <RegKeys>
748. <element>32|HKLM|SOFTWARE|Sophos\SAVService</element>
749. <element>32|HKLM|SOFTWARE|Sophos\SAVService\TamperProtection</element>
750. <element>32|HKLM|SOFTWARE|Sophos\SweepNT</element>
751. <element>32|HKLM|SOFTWARE|Sophos\Web Intelligence</element>
752. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\SAV</element>
753. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\SWC</element>
754. <element>NATIVE|HKCU|SOFTWARE|SOPHOS</element>
755. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SAVService</element>
756. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\savadminservice</element>
757. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Device Control Service</element>
758. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\swi_service</element>
759. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sophos web control service</element>
760. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\swi_filter</element>
761. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\savonaccess</element>
762. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sdcfilter</element>
763. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\swi_update_64</element>
764. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\swi_update</element>
765. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\sophosbootdriver</element>
766. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\swi_callout</element>
767. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos_AntiVirus-Perf/Comms</element>
768. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/BehaviourIntercept</element>
769. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/Cache</element>
770. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/JournalTracker</element>
771. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/OnAccess</element>
772. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/ProcessFilter</element>
773. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/Scan</element>
774. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Channels\Sophos-AntiVirus-Perf/Web</element>
775. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{788a31a2-9d77-4994-a1c5-6c3036f56141}</element>
776. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\Sophos Anti-Virus</element>
777. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\SophosAntiVirus</element>
778. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SAVOnAccess</element>
779. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SAVOnAccessControl</element>
780. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SAVOnAccessFilter</element>
781. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SDCFilter</element>
782. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SfwCallout</element>
783. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SophosBootDriver</element>
784. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\System\SKMScan</element>
785. <element>NATIVE|HKLM|SOFTWARE|Classes\AppID\{752B5BD1-9128-47B7-9934-E6DE5C5397D0}</element>
786. <element>NATIVE|HKLM|SOFTWARE|Classes\AppID\{F4C3F607-CA7A-4725-AB4E-9B4FF6788ECA}</element>
787. <element>NATIVE|HKLM|SOFTWARE|Classes\Sophos.WebControl</element>
788. <element>NATIVE|HKLM|SOFTWARE|Classes\Sophos.WebControl.1</element>
789. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{5123D78B-3CEF-4748-9ABA-20B7150D69C6}</element>
790. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{675AB458-79EE-4F3B-8BC5-1A424B5628AF}</element>
791. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{88E6FEF8-9F4F-49E3-9A75-1870C6339F25}</element>
792. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{946278E5-E994-40B3-AD9E-09BD3F9F2B5E}</element>
793. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{E8EB0E47-C0D4-4AA5-B872-51BFDBF243FE}</element>
794. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{F09ED691-830E-11D4-91D7-009027CAC227}</element>
795. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{F733BA71-46D0-47F8-87ED-B2343DDD9BB7}</element>
796. <element>32|HKLM|SOFTWARE|Classes\CLSID\{0237D9EB-DC1E-4581-AC00-DA9A76F8A50F}</element>
797. <element>32|HKLM|SOFTWARE|Classes\CLSID\{0350EF7B-C70F-4BA6-B9A2-C0A466BAA09F}</element>
798. <element>32|HKLM|SOFTWARE|Classes\CLSID\{12A7F0EC-33F7-4968-9AFD-34D37215184E}</element>
799. <element>32|HKLM|SOFTWARE|Classes\CLSID\{24DC0815-9D82-47FD-81B3-11DE033EF7A3}</element>
800. <element>32|HKLM|SOFTWARE|Classes\CLSID\{486EAD99-06D8-42A2-AEC8-353720B02F5D}</element>
801. <element>32|HKLM|SOFTWARE|Classes\CLSID\{81671ADE-A2EA-412C-8A7D-D0931AE9B02A}</element>
802. <element>32|HKLM|SOFTWARE|Classes\CLSID\{A0229167-33FE-4B1C-A5DC-E04312B4E967}</element>
803. <element>32|HKLM|SOFTWARE|Classes\CLSID\{AE5ECDC9-5970-47C0-B0C7-A5F0CC22FD60}</element>
804. <element>32|HKLM|SOFTWARE|Classes\CLSID\{BD7A8CBB-8AAE-49D3-A042-A6A8AB8B1F52}</element>
805. <element>32|HKLM|SOFTWARE|Classes\CLSID\{D2B7A809-15DC-40B4-A1E1-C61EA97191DB}</element>
806. <element>32|HKLM|SOFTWARE|Classes\CLSID\{dda4847c-c939-4c07-8d6a-5869cd694a1c}</element>
807. <element>32|HKLM|SOFTWARE|Classes\CLSID\{E0577DBF-0123-41F6-BBC7-9E1C94630FD9}</element>
808. <element>32|HKLM|SOFTWARE|Classes\CLSID\{F2A81486-DE28-4FAF-962A-9836B6C9A06F}</element>
809. <element>32|HKLM|SOFTWARE|Microsoft\Security Center\Monitoring\SophosAntiVirus</element>
810. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Control\SafeBoot\Network\SAVService</element>
811. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Enum\Root\LEGACY_SAVONACCESS</element>
812. </RegKeys>
813. <UnRegModules>
814. <element>32|PROGRAMFILES|Sophos\Sophos Anti-Virus</element>
815. </UnRegModules>
816. <UserModeService>
817. <element>SAVService</element>
818. <element>SAVAdminService</element>
819. <element>swi_service</element>
820. <element>Sophos Web Control Service</element>
821. <element>swi_filter</element>
822. <element>Sophos Device Control Service</element>
823. <element>swi_update_64</element>
824. <element>swi_update</element>
825. <element>swi_config</element>
826. </UserModeService>
827. </SAV>
828. <SAU>
829. <FoldersFiles>
830. <element>32|PROGRAMFILES|Sophos\AutoUpdate</element>
831. <element>NATIVE|PROGRAMDATA|Sophos\Certificates\AutoUpdate</element>
832. <element>NATIVE|PROGRAMDATA|Sophos\AutoUpdate</element>
833. </FoldersFiles>
834. <FridendlyName>
835. <element>Sophos AutoUpdate</element>
836. </FridendlyName>
837. <MSIProductCodes>
838. <element>5F3F87F0-7FDF-4776-8951-4E8A0F6B1864</element>
839. <element>7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16</element>
840. <element>BCF53039-A7FC-4C79-A3E3-437AE28FD918</element>
841. <element>9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520</element>
842. <element>AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54</element>
843. <element>E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E</element>
844. <element>72E136F7-3751-422E-AC7A-1B2E46391909</element>
845. <element>856A0B42-457D-4BD9-B795-6F942370CA6D</element>
846. </MSIProductCodes>
847. <Processes>
848. <element>alsvc.exe</element>
849. <element>almon.exe</element>
850. <element>SophosUpdate.exe</element>
851. <element>Alupdate.exe</element>
852. <element>AUTelem.exe</element>
853. <element>GatherTelem.exe</element>
854. <element>SubmitTelem.exe</element>
855. </Processes>
856. <RegKeys>
857. <element>32|HKLM|SOFTWARE|Sophos\AutoUpdate</element>
858. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos AutoUpdate Service</element>
859. <element>32|HKLM|SOFTWARE|Sophos\Telemetry</element>
860. <element>32|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Run!Sophos AutoUpdate Monitor</element>
861. <element>NATIVE|HKLM|SOFTWARE|Classes\AppID\{CFC5C7CA-DA4C-4CFB-B16A-65193004E9C2}</element>
862. <element>NATIVE|HKLM|SOFTWARE|Classes\TypeLib\{CE94B62D-25F3-4430-AA85-A22C2888EE65}</element>
863. <element>32|HKLM|SOFTWARE|Classes\CLSID\{07723A69-B7C8-4113-88F9-F18FB917A82F}</element>
864. <element>32|HKLM|SOFTWARE|Classes\CLSID\{7CBCADE4-7AA7-43AE-BD20-D88223B6353E}</element>
865. <element>32|HKLM|SOFTWARE|Classes\CLSID\{ACB50159-5EFF-47D5-B93F-5433C1BD2F3A}</element>
866. <element>32|HKLM|SOFTWARE|Classes\CLSID\{BF515489-25C1-472D-8F02-378E6CC06B3C}</element>
867. <element>32|HKLM|SOFTWARE|Classes\CLSID\{DDF239DC-0DCC-45BD-906E-2B283534234E}</element>
868. </RegKeys>
869. <UnRegModules>
870. <element>32|PROGRAMFILES|Sophos\AutoUpdate</element>
871. </UnRegModules>
872. <UserModeService>
873. <element>Sophos Autoupdate Service</element>
874. </UserModeService>
875. </SAU>
876. <SSP>
877. <FoldersFiles>
878. <element>NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|ssp.exe</element>
879. <element>NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|SspAdapter.dll</element>
880. <element>NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|TelemetryPlugin.exe</element>
881. <element>NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|integrity.dat</element>
882. <element>NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|NOTICE.txt</element>
883. <element>NATIVE|PROGRAMFILES|Sophos\Sophos System Protection|scf.dat</element>
884. <element>NATIVE|PROGRAMFILES|Sophos\Sophos System Protection</element>
885. <element>32|PROGRAMFILES|Sophos\Sophos System Protection</element>
886. <element>NATIVE|PROGRAMDATA|Sophos\Sophos System Protection</element>
887. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Data Recorder|SDRService.exe</element>
888. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Data Recorder</element>
889. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Recorder</element>
890. </FoldersFiles>
891. <FridendlyName>
892. <element>Sophos System Protection</element>
893. </FridendlyName>
894. <MSIProductCodes>
895. <element>934BEF80-B9D1-4A86-8B42-D8A6716A8D27</element>
896. <element>1093B57D-A613-47F3-90CF-0FD5C5DCFFE6</element>
897. <element>5EC8210A-38F2-4E76-9836-1B48EFDDA3FA</element>
898. </MSIProductCodes>
899. <Processes>
900. <element>ssp.exe</element>
901. <element>sdrservice.exe</element>
902. <element>TelemetryPlugin.exe</element>
903. </Processes>
904. <RegKeys>
905. <element>NATIVE|HKLM|SOFTWARE|Sophos\SystemProtection</element>
906. <element>32|HKLM|SOFTWARE|Sophos\SystemProtection</element>
907. <element>32|HKLM|SOFTWARE|Sophos\SAVClients</element>
908. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Data Recorder</element>
909. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\services\sophossps</element>
910. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\services\SophosDataRecorderService</element>
911. <element>32|HKLM|SOFTWARE|Sophos\Telemetry</element>
912. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\EventLog\Application\Sophos System Protection</element>
913. </RegKeys>
914. <UserModeService>
915. <element>Sophos Data Recorder</element>
916. <element>SophosDataRecorderService</element>
917. <element>sophossps</element>
918. </UserModeService>
919. </SSP>
920. <SHS>
921. <FoldersFiles>
922. <element>32|PROGRAMFILES|Sophos\Health</element>
923. <element>NATIVE|PROGRAMDATA|Sophos\Health</element>
924. <element>NATIVE|PROGRAMDATA|Sophos\Health\logs|shsadapter.log</element>
925. <element>NATIVE|PROGRAMDATA|Sophos\Health\logs</element>
926. </FoldersFiles>
927. <FridendlyName>
928. <element>Sophos Health Service</element>
929. </FridendlyName>
930. <MSIProductCodes>
931. <element>80D18B7B-8DF1-4BCA-901F-BEC86BAE2774</element>
932. <element>A5CCEEF1-B6A7-4EB4-A826-267996A62A9E</element>
933. <element>D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44</element>
934. <element>E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745</element>
935. </MSIProductCodes>
936. <Processes>
937. <element>Health.exe</element>
938. <element>SophosHealth.exe</element>
939. <element>SophosHealthClient.exe</element>
940. </Processes>
941. <RegKeys>
942. <element>32|HKLM|SOFTWARE|Sophos\Health</element>
943. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\SHS</element>
944. </RegKeys>
945. <UserModeService>
946. <element>Sophos Health Service</element>
947. </UserModeService>
948. </SHS>
949. <SEF>
950. <FoldersFiles>
951. <element>NATIVE|PROGRAMFILES|Sophos\Endpoint Firewall</element>
952. <element>NATIVE|PROGRAMDATA|Sophos\Endpoint Firewall</element>
953. </FoldersFiles>
954. <FridendlyName>
955. <element>Sophos Endpoint Firewall</element>
956. </FridendlyName>
957. <MSIProductCodes>
958. <element>2831282D-8519-4910-B339-2302840ABEF3</element>
959. </MSIProductCodes>
960. <Processes>
961. <element>EfwTelemetryPlugin.exe</element>
962. </Processes>
963. <RegKeys>
964. <element>NATIVE|HKLM|SOFTWARE\Sophos\Endpoint Firewall</element>
965. </RegKeys>
966. </SEF>
967. <ESH>
968. <FoldersFiles>
969. <element>NATIVE|PROGRAMFILES|Sophos\Endpoint Self Help</element>
970. </FoldersFiles>
971. <FridendlyName>
972. <element>Sophos Endpoint Self Help</element>
973. </FridendlyName>
974. <MSIProductCodes>
975. <element>9F69FA12-E3FE-4754-B7E3-B4DEEC8F6B5D</element>
976. <element>4EFCDD15-24A2-4D89-84A4-857D1BF68FA8</element>
977. <element>BB36D9C2-6AE5-4AB2-BC91-ECD247092BD8</element>
978. </MSIProductCodes>
979. <Processes>
980. <element>SophosDiag.exe</element>
981. <element>SophosESH.exe</element>
982. <element>Telemetry.exe</element>
983. </Processes>
984. <RegKeys>
985. <element>NATIVE|HKLM|SOFTWARE|Sophos\Endpoint Self Help</element>
986. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{c207e3ed-c0f0-4981-89fc-d756f0d08273}</element>
987. </RegKeys>
988. </ESH>
989. <SDU>
990. <FoldersFiles>
991. <element>32|PROGRAMFILES|Sophos\Sophos Diagnostic Utility</element>
992. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Diagnostic Utility</element>
993. </FoldersFiles>
994. <FridendlyName>
995. <element>Sophos Diagnostic Utility</element>
996. </FridendlyName>
997. <MSIProductCodes>
998. <element>4627F5A1-E85A-4394-9DB3-875DF83AF6C2</element>
999. <element>E4853018-0364-49B8-9ADD-691C425D7B5A</element>
1000. </MSIProductCodes>
1001. <Processes>
1002. <element>sducli.exe</element>
1003. <element>uploader.exe</element>
1004. <element>sdugui.exe</element>
1005. </Processes>
1006. <RegKeys>
1007. <element>32|HKLM|SOFTWARE|Sophos\Diagnose</element>
1008. <element>NATIVE|HKCU|SOFTWARE|Sophos\Diagnose</element>
1009. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\App Paths\sducli.exe</element>
1010. </RegKeys>
1011. </SDU>
1012. <SUI>
1013. <FoldersFiles>
1014. <element>NATIVE|PROGRAMFILES|Sophos\Sophos UI</element>
1015. <element>NATIVE|PROGRAMDATA|Sophos\Sophos UI</element>
1016. </FoldersFiles>
1017. <FridendlyName>
1018. <element>Sophos Endpoint UI</element>
1019. </FridendlyName>
1020. <MSIProductCodes>
1021. <element>D29542AE-287C-42E4-AB28-3858E13C1A3E</element>
1022. </MSIProductCodes>
1023. <Processes>
1024. <element>Sophos ui.exe</element>
1025. <element>SophosUITelemetry.exe</element>
1026. </Processes>
1027. <RegKeys>
1028. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Run!Sophos UI.exe</element>
1029. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\UI</element>
1030. <element>NATIVE|HKCU|SOFTWARE|Sophos\Sophos UI</element>
1031. <element>NATIVE|HKLM|SOFTWARE|Sophos\Sophos UI</element>
1032. <element>NATIVE|HKCU|Software|Microsoft\SophosUI</element>
1033. <element>NATIVE|HKLM|SOFTWARE|Classes\sophosui</element>
1034. </RegKeys>
1035. </SUI>
1036. <HBT>
1037. <FridendlyName>
1038. <element>Sophos Heartbeat</element>
1039. </FridendlyName>
1040. <MSIProductCodes>
1041. <element>DFFA9361-3625-4219-82C2-9EF011E433B1</element>
1042. </MSIProductCodes>
1043. <Processes>
1044. <element>heartbeat.exe</element>
1045. </Processes>
1046. <UserModeService>
1047. <element>Sophos Heartbeat Service</element>
1048. </UserModeService>
1049. </HBT>
1050. <SEP>
1051. <FoldersFiles>
1052. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Endpoint Agent</element>
1053. </FoldersFiles>
1054. <FridendlyName>
1055. <element>Sophos Endpoint</element>
1056. </FridendlyName>
1057. <MSIProductCodes>
1058. <element>A5CCEEF1-B6A7-4EB4-A826-267996A62A9E</element>
1059. <element>D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44</element>
1060. <element>E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745</element>
1061. </MSIProductCodes>
1062. <Processes>
1063. <element>uninstallcli.exe</element>
1064. <element>uninstallgui.exe</element>
1065. </Processes>
1066. <RegKeys>
1067. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Agent</element>
1068. </RegKeys>
1069. </SEP>
1070. <HMPA>
1071. <Driver>
1072. <element>hmpalert</element>
1073. </Driver>
1074. <FoldersFiles>
1075. <element>NATIVE|WINDOWS|System32|hmpalert.dll</element>
1076. <element>32|WINDOWS|SYSWOW64|hmpalert.dll</element>
1077. <element>NATIVE|WINDOWS|System32\Drivers|hmpalert.sys</element>
1078. <element>NATIVE|WINDOWS|System32\Drivers|hmpalert.sys.off</element>
1079. <element>32|PROGRAMFILES|HitmanPro.Alert</element>
1080. <element>32|PROGRAMFILES|HitmanPro.Alert|hmpalert.exe</element>
1081. <element>32|PROGRAMFILES|HitmanPro.Alert|bpaif.dll</element>
1082. <element>NATIVE|PROGRAMDATA|HitmanPro.Alert\drop</element>
1083. <element>NATIVE|PROGRAMDATA|HitmanPro.Alert\logs</element>
1084. <element>NATIVE|PROGRAMDATA|HitmanPro.Alert\mcs</element>
1085. <element>NATIVE|PROGRAMDATA|HitmanPro.Alert\reports</element>
1086. <element>NATIVE|PROGRAMDATA|HitmanPro.Alert|excalibur.db</element>
1087. <element>NATIVE|PROGRAMDATA|HitmanPro.Alert|hmpalert.bf</element>
1088. <element>NATIVE|PROGRAMDATA|HitmanPro.Alert</element>
1089. <element>NATIVE|PROGRAMDATA|Microsoft\Event Viewer\Views|hmpalert.xml</element>
1090. </FoldersFiles>
1091. <FridendlyName>
1092. <element>Hitman Pro.Alert</element>
1093. </FridendlyName>
1094. <MSIProductCodes>
1095. <element>866151B2-E14E-40E0-B6D9-64B1D428F5CB</element>
1096. </MSIProductCodes>
1097. <PFRO>
1098. <element>NATIVE|PROGRAMDATA|HitmanPro.Alert</element>
1099. <element>NATIVE|WINDOWS|System32|hmpalert.dll</element>
1100. <element>32|WINDOWS|SYSWOW64|hmpalert.dll</element>
1101. <element>NATIVE|WINDOWS|System32\Drivers|hmpalert.sys</element>
1102. <element>NATIVE|WINDOWS|System32\Drivers|hmpalert.old</element>
1103. </PFRO>
1104. <Processes>
1105. <element>hmpalert.exe</element>
1106. <element>EXPTelem.exe</element>
1107. <element>Uninstall.exe</element>
1108. </Processes>
1109. <RegKeys>
1110. <element>NATIVE|HKLM|SOFTWARE|HitmanPro.Alert</element>
1111. <element>NATIVE|HKCU|SOFTWARE|HitmanPro.Alert</element>
1112. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\hmpalert</element>
1113. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\hmpalertsvc</element>
1114. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\HMPA</element>
1115. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\HitmanPro.Alert</element>
1116. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}</element>
1117. </RegKeys>
1118. <UninstallCMDs>
1119. <element>32|PROGRAMFILES|HitmanPro.alert\uninstall.exe!--quiet</element>
1120. <element>32|PROGRAMFILES|HitmanPro.alert\HitmanPro.exe!/uninstall /quiet</element>
1121. <element>32|PROGRAMFILES|HitmanPro\HitmanPro.exe!/uninstall /quiet</element>
1122. </UninstallCMDs>
1123. <UserModeService>
1124. <element>hmpalertsvc</element>
1125. </UserModeService>
1126. </HMPA>
1127. <SDE>
1128. <FoldersFiles>
1129. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection</element>
1130. <element>32|PROGRAMFILES|Sophos\Sophos Data Protection</element>
1131. </FoldersFiles>
1132. <FridendlyName>
1133. <element>Sophos Data Protection Agent</element>
1134. </FridendlyName>
1135. <MSIProductCodes>
1136. <element>6AA8FE12-9958-4E3B-99AD-7AEF6BF7122F</element>
1137. <element>B38CEDCD-4B99-42A5-A430-3946FFCA229A</element>
1138. </MSIProductCodes>
1139. <PFRO>
1140. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Data Protection</element>
1141. </PFRO>
1142. <Processes>
1143. <element>Sophos.Encryption.BitLockerService.exe</element>
1144. <element>Sophos.Encryption.BitLockerApplication.exe</element>
1145. <element>Sophos.Encryption.HtmlEncrypter.exe</element>
1146. </Processes>
1147. <RegKeys>
1148. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Device Encryption Service</element>
1149. <element>32|HKLM|SOFTWARE|Sophos\DataProtection\McsQueues</element>
1150. <element>32|HKLM|SOFTWARE|Sophos\DataProtection\Status\Volumes</element>
1151. <element>32|HKLM|SOFTWARE|Sophos\DataProtection\Status</element>
1152. <element>32|HKLM|SOFTWARE|Sophos\DataProtection</element>
1153. </RegKeys>
1154. <UserModeService>
1155. <element>Sophos Device Encryption Service</element>
1156. </UserModeService>
1157. </SDE>
1158. <CLEAN>
1159. <FoldersFiles>
1160. <element>32|PROGRAMFILES|Sophos\Safestore|safestore64.dll</element>
1161. <element>32|PROGRAMFILES|Sophos\Safestore|SophosSafestore64.exe</element>
1162. <element>32|PROGRAMFILES|Sophos\Safestore|ssr64.exe</element>
1163. <element>32|PROGRAMFILES|Sophos\clean|sophoscleanm.exe</element>
1164. <element>NATIVE|PROGRAMFILES|Sophos\Safestore|safestore64.dll</element>
1165. <element>NATIVE|PROGRAMFILES|Sophos\Safestore|SophosSafestore64.exe</element>
1166. <element>NATIVE|PROGRAMFILES|Sophos\Safestore|ssr64.exe</element>
1167. <element>NATIVE|PROGRAMFILES|Sophos\Safestore</element>
1168. <element>NATIVE|PROGRAMFILES|Sophos\Clean</element>
1169. <element>32|PROGRAMFILES|Sophos\Safestore</element>
1170. <element>32|PROGRAMFILES|Sophos\Clean</element>
1171. <element>NATIVE|PROGRAMDATA|Sophos\Clean</element>
1172. <element>NATIVE|PROGRAMDATA|Sophos\Safestore</element>
1173. <element>NATIVE|PROGRAMFILES|Sophos\Home Clean</element>
1174. </FoldersFiles>
1175. <FridendlyName>
1176. <element>Sophos Clean-M</element>
1177. </FridendlyName>
1178. <PFRO>
1179. <element>32|PROGRAMFILES|Sophos\Clean|Sophoscleanm.exe</element>
1180. <element>32|PROGRAMFILES|Sophos\Clean</element>
1181. <element>32|PROGRAMFILES|Sophos\Safestore</element>
1182. <element>NATIVE|PROGRAMFILES|Sophos\Clean</element>
1183. <element>NATIVE|PROGRAMFILES|Sophos\Safestore</element>
1184. <element>NATIVE|PROGRAMDATA|Sophos\Clean</element>
1185. <element>NATIVE|PROGRAMDATA|Sophos\Safestore</element>
1186. </PFRO>
1187. <Processes>
1188. <element>SophosClean.exe</element>
1189. <element>SophosCleanM.exe</element>
1190. <element>Clean.exe</element>
1191. <element>SophosSafestore64.exe</element>
1192. <element>ssr64.exe</element>
1193. <element>Uninstall.exe</element>
1194. <element>SophosHomeClean.exe</element>
1195. </Processes>
1196. <RegKeys>
1197. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Clean Service</element>
1198. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Safestore Service</element>
1199. <element>NATIVE|HKLM|SOFTWARE|Sophos\Clean</element>
1200. <element>NATIVE|HKLM|SOFTWARE|SophosClean</element>
1201. <element>NATIVE|HKLM|SOFTWARE|Sophos\HomeClean</element>
1202. <element>NATIVE|HKLM|SOFTWARE|SophosHomeClean</element>
1203. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\Sophos Clean</element>
1204. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\SophosClean</element>
1205. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\Sophos Home Clean</element>
1206. <element>NATIVE|HKLM|SOFTWARE|Sophos\SophosHomeClean</element>
1207. </RegKeys>
1208. <UninstallCMDs>
1209. <element>32|PROGRAMFILES|Sophos\Clean\uninstall.exe</element>
1210. </UninstallCMDs>
1211. <UserModeService>
1212. <element>Sophos Clean</element>
1213. <element>Sophos Clean Service</element>
1214. <element>Sophos Safestore Service</element>
1215. </UserModeService>
1216. </CLEAN>
1217. <SCI>
1218. <FoldersFiles>
1219. <element>NATIVE|PROGRAMDATA|Sophos\CloudInstaller</element>
1220. </FoldersFiles>
1221. <FridendlyName>
1222. <element>Sophos Cloud Installer</element>
1223. </FridendlyName>
1224. <Processes>
1225. <element>SophosInstall.exe</element>
1226. <element>SophosSetup.exe</element>
1227. <element>SophosSetup_Stage2.exe</element>
1228. </Processes>
1229. </SCI>
1230. <SSE>
1231. <FoldersFiles>
1232. <element>32|PROGRAMFILES|Sophos\Sophos Standalone Engine\engine1</element>
1233. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Standalone Engine\engine1</element>
1234. <element>32|PROGRAMFILES|Sophos\Sophos Standalone Engine</element>
1235. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Standalone Engine</element>
1236. </FoldersFiles>
1237. <FridendlyName>
1238. <element>Sophos Standalone Engine</element>
1239. </FridendlyName>
1240. <PFRO>
1241. <element>32|PROGRAMFILES|Sophos\Sophos Standalone Engine\engine1</element>
1242. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Standalone Engine\engine1</element>
1243. <element>32|PROGRAMFILES|Sophos\Sophos Standalone Engine</element>
1244. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Standalone Engine</element>
1245. </PFRO>
1246. <Processes>
1247. <element>validator.exe</element>
1248. <element>Uninstall.exe</element>
1249. </Processes>
1250. <RegKeys>
1251. <element>32|HKLM|SOFTWARE|Sophos\Sophos Standalone Engine</element>
1252. <element>NATIVE|HKLM|SOftware|Microsoft\Windows\CurrentVersion\Uninstall\Sophos Standalone Engine</element>
1253. </RegKeys>
1254. <UninstallCMDs>
1255. <element>32|PROGRAMFILES|Sophos\Sophos Standalone Engine\uninstall.exe</element>
1256. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Standalone Engine\uninstall.exe</element>
1257. </UninstallCMDs>
1258. </SSE>
1259. <SMLE>
1260. <FoldersFiles>
1261. <element>32|PROGRAMFILES|Sophos\Sophos ML Engine</element>
1262. </FoldersFiles>
1263. <FridendlyName>
1264. <element>Sophos ML Engine</element>
1265. </FridendlyName>
1266. <Processes>
1267. <element>Uninstall.exe</element>
1268. </Processes>
1269. <RegKeys>
1270. <element>32|HKLM|SOFTWARE|Sophos\Sophos ML Engine</element>
1271. <element>NATIVE|HKLM|SOftware|Microsoft\Windows\CurrentVersion\Uninstall\Sophos ML Engine</element>
1272. </RegKeys>
1273. <UninstallCMDs>
1274. <element>32|PROGRAMFILES|Sophos\Sophos ML Engine\uninstall.exe</element>
1275. </UninstallCMDs>
1276. </SMLE>
1277. <STE>
1278. <FoldersFiles>
1279. <element>32|PROGRAMFILES|Sophos\Sophos Tester</element>
1280. </FoldersFiles>
1281. <FridendlyName>
1282. <element>Sophos Tester</element>
1283. </FridendlyName>
1284. <Processes>
1285. <element>SophosTester.exe</element>
1286. </Processes>
1287. <RegKeys>
1288. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\Sophos Tester</element>
1289. <element>NATIVE|HKCU|SOFTWARE|Sophos\Tester</element>
1290. </RegKeys>
1291. </STE>
1292. <SPA>
1293. <FoldersFiles>
1294. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Patch Agent</element>
1295. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Patch Agent</element>
1296. </FoldersFiles>
1297. <FridendlyName>
1298. <element>Sophos Patch Agent</element>
1299. </FridendlyName>
1300. <MSIProductCodes>
1301. <element>5565E71F-091B-42B8-8514-7E8944860BFD</element>
1302. <element>29006785-9EF7-4E84-ABE8-6244D12E7909</element>
1303. <element>2FB80981-C6B6-4FCA-BC65-24437DF4C8CB</element>
1304. </MSIProductCodes>
1305. <PFRO>
1306. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Patch Agent</element>
1307. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Patch Agent</element>
1308. </PFRO>
1309. <Processes>
1310. <element>spa.exe</element>
1311. <element>LM.Detection.exe</element>
1312. <element>LM.Detection_x64.exe</element>
1313. <element>PatchChecker.exe</element>
1314. </Processes>
1315. <RegKeys>
1316. <element>NATIVE|HKLM|SOFTWARE|Patchlink.com</element>
1317. <element>NATIVE|HKLM|SOFTWARE|Sophos\Sophos Patch Agent</element>
1318. <element>32|HKLM|SOFTWARE|Sophos\Sophos Patch Agent</element>
1319. <element>32|HKLM|SOFTWARE|Sophos\Remote Management System\ManagementAgent\Adapters\PATCH</element>
1320. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\Sophos Patch Agent</element>
1321. </RegKeys>
1322. <UnRegModules>
1323. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Patch Agent</element>
1324. </UnRegModules>
1325. <UserModeService>
1326. <element>Sophos Patch Agent</element>
1327. </UserModeService>
1328. </SPA>
1329. <CWG>
1330. <FoldersFiles>
1331. <element>NATIVE|PROGRAMFILES|Sophos\Cloud Network Agent\sbin</element>
1332. <element>NATIVE|PROGRAMFILES|Sophos\Cloud Network Agent</element>
1333. <element>NATIVE|PROGRAMFILES|Sophos\Cloud Network Agent\etc\clamav\Database</element>
1334. <element>NATIVE|PROGRAMFILES|Sophos\Cloud Network Agent\etc\clamav</element>
1335. <element>NATIVE|PROGRAMFILES|Sophos\Cloud Network Agent\etc</element>
1336. <element>NATIVE|WINDOWS|System32|drivers\SophosTrafficRedirectorCalloutDriver.sys</element>
1337. </FoldersFiles>
1338. <FridendlyName>
1339. <element>Sophos Cloud Web Gateway</element>
1340. </FridendlyName>
1341. <MSIProductCodes>
1342. <element>B6D7C122-053F-4DCD-AFCC-877B9236E787</element>
1343. <element>4F73E3E1-FDC7-4CE7-9ACA-0BAA09226688</element>
1344. <element>64139960-C92D-4DB1-9385-0D2DC75B245C</element>
1345. <element>8132D712-5F53-4EAB-9624-4A24EA10EC74</element>
1346. <element>D6B5BD3E-41BE-4714-9514-41EB96975238</element>
1347. </MSIProductCodes>
1348. <PFRO>
1349. <element>NATIVE|PROGRAMFILES|Sophos\Cloud Network Agent\sbin</element>
1350. <element>NATIVE|PROGRAMFILES|Sophos\Cloud Network Agent\etc\clamav\Database</element>
1351. <element>NATIVE|PROGRAMFILES|Sophos\Cloud Network Agent\etc\clamav</element>
1352. <element>NATIVE|PROGRAMFILES|Sophos\Cloud Network Agent\etc</element>
1353. <element>NATIVE|PROGRAMFILES|Sophos\Cloud Network Agent</element>
1354. </PFRO>
1355. <Processes>
1356. <element>SophosAgentUI.exe</element>
1357. <element>installer.exe</element>
1358. <element>SophosAgentRelay.exe</element>
1359. <element>sophos-cwg-monitor.exe</element>
1360. <element>SophosCWGScannerAutoUpdater.exe</element>
1361. </Processes>
1362. <RegKeys>
1363. <element>NATIVE|HKLM|SOFTWARE|Microsoft\Windows\CurrentVersion\Uninstall\e676025c-1f8e-469b-9136-1a5101eb10b6</element>
1364. <element>NATIVE|HKLM|SOFTWARE|Sophos\CloudAgent</element>
1365. <element>NATIVE|HKLM|SOFTWARE|Sophos\CWG</element>
1366. <element>NATIVE|HKCU|SOFTWARE|Sophos\CloudAgent</element>
1367. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SophosCWGMonitor</element>
1368. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SophosNetworkTrafficRelay</element>
1369. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SophosRedirectorCallouts</element>
1370. <element>NATIVE|HKLM|SOftware|Microsoft\Windows\CurrentVersion\Run|Sophos Cloud Web Gateway</element>
1371. </RegKeys>
1372. <UninstallCMDs>
1373. <element>NATIVE|PROGRAMFILES|Sophos\Sophos Network Agent\sbin\installer.exe!-r</element>
1374. </UninstallCMDs>
1375. <UserModeService>
1376. <element>SophosNetworkTrafficRelay</element>
1377. <element>SophosCWGMonitor</element>
1378. </UserModeService>
1379. </CWG>
1380. <SH>
1381. <FoldersFiles>
1382. <element>32|PROGRAMFILES|Sophos\Sophos Home</element>
1383. <element>32|PROGRAMFILES|Sophos\Sophos Home|SophosUI.exe</element>
1384. <element>32|PROGRAMFILES|Sophos\Sophos Home|SophosHomeShellExtX64.dll</element>
1385. <element>32|PROGRAMFILES|Sophos\Sophos Home|SophosHomeShellExt.dll</element>
1386. <element>32|PROGRAMFILES|Sophos\Sophos Home|SophosHomeDesktopMessaging.dll</element>
1387. <element>32|PROGRAMFILES|Sophos\Sophos Home|adapter.dll</element>
1388. </FoldersFiles>
1389. <FridendlyName>
1390. <element>Sophos Home</element>
1391. </FridendlyName>
1392. <MSIProductCodes>
1393. <element>D812F3D2-990A-47C6-AA92-24EB383500CF</element>
1394. <element>E28B49D0-58B4-4387-ADBB-E7F8E57B1322</element>
1395. <element>FF6214A9-8892-4ADD-81EB-327098A9B328</element>
1396. </MSIProductCodes>
1397. <PFRO>
1398. <element>32|PROGRAMFILES|Sophos\Sophos Home</element>
1399. </PFRO>
1400. <Processes>
1401. <element>SophosUI.exe</element>
1402. <element>SophosInstall.exe</element>
1403. </Processes>
1404. <RegKeys>
1405. <element>32|HKLM|SOFTWARE|SOPHOS\Home</element>
1406. </RegKeys>
1407. </SH>
1408. <FIM>
1409. <FoldersFiles>
1410. <element>NATIVE|PROGRAMDATA|Sophos\File Integrity Monitoring</element>
1411. <element>NATIVE|PROGRAMFILES|Sophos\file Integrity Monitoring</element>
1412. <element>NATIVE|PROGRAMDATA|Sophos\File Integrity Monitoring</element>
1413. </FoldersFiles>
1414. <FridendlyName>
1415. <element>Sophos File Integrity Monitor (FIM)</element>
1416. </FridendlyName>
1417. <MSIProductCodes>
1418. <element>425063CE-9566-43B8-AC61-F8D182828634</element>
1419. </MSIProductCodes>
1420. <PFRO>
1421. <element>NATIVE|PROGRAMDATA|Sophos\File Integrity Monitoring</element>
1422. <element>NATIVE|PROGRAMFILES|Sophos\File Integrity Monitoring</element>
1423. </PFRO>
1424. <Processes>
1425. <element>SophosFIMService.exe</element>
1426. <element>SophosFIMTelemetry.exe</element>
1427. </Processes>
1428. <RegKeys>
1429. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SophosFIM</element>
1430. <element>NATIVE|HKLM|SOFTWARE|SOPHOS\File Integrity Monitoring</element>
1431. </RegKeys>
1432. <UserModeService>
1433. <element>Sophos File Integrity Monitoring</element>
1434. </UserModeService>
1435. </FIM>
1436. <SVRT>
1437. <FridendlyName>
1438. <element>Sophos Virus Removal Tool</element>
1439. </FridendlyName>
1440. <Processes>
1441. <element>SVRTgui.exe</element>
1442. </Processes>
1443. <MSIProductCodes>
1444. <element>B829E117-D072-41EA-9606-9826A38D34C1</element>
1445. </MSIProductCodes>
1446. <FoldersFiles>
1447. <element>32|PROGRAMFILES|Sophos\Sophos Virus Removal Tool</element>
1448. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Virus Removal Tool\config</element>
1449. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Virus Removal Tool\localrep</element>
1450. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Virus Removal Tool\logs</element>
1451. </FoldersFiles>
1452. <PFRO>
1453. <element>32|PROGRAMFILES|Sophos\Sophos Virus Removal Tool</element>
1454. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Virus Removal Tool\config</element>
1455. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Virus Removal Tool\localrep</element>
1456. <element>NATIVE|PROGRAMDATA|Sophos\Sophos Virus Removal Tool\logs</element>
1457. </PFRO>
1458. <UserModeService>
1459. <element>SophosVirusRemovalTool</element>
1460. </UserModeService>
1461. <RegKeys>
1462. <element>NATIVE|HKLM|SYSTEM|CurrentControlSet\Services\SophosVirusRemovalTool</element>
1463. <element>32|HKLM|SOFTWARE|SOPHOS\SophosVirusRemovalTool</element>
1464. </RegKeys>
1465. </SVRT>
1466. <SCA>
1467. <FridendlyName>
1468. <element>Sophos Compliance Agent</element>
1469. </FridendlyName>
1470. <MSIProductCodes>
1471. <element>1A7EE8FF-391D-4030-8021-5F560189B87F</element>
1472. <element>b0472397-2e3a-465f-9a08-be9d7d7a8767</element>
1473. <element>8bd17d77-227b-4cf6-bc9a-4304f569d8e9</element>
1474. <element>39837471-4a8b-4355-b85d-45c57c8e8c09</element>
1475. <element>0d30a753-5d4e-475f-8bce-82f024adb33c</element>
1476. <element>f564ca58-9d9f-4047-a583-c30eb0f95167</element>
1477. <element>9c04e644-43ea-447a-90a2-ad7e63abb843</element>
1478. </MSIProductCodes>
1479. </SCA>
1480. <SOPHOS>
1481. <FoldersFiles>
1482. <element>NATIVE|PROGRAMFILES|Sophos</element>
1483. <element>32|PROGRAMFILES|Sophos</element>
1484. <element>NATIVE|PROGRAMDATA|Sophos</element>
1485. <element>32|COMMONPROGRAMFILES|Sophos</element>
1486. <element>NATIVE|COMMONPROGRAMFILES|Sophos</element>
1487. <element>NATIVE|WINDOWS|SYSTEM32\SophosAV</element>
1488. <element>NATIVE|WINDOWS|SYSWOW64\SophosAV</element>
1489. </FoldersFiles>
1490. <FridendlyName>
1491. <element>Sophos Cleanup Routine</element>
1492. </FridendlyName>
1493. <PFRO>
1494. <element>NATIVE|PROGRAMDATA|Sophos</element>
1495. <element>NATIVE|PROGRAMFILES|Sophos</element>
1496. <element>32|PROGRAMFILES|Sophos</element>
1497. <element>32|COMMONPROGRAMFILES|Sophos</element>
1498. <element>NATIVE|WINDOWS|SYSTEM32\SophosAV</element>
1499. <element>NATIVE|WINDOWS|SYSWOW64\SophosAV</element>
1500. </PFRO>
1501. <RegKeys>
1502. <element>NATIVE|HKLM|SOFTWARE|SOPHOS</element>
1503. <element>32|HKLM|SOFTWARE|SOPHOS</element>
1504. </RegKeys>
1505. <TakeOwn>
1506. <element>32|PROGRAMFILES|Sophos</element>
1507. <element>NATIVE|PROGRAMFILES|Sophos</element>
1508. <element>NATIVE|PROGRAMDATA|Sophos</element>
1509. <element>32|COMMONPROGRAMFILES|Sophos</element>
1510. </TakeOwn>
1511. </SOPHOS>
1512. </Components>
1513. </RemovalData>
1514. "@
1515. #End of data
1516. #=====================================================================================================
1517. }
1518. #=====================================================================================================
1519. function Main()
1520. {
1521. cls
1522. Write-Host "====================================================================================================================="
1523. Write-Host "SOPHOS ENDPOINT SOFTWARE REMOVAL SCRIPT - Version $($strVer)" -foregroundcolor Red
1524. Write-Host "====================================================================================================================="
1525. Write-Host "Notes:"
1526. Write-Host " - Supported methods should be tried before running this script."
1527. Write-Host " - This script is not supported by Sophos support."
1528. Write-Host " - This script automates a number of manual steps typically carried out by Sophos support."
1529. Write-Host " - This script should not be modified or redistributed."
1530. Write-Host " - This script is designed to provide feedback via support to enhance the supported uninstaller."
1531. Write-Host " - This script is designed to be a last resort."
1532. Write-Host " - No guarantees can be made that 'unexpected' data in Sophos locations will not be removed."
1533. Write-Host " - It is recommended the computer is restarted after running in removal mode."
1534. Write-Host " - It is recommended a suitable backup of important data is made before running in removal mode."
1535. Write-Host "====================================================================================================================="
1536. if($Remove -eq "YES")
1537. {
1538. $global:boolForceMode = $true
1539. Write-Host "REMOVAL MODE" -foregroundcolor Red
1540. Write-Host " - It is recommended that you close any web browsers that may be open before continuing."
1541. if(-not $Silent)
1542. {
1543. Write-Host ""
1544. Read-Host -Prompt "Press enter to continue in 'Remove' mode or CTRL+C to quit."
1545. }
1546. }
1547. else
1548. {
1549. $global:boolForceMode = $false #default to off anyway when declared globally
1550. Write-Host "REPORT MODE" -foregroundcolor Yellow
1551. Write-Host " - To run in 'Remove' mode use the command line switch: -Remove YES"
1552. if(-not $Silent)
1553. {
1554. Write-Host ""
1555. Read-Host -Prompt "Press enter to continue in 'Report' mode or CTRL+C to quit."
1556. }
1557. }
1558. if($Restart -eq "YES")
1559. {
1560. $boolRestart = $true
1561. Write-Host "IMPORTANT: The option to RESTART the computer at the end of the script has been set." -foregroundcolor RED
1562. Write-Host "IMPORTANT: There will be a $($intDelaySecondsRestart) seconds countdown prior to restarting." -foregroundcolor RED
1563. Write-Host "IMPORTANT: To abort shutdown in that time, run: shutdown /a" -foregroundcolor RED
1564. Write-Host "============================================================================================"
1565. if(-not $Silent)
1566. {
1567. Read-Host -Prompt "Press enter to confirm you wish to run the script and restart or CTRL+C to quit."
1568. }
1569. }
1570. if($NoLogFile -eq "YES")
1571. {
1572. $global:blNoLogFile = $true
1573. }
1574. $DebugLog = $false
1575. if($Debug -eq "YES")
1576. {
1577. $DebugLog = $true
1578. }
1579.  
1580. #For computer information.
1581. $TimeStamp = Get-Date
1582. #Get product type
1583. switch((Get-WmiObject Win32_OperatingSystem).ProductType)
1584. {
1585. 1{$strOSType = "Workstation"}
1586. 2{$strOSType = "Domain Controller"}
1587. 3{$strOSType = "Server"}
1588. default{$strOSType = "Unknown"}
1589. }
1590.  
1591. #Get Architecture
1592. if(Is64bitOS){$strArch = "64-bit"}else{$strArch = "32-bit"}
1593.  
1594. #Print Banner
1595. Log-Write "============================================================================================" "HEAD"
1596. Log-Write "Script Version: $($strVer)" "INFO"
1597. Log-Write "============================================================================================" "HEAD"
1598. Log-Write "Environment" "HEAD"
1599. Log-Write "============================================================================================" "HEAD"
1600. Log-Write "Computer Name: $($env:computername)" "INFO"
1601. Log-Write "Operating System: $((Get-WmiObject Win32_OperatingSystem).Name)" "INFO"
1602. Log-Write "Role: $($strOSType)" "INFO"
1603. Log-Write "Domain Member: $((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain)" "INFO"
1604. Log-Write "Logon Server: $($env:LOGONSERVER)" "INFO"
1605. Log-Write "User Name: $($env:USERNAME)" "INFO"
1606. Log-Write "UTC Time: $($TimeStamp.ToUniversalTime())" "INFO"
1607. Log-Write "Local Time: $($TimeStamp)" "INFO"
1608. if($PSVersionTable.PSVersion.Major -ge 5 -and $PSVersionTable.PSVersion.Minor -ge 1)
1609. {
1610. Log-Write "Timezone: $(get-timezone)" "INFO"
1611. }
1612. Log-Write "PowerShell Major Version $($PSVersionTable.PSVersion.Major)" "INFO"
1613. Log-Write "PowerShell Minor Version $($PSVersionTable.PSVersion.Minor)" "INFO"
1614. Log-Write "Windows Dir: $($env:windir)" "INFO"
1615. Log-Write "Architecture: $($strArch)" "INFO"
1616. Log-Write "============================================================================================" "HEAD"
1617.  
1618. $InstalledSoftware = (Get-ItemProperty -ErrorAction SilentlyContinue $UninstallerKeys2 | Where { $_.Publisher -match "sophos" -or $_.Publisher -match "surfright" })
1619.  
1620. Log-Write "Installed Sophos Software" "HEAD"
1621. Log-Write "============================================================================================" "HEAD"
1622. if ($InstalledSoftware)
1623. {
1624. foreach ($a in $InstalledSoftware)
1625. {
1626. Log-Write "$($a.DisplayName) - $($a.DisplayVersion)" "ERROR"
1627. }
1628. }
1629. else
1630. {
1631. Log-Write "Checking the 'uninstall' keys, there doesn't appear to be any Sophos software installed." "PASS"
1632. }
1633. Log-Write "============================================================================================" "HEAD"
1634.  
1635. Log-Write "Pre-Checks" "HEAD"
1636. Log-Write "============================================================================================" "HEAD"
1637.  
1638. #Start of Pre-Checks
1639. #1 Check if admin, needs to be checked in Report and Remove
1640. If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
1641. [Security.Principal.WindowsBuiltInRole] "Administrator"))
1642. {
1643. Log-Write "Administrative rights are required in both 'Report' and 'Remove' mode. Will Exit." "ERROR"
1644. Log-Exit
1645. break
1646. }
1647. Log-Write "User is an administrator." "PASS"
1648.  
1649. #2 Check if RMS Server
1650. if(IsRMSServer)
1651. {
1652. if ($global:boolForceMode)
1653. {
1654. Log-Write "Remote Management System (RMS) is configured as a management server or message relay, will not continue." "ERROR"
1655. Log-Exit
1656. break
1657. }
1658. else
1659. {
1660. Log-Write "Remote Management System (RMS) is configured as a management server or message relay, will continue as not 'Remove' Mode." "WARN"
1661. }
1662. }
1663. else
1664. {
1665. Log-Write "RMS is not configured as a management server or message relay." "PASS"
1666. }
1667.  
1668. #3 Check if SafeGuard is installed and if so exit.
1669. if (CheckComponent "SafeGuard" $strSafeGuardKeys $strSafeGuardFolders)
1670. {
1671. if ($global:boolForceMode)
1672. {
1673. Log-Write "SafeGuard looks to be installed on this computer, will not continue." "ERROR"
1674. Log-exit
1675. break
1676. }
1677. else
1678. {
1679. Log-Write "SafeGuard might be installed on this computer, will continue as not 'Remove' Mode." "WARN"
1680. }
1681. }
1682. else
1683. {
1684. Log-Write "SafeGuard is not installed." "PASS"
1685. }
1686.  
1687. #4 Update cache check
1688. if (CheckComponent "Update Cache" $strUpdateCachedReg $strUpdateCachedDir)
1689. {
1690. if ($global:boolForceMode)
1691. {
1692. Log-Write "Computer is a Sophos Update Cache, will not continue." "ERROR"
1693. Log-exit
1694. break
1695. }
1696. else
1697. {
1698. Log-Write "Computer is a Sophos Update Cache, will continue as not 'Remove' Mode." "WARN"
1699. }
1700. }
1701. else
1702. {
1703. Log-Write "Computer is not running a Sophos Update Cache." "PASS"
1704. }
1705.  
1706. #5 SLD check
1707. if (CheckComponent "Server Lockdown" $strSLDKey $strSLDDir)
1708. {
1709. if ($global:boolForceMode)
1710. {
1711. Log-Write "Computer is running Sophos Lockdown, will not continue." "ERROR"
1712. Log-exit
1713. break
1714. }
1715. else
1716. {
1717. Log-Write "Computer is running Sophos Lockdown, will continue as not 'Remove' Mode." "WARN"
1718. }
1719. }
1720. else
1721. {
1722. Log-Write "Computer is not running Server Lockdown (SLD)." "PASS"
1723. }
1724.  
1725. #6 AD Sync check
1726. if (CheckComponent "AD Sync" $strADSyncKey $strADSyncDir)
1727. {
1728. if ($global:boolForceMode)
1729. {
1730. Log-Write "Computer is running Sophos AD Sync, will not continue." "ERROR"
1731. Log-exit
1732. break
1733. }
1734. else
1735. {
1736. Log-Write "Computer is running Sophos AD Sync, will continue as not 'Remove' Mode." "WARN"
1737. }
1738. }
1739. else
1740. {
1741. Log-Write "Computer is not running Sophos AD Sync." "PASS"
1742. }
1743.  
1744. #7 SAV NetAPP
1745. if (CheckComponent "SAV NetApp" $strSAVNetAppKey $strSAVNetAppDir)
1746. {
1747. if ($global:boolForceMode)
1748. {
1749. Log-Write "Computer is running Sophos NetApp, will not continue." "ERROR"
1750. Log-exit
1751. break
1752. }
1753. else
1754. {
1755. Log-Write "Computer is running Sophos NetApp, will continue as not 'Remove' Mode." "WARN"
1756. }
1757. }
1758. else
1759. {
1760. Log-Write "Computer is not running Sophos NetApp." "PASS"
1761. }
1762.  
1763. #8 PMEX check
1764. if (CheckComponent "PMEX" $strPMEXKey $aPMEXDirs)
1765. {
1766. if($global:boolForceMode)
1767. {
1768. Log-Write "Computer is running Sophos PureMessage, will not continue." "ERROR"
1769. Log-exit
1770. break
1771. }
1772. else
1773. {
1774. Log-Write "Computer is running Sophos PureMessage, will continue as not 'Remove' Mode." "WARN"
1775. }
1776. }
1777. else
1778. {
1779. Log-Write "Computer is not running Sophos PureMessage." "PASS"
1780. }
1781.  
1782. #9 SAVDI check
1783. if (CheckComponent "SAVDI" $strSAVDI "")
1784. {
1785. if($global:boolForceMode)
1786. {
1787. Log-Write "Computer is running SAVDI, will not continue." "ERROR"
1788. Log-exit
1789. break
1790. }
1791. else
1792. {
1793. Log-Write "Computer is running SAVDI, will continue as not 'Remove' Mode." "WARN"
1794. }
1795. }
1796. else
1797. {
1798. Log-Write "Computer is not running SAVDI." "PASS"
1799. }
1800.  
1801. #10 SEC check
1802. if (CheckComponent "SEC" $strSECKey "")
1803. {
1804. if($global:boolForceMode)
1805. {
1806. Log-Write "Computer is running SEC, will not continue." "ERROR"
1807. Log-exit
1808. break
1809. }
1810. else
1811. {
1812. Log-Write "Computer is running SEC, will continue as not 'Remove' Mode." "WARN"
1813. }
1814. }
1815. else
1816. {
1817. Log-Write "Computer is not running SEC." "PASS"
1818. }
1819.  
1820. #11 STAS check
1821. if (CheckComponent "Sophos Transparent Authentication Suite" $strSTASKey $strSTASDir)
1822. {
1823. if($global:boolForceMode)
1824. {
1825. Log-Write "Computer is running Sophos Transparent Authentication Suite (STAS), will not continue." "ERROR"
1826. Log-exit
1827. break
1828. }
1829. else
1830. {
1831. Log-Write "Computer is running Sophos Transparent Authentication Suite (STAS), will continue as not 'Remove' Mode." "WARN"
1832. }
1833. }
1834. else
1835. {
1836. Log-Write "Computer is not running Sophos Transparent Authentication Suite (STAS)." "PASS"
1837. }
1838.  
1839. #12 Sophos IPsec Client check
1840. if (CheckComponent "Sophos IPsec Client" $strIPsecClientKeys $strIPsecDir)
1841. {
1842. if($global:boolForceMode)
1843. {
1844. Log-Write "Computer maybe running Sophos IPsec Client, will not continue." "ERROR"
1845. Log-exit
1846. break
1847. }
1848. else
1849. {
1850. Log-Write "Computer maybe running Sophos IPsec Client, will continue as not 'Remove' Mode." "WARN"
1851. }
1852. }
1853. else
1854. {
1855. Log-Write "Computer is not running Sophos IPsec Client." "PASS"
1856. }
1857.  
1858. #13 Sophos Connect check
1859. if (CheckComponent "Sophos Connect" $strSophosConnectKeys $strSophosConnectDir)
1860. {
1861. if($global:boolForceMode)
1862. {
1863. Log-Write "Computer maybe running Sophos Connect, will not continue." "ERROR"
1864. Log-exit
1865. break
1866. }
1867. else
1868. {
1869. Log-Write "Computer maybe running Sophos Connect, will continue as not 'Remove' Mode." "WARN"
1870. }
1871. }
1872. else
1873. {
1874. Log-Write "Computer is not running Sophos Connect." "PASS"
1875. }
1876.  
1877. #14 Sophos Connect Admin check
1878. if (CheckComponent "Sophos Connect Admin" "" $strSophosConnectAdDir)
1879. {
1880. if($global:boolForceMode)
1881. {
1882. Log-Write "Computer maybe running Sophos Connect Admin, will not continue." "ERROR"
1883. Log-exit
1884. break
1885. }
1886. else
1887. {
1888. Log-Write "Computer maybe running Sophos Connect Admin, will continue as not 'Remove' Mode." "WARN"
1889. }
1890. }
1891. else
1892. {
1893. Log-Write "Computer is not running Sophos Connect Admin." "PASS"
1894. }
1895.  
1896. #15 Sophos Update Manager (SUM)
1897. if (CheckComponent "Sophos Update Manager" $strSUMKey $strSUMDir)
1898. {
1899. if($global:boolForceMode)
1900. {
1901. Log-Write "Computer maybe running Sophos Update Manager, will not continue." "ERROR"
1902. Log-exit
1903. break
1904. }
1905. else
1906. {
1907. Log-Write "Computer maybe running Sophos Update Manager, will continue as not 'Remove' Mode." "WARN"
1908. }
1909. }
1910. else
1911. {
1912. Log-Write "Computer is not running Sophos Update Manager." "PASS"
1913. }
1914.  
1915. #16 Block on Sophos Central Relay
1916. if (CheckComponent "Sophos Central Message Relay" $strSophosCentRKeys $strSophosCentDir)
1917. {
1918. if($global:boolForceMode)
1919. {
1920. Log-Write "Computer maybe running Sophos Central Message Relay, will not continue." "ERROR"
1921. Log-exit
1922. break
1923. }
1924. else
1925. {
1926. Log-Write "Computer maybe running Sophos Central Message Relay, will continue as not 'Remove' Mode." "WARN"
1927. }
1928. }
1929. else
1930. {
1931. Log-Write "Computer is not running Sophos Central Message Relay." "PASS"
1932. }
1933.  
1934. #17 Check if Tamper Protection is enabled using reg key query
1935. $SEDState = Get-ItemProperty -Path $strSEDStateKey -Name $strSEDEnabled -ErrorAction silentlycontinue
1936. if($SEDState.$strSEDEnabled -gt 0)
1937. {
1938. Log-Write "Tamper Protection (SED) appears to be enabled based on SEDEnabled registry value being $($SEDState.$strSEDEnabled)." "INFO"
1939. if ($global:boolForceMode)
1940. {
1941. Log-Write "Checking if the SED registry value can just be set to 0 as we are in 'Remove' mode..." "INFO"
1942. set-ItemProperty -Path $strSEDStateKey -Name $strSEDEnabled -Value 0 -ErrorAction silentlycontinue
1943. #Re-test
1944. $SEDState = Get-ItemProperty -Path $strSEDStateKey -Name $strSEDEnabled -ErrorAction silentlycontinue
1945. if($SEDState.$strSEDEnabled -eq 0)
1946. {
1947. Log-Write "Tamper Protection (SED) was not protecting the computer. Tamper Protection is now disabled, SEDEnabled: $($SEDState.$strSEDEnabled)" "PASS"
1948. }
1949. else
1950. {
1951. Log-Write "Tamper Protetion (SED) is enabled. SEDEnabled value is $($SEDState.$strSEDEnabled)." "INFO"
1952. if (-not $Password)
1953. {
1954. Log-Write "No password supplied, run with -Password [password] if Tamper Protection is enabled and you can obtain the password." "ERROR"
1955. Log-Write "The password should be available in Sophos Central or Enterprise Console." "WARN"
1956. Log-Write "If Sophos Home is installed you will need to disable Tamper Protection via the local interface." "WARN"
1957. Log-Write "If required, see Sophos article 124377." "WARN"
1958. Log-Exit
1959. break
1960. }
1961. Log-Write "Checking if $($strSEDCli) is available..." "INFO"
1962. #If tamper protection enabled, does sedcli exist?
1963. $strLocalPath = GetLocalPathFolder ($strSEDDirectory)
1964. $strPathToSEDCLI = $strLocalPath + "\" + $strSEDCli
1965. if (Test-Path -Path $strPathToSEDCLI)
1966. {
1967. Log-Write "Tool $($strSEDCli) exists." "PASS"
1968. $strCommandParameters = @($strSEDOffSwitch, $Password)
1969. #Pass password to it. Held in Password if passed in.
1970. & $strPathToSEDCLI $strCommandParameters
1971. if ($LastExitCode -eq 0)
1972. {
1973. Log-Write "Tamper Protecton password is correct." "PASS"
1974. }
1975. else
1976. {
1977. Log-Write "Tamper Protection password is incorrect." "ERROR"
1978. Log-Exit
1979. break
1980. }
1981. }
1982. else
1983. {
1984. Log-Write "SED is enabled, no SEDCLI.exe. Will exit." "WARN"
1985. Log-Exit
1986. break
1987. }
1988. }
1989. }
1990. else
1991. {
1992. Log-Write "SED is enabled but we are running in 'REPORT' mode, will continue..." "PASS"
1993. }
1994. }
1995. if ($global:boolForceMode)
1996. {
1997. Log-Write "Tamper Protection is disabled." "PASS"
1998. }
1999. #End of Tamper Check
2000.  
2001. #18 Check if SAU Is updating or installing and back off
2002. for ($intRetry=1; $intRetry -le $intRetryCounter; $intRetry++)
2003. {
2004. if(IsUpdatingOrInstalling)
2005. {
2006. Log-Write "Computer is updating or installing. Check $($intRetry) of $($intRetryCounter)." "WARN"
2007. if ($intRetry -ge $intRetryCounter)
2008. {
2009. Log-Write "Computer is still updating or installing, will carry on regardless as updating could be broken." "ERROR"
2010. break
2011. }
2012. $intToWait = 10 * $intRetry
2013. Log-Write "Waiting $($intToWait) seconds. Please wait for all retries to complete." "WARN"
2014. start-sleep -s $intToWait
2015. }
2016. else
2017. {
2018. Log-Write "Computer is not updating or installing" "PASS"
2019. break
2020. }
2021. }
2022.  
2023. if ($global:boolForceMode)
2024. {
2025. Log-Write "START REMOVAL" "INFO"
2026. #Prefer the SAV uninstaller took care of this but then a restart would always be required to allow the
2027. #swi_update service to cleanup at startup. Also if the service is deleted before the restart this would not happen.
2028. #Also, processes that start before the swi_update service can still load the LSP.
2029. #Let the swi_update service delete the LSP from Winsock catalog. To check: (netsh winsock show catalog | more)
2030. Log-Write "Try removing Sophos LSP if exists in Winsock Catalog" "INFO"
2031. RemoveLSP
2032. #Try to set the startup type of "Sophos Endpoint Defense Service" to 4.
2033. #This will be possible if TP is disabled.
2034. #If SEDService.exe is running it will see this and then disable itself so it can be removed.
2035. Log-Write "Try disabling Sophos Endpoint Defense Service" "INFO"
2036. if (ExistRegKey($strSophosEPDServiceKey))
2037. {
2038. #Try and set start to $intStartupType (4)
2039. Log-Write "`t Will set SED Service 'Start' value to 4 (disabled) if possible." "INFO"
2040. Set-ItemProperty -Path $strSophosEPDServiceKey -Name "start" -Value $intStartupType -ErrorAction silentlycontinue
2041. }
2042. if (-Not (Test-Path $strUninstallAllCommand))
2043. {
2044. Log-Write "Sophos Central Uninstaller does not exist." "WARN"
2045. }
2046. else
2047. {
2048. Log-Write "Running $($strUninstallAllCommand)." "INFO"
2049. Log-Write "Note: This could take 5 minutes. Please wait..." "WARN"
2050. try
2051. {
2052. & $strUninstallAllCommand
2053. }
2054. catch{}
2055. Log-Write "Exited with $($LastExitCode)." "INFO"
2056. #What to do if it asks for a restart to run? Currently continues, as will run MSIs and Uninstall CMDs
2057. #If the official uninstaller worked, prompt for reboot to ensure
2058. #services and pending file renames operations can complete.
2059. if ($LastExitCode -eq 0)
2060. {
2061. Log-Write "Removal was successful. Please restart and re-run this script for further checks" "WARN"
2062. Log-Exit
2063. break
2064. }
2065. }
2066. }
2067. else
2068. {
2069. Log-Write "Running in 'REPORT' mode, will not remove software but will display found items." "INFO"
2070. }
2071.  
2072. $global:blnPastPrechecks = $true
2073.  
2074. $xmlComponents | Select-Xml -XPath "//RemovalData/Components" | foreach {
2075. foreach ($itemToProcess in $_.node.ChildNodes)
2076. {
2077. Log-Write "============================================================================================" "HEAD"
2078. Log-Write "$($itemToProcess.FridendlyName.element)" "HEAD"
2079. Log-Write "============================================================================================" "HEAD"
2080. #MSI PRODUCT CODES#####################################################
2081. if($itemToProcess.MSIProductCodes)
2082. {
2083. Log-Write "MSI product codes:" "INFO"
2084.  
2085. foreach ($msiProductCode in $itemToProcess.MSIProductCodes.element)
2086. {
2087. #For each MSI
2088. ActionMSICode $msiProductCode "data"
2089. }
2090. }
2091. #######################################################################
2092. #UNINSTALL CMDS########################################################
2093. if($itemToProcess.UninstallCMDs)
2094. {
2095. Log-Write "Uninstall commands:" "INFO"
2096.  
2097. foreach ($UninstallCMD in $itemToProcess.UninstallCMDs.element)
2098. {
2099. #For each uninstall command
2100. $strCommandToRemove = GetLocalPathFolder($UninstallCMD)
2101. Log-Write "`t $($strCommandToRemove)" "INFO"
2102. if ($global:boolForceMode)
2103. {
2104. #Data has commands with arguments separated by a !
2105. $CMDAndArgs = $strCommandToRemove.split("!")
2106. Log-Write "`t Running: $($strCommandToRemove)" "INFO"
2107. if ($CMDAndArgs[1])
2108. {
2109. Log-Write "`t Running command with arguments if exists..." "DEBG"
2110. Log-Write "`t FilePath: $($CMDAndArgs[0]) and ArgumentList: $($CMDAndArgs[1])" "INFO"
2111. try
2112. {
2113. Start-Process -Wait -NoNewWindow -FilePath $CMDAndArgs[0] -ArgumentList $CMDAndArgs[1] -ErrorAction SilentlyContinue -RedirectStandardOutput "NUL"
2114. foreach($strCommandNotToCount in $aCommandsNotToCount)
2115. {
2116. if ($CMDAndArgs[0] -match $strCommandNotToCount)
2117. {
2118. Log-Write "`t This command does not count against the total commands run." "DEBG"
2119. }
2120. else
2121. {
2122. #One to count.
2123. $global:intUninstallCMDsRun++
2124. }
2125. }
2126. }
2127. catch
2128. {
2129. Log-Write "Start-Process failed for the uninstall of the component." "DEBG"
2130. }
2131. }
2132. else
2133. {
2134. Log-Write "`t Running command without arguments if exists..." "DEBG"
2135. try
2136. {
2137. Start-Process -Wait -NoNewWindow -FilePath $CMDAndArgs[0] -ErrorAction SilentlyContinue
2138. $global:intUninstallCMDsRun++
2139. }
2140. catch{}
2141. }
2142. }
2143. }
2144. }
2145. #######################################################################
2146. #USER MODE SERVICES####################################################
2147. if($itemToProcess.UserModeService)
2148. {
2149. Log-Write "Services:" "INFO"
2150.  
2151. foreach ($ServiceToStop in $itemToProcess.UserModeService.element)
2152. {
2153. if (ExistService($ServiceToStop))
2154. {
2155. $global:intServicesExist++
2156. if ($global:boolForceMode)
2157. {
2158. Log-Write "`t Stopping: $($ServiceToStop)" "INFO"
2159. if($PSVersionTable.PSVersion.Major -ge 5)
2160. {
2161. $null = stop-service -name $ServiceToStop -force -NoWait -ErrorAction silentlycontinue
2162. $global:intServicesAttemptedToStop++
2163. }
2164. else
2165. {
2166. $null = stop-service -name $ServiceToStop -force -ErrorAction silentlycontinue
2167. $global:intServicesAttemptedToStop++
2168. }
2169. start-Sleep -s 2
2170. Log-Write "`t Deleting service key." "INFO"
2171. $arrCommand = ("delete",$ServiceToStop)
2172. $global:intServicesAttemptedToDelete++
2173. sc.exe $arrCommand >$null 2>&1
2174. }
2175. }
2176. }
2177. }
2178. #######################################################################
2179. #USER MODE PROCESSES###################################################
2180. if($itemToProcess.Processes)
2181. {
2182. Log-Write "Processes:" "INFO"
2183.  
2184. foreach ($processToKill in $itemToProcess.Processes.element)
2185. {
2186. #For each user mode process, kill it if in force mode
2187. $exist = ExistProcess $processToKill $global:boolForceMode
2188. }
2189. }
2190. #######################################################################
2191. #DRIVERS###############################################################
2192. if($itemToProcess.Driver)
2193. {
2194. Log-Write "Drivers:" "INFO"
2195.  
2196. foreach ($driverToStop in $itemToProcess.Driver.element)
2197. {
2198. #For each kernel mode driver
2199. Log-Write "`t $($driverToStop)" "DEBG"
2200. if (ExistService($driverToStop))
2201. {
2202. $global:intDriversExist++
2203. #Check the list of drivers that can't be unloaded.
2204. if (-not ($DriversNotToStop -contains $driverToStop ))
2205. {
2206. if ($global:boolForceMode)
2207. {
2208. Log-Write "`t Stopping: $($driverToStop)" "INFO"
2209. $global:intDriversTriedToStop++
2210. try
2211. {
2212. $null = stop-service -Force -name $driverToStop -ErrorAction silentlycontinue
2213. Log-Write "`t Running: fltmc unload $($driverToStop)" "INFO"
2214. fltmc.exe unload $driverToStop | out-null
2215. }
2216. catch{}
2217. }
2218. }
2219. else
2220. {
2221. Log-Write "`t Skipping issuing a stop for: $($driverToStop)" "INFO"
2222. }
2223. }
2224. }
2225. }
2226. #######################################################################
2227. #UNREG MODULES#########################################################
2228. if ($itemToProcess.UnRegModules)
2229. {
2230. Log-Write "Directories of modules to unregister (this could take a minute):" "INFO"
2231.  
2232. foreach ($strModDir in $itemToProcess.UnRegModules.element)
2233. {
2234. #For each unreg directory
2235. $strLocalPathModules = GetLocalPathFolder($strModDir)
2236. Log-Write "`t $($strLocalPathModules)" "DEBG"
2237. if(FileFolderExists($strLocalPathModules))
2238. {
2239. $strFiles = Get-ChildItem $strLocalPathModules -Filter *.dll -ErrorAction silentlycontinue
2240. Foreach ($fileToUnreg in $strFiles)
2241. {
2242. $strUnregCommandPath = """"+$strLocalPathModules+"\"+$fileToUnreg+""""
2243. Log-Write "`t Unregister command: regsvr32.exe /u /s $($strUnregCommandPath)" "DEBG"
2244. if ($global:boolForceMode)
2245. {
2246. Start-Process -wait -NoNewWindow -FilePath "regsvr32.exe" -ArgumentList "/u","/s",$strUnregCommandPath -RedirectStandardOutput "NUL"
2247. }
2248. }
2249. }
2250. }
2251. }
2252. #######################################################################
2253. #REG KEYS##############################################################
2254. if($itemToProcess.RegKeys)
2255. {
2256. Log-Write "Registry:" "INFO"
2257.  
2258. foreach ($RegKeyToRemove in $itemToProcess.RegKeys.element)
2259. {
2260. #For each reg key to remove
2261. $strKeyLocal = GetLocalPathRegKey($RegKeyToRemove)
2262. Log-Write "`t $($strKeyLocal)" "DEBG"
2263. if (ExistRegKey ($strKeyLocal))
2264. {
2265. $global:intRegKeysFound++
2266. if ($global:boolForceMode)
2267. {
2268. $arrKey = $strKeyLocal.split("!")
2269. if($arrKey.Count -gt 1)
2270. {
2271. #Reg Value to delete
2272. Log-Write "`t Removing: $($arrKey[0]) name value $($arrKey[1])" "INFO"
2273. $null = Remove-ItemProperty -Path $arrKey[0] -name $arrKey[1] -Force -ErrorAction silentlycontinue
2274. $global:intRegKeysTryDelete++
2275. }
2276. else
2277. {
2278. #Reg key to remove.
2279. Log-Write "`t Removing: $($strKeyLocal)" "INFO"
2280. $null = Remove-Item -Path $strKeyLocal -Force -Recurse -ErrorAction silentlycontinue
2281. $global:intRegKeysTryDelete++
2282. }
2283. }
2284. }
2285. }
2286. }
2287. #######################################################################
2288. #TAKE OWN##############################################################
2289. if($itemToProcess.TakeOwn)
2290. {
2291. Log-Write "Take ownership:" "INFO"
2292.  
2293. foreach ($FolderORFileTakeOwn in $itemToProcess.TakeOwn.element)
2294. {
2295. #For each file or folder to take ownership
2296. $strLocalPathTakeOwn = GetLocalPathFolder($FolderORFileTakeOwn)
2297. Log-Write "`t $($strLocalPathTakeOwn)" "DEBG"
2298. if(FileFolderExists($strLocalPathTakeOwn))
2299. {
2300. if($global:boolForceMode)
2301. {
2302. Log-Write "`t Taking ownership of: $($strLocalPathTakeOwn)" "INFO"
2303. takeown.exe /f $strLocalPathTakeOwn /r /d y >$null 2>&1
2304. }
2305. }
2306. }
2307. }
2308. #######################################################################
2309. #FOLDER OR FILE########################################################
2310. if($itemToProcess.FoldersFiles)
2311. {
2312. Log-Write "Folders/Files:" "INFO"
2313.  
2314. foreach ($FolderORFile in $itemToProcess.FoldersFiles.element)
2315. {
2316. $strLocalPath = GetLocalPathFolder($FolderORFile)
2317. if(FileFolderExists($strLocalPath))
2318. {
2319. Log-Write "`t $($strLocalPath) exists" "DEBG"
2320. $global:intFileFolderExists++
2321. if($global:boolForceMode)
2322. {
2323. Log-Write "`t Removing: $($strLocalPath)" "INFO"
2324. $global:intFolderFilesAttemptDelete++
2325. $null = Remove-Item -Path $strLocalPath -Force -Recurse -ErrorAction silentlycontinue
2326. }
2327. }
2328. }
2329. }
2330. #######################################################################
2331. #Detours###############################################################
2332. if($itemToProcess.Detours)
2333. {
2334. Log-Write "Detours entries:" "INFO"
2335. if ($global:boolForceMode)
2336. {
2337. RemoveSophosDetours 1 #update reg key values by removing Sophos entries
2338. }
2339. else
2340. {
2341. RemoveSophosDetours 0 #just display what would be changed
2342. }
2343. }
2344. #######################################################################
2345. #PFRO##################################################################
2346. if($itemToProcess.PFRO)
2347. {
2348. Log-Write "Pending File Rename Operation (PRFO):" "INFO"
2349.  
2350. Log-Write "`t $($strLocalPath)" "DEBG"
2351. foreach ($PF in $itemToProcess.PFRO.element)
2352. {
2353. #For each file or folder to PFRO on
2354. $strLocalPath = GetLocalPathFolder($PF)
2355. Log-Write "`t $($strLocalPath)" "DEBG"
2356. if( FileFolderExists($strLocalPath))
2357. {
2358. if ($global:boolForceMode)
2359. {
2360. #set PFRO
2361. if([Posh]::MarkFileDelete($strLocalPath))
2362. {
2363. Log-Write "`t $($strLocalPath) marked for deletion at next startup" "INFO"
2364. $global:intFilesMarkedForDelete++
2365. $global:boolPFRONeedReboot = $true
2366. }
2367. }
2368. }
2369. }
2370. }
2371. #######################################################################
2372. #END OF COMPONENT
2373. }
2374. }
2375.  
2376. #As cleaning the Windows Installer data needs "Sophos" Product codes. Other than the included data which will go stale.
2377. #Check the cached MSIs, if they are Sophos/Surfright get the productcode and use that to cleanup.
2378. Log-Write "============================================================================================" "HEAD"
2379. Log-Write "Processing Windows Installer directory. This could take a minute." "HEAD"
2380. Log-Write "============================================================================================" "HEAD"
2381. $null = RemoveFromInstallerCache
2382.  
2383. Log-Write "============================================================================================" "HEAD"
2384. Log-Write "Processing Uninstaller registry keys for Sophos Product Codes." "HEAD"
2385. Log-Write "============================================================================================" "HEAD"
2386. $null = RemoveUsingUninstallKeys
2387.  
2388. Log-Write "============================================================================================" "HEAD"
2389. Log-Write "Processing NDIS FilterList values for Sophos entries" "HEAD"
2390. Log-Write "============================================================================================" "HEAD"
2391. #Note: "DriverHelper_x64.exe /uninstall /legacy_ndis" as run by the SCF uninstaller should remove these.
2392. $null = CheckSCFFilterListRegKey
2393.  
2394. Log-Write "============================================================================================" "HEAD"
2395. Log-Write "Processing Upgrade Codes from data." "HEAD"
2396. Log-Write "============================================================================================" "HEAD"
2397. $null = RemoveUpgradeCodesFromData
2398.  
2399. Log-Write "============================================================================================" "HEAD"
2400. Log-Write "Processing IFEO Registry keys" "HEAD"
2401. Log-Write "============================================================================================" "HEAD"
2402. $null = CheckSophosIFEO
2403.  
2404. Log-Write "============================================================================================" "HEAD"
2405. Log-Write "Processing entries under $($WIFoldersKey)" "HEAD"
2406. Log-Write "============================================================================================" "HEAD"
2407. $null = TidyInstallerFoldersKey
2408.  
2409. #Checks that are easier with a higher version of PowerShell
2410. if($PSVersionTable.PSVersion.Major -ge 5 -and $PSVersionTable.PSVersion.Minor -ge 1)
2411. {
2412. Log-Write "============================================================================================" "HEAD"
2413. Log-Write "Processing local SAV user groups" "HEAD"
2414. Log-Write "============================================================================================" "HEAD"
2415. foreach ($strSAVUser in $aSAVGroups)
2416. {
2417. Log-Write "Checking for local SAV group: $($strSAVUser)" "DEBG"
2418. $null = DeleteSAVLocalGroup $strSAVUser
2419. }
2420. Log-Write "============================================================================================" "HEAD"
2421. Log-Write "Processing local SAU updating users" "HEAD"
2422. Log-Write "============================================================================================" "HEAD"
2423. $null = DeleteSAUUsers $strSAULocalUserPrefix
2424.  
2425. Log-Write "============================================================================================" "HEAD"
2426. Log-Write "Processing Sophos Anti-Virus scheduled tasks" "HEAD"
2427. Log-Write "============================================================================================" "HEAD"
2428. $null = RemoveSAVScheduledScan
2429. }
2430. else
2431. {
2432. Log-Write "Skipping 'SophosSAU' user, SAV groups and SAV scheduled tasks checks due to older PowerShell version." "DEBG"
2433. }
2434. if($boolRestart)
2435. {
2436. #Restart has been set will call restart
2437. Log-Write "Restart Mode was set. Will restart in $($intDelaySecondsRestart) seconds." "WARN"
2438. Log-Write "Run: 'Shutdown /a' to abort if needed." "WARN"
2439. &shutdown /r /t $intDelaySecondsRestart
2440. }
2441. } #End of main
2442. #=====================================================================================================
2443.  
2444. #=====================================================================================================
2445. function RemoveUpgradeCodesFromData
2446. {
2447. Log-Write "RemoveUpgradeCodesFromData" "DEBG"
2448. #The data for this stage of removal comes from the global $aUGCDataAll
2449. foreach ($UpgradeCodeFromData in $aUGCDataAll)
2450. {
2451. Log-Write "Processing (data) Upgrade Code: $($UpgradeCodeFromData)" "INFO"
2452. $strConvertedUGCData = Convert-GUIDtoPID ($UpgradeCodeFromData)
2453. Log-Write "Converted Upgrade Code: $($strConvertedUGCData)" "DEBG"
2454. $strUGCKey = "HKLM:\SOFTWARE\Classes\Installer\UpgradeCodes\"+$strConvertedUGCData
2455. $strUGCKey2 = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\"+$strConvertedUGCData
2456. $strUpgradeCodeKeyLocations = $strUGCKey,$strUGCKey2
2457. foreach ($strUGCPath in $strUpgradeCodeKeyLocations)
2458. {
2459. Log-Write "Upgrade Code key to check: $($strUGCPath)" "INFO"
2460. if (ExistRegKey($strUGCPath))
2461. {
2462. if ($global:boolForceMode)
2463. {
2464. #Will attemt to remove the key as we are in remove mode
2465. Log-Write "Deleting Upgrade Code Key: $($strUGCPath)" "INFO"
2466. $global:intRemoveUpgradeCodeKey++
2467. $null = Remove-Item -Path $strUGCPath -Force -Recurse -ErrorAction silentlycontinue
2468. }
2469. }
2470. }
2471. }
2472. }
2473. #=====================================================================================================
2474. #=====================================================================================================
2475. function GetLocalPathRegKey([string]$regPath)
2476. {
2477. Log-Write "GetLocalPathRegKey: $($regPath)" "DEBG"
2478. $regComponents = $regPath.split("|")
2479. $strbitness = $regComponents[0]
2480. $strParentKey = $regComponents[1]
2481. $strSubKey = $regComponents[2]
2482. $strPath = $regComponents[3]
2483. $strRegValue = $regComponents[4]
2484. $strFullPath = ""
2485. if (Is64bitOS)
2486. {
2487. if ($strbitness -eq "32")
2488. {
2489. #32-bit on 64-bit OS
2490. $strFullPath = $strParentKey + ":" + $strSubKey + "\WOW6432Node\" + $strPath
2491. }
2492. else
2493. {
2494. #64-bit on 64-bit OS
2495. $strFullPath = $strParentKey + ":" + $strSubKey + "\" + $strPath
2496. }
2497. }
2498. else
2499. {
2500. #32-bit OS so applications are "native"
2501. $strFullPath = $strParentKey + ":" + $strSubKey + "\" + $strPath
2502. }
2503. if ($strRegValue)
2504. {
2505. #Value, not just key
2506. return $strFullPath + "!" + $strRegValue
2507. }
2508. return $strFullPath
2509. }
2510. #=====================================================================================================
2511. #=====================================================================================================
2512. function GetLocalPathFolder([string]$FolderPath)
2513. {
2514. Log-Write "GetLocalPathFolder: $($FolderPath)" "DEBG"
2515. $folderComponents = $FolderPath.split("|")
2516. $strbitness = $folderComponents[0] #NATIVE|32
2517. $strParentFolder = $folderComponents[1] #PROGRAMDATA|PROGRAMFILES
2518. $strPath = $folderComponents[2] #Sophos\\Test
2519. $strFile = $folderComponents[3] #File.exe
2520. $strFullPath = ""
2521. if($strParentFolder -eq "PROGRAMDATA")
2522. {
2523. $strParentFolderResolved = $env:ProgramData
2524. }
2525. if($strParentFolder -eq "WINDOWS")
2526. {
2527. $strParentFolderResolved = $env:SystemRoot
2528. }
2529. if (Is64bitOS)
2530. {
2531. if ($strbitness -eq "32")
2532. {
2533. #32-bit on 64-bit OS
2534. if($strParentFolder -eq "PROGRAMFILES")
2535. {
2536. $strParentFolderResolved = ${env:ProgramFiles(x86)}
2537. }
2538. if($strParentFolder -eq "COMMONPROGRAMFILES")
2539. {
2540. $strParentFolderResolved = ${env:CommonProgramFiles(x86)}
2541. }
2542. $strFullPath = $strParentFolderResolved + "\" + $strPath
2543. }
2544. else
2545. {
2546. #Native
2547. if($strParentFolder -eq "PROGRAMFILES")
2548. {
2549. $strParentFolderResolved = ${env:ProgramFiles}
2550. }
2551. if($strParentFolder -eq "COMMONPROGRAMFILES")
2552. {
2553. $strParentFolderResolved = ${env:CommonProgramFiles}
2554. }
2555. $strFullPath = $strParentFolderResolved + "\" + $strPath
2556. }
2557. }
2558. else
2559. {
2560. #Native
2561. if($strParentFolder -eq "PROGRAMFILES")
2562. {
2563. $strParentFolderResolved = ${env:ProgramFiles}
2564. }
2565. $strFullPath = $strParentFolderResolved + "\" + $strPath
2566. }
2567. if ($strFile)
2568. {
2569. #File, not just folder
2570. return $strFullPath + "\" + $strFile
2571. }
2572. return $strFullPath
2573. }
2574. #=====================================================================================================
2575. #=====================================================================================================
2576. function Is64bitOS()
2577. {
2578. if ([System.IntPtr]::Size -eq 4)
2579. {
2580. return $false
2581. }
2582. return $true
2583. }
2584. #=====================================================================================================
2585. #=====================================================================================================
2586. function ExistService([string]$strServiceName)
2587. {
2588. Log-Write "ExistService: $($strServiceName)" "DEBG"
2589. try
2590. {
2591. $service = Get-Service $strServiceName -ErrorAction SilentlyContinue
2592. }
2593. catch
2594. {}
2595. If ($service)
2596. {
2597. Log-Write "`t $($strServiceName) (EXISTS)" "ERROR"
2598. return $true
2599. }
2600. else
2601. {
2602. Log-Write "`t $($strServiceName) (NOT RUNNING)" "PASS"
2603. return $false
2604. }
2605. }
2606. #=====================================================================================================
2607. #=====================================================================================================
2608. function ExistProcess([string]$strProcessName, [bool]$ActionKill)
2609. {
2610. Log-Write "ExistProcess: $($strProcessName) ActionKill $($ActionKill)" "DEBG"
2611. $StrSubject = ""
2612. $strJustProcess = $strProcessName.Substring(0, $strProcessName.lastIndexOf('.'))
2613. #Special cases as cannot get the path using Get-Process or check if they are signed
2614. foreach ($strHardCoded in $aProcessesToCheck)
2615. {
2616. if($strHardCoded -eq $strProcessName)
2617. {
2618. Log-Write "`t Checking for hardcoded process: $($strProcessName)" "INFO"
2619. if ($global:boolForceMode)
2620. {
2621. Log-Write "`t Killing if exists: $($strProcessName)" "INFO"
2622. #$global:intProcessTryKill++
2623. #technically we are trying to kill processes here but the stats will always show the number, better to be 0 if clear so will not count these.
2624. taskkill.exe /F /IM $strProcessName >$null 2>&1
2625. }
2626. return $true
2627. }
2628. }
2629. #Get full path to process with given name
2630. $paths = Get-Process $strJustProcess -ErrorAction SilentlyContinue | Select-Object Path
2631. foreach ($processpaths in $paths)
2632. {
2633. if ($processpaths.Path)
2634. {
2635. #Get signature of process by that name
2636. try
2637. {
2638. $strSig = get-AuthenticodeSignature -ErrorAction SilentlyContinue -filepath $processpaths.Path
2639. $StrSubject = $strSig.SignerCertificate.Subject
2640. }
2641. catch
2642. {
2643. Log-Write "`t Can not get Authenticode Signature from file." "WARN"
2644. }
2645. if($StrSubject)
2646. {
2647. if ($StrSubject.ToLower() -match "sophos" -or $StrSubject.ToLower() -match "surfright" -or $processpaths.Path -match "\Sophos\\")
2648. {
2649. Log-Write "Sophos/Surfright Signed or path contains '\Sophos\': $($processpaths.Path)" "DEBG"
2650. Log-Write "`t Process: $($processpaths.Path) (EXISTS)" "ERROR"
2651. $global:intProcessesFound++
2652. #Could just be a check for updating.
2653. If(-not $ActionKill)
2654. {
2655. #Just return true, do not kill
2656. return $true
2657. }
2658. #Try to kill and return $true
2659. if ($global:boolForceMode)
2660. {
2661. Log-Write "`t Terminating: $($strProcessName)" "INFO"
2662. $global:intProcessTryKill++
2663. taskkill.exe /F /IM $strProcessName >$null 2>&1
2664. }
2665. return $true
2666. }
2667. else
2668. {
2669. Log-Write "`t A Process that matches is running but it is not ours based on signature." "WARN"
2670. }
2671. }
2672. else
2673. {
2674. Log-Write "`t No subject from signature of file." "WARN"
2675. }
2676. }
2677. }
2678. Log-Write "`t Sophos process: $($strProcessName) (NOT RUNNING)" "PASS"
2679. return $false
2680. }
2681. #=====================================================================================================
2682. #=====================================================================================================
2683. function ExistRegKey([string]$strRegKey)
2684. {
2685. Log-Write "ExistRegKey: $($strRegKey)" "DEBG"
2686. if ($strRegKey -match "!")
2687. {
2688. Log-Write "Processing reg value and key" "DEBG"
2689. #Potential reg value as well as key, keys could have a ! in the path but we don't have any
2690. $arrKey = $strRegKey.split("!")
2691. Log-Write "0 = $($arrKey[0])" "DEBG"
2692. Log-Write "1 = $($arrKey[1])" "DEBG"
2693. $exist = Get-ItemProperty $arrKey[0] $arrKey[1] -ErrorAction SilentlyContinue
2694. if ($exist)
2695. {
2696. Log-Write "`t Key: $($arrKey[0]) Value: $($arrKey[1]) (EXISTS)" "ERROR"
2697. return $true
2698. }
2699. else
2700. {
2701. Log-Write "`t Key: $($arrKey[0]) Value: $($arrKey[1]) (NOT FOUND)" "PASS"
2702. return $false
2703. }
2704. }
2705. else
2706. {
2707. Log-Write "Processing just key" "DEBG"
2708. If (Test-Path -Path $strRegKey -ErrorAction SilentlyContinue)
2709. {
2710. Log-Write "`t $($strRegKey) (EXISTS)" "ERROR"
2711. return $true
2712. }
2713. Log-Write "`t $($strRegKey) (NOT FOUND)" "PASS"
2714. return $false
2715. }
2716. }
2717. #=====================================================================================================
2718. #=====================================================================================================
2719. function FileFolderExists([string]$strFolderFile)
2720. {
2721. Log-Write "FileFolderExists: $($strFolderFile)" "DEBG"
2722. If (Test-Path -Path $strFolderFile -ErrorAction SilentlyContinue)
2723. {
2724. Log-Write "`t $($strFolderFile) (EXISTS)" "ERROR"
2725. return $true
2726. }
2727. else
2728. {
2729. Log-Write "`t $($strFolderFile) (NOT FOUND)" "PASS"
2730. return $false
2731. }
2732. }
2733. #=====================================================================================================
2734. #=====================================================================================================
2735. Add-Type @"
2736. using System;
2737. using System.Text;
2738. using System.Runtime.InteropServices;
2739. public class Posh
2740. {
2741. public enum MoveFileFlags
2742. {
2743. MOVEFILE_REPLACE_EXISTING = 0x00000001,
2744. MOVEFILE_COPY_ALLOWED = 0x00000002,
2745. MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004,
2746. MOVEFILE_WRITE_THROUGH = 0x00000008,
2747. MOVEFILE_CREATE_HARDLINK = 0x00000010,
2748. MOVEFILE_FAIL_IF_NOT_TRACKABLE = 0x00000020
2749. }
2750. [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
2751. static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, MoveFileFlags dwFlags);
2752. public static bool MarkFileDelete (string sourcefile)
2753. {
2754. bool brc = false;
2755. brc = MoveFileEx(sourcefile, null, MoveFileFlags.MOVEFILE_DELAY_UNTIL_REBOOT);
2756. return brc;
2757. }
2758. }
2759. "@
2760. #=====================================================================================================
2761. #=====================================================================================================
2762. Function Convert-GUIDtoPID ([string]$strGUID)
2763. {
2764. Log-Write "Convert-GUIDtoPID: $($strGUID)" "DEBG"
2765. $pidc = [regex]::replace($strGUID, "[^a-zA-Z0-9]", "")
2766. #Reverse first 8 characters, next 4, next 4. For the remaining reverse every two characters.
2767. $ri = 7,6,5,4,3,2,1,0,11,10,9,8,15,14,13,12,17,16,19,18,21,20,23,22,25,24,27,26,29,28,31,30
2768. [string]$toret = -join ($ri | ForEach-Object{$pidc[$_]})
2769. Log-Write "Convert-GUIDtoPID returning: $($toret.ToUpper())" "DEBG"
2770. return $toret.ToUpper()
2771. }
2772. #=====================================================================================================
2773. #=====================================================================================================
2774. function GetUpgradeCodeRegKey([string]$strPackage)
2775. {
2776. Log-Write "GetUpgradeCodeRegKey: $($strPackage)" "DEBG"
2777. gci "HKLM:\software\classes\Installer\UpgradeCodes" -rec -ea SilentlyContinue |
2778. % {
2779. if((get-itemproperty -Path $_.PsPath) -match $strPackage)
2780. {
2781. return $_.PsPath
2782. }
2783. }
2784. }
2785. #=====================================================================================================
2786. #=====================================================================================================
2787. function RemoveSophosDetours([bool]$remove)
2788. {
2789. Log-Write "RemoveSophosDetours: Remove $($remove)" "DEBG"
2790. $strNew = ""
2791. $strNewWow = ""
2792. $NativeOut = ""
2793. $DetoursState1 = Get-ItemProperty -Path $strDetoursNative -Name $strAppInitName -ErrorAction silentlycontinue
2794. $strNativeValue = $DetoursState1.$strAppInitName
2795. # Special case, if 8.3 has been disabled, we may have a full path to our DLLs in the appinit_dlls values, E.g.
2796. # 64-bit computer:
2797. # 32-bit key:
2798. # HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows!AppInit_DLLs
2799. # C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll
2800. # Native key:
2801. # HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows!AppInit_DLLs
2802. # C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll
2803. # 32-bit computer:
2804. # Native key:
2805. # HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows!AppInit_DLLs
2806. # C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll
2807. # In this case, although we already have a problem that the paths are incorrect,
2808. # splitting the path by the spaces and re-writing them would split the wrong entries into multiple wrong entries.
2809. # Therefore, match on the above specific strings and remove them from the considered values to re-write.
2810. #3 Possible full paths for both 32 and 64-bit platforms:
2811. $str64Disabled8Dot3Key1 = "NATIVE|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured_x64.dll" #64-bit computer 1
2812. $str64Disabled8Dot3Key2 = "32|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured.dll" #64-bit computer 2
2813. $str32Disabled8Dot3Key1 = "NATIVE|PROGRAMFILES|Sophos\Sophos Anti-Virus|sophos_detoured.dll" #32-bit computer
2814. $strNewKey1 = "NATIVE|WINDOWS|SYSTEM32\SophosAV|sophos_detoured_x64.dll" #64-bit computer 1
2815. $strNewKey2 = "NATIVE|WINDOWS|SYSWOW64\SophosAV|sophos_detoured.dll" #64-bit computer 2
2816. $strNewKey3 = "NATIVE|WINDOWS|SYSTEM32\SophosAV|sophos_detoured.dll" #32-bit computer
2817. #Localise them:
2818. $str64Disabled8Dot3KeyResolved = GetLocalPathFolder($str64Disabled8Dot3Key1) #64-bit computer 1
2819. $str64Disabled8Dot3Key2Resolved = GetLocalPathFolder($str64Disabled8Dot3Key2) #64-bit computer 2
2820. $str32Disabled8Dot3Key1Resolved = GetLocalPathFolder($str32Disabled8Dot3Key1) #32-bit computer
2821. #New 10.8.4 paths to detours
2822. $strNewKey1Resolved = GetLocalPathFolder($strNewKey1) #64-bit computer 1
2823. $strNewKey2Resolved = GetLocalPathFolder($strNewKey2) #64-bit computer 2
2824. $strNewKey3Resolved = GetLocalPathFolder($strNewKey3) #32-bit computer
2825. Log-Write "Paths to also check for:" "DEBG"
2826. Log-Write "`t $($strNewKey1Resolved)" "DEBG"
2827. Log-Write "`t $($strNewKey2Resolved)" "DEBG"
2828. Log-Write "`t $($strNewKey3Resolved)" "DEBG"
2829. #Array of the possible paths for both platforms, both old and new locations.
2830. $aDetoursPaths = $str64Disabled8Dot3KeyResolved, $str64Disabled8Dot3Key2Resolved, $str32Disabled8Dot3Key1Resolved, $strNewKey1Resolved, $strNewKey2Resolved, $strNewKey3Resolved
2831. #HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows!AppInit_DLLs
2832. if($strNativeValue)
2833. {
2834. Log-Write "`t Native Key: $($strDetoursNative)" "INFO"
2835. Log-Write "`t Native AppInit_DLLs: [$($strNativeValue)]" "INFO"
2836. foreach ($strDetourPath in $aDetoursPaths)
2837. {
2838. Log-Write "`t Possible path: [$($strDetourPath)]" "DEBG"
2839. if ($strNativeValue -match [Regex]::Escape($strDetourPath))
2840. {
2841. #Remove occurance of incorrect full detours path from strNativeValue
2842. Log-Write "`t Removing invalid non 8.3 AppInit_DLLs path: [$($strDetourPath)] from considered values. (EXISTS)" "ERROR"
2843. $strNativeValue = $strNativeValue.replace($strDetourPath, "")
2844. }
2845. }
2846. #split native detours key by command and space
2847. $splitNative = $strNativeValue.split(", ")
2848. #for each detours entry
2849. foreach ($detourNative in $splitNative)
2850. {
2851. if ($detourNative -match $strSophosDetours)
2852. {
2853. #Sophos detours entry
2854. Log-Write "`t Found Sophos (native) 8.3 entry: [$($detourNative)] (EXISTS)" "ERROR"
2855. }
2856. else
2857. {
2858. Log-Write "`t Found non Sophos (native) 8.3 entry: [$($detourNative)]" "INFO"
2859. if ([string]::IsNullOrEmpty($detourNative))
2860. {
2861. Log-Write "`t Empty string, will not add." "DEBG"
2862. }
2863. else
2864. {
2865. #Preserve non Sophos values
2866. $strNew = $strNew + $detourNative + ","
2867. }
2868. }
2869. }
2870. #Remove any trailing space or comma on the string.
2871. $NativeOut = $strNew.TrimEnd(',')
2872. $NativeOut = $NativeOut.trim()
2873. Log-Write "`t New (Native) value: [$($NativeOut)]" "INFO"
2874. #Update the registry value
2875. if ($remove)
2876. {
2877. Log-Write "`t Will update detours key." "INFO"
2878. Set-ItemProperty -Path $strDetoursNative -Name $strAppInitName -Value $NativeOut -ErrorAction silentlycontinue
2879. $global:intDetoursUpdated++
2880. }
2881. }
2882. else
2883. {
2884. Log-Write "`t $($strAppInitName) under: $($strDetoursNative) has no value, will skip." "PASS"
2885. }
2886. #######################################################################
2887. ##WOW
2888. $DetoursState2 = Get-ItemProperty -Path $strDetoursWow -Name $strAppInitName -ErrorAction silentlycontinue
2889. $strWOWValue = $DetoursState2.$strAppInitName
2890. Log-Write "`t WOW3264 Key: $($strDetoursWow)" "INFO"
2891. Log-Write "`t WOW3264 AppInit_DLLs: [$($strWOWValue)]" "INFO"
2892. if($strWOWValue)
2893. {
2894. foreach ($strDetourPath in $aDetoursPaths)
2895. {
2896. Log-Write "`t Possible detours paths if 8.3 is disabled: $($strDetourPath)" "DEBG"
2897. if ($strWOWValue -match [Regex]::Escape($strDetourPath))
2898. {
2899. #Remove occurance of incorrect full detours path from strWOWValue
2900. Log-Write "`t Removing invalid non 8.3 AppInit_DLLs path: $($strDetourPath) from considered values. (EXISTS)" "ERROR"
2901. $strWOWValue = $strWOWValue.replace($strDetourPath, "")
2902. }
2903. }
2904. #split native detours key by command and space
2905. $splitWoW = $strWOWValue.split(", ")
2906. #for each detours entry
2907. foreach ($detwow in $splitWoW )
2908. {
2909. if ($detwow -match $strSophosDetours)
2910. {
2911. #Sophos detours entry
2912. Log-Write "`t Found Sophos (wow6432node) 8.3 entry: [$($detwow)] (EXISTS)" "ERROR"
2913. }
2914. else
2915. {
2916. Log-Write "`t Found non Sophos (wow6432node) 8.3 entry: [$($detwow)]" "INFO"
2917. if ([string]::IsNullOrEmpty($detwow))
2918. {
2919. Log-Write "`t Empty string, will not add." "DEBG"
2920. }
2921. else
2922. {
2923. #Preserve non Sophos values
2924. $strNewWow = $strNewWow + $detwow + ","
2925. }
2926. }
2927. }
2928. #Remove any trailing space or comma on the string.
2929. $WowOut = $strNewWow.TrimEnd(',')
2930. $WowOut = $WowOut.Trim()
2931. Log-Write "`t New (Wow6432node) value: [$($WowOut)]" "INFO"
2932. if ($remove)
2933. {
2934. Log-Write "`t Will update detours key." "INFO"
2935. #Update the registry value
2936. set-ItemProperty -Path $strDetoursWow -Name $strAppInitName -Value $WowOut -ErrorAction silentlycontinue
2937. $global:intDetoursUpdated++
2938. }
2939. }
2940. else
2941. {
2942. Log-Write "`t $($strAppInitName) under: $($strDetoursWow) has no value, will skip." "PASS"
2943. }
2944. }
2945. #=====================================================================================================
2946. #=====================================================================================================
2947. function Get-TimeStamp()
2948. {
2949. return "[{0:MM/dd/yy} {0:HH:mm:ss}]" -f (Get-Date)
2950. }
2951. #=====================================================================================================
2952. #=====================================================================================================
2953. Function Log-Write([string]$strLogLine, [string]$Level)
2954. {
2955. if (-not $global:blNoLogFile)
2956. {
2957. Write-Output "$(Get-TimeStamp) - $Level - $strLogLine" | Out-file $global:strLogFile -append
2958. }
2959. switch ($level)
2960. {
2961. "PASS" {If($ErrorOnly -eq "YES"){}else{Write-Host $(Get-TimeStamp) " P " $strLogLine -ForegroundColor Green}}
2962. "WARN" {If($ErrorOnly -eq "YES"){}else{Write-Host $(Get-TimeStamp) " W " $strLogLine -ForegroundColor Yellow}}
2963. "ERROR" {If($ErrorOnly -eq "YES" -or $ErrorOnly -eq ""){Write-Host $(Get-TimeStamp) " E " $strLogLine -ForegroundColor Red}}
2964. "INFO" {If($ErrorOnly -eq "YES"){}else{Write-Host $(Get-TimeStamp) " I " $strLogLine}}
2965. "HEAD" {If($ErrorOnly -eq "YES"){}else{Write-Host $(Get-TimeStamp) " B " $strLogLine -ForegroundColor Cyan}}
2966. "DEBG" {If($DebugLog -eq "YES"){Write-Host $(Get-TimeStamp) " D " $strLogLine -BackgroundColor white -foregroundcolor black}}
2967. default {If($ErrorOnly -eq "YES" -or $ErrorOnly -eq ""){Write-Host $(Get-TimeStamp) " E "$strLogLine}}
2968. }
2969. }
2970. #=====================================================================================================
2971. #=====================================================================================================
2972. function Log-Exit()
2973. {
2974. #Print the time to run
2975. $elapsedTime = $(get-date) - $StartTime
2976. $totalTime = "{0:HH:mm:ss}" -f ([datetime]$elapsedTime.Ticks)
2977. Log-Write "============================================================================================" "INFO"
2978. if($blnPastPrechecks)
2979. {
2980. Log-Write "============================================================================================" "HEAD"
2981. Log-Write "Summary" "HEAD"
2982. Log-Write "============================================================================================" "HEAD"
2983. Log-Write "Registry keys found: $($intRegKeysFound)" "INFO"
2984. Log-Write "Registry keys to delete: $($intRegKeysTryDelete)" "INFO"
2985. Log-Write "UpgradeCodes removed: $($intRemoveUpgradeCodeKey)" "INFO"
2986. Log-Write "File/folders found: $($intFileFolderExists)" "INFO"
2987. Log-Write "File/folders to delete: $($intFolderFilesAttemptDelete)" "INFO"
2988. Log-Write "MSIs run: $($intMSIsRun)" "INFO"
2989. Log-Write "Uninstall commands: $($intUninstallCMDsRun)" "INFO"
2990. Log-Write "AppInit_DLLs updated: $($intDetoursUpdated)" "INFO"
2991. Log-Write "Drivers found: $($intDriversExist)" "INFO"
2992. Log-Write "Drivers tried to stop: $($intDriversTriedToStop)" "INFO"
2993. Log-Write "Services found: $($intServicesExist)" "INFO"
2994. Log-Write "Services stop issued: $($intServicesAttemptedToStop)" "INFO"
2995. Log-Write "Services to delete: $($intServicesAttemptedToDelete)" "INFO"
2996. Log-Write "Verified processes found: $($intProcessesFound)" "INFO"
2997. Log-Write "Processes attempted to kill: $($intProcessTryKill)" "INFO"
2998. Log-Write "File/folders PFROs created: $($intFilesMarkedForDelete)" "INFO"
2999. Log-Write "Cached Sophos/Surfright MSIs: $($intSophosSurfrightCachedMSIsFound)" "INFO"
3000. Log-Write "Local SAU users found: $($global:intLocalSAUUsersFound)" "INFO"
3001. Log-Write "Local SAU users attempted to delete: $($global:intLocalSAUUsersAttemptDelete)" "INFO"
3002. Log-Write "Local SAV groups found: $($global:intLocalSAVGroupsFound)" "INFO"
3003. Log-Write "Local SAV groups attempted to delete: $($global:intLocalSAVGroupsAttemptDelete)" "INFO"
3004. Log-Write "IFEO Keys with Debugger entries: $($global:IFEOWithDebuggerValue)" "INFO"
3005. Log-Write "IFEO Keys with Debugger entries to remove: $($global:IFEOToDelete)" "INFO"
3006.  
3007. Log-Write "============================================================================================" "INFO"
3008. Log-Write "============================================================================================" "HEAD"
3009. Log-Write "Checking for potential installation problems if reinstalled" "HEAD"
3010. Log-Write "============================================================================================" "HEAD"
3011.  
3012. #Make system checks for future installs
3013. $null = CheckServiceStatusRunning($aBFE)
3014. $null = CheckServiceStatusRunning($aCryptSvc)
3015. $null = CheckServiceStatusRunning($arpc)
3016. $null = CheckServiceStatusRunning($aTaskShed)
3017. $null = CheckThirdParty
3018.  
3019. #Check the max number of NDIS filter that can be installed and how many are installed.
3020. $null = CheckNDISFilters
3021.  
3022. #Check AuthenticodeFlags For TrustedPublisher settings
3023. $null = CheckAuthenticodeFlagsForTrustedPublisher
3024.  
3025. #Check ELAMBKUP directory exists as referenced in the reg valuye BackupPath under the key:
3026. #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch
3027. $null = CheckELAMDirOK
3028.  
3029. if ($global:boolForceMode)
3030. {
3031. Log-Write "Checking Service Control Manager (SCM) for Sophos drivers and services" "INFO"
3032. Log-Write "Checking drivers registry state v.s. the Service Control Manager" "DEBG"
3033. $null = IsSCMOutOfSyncWithRegistry "Driver"
3034.  
3035. Log-Write "Checking services (user mode) registry state v.s. the Service Control Manager" "DEBG"
3036. $null = IsSCMOutOfSyncWithRegistry "UserModeService"
3037.  
3038. #Double Check the Winsock catalog to see if we are still present, being referenced here with no DLL on disk can break neworking.
3039. if (CheckLSPInWinsock)
3040. {
3041. Log-Write "Sophos LSP $($strLSPFileName64) and/or $($strLSPFileName32) is still referenced in the Winsock catalog despite efforts to remove it." "ERROR"
3042. Log-Write "You may need to run the following command: 'netsh winsock reset' in an administrative command prompt and reboot to restore network connectivity." "ERROR"
3043. Log-Write "Important: Running the above reset command will remove other third party DLLs from the Winsock catalog if they exist." "WARN"
3044. Log-Write "Programs that access or monitor the Internet such as antivirus, firewall, or proxy clients may be negatively affected when you run the netsh winsock reset command." "WARN"
3045. Log-Write "If you have a program that no longer functions correctly after you use this resolution, reinstall the program to restore functionality." "WARN"
3046. Log-Write "Running the command 'netsh winsock show catalog | more' will allow you to view other non default DLLs if they are referenced to identify these other applications." "WARN"
3047. }
3048. }
3049. else
3050. {
3051. #In Report mode, if we have found some Sophos processes with IFEO keys with debugger values hightlight it.
3052. Log-Write "Checking 'Image File Execution Options' (IFEO) registry keys" "INFO"
3053.  
3054. if ($global:IFEOWithDebuggerValue -gt 0)
3055. {
3056. Log-Write "`t There are $($global:IFEOWithDebuggerValue) 'Image File Execution Options' (IFEO) for Sophos processes with 'Debugger' values set. See 'Processing IFEO Registry keys' section above." "ERROR"
3057. Log-Write "`t Possible sign of active or previous malicious code having been run." "WARN"
3058. }
3059. else
3060. {
3061. Log-Write "`t There are $($global:IFEOWithDebuggerValue) 'Image File Execution Options' (IFEO) for Sophos processes with 'Debugger' values set." "PASS"
3062. }
3063. }
3064. Log-Write "=============================================================================================" "INFO"
3065. }
3066. if ($global:boolForceMode)
3067. {
3068. #print if PFROs have been created.
3069. if ($global:boolPFRONeedReboot)
3070. {
3071. Log-Write "Pending File Rename Operations (PFROs) have been created. Please reboot and optionally re-run the script to re-check." "WARN"
3072. }
3073. else
3074. {
3075. Log-Write "No Pending File Rename Operations (PFROs) have been created." "DEBG"
3076. }
3077. }
3078. Log-Write "Time to run: $($totalTime)" "INFO"
3079. #If we are logging to a file, show the location at the end.
3080. if(-not $global:blNoLogFile)
3081. {
3082. Log-Write "Log file: $($global:strLogFile)" "INFO"
3083. }
3084. Log-Write "=============================================================================================" "INFO"
3085. }
3086. #=====================================================================================================
3087. #=====================================================================================================
3088. function RemoveLSP()
3089. {
3090. Log-Write "RemoveLSP" "DEBG"
3091. $strLocalPathSWIReg = GetLocalPathRegKey($strWebIntKey)
3092. Log-Write "Sophos Web Intelligence key: $($strLocalPathSWIReg)" "INFO"
3093. #Set swiupdateaction to 3 to remove LSP
3094. Set-ItemProperty -Path $strLocalPathSWIReg -Name $strSWIName -Value $strValueToSet -ErrorAction silentlycontinue
3095. start-Sleep -s 1
3096. foreach ($swiUpdateSer in $strSwiUpdate)
3097. {
3098. if (CheckServiceStartupIsDisabled($swiUpdateSer))
3099. {
3100. SetServiceToManual $swiUpdateSer
3101. }
3102. $null = start-service $swiUpdateSer -ErrorAction silentlycontinue
3103. }
3104. #Try also using swi_update binary directly as the logged on user as a backup to remove the LSP from the Winsock Catalog:
3105. $strLocalPathToSWIUpdate = GetLocalPathFolder ($strUnregLSPCommandPath)
3106. Log-Write "swi_update executable path to directory: $($strLocalPathToSWIUpdate)" "INFO"
3107. foreach ($strSWIUpdateProcessName in $strUnregLSPCommandBin)
3108. {
3109. $strCommandToRunSWI = $strLocalPathToSWIUpdate + "\" + $strSWIUpdateProcessName
3110. Log-Write "swi_update executable path: $($strCommandToRunSWI)" "INFO"
3111. try
3112. {
3113. Start-Process -Wait -NoNewWindow -FilePath $strCommandToRunSWI -ArgumentList $strUnregLSPCommandPar -RedirectStandardOutput "NUL"
3114. }
3115. catch {}
3116. start-Sleep -s 1
3117. }
3118. }
3119. #=====================================================================================================
3120. #=====================================================================================================
3121. Function CheckServiceStartupIsDisabled([string]$strServiceName)
3122. {
3123. Log-Write "CheckServiceStartupIsDisabled - $($strServiceName)" "DEBG"
3124. $ServiceStartup = Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$strServiceName'" -ErrorAction silentlycontinue
3125. if ($ServiceStartup)
3126. {
3127. Log-Write "Service: $($strServiceName) : start-up mode is: $($ServiceStartup.StartMode)" "INFO"
3128. if($ServiceStartup.StartMode -eq "Disabled")
3129. {
3130. return $true
3131. }
3132. else
3133. {
3134. return $false
3135. }
3136. }
3137. else
3138. {
3139. Log-Write "Service: $($strServiceName) does not exist" "INFO"
3140. }
3141. }
3142. #=====================================================================================================
3143. #=====================================================================================================
3144. function SetServiceToManual([string]$strServiceName)
3145. {
3146. Log-Write "Setting service: $($strServiceName) to 'Manual' start-up" "INFO"
3147. $null = set-service $strServiceName -startupType manual -ErrorAction silentlycontinue
3148. }
3149. #=====================================================================================================
3150. #=====================================================================================================
3151. function IsRMSServer()
3152. {
3153. Log-Write "IsRMSServer" "DEBG"
3154. $strLocalRouterKey = GetLocalPathRegKey($strRouterKey)
3155. Log-Write "Checking Sophos RMS Router key: $($strLocalRouterKey)" "INFO"
3156. $strRouterCC = Get-ItemProperty -Path $strLocalRouterKey -Name $strRouterKeyName -ErrorAction silentlycontinue
3157. Log-Write "`t$($strRouterKeyName) = $($strRouterCC.$strRouterKeyName)" "DEBG"
3158. if($strRouterCC.$strRouterKeyName -gt $strRouterEPCC)
3159. {
3160. return $true
3161. }
3162. return $false
3163. }
3164. #=====================================================================================================
3165. #=====================================================================================================
3166. function IsUpdatingOrInstalling()
3167. {
3168. Log-Write "IsUpdatingOrInstalling" "DEBG"
3169. foreach ($strSAUProcess in $strSAUUpdatingProcess)
3170. {
3171. Log-Write "Checking if $($strSAUProcess) is running..." "INFO"
3172. #not in kill mode for process, just check
3173. $isUpdating = ExistProcess $strSAUProcess $false
3174. if ($isUpdating)
3175. {
3176. Log-Write "$($strSAUProcess) is running..." "WARN"
3177. return $true
3178. }
3179. }
3180. return $false
3181. }
3182. #=====================================================================================================
3183. #=====================================================================================================
3184. function ActionMSICode([string]$strMSIPC, [string]$method)
3185. {
3186. Log-Write "Product Code: $($strMSIPC) - Method: $($method)" "DEBG"
3187. $ProductIDFromProductCodeGUID = (Convert-GUIDtoPID $strMSIPC)
3188. Log-Write "`t Derived Windows Installer Code: $($ProductIDFromProductCodeGUID)" "DEBG"
3189. $strCodeBraces = "{"+$strMSIPC.trim()+"}"
3190. $strX = "/X"+$strCodeBraces
3191. $strLog = "/L*V """ + $env:temp +"\Sophos-MSI-Uninstall-"+$strMSIPC+".txt"""
3192. $strKeyProdCode = "HKLM:\SOFTWARE\Classes\Installer\Products\"+$ProductIDFromProductCodeGUID
3193. $strKeyFeatureCode = "HKLM:\SOFTWARE\Classes\Installer\Features\"+$ProductIDFromProductCodeGUID
3194. $arrInstallerCodes = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\"+$ProductIDFromProductCodeGUID
3195. $strUninstallKeyNative = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"+$strCodeBraces
3196. $strUninstallKey32 = "HKLM:\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Uninstall\"+$strCodeBraces
3197. $WindowsInstallerKeys = $strKeyProdCode, $arrInstallerCodes, $strKeyFeatureCode, $strUninstallKeyNative, $strUninstallKey32
3198. #Try running the MSI installer.
3199. if ($global:boolForceMode)
3200. {
3201. #Only run the msi if from data not from GUIDs from cached MSIs
3202. if($method -eq "data")
3203. {
3204. if (ExistRegKey($strKeyProdCode))
3205. {
3206. Log-Write "`t 'Product' key $($strKeyProdCode) exists, will try MSI command to uninstall..." "INFO"
3207. $global:intMSIsRun++
3208. Start-Process -Wait -NoNewWindow -FilePath "msiexec.exe" -ArgumentList "/qn",$strX,$strLog,"REBOOT=ReallySuppress" -RedirectStandardOutput "NUL"
3209. }
3210. else
3211. {
3212. Log-Write "`t No 'product' key will not run MSI" "DEBG"
3213. }
3214. }
3215. }
3216. #Ensure Windows Installer reg keys are gone, based on the Product Code
3217. foreach ($key in $WindowsInstallerKeys)
3218. {
3219. Log-Write "`t Installer key: $($key)" "DEBG"
3220. if (ExistRegKey ($key))
3221. {
3222. #Product Code exists.
3223. if($global:boolForceMode)
3224. {
3225. Log-Write "`t Removing: $($key)" "INFO"
3226. $global:intRegKeysTryDelete++
3227. $null = Remove-Item -Path "$key" -Force -Recurse -ErrorAction silentlycontinue
3228. }
3229. }
3230. else
3231. {
3232. Log-Write "`t 'Product Code' does not exist" "DEBG"
3233. }
3234. }
3235. #Delete the upgrade code key
3236. $ugc = GetUpgradeCodeRegKey($ProductIDFromProductCodeGUID)
3237. if ($ugc)
3238. {
3239. Log-Write "`t $($ugc) (EXISTS)" "ERROR"
3240. if ($global:boolForceMode)
3241. {
3242. Log-Write "`t Removing: $($ugc)" "INFO"
3243. $global:intRemoveUpgradeCodeKey++
3244. $null = Remove-Item -Path $ugc -Force -Recurse -ErrorAction silentlycontinue
3245. }
3246. }
3247. else
3248. {
3249. Log-Write "`t $($ProductIDFromProductCodeGUID) upgrade code (NOT FOUND)" "PASS"
3250. }
3251. }
3252. #=====================================================================================================
3253. #=====================================================================================================
3254. Function RemoveUsingUninstallKeys()
3255. {
3256. Log-Write "RemoveUsingUninstallKeys" "DEBG"
3257. #for each msi product under the uninstall keys where the publisher is Sophos or Surfright
3258. foreach ($UninstallKey in $UninstallerKeys)
3259. {
3260. if (test-path -path $UninstallKey)
3261. {
3262. Log-Write "Enumerating key: $($UninstallKey) for Publisher = Sophos or Surfright" "INFO"
3263. $Keys = gci $UninstallKey -ErrorAction SilentlyContinue
3264. $Items = $Keys | Foreach-Object {Get-ItemProperty $_.PsPath }
3265. ForEach ($Item in $Items)
3266. {
3267. if($Item.Publisher -match "Sophos" -or $Item.Publisher -match "Surfright")
3268. {
3269. Log-Write "Check if the 'UninstallString' value contains msiexec.exe" "DEBG"
3270. if ($Item.QuietUninstallString -match "msiexec.exe" -or $Item.UninstallString -match "msiexec.exe")
3271. {
3272. #This is a MSI install, log the name and productcode (key name)
3273. Log-Write "$($Item.DisplayName) - $($item.pschildname)" "INFO"
3274. #remove braces for ActionMSICode
3275. $strCodeStrippedDown = $item.pschildname -replace "{",""
3276. $strCodeStrippedDown = $strCodeStrippedDown -replace "}",""
3277. Log-Write "Checking $($strCodeStrippedDown)" "INFO"
3278. ActionMSICode $strCodeStrippedDown.trim() "data"
3279. }
3280. }
3281. }
3282. }
3283. }
3284. }
3285. #=====================================================================================================
3286. #=====================================================================================================
3287. Function RemoveFromInstallerCache()
3288. {
3289. Log-Write "RemoveFromInstallerCache" "DEBG"
3290. #For Each .msi file in \windows\installer, get the subject of the cert.
3291. #Check if it belongs to Sophos/Surfright
3292. #If it is, get the ProductCode from the MSI File and run cleanup for it.
3293. #at the end delete the msi?
3294. $strLocalInstallerCacheDir = GetLocalPathFolder($strInstallerCacheDir)
3295. Get-ChildItem $strLocalInstallerCacheDir -Filter *.msi | Foreach-Object {
3296. try
3297. {
3298. $strSig = get-AuthenticodeSignature -ErrorAction SilentlyContinue -filepath $_.FullName
3299. $StrSubject = $strSig.SignerCertificate.Subject
3300. }
3301. catch
3302. {
3303. Log-Write "Unable to get Authenticode Signature of file, could be in use." "WARN"
3304. }
3305. if($StrSubject)
3306. {
3307. if ($StrSubject.ToLower() -match "sophos" -or $StrSubject.ToLower() -match "surfright")
3308. {
3309. Log-Write "Sophos/Surfright signed file $($_.FullName)" "INFO"
3310. $global:intSophosSurfrightCachedMSIsFound++
3311. $ProductCodeFromMSI = ProductCodeFromMSI ($_.FullName)
3312. if ($ProductCodeFromMSI -notmatch "-1")
3313. {
3314. Log-Write "Product Code: $($ProductCodeFromMSI)" "INFO"
3315. $strCodeStrippedDown = $ProductCodeFromMSI -replace "{",""
3316. $strCodeStrippedDown = $strCodeStrippedDown -replace "}",""
3317. Log-Write "$($strCodeStrippedDown) is to be checked as it is in installer cache." "INFO"
3318. ActionMSICode $strCodeStrippedDown "cache"
3319. }
3320. else
3321. {
3322. Log-Write "No Product Code from MSI file." "INFO"
3323. }
3324. #Move the MSI if in force mode to a backup location
3325. if($global:boolForceMode)
3326. {
3327. if(!(Test-Path -path $strBackupMSILocation))
3328. {
3329. $null = New-Item $strBackupMSILocation -Type Directory
3330. }
3331. Log-Write "Copying the found Sophos/Surfright cached MSI: $($_.FullName), to backup location: $($strBackupMSILocation)" "INFO"
3332. copy-item -path $_.FullName -destination $strBackupMSILocation -force -ErrorAction SilentlyContinue
3333. if([Posh]::MarkFileDelete($_.FullName))
3334. {
3335. Log-Write "`t $($_.FullName) marked for deletion at next startup" "INFO"
3336. $global:intFilesMarkedForDelete++
3337. $global:boolPFRONeedReboot = $true
3338. }
3339. }
3340. }
3341. }
3342. } #end of GCI
3343. }
3344. #=====================================================================================================
3345. #=====================================================================================================
3346. function ProductCodeFromMSI([string]$strPathToMSI)
3347. {
3348. Log-Write "ProductCodeFromMSI: $($strPathToMSI)" "DEBG"
3349. $comObjWI = New-Object -ComObject WindowsInstaller.Installer
3350. $MSIDatabase = $comObjWI.GetType().InvokeMember("OpenDatabase","InvokeMethod",$Null,$comObjWI,@($strPathToMSI,0))
3351. $Query = "SELECT Value FROM Property WHERE Property = 'ProductCode'"
3352. $View = $MSIDatabase.GetType().InvokeMember("OpenView","InvokeMethod",$null,$MSIDatabase,($Query))
3353. $View.GetType().InvokeMember("Execute", "InvokeMethod", $null, $View, $null)
3354. $Record = $View.GetType().InvokeMember("Fetch","InvokeMethod",$null,$View,$null)
3355. $Value = $Record.GetType().InvokeMember("StringData","GetProperty",$null,$Record,1)
3356. # Commit database and close view
3357. $MSIDatabase.GetType().InvokeMember("Commit", "InvokeMethod", $null, $MSIDatabase, $null)
3358. $View.GetType().InvokeMember("Close", "InvokeMethod", $null, $View, $null)
3359. $MSIDatabase = $null
3360. $View = $null
3361. if($value)
3362. {
3363. return $value.trim()
3364. }
3365. return "-1"
3366. }
3367. #=====================================================================================================
3368. #=====================================================================================================
3369. function CheckComponent($strComponentName, $aKeys, $aFolders )
3370. {
3371. Log-Write "Checking for component $($strComponentName)" "INFO"
3372. if ($aKeys)
3373. {
3374. #Reg checks
3375. foreach($strKeyToCheck in $aKeys)
3376. {
3377. $strLocalKey = GetLocalPathRegKey ($strKeyToCheck)
3378. if (test-path -Path $strLocalKey -ErrorAction silentlycontinue)
3379. {
3380. Log-Write "Found marker - $($strLocalKey)" "ERROR"
3381. return $true
3382. }
3383. else
3384. {
3385. Log-Write "Marker not found - $($strLocalKey)" "PASS"
3386. }
3387. }
3388. }
3389. else
3390. {
3391. Log-Write "No registry markers to check for $($strComponentName)" "PASS"
3392. }
3393. #Folder checks
3394. if($aFolders)
3395. {
3396. foreach($strFolders in $aFolders)
3397. {
3398. $strLocalFolder = GetLocalPathFolder($strFolders)
3399. if (test-path -Path $strLocalFolder -ErrorAction silentlycontinue)
3400. {
3401. Log-Write "Found marker - $($strLocalFolder)" "ERROR"
3402. return $true
3403. }
3404. else
3405. {
3406. Log-Write "Marker not found - $($strLocalFolder)" "PASS"
3407. }
3408. }
3409. }
3410. else
3411. {
3412. Log-Write "No folder markers to check for $($strComponentName)" "PASS"
3413. }
3414. Log-Write "$($strComponentName) component not found" "DEBG"
3415. return $false
3416. }
3417. #=====================================================================================================
3418. #=====================================================================================================
3419. function DeleteSAUUsers ([string] $strUserName)
3420. {
3421. Log-Write "DeleteSAUUsers $($strUserName)" "DEBG"
3422.  
3423. Log-Write "Checking for local accounts by name prefixed with $($strUserName) and Sophos in the description." "INFO"
3424.  
3425. $localUsers = Get-LocalUser -name $strUserName"*" -ErrorAction SilentlyContinue | where {$_.Description -like "*Sophos*"}
3426. if ($localUsers)
3427. {
3428. Log-Write "List of local SAU users starting $($strUserName):" "INFO"
3429. foreach ($user in $localUsers)
3430. {
3431. Log-Write "`t Found local user: $($user.name) (EXISTS)" "ERROR"
3432. $global:intLocalSAUUsersFound++
3433. if($global:boolForceMode)
3434. {
3435. Log-Write "`t In Remove Mode, will delete local user: $($user.name)" "INFO"
3436. $global:intLocalSAUUsersAttemptDelete++
3437. try
3438. {
3439. $null = Remove-LocalUser -Name $user.name -ErrorAction SilentlyContinue
3440. }
3441. catch{}
3442. }
3443. }
3444. }
3445. else
3446. {
3447. Log-Write "No local SAU users starting $($strUserName)" "PASS"
3448. }
3449. }
3450. #=====================================================================================================
3451. #=====================================================================================================
3452. function CheckThirdParty
3453. {
3454. #Using DisplayName and $aOtherVendors
3455. Log-Write "CheckThirdParty" "DEBG"
3456.  
3457. Log-Write "Checking for other security software using basic string matching" "INFO"
3458.  
3459. $InstalledCSoftware = (Get-ItemProperty -ErrorAction SilentlyContinue $UninstallerKeys2)
3460.  
3461. if ($InstalledCSoftware)
3462. {
3463. foreach ($SoftwareName in $InstalledCSoftware)
3464. {
3465. if ($null -ne ($aOtherVendors | ? { $SoftwareName.DisplayName -match "\b$($_)\b" }))
3466. {
3467. Log-Write "`t $(convert-path $($SoftwareName.pspath))" "INFO"
3468.  
3469. if ($SoftwareName.DisplayVersion)
3470. {
3471. Log-Write "`t $($SoftwareName.DisplayName) - Version: $($SoftwareName.DisplayVersion)" "ERROR"
3472. }
3473. else
3474. {
3475. Log-Write "`t $($SoftwareName.DisplayName) - Version: N/A" "ERROR"
3476. }
3477. #If the regular uninstall string exists always print
3478. if ($SoftwareName.UninstallString)
3479. {
3480. Log-Write "`t`t Uninstall Command: $($SoftwareName.UninstallString)" "INFO"
3481. }
3482. #If that doesn't exist only then check for the less common quiet one.
3483. else
3484. {
3485. If($SoftwareName.QuietUninstallString)
3486. {
3487. Log-Write "`t Quiet Uninstall Command: $($SoftwareName.QuietUninstallString)" "INFO"
3488. }
3489. else
3490. {
3491. Log-Write "`t No UninstallString or QuietUninstallString" "WARN"
3492. }
3493. }
3494. }
3495. }
3496. }
3497. else
3498. {
3499. Log-Write "`t No entries from the 'Uninstall' keys" "WARN"
3500. }
3501. }
3502. #=====================================================================================================
3503. #=====================================================================================================
3504. function DeleteSAVLocalGroup ([string] $SAVGroup)
3505. {
3506. Log-Write "Checking for local group $($SAVGroup)." "INFO"
3507. $LocalSAVGroup = Get-LocalGroup -Name $SAVGroup -ErrorAction SilentlyContinue
3508. if($LocalSAVGroup)
3509. {
3510. Log-Write "`tLocal SAV Group: $($LocalSAVGroup) (EXISTS)" "ERROR"
3511. $global:intLocalSAVGroupsFound++
3512. if($global:boolForceMode)
3513. {
3514. Log-Write "`t In 'Remove' mode, will delete local group: $($LocalSAVGroup.name)" "INFO"
3515. $global:intLocalSAVGroupsAttemptDelete++
3516. try
3517. {
3518. $null = Remove-LocalGroup -Name $LocalSAVGroup.name -ErrorAction SilentlyContinue
3519. }
3520. catch{}
3521. }
3522. }
3523. else
3524. {
3525. Log-Write "No local SAV group named: $($SAVGroup)" "PASS"
3526. }
3527. }
3528. #=====================================================================================================
3529. #=====================================================================================================
3530. function CheckServiceStatusRunning($aService)
3531. {
3532. Log-Write "Checking for service $($aService[1]) ($($aService[0]))" "INFO"
3533. try
3534. {
3535. $service = Get-Service $aService[0] -ErrorAction SilentlyContinue
3536. }
3537. catch
3538. {
3539. return $false
3540. }
3541. If ($service)
3542. {
3543. Log-Write "`t $($aService[1]) (EXISTS)" "INFO"
3544. if($service.Status -eq "Running")
3545. {
3546. Log-Write "`t $($aService[1]) (RUNNING)" "PASS"
3547. return $true
3548. }
3549. else
3550. {
3551. Log-Write "`t $($aService[1]) (NOT RUNNING)" "ERROR"
3552. return $false
3553. }
3554. }
3555. else
3556. {
3557. Log-Write "`t $($aService[1]) (MISSING)" "ERROR"
3558. return $false
3559. }
3560. }
3561. #=====================================================================================================
3562.  
3563. #=====================================================================================================
3564. function CheckAuthenticodeFlagsForTrustedPublisher()
3565. {
3566. Log-Write "CheckAuthenticodeFlagsForTrustedPublisher" "DEBG"
3567.  
3568. Log-Write "Checking TrustedPublisher AuthenticodeFlags for value 2" "INFO"
3569.  
3570. foreach ($TrustedPublisherKey in $strFlagsTrustedPublisherKeys)
3571. {
3572. Log-Write "Checking $($TrustedPublisherKey)" "DEBG"
3573.  
3574. $AuthenticodeFlagsValue = Get-ItemProperty -Path $TrustedPublisherKey -Name $strDWORDAuthenticodeValue -ErrorAction silentlycontinue
3575.  
3576. If (-not $AuthenticodeFlagsValue)
3577. {
3578. $AuthenticodeFlagsValue = "[Not set]"
3579. }
3580. else
3581. {
3582. $AuthenticodeFlagsValue = $AuthenticodeFlagsValue.$strDWORDAuthenticodeValue
3583. }
3584.  
3585. if($AuthenticodeFlagsValue -eq $AuthenticodeFlagsDWORDProb)
3586. {
3587. Log-Write "`t $($strDWORDAuthenticodeValue) under $($TrustedPublisherKey) is set to $($AuthenticodeFlagsValue)" "WARN"
3588. Log-Write "`t This policy setting can cause certain versions of Sophos NTP and/or SCF to fail installation. Please check Group Policy" "WARN"
3589. }
3590. else
3591. {
3592. Log-Write "`t $($strDWORDAuthenticodeValue) under $($TrustedPublisherKey) is set to $($AuthenticodeFlagsValue)" "DEBG"
3593. }
3594. }
3595. }
3596. #=====================================================================================================
3597.  
3598. #=====================================================================================================
3599. function CheckNDISFilters()
3600. {
3601. Log-Write "CheckNDISFilters" "DEBG"
3602. Log-Write "Number required for Sophos: $($intFiltersRequired)" "DEBG"
3603. $intMaxNumFilters = Get-ItemProperty -Path $strMaxFiltersKey -Name $strMaxNumFilters -ErrorAction silentlycontinue
3604.  
3605. if ($intMaxNumFilters)
3606. {
3607. Log-Write "Checking for NDIS filter space" "INFO"
3608.  
3609. $intMaxFilters = $intMaxNumFilters.$strMaxNumFilters
3610.  
3611. Log-Write "`t Checking maximum number of NDIS Filter drivers registry value 'MaxNumFilters': $($intMaxFilters)" "INFO"
3612.  
3613. if ($intMaxFilters -gt $intDefaultMaxFilters)
3614. {
3615. Log-Write "`t 'MaxNumFilters' has been increased from the default of $($intDefaultMaxFilters)" "INFO"
3616. }
3617. if ($intMaxFilters -lt $intDefaultMaxFilters)
3618. {
3619. Log-Write "`t 'MaxNumFilters' has been decreased from the default of $($intDefaultMaxFilters)" "WARN"
3620. }
3621. if ($intMaxFilters -eq $intDefaultMaxFilters)
3622. {
3623. Log-Write "`t 'MaxNumFilters' is unchanged from the default ($($intDefaultMaxFilters))" "INFO"
3624. }
3625. }
3626. else
3627. {
3628. #Using the reg key as a test for Windows 7 and platforms which have a limit.
3629. #I assume on Win 7, if the key doesn't exist the default is 8 but then it seems
3630. #unlikley someone would have deleted the registry value.
3631. Log-Write "($strMaxNumFilters) registry value does not exist. Assuming not a limitation on this platform." "DEBG"
3632. return 0
3633. }
3634. #Count in use
3635. $strRegPath = $strMaxFiltersKey+"{4d36e974-e325-11ce-bfc1-08002be10318}"
3636. Log-Write "NDIS registry path: $($strRegPath)" "DEBG"
3637. $children = get-childitem -path $strRegPath -ErrorAction SilentlyContinue | get-childitem | where-object {$_.PSChildName -eq "Ndi"} | get-itemproperty | where-object {$_.FilterClass} | get-itemproperty -name FilterClass
3638. if ($children)
3639. {
3640. Log-Write "`t Number of NDIS Filter drivers installed $($children.count)" "INFO"
3641. if ($children.count -gt 0)
3642. {
3643. foreach ($filter in $children)
3644. {
3645. $strDesc = (get-itemproperty -path $filter.PSParentPath).Description
3646. if($strDesc -match "sophos")
3647. {
3648. Log-Write "`t $($strDesc)" "WARN"
3649. }
3650. else
3651. {
3652. Log-Write "`t $($strDesc)" "INFO"
3653. }
3654. }
3655. }
3656. $intSpaceLeft = $intMaxFilters - $children.count
3657. Log-Write "`t Number of NDIS drivers that still can be installed on computer: $($intSpaceLeft)" "INFO"
3658. if ($intSpaceLeft -ge $intFiltersRequired)
3659. {
3660. Log-Write "`t $($intFiltersRequired) NDIS filters can be installed for Sophos (based on required number of $($intFiltersRequired))" "PASS"
3661. }
3662. else
3663. {
3664. Log-Write "`t You need to increase the value of $($strMaxNumFilters) under:" "ERROR"
3665. Log-Write "`t $($strMaxFiltersKey)" "ERROR"
3666. Log-Write "`t 14 is the maximum and a reboot is required for the change to take effect. See KBA 133450." "ERROR"
3667. }
3668. }
3669. else
3670. {
3671. Log-Write "$($strRegPath) did not exist. Failed to determine number of NDIS filters installed." "WARN"
3672. }
3673. }
3674. #=====================================================================================================
3675. function CheckELAMDirOK()
3676. {
3677. Log-Write "CheckELAMDirOK" "DEBG"
3678. #Check 'EarlyLaunch' registy key exists as a check for the platform supporting ELAM.
3679. if (test-path $strEarlyLaunchKey)
3680. {
3681. Log-Write "Checking registry key: '$($strEarlyLaunchKey)' exists. Assume platform supports ELAM" "DEBG"
3682. #Get location, probably windir + ELAMBKUP
3683. $strELAMBackupLocation = Get-ItemProperty -Path $strEarlyLaunchKey -Name $strELAMBackupPath -ErrorAction silentlycontinue
3684. if ($strELAMBackupLocation)
3685. {
3686. $strPathToCheck = $strELAMBackupLocation.$strELAMBackupPath
3687. #Check if the path found in the registry exists
3688. Log-Write "Checking Windows 'EarlyLaunch' backup directory" "INFO"
3689. if (test-path $strPathToCheck)
3690. {
3691. Log-Write "`t $($strPathToCheck) exists." "PASS"
3692. return $true
3693. }
3694. else
3695. {
3696. Log-Write "`t $($strPathToCheck) does not exists. It is suggested that you create this directory." "ERROR"
3697. return $false
3698. }
3699. }
3700. else
3701. {
3702. Log-Write "Checking Windows 'EarlyLaunch' registry value" "INFO"
3703. $WindowsELAMDirSuggestion = $env:windir +"\ELAMBKUP"
3704. Log-Write "'$($strELAMBackupPath)' registry value does not exist." "ERROR"
3705. Log-Write "It is suggested that you create this REG_SZ under the registry key '$($strEarlyLaunchKey)' and set it to be: $($WindowsELAMDirSuggestion)" "ERROR"
3706. return $false
3707. }
3708. }
3709. else
3710. {
3711. Log-Write "$($strEarlyLaunchKey) does not exist, assume platform does not support ELAM" "DEBG"
3712. }
3713. return $true
3714. }
3715. #=====================================================================================================
3716. #=====================================================================================================
3717. function CheckSCFFilterListRegKey
3718. {
3719. Log-Write "CheckSCFFilterListRegKey" "DEBG"
3720. $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}"
3721. $NetCfgInstanceId = "AACC1E53-F734-42C2-A5D0-649E4A59AC5D"
3722. $regValueName = "FilterList"
3723. #For each key look for a "FilterList" registry value
3724. Get-ChildItem $key -recurse -ea SilentlyContinue | ForEach-Object {
3725. if($_.Property -eq $regValueName)
3726. {
3727. #Key has a FilterList
3728. $counter = 0
3729. Log-Write "Found $($regValueName) under registry key:" "INFO"
3730. Log-Write "`t $($_.PsPath)" "INFO"
3731. $FilterListItems = (get-itemproperty $_.PsPath).$regValueName
3732. #Array to hold values.
3733. $newArray = New-Object System.Collections.ArrayList
3734. Log-Write "All existing entries in $regValueName registry value:" "DEBG"
3735. foreach ($entry in $FilterListItems)
3736. {
3737. Log-Write "`t $($entry)" "DEBG"
3738. if ($entry -match $NetCfgInstanceId)
3739. {
3740. #Filter out Sophos entries from being added to the new array.
3741. Log-Write "The Sophos value $($entry) is in $($regValueName) reg value under the key:" "ERROR"
3742. Log-Write "`t$($_.PsPath)" "ERROR"
3743. $counter++
3744. }
3745. else
3746. {
3747. $newArray.add($entry) > $null
3748. }
3749. }
3750. if ($counter -gt 0)
3751. {
3752. Log-Write "Found $($counter) Sophos item(s)." "DEBG"
3753. #Print the new values
3754. Log-Write "New values if written would be:" "DEBG"
3755. foreach ($newValueToWrite in $newArray)
3756. {
3757. Log-Write "`t`$($newValueToWrite)" "DEBG"
3758. }
3759. if($global:boolForceMode)
3760. {
3761. Log-Write "`t Attempting to update $($regValueName) registry" "INFO"
3762. try
3763. {
3764. $null = set-ItemProperty -Path $_.PsPath -type multistring -Name $regValueName -Value $newArray -ErrorAction silentlycontinue
3765. }
3766. catch
3767. {
3768. Log-Write "`t Failed to update registry." "ERROR"
3769. }
3770. }
3771. }
3772. else
3773. {
3774. Log-Write "`t No Sophos entries found in ($regValueName) under $($_.PsPath)" "PASS"
3775. }
3776. }
3777. }
3778. }
3779. #=====================================================================================================
3780. #=====================================================================================================
3781. function RemoveSAVScheduledScan
3782. {
3783. Log-Write "RemoveSAVScheduledScan" "DEBG"
3784. $STasks = Get-ScheduledTask -ErrorAction silentlycontinue
3785. $intCountTasks = 0
3786. $intCountTasksRemoved = 0
3787. if ($STasks)
3788. {
3789. foreach ($task in $STasks)
3790. {
3791. if ($task.Actions.Execute -match $strSAVSchedScanExe)
3792. {
3793. $intCountTasks++
3794. Log-Write "Found Sophos scheduled task: $($task.TaskName) - $($task.Actions.Execute)" "ERROR"
3795. if ($global:boolForceMode)
3796. {
3797. Log-Write "Removing Sophos Anti-Virus scheduled task" "INFO"
3798. try
3799. {
3800. Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false -ErrorAction silentlycontinue
3801. $intCountTasksRemoved++
3802. }
3803. catch
3804. {
3805. Log-Write "Error removing task $($task.TaskName)" "WARN"
3806. }
3807. }
3808. }
3809. }
3810. if ($intCountTasks -gt 0)
3811. {
3812. Log-Write "Number of Sophos Anti-Virus scheduled scan tasks found: $($intCountTasks)" "ERROR"
3813. if ($global:boolForceMode)
3814. {
3815. Log-Write "Number of Sophos Anti-Virus scheduled scan tasks removed: $($intCountTasksRemoved)" "INFO"
3816. }
3817. }
3818. else
3819. {
3820. Log-Write "Number of Sophos Anti-Virus scheduled scan tasks found: $($intCountTasks)" "PASS"
3821. }
3822. }
3823. else
3824. {
3825. Log-Write "Unable to get a list of scheduled tasks" "WARN"
3826. }
3827. }
3828. #=====================================================================================================
3829. #=====================================================================================================
3830. function TidyInstallerFoldersKey()
3831. {
3832. Log-Write "TidyInstallerFoldersKey" "DEBG"
3833. #Get just the registry values (folders) where the data value for the path is not 1:
3834.  
3835. $FilteredRegValues = (Get-ItemProperty -ErrorAction SilentlyContinue $WIFoldersKey).psobject.properties | where-object {$_.Value -ne 1}
3836. if ($FilteredRegValues)
3837. {
3838. foreach ($regValue in $FilteredRegValues)
3839. {
3840. if ($null -ne ($toFindInFoldersKey | ? { $regValue -match $_ }) )
3841. {
3842. Log-Write "Found: $($regValue.Name)" "ERROR"
3843. if ($global:boolForceMode)
3844. {
3845. Log-Write "Removing: $($regValue.Name)" "INFO"
3846. remove-itemproperty -path $WIFoldersKey -name $regValue.Name -ErrorAction SilentlyContinue
3847. }
3848. }
3849. else
3850. {
3851. #$regValue.Name would be too much to log to the file.
3852. }
3853. }
3854. }
3855. }
3856. #=====================================================================================================
3857. #=====================================================================================================
3858. function IsSCMOutOfSyncWithRegistry ([string]$toCheck)
3859. {
3860. Log-Write "IsSCMOutOfSyncWithRegistry $($toCheck)" "DEBG"
3861. #Create friendly name for logging
3862. switch ($toCheck)
3863. {
3864. "UserModeService" {$strFriendlyName = "Service"}
3865. "Driver" {$strFriendlyName = "Driver"}
3866. }
3867. $SCMOddState = 0 #If this is > 0 then one or more services are out of sync.
3868. $xmlComponents | Select-Xml -XPath "//RemovalData/Components" | foreach {
3869. foreach ($itemToProcess in $_.node.ChildNodes)
3870. {
3871. #Don't consider the first service group of the data to prevent duplicates.
3872. if ($itemToProcess.FridendlyName.element -ne $strFirstGroupAvoidDups)
3873. {
3874. Log-Write "Component: $($itemToProcess.FridendlyName.element)" "DEBG"
3875. if($itemToProcess.$toCheck)
3876. {
3877. foreach ($indService in $itemToProcess.$toCheck.element)
3878. {
3879. Log-Write "`t $($toCheck): $($indService)" "DEBG"
3880. if ($indService -ne "Sophos System Protection Service") #sophossps and "Sophos System Protection Service" exist, reg key is sophossps
3881. {
3882. try
3883. {
3884. $s = get-service $indService -ErrorAction Stop
3885. if ($s.Status)
3886. {
3887. #We have a status so SCM knows about it but does it have a registry key:
3888. $regService = "HKLM:\SYSTEM\CurrentControlSet\Services\"+$indService
3889. Log-Write "`t Check: $($regService)" "DEBG"
3890. $SvsRegExists = test-path -path $regService
3891. if ($SvsRegExists)
3892. {
3893. Log-Write "`t'$($regService)' exists" "DEBG"
3894. #Check if there is a ImagePath
3895. $regCheck = (get-itemproperty -path $regService).ImagePath
3896. if (-not $regCheck)
3897. {
3898. Log-Write "$($strFriendlyName): '$($indService)', state: '$($s.Status)', a component of: '$($itemToProcess.FridendlyName.element)' has no ImagePath." "WARN"
3899. $SCMOddState++
3900. }
3901. }
3902. else
3903. {
3904. $SCMOddState++
3905. Log-Write "$($strFriendlyName): '$($indService)', state: '$($s.Status)', a component of: '$($itemToProcess.FridendlyName.element)' has no service registry key." "WARN"
3906. }
3907. }
3908. }
3909. catch
3910. {
3911. Log-Write "`t`t$($indService) does not exist according to 'get-service'" "DEBG"
3912. }
3913. }
3914. }
3915. }
3916. }
3917. }
3918. }
3919. if ($SCMOddState -gt 0)
3920. {
3921. Log-Write "The '$($strFriendlyName)' entries listed above have a 'state' according to the Service Control Manager (SCM) but have no/invalid service registry keys. Please reboot before re-installing to resolve." "ERROR"
3922. return $true
3923. }
3924. return $false
3925. }
3926. #=====================================================================================================
3927. #=====================================================================================================
3928. function CheckSophosIFEO()
3929. {
3930. Log-Write "CheckSophosIFEO" "DEBG"
3931.  
3932. $xmlComponents | Select-Xml -XPath "//RemovalData/Components" | foreach {
3933. foreach ($itemToProcess in $_.node.ChildNodes)
3934. {
3935. #Don't consider the first service group of the data to prevent duplicates.
3936. if ($itemToProcess.FridendlyName.element -ne $strFirstGroupAvoidDups)
3937. {
3938. Log-Write "Component: $($itemToProcess.FridendlyName.element)" "DEBG"
3939. if($itemToProcess."Processes")
3940. {
3941. foreach ($inProcess in $itemToProcess."Processes".element)
3942. {
3943. if (-not ($strToSkipForIFEO -contains $inProcess ))
3944. {
3945. foreach ($keyToCheck in $strIFEOAll)
3946. {
3947. $strPathToCheck = $keyToCheck+$inProcess
3948. Log-Write "Checking key: $($strPathToCheck)" "DEBG"
3949.  
3950. if (test-path $strPathToCheck)
3951. {
3952. Log-Write "$($strPathToCheck) exists" "DEBG"
3953. #Check if it has a debugger value
3954. $regCheckDebugger = (get-itemproperty -path $strPathToCheck)."Debugger"
3955.  
3956. if($regCheckDebugger)
3957. {
3958. $global:IFEOWithDebuggerValue++
3959. Log-Write "$($strPathToCheck) has a 'Debugger' value under the key with the value: [$($regCheckDebugger)]" "ERROR"
3960.  
3961. if ($global:boolForceMode)
3962. {
3963. Log-Write "Running in remove mode, will delete key: $($strPathToCheck)" "INFO"
3964. $global:IFEOToDelete++
3965. $null = Remove-Item -Path $strPathToCheck -Force -Recurse -ErrorAction silentlycontinue
3966. }
3967. }
3968. else
3969. {
3970. Log-Write "No 'Debugger' entry" "DEBG"
3971. }
3972. }
3973. Else
3974. {
3975. Log-Write "No IFEO registry key: $($strPathToCheck)" "PASS"
3976. }
3977. }
3978. }
3979. else
3980. {
3981. Log-Write "Skipping process named '$($inProcess)' as too generic." "DEBG"
3982. }
3983. }
3984. }
3985. }
3986. }
3987. }
3988. }
3989. #=====================================================================================================
3990. #=====================================================================================================
3991. function CheckLSPInWinsock()
3992. {
3993. Log-Write "CheckLSPInWinsock" "DEBG"
3994. try
3995. {
3996. Log-Write "Attempting to run the command 'netsh winsock show catalog' to see if our LSP is in the Winsock catalog" "DEBG"
3997. $StringNetshCatOutput = netsh winsock show catalog
3998. if ($StringNetshCatOutput)
3999. {
4000. foreach ($lineInOutPut in $StringNetshCatOutput)
4001. {
4002. if ($lineInOutPut -match $strLSPFileName64 -or $lineInOutPut -match $strLSPFileName32)
4003. {
4004. Log-Write "Found line in catalog: $($lineInOutPut)" "DEBG"
4005. return $true
4006. }
4007. }
4008. }
4009. }
4010. catch
4011. {
4012. Log-Write "Failed to run netsh command." "DEBG"
4013. #will not return true but will default to false as I have tried to remove the LSP in a number of ways
4014. }
4015. Log-Write "Did not find our LSPs: $($strLSPFileName64) and/or $($strLSPFileName32), in the Winsock Catalog" "DEBG"
4016. return $false
4017. }
4018. #=====================================================================================================
4019. Main
4020. Log-Exit