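:: ---------------------- PREREQUISITES --------------------------
:: Pre-flight checks: refuse to run on Windows Server and require an elevated
:: (administrator) token before anything on the machine is touched.

echo Ready to run this script?
REM pause

@setlocal EnableDelayedExpansion
:: Script cannot be run on servers.
:: The FOR line parses the "Caption=<OS name>" line printed by WMIC into %vers%.
:: NOTE(review): if WMIC is missing or fails, %vers% stays undefined, the FIND
:: below does not match and the server check passes silently - confirm WMIC is
:: present on the target OS builds.
FOR /F "TOKENS=1,* DELIMS==" %%u IN ('WMIC OS GET CAPTION /VALUE') DO IF /I "%%u"=="Caption" SET vers=%%v
:: Stop here on a server SKU. Previously the message was printed and the script
:: carried on into the removal steps once the pause was dismissed.
ECHO.%vers% | FIND /I "Microsoft Windows Server">Nul && (echo You cannot run this script on a server&pause&exit /b 1)
@setlocal DisableDelayedExpansion

:: Script must be run with elevation.
:: A zero exit code from openfiles is treated as proof of an elevated token.
openfiles>nul 2>&1
if %errorlevel% EQU 0 goto ElevatedTrue
echo Script NOT executed with administrative elevation
REM pause
exit
:ElevatedTrue
echo Script executed with administrative elevation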
20
21
22
23:: ----------------------- MAIN INDEX ----------------------------
24:: This script is constructed to apply an order of operation for Sophos components and services as defined by Sophos company, as best as possible, from https://community.sophos.com/kb/en-us/122126 and https://community.sophos.com/kb/en-us/109668 . The application of this OOO in this script is not 100% perfect, but I tried my best to match the words of the Sophos company. Here is the OOO list that I have assembled based on these resources and some educated guesses (some Sophos products are missing from this list because I was unable to find resources on them):
25:: Sophos Patch Agent
26:: Sophos Compliance Agent / NAC / Network Access Compliance
27:: Sophos Network Threat Protection / NTP / Endpoint / Server
28:: Sophos System Protection / SSP
29:: Sophos Client Firewall / SCF
30:: Sophos Endpoint Firewall / Endpoint / Server
31:: Sophos Anti-Virus Endpoint
32:: Sophos Anti-Virus Server
33:: Sophos Anti-Virus / SAV
34:: Sophos Exploit Prevention / SEP
35:: Sophos Remote Management System / RMS
36:: Sophos Health / Endpoint / Server
37:: Sophos Diagnostic Utility / Endpoint / Server
38:: Sophos Management Communications System / MCS / Server
39:: Sophos Management Communications System Endpoint
40:: Sophos Management Console
41:: Sophos Management Server
42:: Sophos Management Database
43:: Sophos [MCS?] Heartbeat
44:: Sophos Endpoint Self Help / Endpoint / Server
45:: Sophos Lockdown
46:: Sophos File Scanner / Endpoint / Server
47:: Sophos Standalone Engine / Endpoint / Server
48:: Sophos ML Engine
49:: Sophos Endpoint
50:: Sophos Endpoint Agent
51:: Sophos Clean / Endpoint / Server
52:: Sophos AutoUpdate XG / Endpoint / Server
53:: Sophos AutoUpdate / SAU
54:: Sophos Endpoint Defense / SED / Endpoint / Server
55:: HitmanPro / HMPA managed
56:: HitmanPro
57:: Others - Sophos Message Router
58:: Others - Sophos Cache Manager / Update Manager
59:: Others - Sophos Certification Manager
60:: Others - Sophos Cloud AD Sync Utility
61:: Others - Sophos Data Recorder
62:: Others - Sophos File Integrity Monitoring
63:: Others - Sophos Management Host
64:: Others - Sophos Management Service
65:: Others - Sophos Patch Endpoint Communicator
66:: Others - Sophos Patch Endpoint Orchestrator
67:: Others - Sophos Patch Server Communicator
68:: Others - Sophos Policy Evaluation Service
69:: Others - Sophos PureMessage
70:: Others - Sophos PureMessage Web Agent
71:: Others - Sophos PureMessage Running Object Table (ROT)
72:: Others - Sophos PureMessage Content Extractor
73:: Others - Sophos PureMessage Watchdog Agent
74:: Others - Sophos PureMessage Scanner
75:: Others - Sophos Encryption For Cloud Storage
76:: Others - Sophos Central AD Sync Utility
77:: Others - Sophos Virus Removal Tool
78:: Others - Unknown
79
80
81
:: This script is not specifically targeting HitmanPro but includes some entries because of someone's Sophos removal script
83
84
85
86:: Here is the general procedure we are following for removal of Sophos:
:: 1. Disable, gracefully stop, and forcefully stop "Sophos AutoUpdate Service" service (as advised at https://community.sophos.com/kb/en-us/109668)
88:: 2. Perform graceful Sophos MSI/EXE uninstalls to allow the product the opportunity to properly remove itself
89:: 3. Set all Sophos services to disabled
90:: 4. Stop all Sophos services gracefully
91:: 5. Kill all Sophos services by force
92:: 6. Set all Sophos driver services to disabled
93:: 7. Stop all Sophos driver services gracefully
94:: 8. Kill all Sophos driver services by force
95:: 9. Uninstall all Sophos driver services via INF files
96:: 10. Kill all Sophos processes by force
:: 11. Repeat steps 1-10 (we attempted a graceful uninstall outright; this time we retry the graceful uninstall with all services and processes stopped and some drivers unhooked. We haven't deleted anything yet!)
98:: 12. Delete all Sophos services
99:: 13. Delete all Sophos driver services
100:: 14. Unregister EXEs to known Sophos files (/UnRegServer and -Uninstall methods)
101:: 15. Unregister DLLs to known Sophos files (REGSVR32 method)
102:: 16. Kill all Sophos processes by force
103:: 17. Delete all Sophos registry keys and values
104:: 18. Nuke all Sophos folders and files from orbit
105:: 19. Repeat steps 1-18 (if something still lingers on the system by this point in time then there is a possibility that rerunning all the steps one last time will annihilate them. Ultimately, a reboot will be necessary to confirm that the system comes back online and to allow PendingFileRenameOperations to do its thing for remaining files)
106
107
108
109:: This script was put together through extremely thorough research and analysis of/using:
110:: - SysInternals Autoruns, Process Explorer, and Process Monitor
111:: - Search Everything
112:: - RevoUninstaller Pro install/uninstall logs
113:: - MSI GUID, Service Name, Service Display Name, Install Path, and Uninstall String search from RMM system of 11000 agents
114:: - Probably more than 10 different Sophos removal scripts found via Googling
115:: - More than 40 hours of time
116
117
118
:: Main sequence. Two flags turn the single :TryAgain loop into three passes:
::   pass 1 - Prerequisites, Uninstall, Services (TryAgain=TRUE, so the service
::            and driver routines return before their deletion steps)
::   pass 2 - the same three chapters with deletion enabled, then Unregister
::            and Deletion
::   pass 3 - everything once more for whatever survived (OneLastTime)
:: NOTE(review): no exit code is checked or logged anywhere in this sequence, so
:: a pass that failed looks the same as one that succeeded; capture the console
:: output to a file when this is run unattended.
set "TryAgain=TRUE"
set "OneLastTime=TRUE"
:TryAgain
call :proxy Prerequisites
call :proxy Uninstall
call :proxy Services
:: End of the first pass: clear the flag and run the three chapters again.
if "%TryAgain%"=="TRUE" (
    set "TryAgain=FALSE"
    goto :TryAgain
)
:: To aid debugging, uncomment the next two lines plus the 'pause' under the
:: labels :proxy and :proxytwo
::echo You should have seen MSI stuff happen twice
::pause
call :proxytwo Unregister
call :proxytwo Deletion
:: OneLastTime buys one more full round for the absolutely stubborn files.
if "%OneLastTime%"=="TRUE" (
    set "OneLastTime=FALSE"
    goto :TryAgain
)

echo Script is at the end of the line and has finished
REM pause
exit
137
138
139
140:: ---------------------------- CHAPTERS -----------------------------
:Prerequisites
:: Chapter 1: take the AutoUpdate service out of play before anything else, as
:: instructed at https://community.sophos.com/kb/en-us/109668
:: Order: disable the start type, ask the service to stop, kill its process
:: tree (ALsvc.exe), delete the service, then delete its registry key directly.
:: NOTE(review): with Sophos Tamper Protection still enabled these commands are
:: expected to be refused; nothing here checks for that - confirm it is turned
:: off from the management console before the script is scheduled.
:: setlocal keeps the helper variable from leaking into the caller; it is
:: closed explicitly below and would also end when the routine returns.
setlocal
set "AutoUpdateSvc=Sophos AutoUpdate Service"
sc config "%AutoUpdateSvc%" start= disabled
net stop "%AutoUpdateSvc%"
taskkill /T /F /IM "ALsvc.exe"
sc delete "%AutoUpdateSvc%"
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\%AutoUpdateSvc%" /f
endlocal
exit /b 0
150
151
152
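:Uninstall
:: Chapter 2: try to uninstall all Sophos products gracefully and let them
:: complete most of the removal work themselves.
:: Each product is attempted through the :msiexec helper (defined elsewhere in
:: this file; it receives either a product GUID or a cached .msi path) or by
:: running the product's own uninstaller. Paths that do not exist on a given
:: machine simply produce a "cannot find the path" message and the script
:: moves on; no exit code is inspected.
:: NOTE(review): the cached .msi files live under C:\ProgramData and are handed
:: to an elevated helper - confirm the Cache\decoded folders are writable by
:: administrators only on the machines this runs on.
:: The sources of some GUIDs (not in any particular order):
:: (1) https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/93514/endpoint-agent-installation/338867?pi2147=246
:: (2) https://www.itninja.com/software/sophos/anti-virus/7-201
:: (3) https://kc.mcafee.com/corporate/index?page=content&id=KB85522&locale=en_SG&viewlocale=en_SG
:: (4) https://gist.github.com/Coopeh/8470068
:: (5) https://rmccurdy.com/scripts/SOSO.txt
:: (6) Personally examining a virtual machine with Sophos Endpoint Agent installed using tools RevoUninstaller, Autoruns, Everything, Process Explorer
:: (7) And scripts written by others
:: Index entries with nothing to uninstall in this chapter: Exploit Prevention,
:: AutoUpdate XG, Message Router, Certification Manager, Data Recorder, File
:: Integrity Monitoring, Management Host, Management Service, the three Patch
:: communicator/orchestrator services, Policy Evaluation Service, the
:: PureMessage sub-components, Encryption For Cloud Storage, Unknown.

:: Sophos Patch Agent
call :msiexec "{2FB80981-C6B6-4FCA-BC65-24437DF4C8CB}"
call :msiexec "{29006785-9EF7-4E84-ABE8-6244D12E7909}"
call :msiexec "{391530CF-3500-404D-867C-42514304917A}"
call :msiexec "{5565E71F-091B-42B8-8514-7E8944860BFD}"

:: Sophos Compliance Agent / NAC / Network Access Compliance
call :msiexec "{486FEABF-70EB-48C1-9C35-700B74A8EBE6}"
call :msiexec "{8BCFF7E3-E241-4230-BB5D-A6676E840F65}"
call :msiexec "{79406B81-26C4-4EAA-8CE2-5637B3279AC2}"
call :msiexec "{53613148-723B-4EF2-B45E-21F2BE0C0DB3}"
call :msiexec "{1A7EE8FF-391D-4030-8021-5F560189B87F}"
call :msiexec "{8BD17D77-227B-4CF6-BC9A-4304F569D8E9}"

:: Sophos Network Threat Protection / NTP / Endpoint / Server
call :msiexec "{604350BF-BE9A-4F79-B0EB-B1C22D889E2D}"
call :msiexec "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\ntp64\Sophos Network Threat Protection.msi"
call :msiexec "{66967E5F-43E8-4402-87A4-04685EE5C2CB}"

:: Sophos System Protection / SSP
call :msiexec "{934BEF80-B9D1-4A86-8B42-D8A6716A8D27}"
call :msiexec "{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}"

:: Sophos Client Firewall / SCF
call :msiexec "{12C00299-B8B4-40D3-9663-66ABEA3198AB}"
call :msiexec "{17071117-5BB2-4737-B05B-C5FABD367313}"

:: Sophos Endpoint Firewall / Endpoint / Server
call :msiexec "{2831282D-8519-4910-B339-2302840ABEF3}"
call :msiexec "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\efw64\Sophos Endpoint Firewall.msi"

:: Sophos Anti-Virus Endpoint
call :msiexec "{8123193C-9000-4EEB-B28A-E74E779759FA}"
call :msiexec "{36333618-1CE1-4EF2-8FFD-7F17394891CE}"
call :msiexec "{DFDA2077-95D0-4C5F-ACE7-41DA16639255}"
call :msiexec "{CA3CE456-B2D9-4812-8C69-17D6980432EF}"
call :msiexec "{CA524364-D9C5-4804-92DE-2800BDAC1AA4}"
call :msiexec "{3B998572-90A5-4D61-9022-00B288DD755D}"
call :msiexec "{4BAF6F55-FFE4-4A3A-8367-CC2EBB0F11C3}"
call :msiexec "{BA8752FE-75E5-43DD-9913-23509EFEB409}"
call :msiexec "{034759DA-E21A-4795-BFB3-C66D17FAD183}"
call :msiexec "{9ACB414D-9347-40B6-A453-5EFB2DB59DFA}"
:: Sophos Anti-Virus Server
call :msiexec "{72E30858-FC95-4C87-A697-670081EBF065}"
call :msiexec "{2519A41E-5D7C-429B-B2DB-1E943927CB3D}"
call :msiexec "{6654537D-935E-41C0-A18A-C55C2BF77B7E}"
:: Sophos Anti-Virus / SAV
call :msiexec "{6CA90A07-433B-4859-A785-006771D72109}"
call :msiexec "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\Sophos Anti-Virus.msi"
call :msiexec "{09C6BF52-6DBA-4A97-9939-B6C24E4738BF}"
call :msiexec "{09863DA9-7A9B-4430-9561-E04D178D7017}"
call :msiexec "{23E4E25E-E963-4C62-A18A-49C73AA3F963}"
call :msiexec "{65323B2D-83D4-470D-A209-D769DB30BBDB}"
call :msiexec "{C4EDC7DA-3AF8-4E99-ACAC-4C1A70F88CFB}"
call :msiexec "{D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4}"

:: Sophos Remote Management System / RMS
call :msiexec "{FED1005D-CBC8-45D5-A288-FFC7BB304121}"
call :msiexec "{FF11005D-CBC8-45D5-A288-25C7BB304121}"

:: Sophos Health / Endpoint / Server
call :msiexec "{E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745}"
call :msiexec "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\shs\Sophos Health.msi"
call :msiexec "{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E}"
call :msiexec "{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44}"

:: Sophos Diagnostic Utility / Endpoint / Server
call :msiexec "{4627F5A1-E85A-4394-9DB3-875DF83AF6C2}"
call :msiexec "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sdu\Sophos Diagnostic Utility.msi"
:: "C:\Program Files (x86)\Sophos\Sophos Diagnostic Utility\setup.exe" remove
:: "C:\Program Files\Sophos\Sophos Diagnostic Utility\setup.exe" remove

:: Sophos Management Communications System / MCS / Server
call :msiexec "{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B}"
call :msiexec "{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179}"
call :msiexec "{D875F30C-B469-4998-9A08-FE145DD5DC1A}"
call :msiexec "{2C14E1A2-C4EB-466E-8374-81286D723D3A}"
:: Sophos Management Communications System Endpoint
:: (both folder spellings, "Communication" and "Communications", are tried)
"C:\Program Files\Sophos\Management Communication System\Endpoint\uninstall.exe" /uninstall /quiet
"C:\Program Files\Sophos\Management Communications System\Endpoint\uninstall.exe" /uninstall /quiet
"C:\Program Files (x86)\Sophos\Management Communication System\Endpoint\uninstall.exe" /uninstall /quiet
"C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\uninstall.exe" /uninstall /quiet
:: Sophos Management Console
call :msiexec "{6D313E00-539A-4EDC-913B-0B1B349D1860}"
call :msiexec "{FC2876E5-3698-4534-A126-52792C4F0350}"
:: Sophos Management Server
call :msiexec "{9BCC5C9E-94B6-40CA-A025-2A33C78256C6}"
call :msiexec "{E9366D3F-ED09-42D1-BAFF-1EF2E3BF8A37}"
:: Sophos Management Database
call :msiexec "{8A911FCC-F927-4CEA-8B0B-C72BEFEA1034}"
call :msiexec "{E3C70B2C-0549-4F4C-87BE-B3D0EBDDAF26}"

:: Sophos [MCS?] Heartbeat
call :msiexec "{DFFA9361-3625-4219-82C2-9EF011E433B1}"

:: Sophos Endpoint Self Help / Endpoint / Server
call :msiexec "{9F69FA12-E3FE-4754-B7E3-B4DEEC8F6B5D}"
call :msiexec "{4EFCDD15-24A2-4D89-84A4-857D1BF68FA8}"
call :msiexec "{BB36D9C2-6AE5-4AB2-BC91-ECD247092BD8}"

:: Sophos Lockdown
call :msiexec "{77F92E90-ED4F-4CFF-8F60-3E3E4AEB705C}"

:: Sophos File Scanner / Endpoint / Server
"C:\Program Files\Sophos\Sophos File Scanner\Uninstall.exe"
"C:\Program Files (x86)\Sophos\Sophos File Scanner\Uninstall.exe"

:: Sophos Standalone Engine / Endpoint / Server
"C:\Program Files\Sophos\Sophos Standalone Engine\uninstall.exe"
"C:\Program Files (x86)\Sophos\Sophos Standalone Engine\uninstall.exe"

:: Sophos ML Engine
"C:\Program Files\Sophos\Sophos ML Engine\uninstall.exe"
"C:\Program Files (x86)\Sophos\Sophos ML Engine\uninstall.exe"

:: Sophos Endpoint
call :msiexec "{D29542AE-287C-42E4-AB28-3858E13C1A3E}"
:: Sophos Endpoint Agent
call :msiexec "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\ui64\Sophos UI.msi"
:: This pops up a GUI message + the message may be "The computer must be restarted before Sophos Endpoint Agent can be uninstalled."
::"C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallgui.exe"
::"C:\Program Files (x86)\Sophos\Sophos Endpoint Agent\uninstallgui.exe"
:: This is better! If we temporarily remove PendingFileRenameOperations AND use uninstallcli.exe, no GUI + removal succeeds!
:: Step 1: copy the values of Session Manager to the scratch key _TMP_SMGR.
:: Step 2: strip every value except PendingFileRenameOperations from the
::         scratch key (tokens=1 takes the value name, so a name containing a
::         space would be truncated and left behind in the scratch key).
:: Step 3: delete PendingFileRenameOperations from the live key.
:: The page this script was published on had turned "&reg" into a
:: registered-trademark sign, which broke step 3; it is written out here.
:: "Could not copy registry key" is now printed only when the copy itself
:: fails, not when PendingFileRenameOperations was simply absent.
reg copy "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" "HKLM\SYSTEM\CurrentControlSet\Control\_TMP_SMGR"
if errorlevel 1 (
    echo Could not copy registry key
) else (
    for /f "tokens=1" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\_TMP_SMGR" ^| find /V "PendingFileRenameOperations" ^| find /V "HKEY_LOCAL_MACHINE"') do @reg delete "HKLM\SYSTEM\CurrentControlSet\Control\_TMP_SMGR" /v "%%~a" /f
    reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations /f
)
"C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallcli.exe"
"C:\Program Files (x86)\Sophos\Sophos Endpoint Agent\uninstallcli.exe"
:: Put the saved value back and drop the scratch key.
:: NOTE(review): the copy-back overwrites PendingFileRenameOperations, so any
:: rename/delete entries queued while uninstallcli.exe ran are presumably
:: discarded - confirm leftover files are still removed after the reboot.
reg copy "HKLM\SYSTEM\CurrentControlSet\Control\_TMP_SMGR" "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\_TMP_SMGR" /f

:: Sophos Clean / Endpoint / Server
"C:\Program Files\Sophos\Clean\uninstall.exe"
"C:\Program Files (x86)\Sophos\Clean\uninstall.exe"

:: Sophos AutoUpdate / SAU
call :msiexec "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sau\Sophos AutoUpdate.msi"
call :msiexec "{72E136F7-3751-422E-AC7A-1B2E46391909}"
call :msiexec "{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16}"
call :msiexec "{BCF53039-A7FC-4C79-A3E3-437AE28FD918}"
call :msiexec "{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520}"
call :msiexec "{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54}"
call :msiexec "{E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E}"
call :msiexec "{15C418EB-7675-42be-B2B3-281952DA014D}"
call :msiexec "{C12953C2-4F15-4A6C-91BC-511B96AE2775}"
call :msiexec "{856A0B42-457D-4BD9-B795-6F942370CA6D}"

:: Sophos Endpoint Defense / SED / Endpoint / Server
"C:\Program Files\Sophos\Endpoint Defense\uninstall.exe"
"C:\Program Files (x86)\Sophos\Endpoint Defense\uninstall.exe"

:: HitmanPro / HMPA managed
"C:\Program Files\HitmanPro.Alert\hmpalert.exe" /uninstall /quiet
"C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /uninstall /quiet

:: HitmanPro
"C:\Program Files\HitmanPro.Alert\uninstall.exe"
"C:\Program Files (x86)\HitmanPro.Alert\uninstall.exe"
"C:\Program Files\HitmanPro\HitmanPro.exe" /uninstall /quiet
"C:\Program Files (x86)\HitmanPro\HitmanPro.exe" /uninstall /quiet

:: Others - Sophos Cache Manager / Update Manager
call :msiexec "{2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}"

:: Others - Sophos Cloud AD Sync Utility
call :msiexec "{94A64BF2-0EFC-47EE-9376-0D14E67A2696}"

:: Others - Sophos PureMessage
call :msiexec "{946A74A2-D92E-40CE-B3C5-C6174EC6287D}"

:: Others - Sophos Central AD Sync Utility
call :msiexec "{84791325-FCDA-429C-85E1-4167EFB2708F}"

:: Others - Sophos SafeGuard (THIS IS THE ONLY ENTRY FOR THIS APPLICATION IN THIS SCRIPT)
call :msiexec "{957BE63D-2202-4618-BA64-12115A1F8C93}"
call :msiexec "{23140C44-685A-4525-B0E1-FCAA33E89805}"
call :msiexec "{7AA09D93-47ED-470F-BE41-53E0D9D8D87F}"
call :msiexec "{67090957-0E4D-4CE2-93E6-22F98DCE1D26}"
call :msiexec "{E42A36EA-F3F8-49C8-9E0E-0E87CDACAF69}"
call :msiexec "{D102EA66-BFC5-44B6-A371-54FAF5A1B27B}"

:: Others - Sophos SSL VPN Client 2.1 (THIS IS THE ONLY ENTRY FOR THIS APPLICATION IN THIS SCRIPT)
:: "C:\Program Files\Sophos\Sophos SSL VPN Client\Uninstall.exe"
:: "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\Uninstall.exe"

:: Others - Sophos Virus Removal Tool
call :msiexec "{B829E117-D072-41EA-9606-9826A38D34C1}"

:: Fixed 15-second wait before returning to the caller.
timeout /t 15 /nobreak
exit /b 0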
390
391
392
:Services
:: Chapter 3: services, then drivers. While the TryAgain flag is still TRUE
:: (first pass) the routine returns before anything is deleted.
call :proxy Services_Disable
call :proxy Services_Stop
call :proxy Services_StopForce
call :proxy Drivers
if "%TryAgain%"=="TRUE" exit /b 0
call :proxy Services_Deletion
exit /b 0



:Drivers
:: Driver services: disable, stop, kill remaining processes, uninstall the
:: drivers; on the first pass (TryAgain=TRUE) stop there, otherwise also
:: delete the driver services and kill processes once more.
call :proxy DriverServices_Disable
call :proxy DriverServices_Stop
call :proxy ProcessesAll_StopForce
call :proxy DriverServices_Uninstall
if "%TryAgain%"=="TRUE" exit /b 0
call :proxy DriverServices_Deletion
call :proxy ProcessesAll_StopForce
exit /b 0



:Unregister
:: Chapter 4: unregister known executables and DLLs, then kill whatever
:: processes are still running. Dispatched through :proxytwo.
call :proxytwo Uninstall_Unreg
call :proxytwo Uninstall_Regsvr
call :proxytwo ProcessesAll_StopForce
exit /b 0



:Deletion
:: Chapter 5: registry clean-up first, filesystem clean-up second.
call :proxytwo Registry_Deletion
call :proxytwo Filesystem_Deletion
exit /b 0
428
429
430
431:: --------------------------- SUBCHAPTERS ---------------------------
:Services_Disable
:: Graceful removal attempts are over. This step hands every known Sophos
:: service name to the :sc_disable helper (defined elsewhere in this file),
:: in the product order of the main index. Each FOR element keeps its quotes,
:: so the helper receives exactly one quoted argument per service.
:: Index entries with no service in this step: Endpoint Firewall, Exploit
:: Prevention, Remote Management System, Diagnostic Utility, Endpoint Self
:: Help, Lockdown, Standalone Engine, ML Engine, AutoUpdate XG, HitmanPro.

:: Sophos Patch Agent, then Sophos Compliance Agent / NAC
for %%S in ("Sophos Patch Agent" "Sophos Compliance Agent API") do call :sc_disable %%S

:: Sophos Network Threat Protection / NTP / Endpoint / Server
for %%S in ("SntpService" "Sophos Network Threat Protection") do call :sc_disable %%S

:: Sophos System Protection / SSP
for %%S in ("Sophos System Protection Service" "sophossps") do call :sc_disable %%S

:: Sophos Client Firewall / SCF
for %%S in ("Sophos Client Firewall Manager" "Sophos Client Firewall") do call :sc_disable %%S

:: Sophos Anti-Virus / SAV / Endpoint / Server
for %%S in (
    "SAVAdminService"
    "Sophos Anti-Virus status reporter"
    "SAVService"
    "Sophos Device Control Service"
    "Sophos Safestore Service"
    "Sophos Safestore"
    "Sophos Web Control Service"
) do call :sc_disable %%S
:: Did not fit anywhere else: Sophos Web Filter (swi_filter, swi_fc), Sophos
:: Web Intelligence Service (swi_service and its display name), Sophos Web
:: Intelligence Updater (last four names), and the catch-all "Sophos Anti-Virus"
for %%S in (
    "swi_filter"
    "swi_fc"
    "swi_service"
    "Sophos Web Intelligence Service"
    "Sophos Web Intelligence Updater"
    "Sophos Web Intelligence Update"
    "swi_update"
    "swi_update_64"
    "Sophos Anti-Virus"
) do call :sc_disable %%S

:: In order: Sophos Health, MCS (Agent, Client), [MCS?] Heartbeat, File
:: Scanner, Endpoint / Agent, Clean (two names), AutoUpdate / SAU, Endpoint
:: Defense / SED
for %%S in (
    "Sophos Health Service"
    "Sophos MCS Agent"
    "Sophos MCS Client"
    "Sophos MCS Heartbeat"
    "Sophos File Scanner Service"
    "Sophos Agent"
    "Sophos Clean Service"
    "Sophos Clean"
    "Sophos AutoUpdate Service"
    "Sophos Endpoint Defense Service"
) do call :sc_disable %%S

:: Others, in order: Message Router, Cache Manager / Update Manager (three
:: names), Certification Manager, Cloud AD Sync Utility, Data Recorder, File
:: Integrity Monitoring, Management Host, Management Service, Patch Endpoint
:: Communicator, Patch Endpoint Orchestrator, Patch Server Communicator,
:: Policy Evaluation Service
for %%S in (
    "Sophos Message Router"
    "Sophos Cache Manager"
    "Sophos Update Cache"
    "SUM"
    "Sophos Certification Manager"
    "Sophos Cloud AD Sync Utility"
    "SophosDataRecorderService"
    "SophosFIM"
    "SophosManagementHostService"
    "Sophos Management Service"
    "SophosPatchEndpointCommunicator"
    "SophosPatchOrchestratorService"
    "SophosPatchServerCommunicator"
    "Sophos Policy Evaluation Service"
) do call :sc_disable %%S

:: Others, in order: PureMessage, PureMessage Web Agent, PureMessage Running
:: Object Table (ROT), PureMessage Content Extractor, PureMessage Watchdog
:: Agent, PureMessage Scanner, Encryption For Cloud Storage, Central AD Sync
:: Utility, Unknown (sweepupdate, sweepnet)
for %%S in (
    "SavexSrvc"
    "SavexWebAgent"
    "MMRot"
    "PMContExtrSvc"
    "PMEVizsla"
    "PMScanner"
    "SGNCloudEncService"
    "Sophos Central AD Sync Utility"
    "sweepupdate"
    "sweepnet"
) do call :sc_disable %%S

:: Fixed 15-second wait before returning to the caller.
timeout /t 15 /nobreak
exit /b 0
591
592
593
:Services_Stop
:: Sends a stop request (sc stop) to every known Sophos service, in the same
:: product order as the main index. The result of each request is not checked;
:: the forced termination step that follows deals with anything still running.
:: Index entries with no service in this step: Endpoint Firewall, Exploit
:: Prevention, Remote Management System, Diagnostic Utility, Endpoint Self
:: Help, Lockdown, Standalone Engine, ML Engine, AutoUpdate XG, HitmanPro.

:: Sophos Patch Agent, then Sophos Compliance Agent / NAC
for %%S in ("Sophos Patch Agent" "Sophos Compliance Agent API") do sc stop %%S

:: Sophos Network Threat Protection / NTP / Endpoint / Server
for %%S in ("SntpService" "Sophos Network Threat Protection") do sc stop %%S

:: Sophos System Protection / SSP
for %%S in ("Sophos System Protection Service" "sophossps") do sc stop %%S

:: Sophos Client Firewall / SCF
for %%S in ("Sophos Client Firewall Manager" "Sophos Client Firewall") do sc stop %%S

:: Sophos Anti-Virus / SAV / Endpoint / Server
for %%S in (
    "SAVAdminService"
    "Sophos Anti-Virus status reporter"
    "SAVService"
    "Sophos Device Control Service"
    "Sophos Safestore Service"
    "Sophos Safestore"
    "Sophos Web Control Service"
) do sc stop %%S
:: Did not fit anywhere else: Sophos Web Filter (swi_filter, swi_fc), Sophos
:: Web Intelligence Service (swi_service and its display name), Sophos Web
:: Intelligence Updater (last four names), and the catch-all "Sophos Anti-Virus"
for %%S in (
    "swi_filter"
    "swi_fc"
    "swi_service"
    "Sophos Web Intelligence Service"
    "Sophos Web Intelligence Updater"
    "Sophos Web Intelligence Update"
    "swi_update"
    "swi_update_64"
    "Sophos Anti-Virus"
) do sc stop %%S

:: In order: Sophos Health, MCS (Agent, Client), [MCS?] Heartbeat, File
:: Scanner, Endpoint / Agent, Clean (two names), AutoUpdate / SAU, Endpoint
:: Defense / SED
for %%S in (
    "Sophos Health Service"
    "Sophos MCS Agent"
    "Sophos MCS Client"
    "Sophos MCS Heartbeat"
    "Sophos File Scanner Service"
    "Sophos Agent"
    "Sophos Clean Service"
    "Sophos Clean"
    "Sophos AutoUpdate Service"
    "Sophos Endpoint Defense Service"
) do sc stop %%S

:: Others, in order: Message Router, Cache Manager / Update Manager (three
:: names), Certification Manager, Cloud AD Sync Utility, Data Recorder, File
:: Integrity Monitoring, Management Host, Management Service, Patch Endpoint
:: Communicator, Patch Endpoint Orchestrator, Patch Server Communicator,
:: Policy Evaluation Service
for %%S in (
    "Sophos Message Router"
    "Sophos Cache Manager"
    "Sophos Update Cache"
    "SUM"
    "Sophos Certification Manager"
    "Sophos Cloud AD Sync Utility"
    "SophosDataRecorderService"
    "SophosFIM"
    "SophosManagementHostService"
    "Sophos Management Service"
    "SophosPatchEndpointCommunicator"
    "SophosPatchOrchestratorService"
    "SophosPatchServerCommunicator"
    "Sophos Policy Evaluation Service"
) do sc stop %%S

:: Others, in order: PureMessage, PureMessage Web Agent, PureMessage Running
:: Object Table (ROT), PureMessage Content Extractor, PureMessage Watchdog
:: Agent, PureMessage Scanner, Encryption For Cloud Storage, Central AD Sync
:: Utility, Unknown (sweepupdate, sweepnet)
for %%S in (
    "SavexSrvc"
    "SavexWebAgent"
    "MMRot"
    "PMContExtrSvc"
    "PMEVizsla"
    "PMScanner"
    "SGNCloudEncService"
    "Sophos Central AD Sync Utility"
    "sweepupdate"
    "sweepnet"
) do sc stop %%S

:: Fixed 15-second wait before returning to the caller.
timeout /t 15 /nobreak
exit /b 0
752
753
754
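:Services_StopForce
:: Forcibly terminates the processes behind the Sophos services, by image
:: name, using taskkill /T (include child processes) /F (force).
:: A name that is not running only produces an error message; nothing here
:: checks the result.
:: Index entries with no process in this step: Compliance Agent, Endpoint
:: Firewall, Exploit Prevention, Remote Management System, Diagnostic Utility,
:: Endpoint Self Help, Lockdown, Standalone Engine, ML Engine, AutoUpdate XG,
:: HitmanPro.

:: Others - Unknown (moved to be the first item as a special exception because a lot of these are executables not found anywhere)
:: The command name was misspelled "taskill" on this line, so none of these
:: seventeen image names was ever terminated; corrected to taskkill.
taskkill /T /F /IM "sweepupdate.exe" /IM "sweepnet.exe" /IM "backgroundscanclient.exe" /IM "sav32cli.exe" /IM "savcleanupservice.exe" /IM "savmain.exe" /IM "savprogress.exe" /IM "savproxy.exe" /IM "sdcdevcon.exe" /IM "wscclient.exe" /IM "clientmrinit.exe" /IM "emlibupdateagentnt.exe" /IM "agentapi.exe" /IM "autoupdateagentnt.exe" /IM "agentasst.exe" /IM "alupdate.exe" /IM "scfmanager.exe"

:: Sophos Patch Agent
taskkill /T /F /IM "spa.exe"

:: Sophos Network Threat Protection / NTP / Endpoint / Server
taskkill /T /F /IM "SntpService.exe"

:: Sophos System Protection / SSP
taskkill /T /F /IM "SSPService.exe" /IM "ssp.exe"

:: Sophos Client Firewall / SCF
taskkill /T /F /IM "SCFManager.exe" /IM "SCFService.exe"

:: Sophos Anti-Virus / SAV / Endpoint / Server
taskkill /T /F /IM "SAVAdminService.exe" /IM "SavService.exe" /IM "sdcservice.exe" /IM "Safestore.exe" /IM "Safestore64.exe" /IM "swc_service.exe" /IM "swi_filter.exe" /IM "swi_service.exe" /IM "swi_update.exe" /IM "swi_update_64.exe" /IM "swi_fc.exe"

:: Sophos Health / Endpoint / Server
taskkill /T /F /IM "Health.exe"

:: Sophos Management Communications System / MCS / Endpoint / Server
taskkill /T /F /IM "McsAgent.exe" /IM "McsClient.exe"

:: Sophos [MCS?] Heartbeat
taskkill /T /F /IM "Heartbeat.exe"

:: Sophos File Scanner / Endpoint / Server
taskkill /T /F /IM "SophosFS.exe"

:: Sophos Endpoint / Agent
taskkill /T /F /IM "Sophos UI.exe" /IM "ManagementAgentNT.exe"

:: Sophos Clean / Endpoint / Server
taskkill /T /F /IM "Clean.exe"

:: Sophos AutoUpdate / SAU
taskkill /T /F /IM "ALsvc.exe" /IM "almon.exe"

:: Sophos Endpoint Defense / SED / Endpoint / Server
taskkill /T /F /IM "SEDService.exe"

:: Others - Sophos Message Router
taskkill /T /F /IM "RouterNT.exe"

:: Others - Sophos Cache Manager / Update Manager
taskkill /T /F /IM "UpdateCacheService.exe" /IM "SUMService.exe"

:: Others - Sophos Certification Manager
taskkill /T /F /IM "CertificationManagerServiceNT.exe"

:: Others - Sophos Cloud AD Sync Utility
taskkill /T /F /IM "SophosADSyncService.exe"

:: Others - Sophos Data Recorder
taskkill /T /F /IM "SDRService.exe"

:: Others - Sophos File Integrity Monitoring
taskkill /T /F /IM "SophosFIMService.exe"

:: Others - Sophos Management Host
taskkill /T /F /IM "Sophos.FrontEnd.Service.exe"

:: Others - Sophos Management Service
taskkill /T /F /IM "MgntSvc.exe"

:: Others - Sophos Patch Endpoint Communicator
taskkill /T /F /IM "PatchEndpointCommunicator.exe"

:: Others - Sophos Patch Endpoint Orchestrator
taskkill /T /F /IM "PatchEndpointOrchestrator.exe"

:: Others - Sophos Patch Server Communicator
taskkill /T /F /IM "PatchServerCommunicator.exe"

:: Others - Sophos Policy Evaluation Service
taskkill /T /F /IM "Sophos.PolicyEvaluation.Service.exe"

:: Others - Sophos PureMessage
taskkill /T /F /IM "SavexSrvc.exe"

:: Others - Sophos PureMessage Web Agent
taskkill /T /F /IM "SavexWebAgent.exe"

:: Others - Sophos PureMessage Running Object Table (ROT)
taskkill /T /F /IM "MMRot.exe"

:: Others - Sophos PureMessage Content Extractor
taskkill /T /F /IM "PMContExtrSvc.exe"

:: Others - Sophos PureMessage Watchdog Agent
taskkill /T /F /IM "PMEVizsla.exe"

:: Others - Sophos PureMessage Scanner
taskkill /T /F /IM "PMScanner.exe"

:: Others - Sophos Encryption For Cloud Storage
taskkill /T /F /IM "SGN_MasterServicen.exe"

:: Others - Sophos Central AD Sync Utility
:: (same image name as the Cloud AD Sync Utility entry above)
taskkill /T /F /IM "SophosADSyncService.exe"
exit /b 0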
:Services_Deletion
:: Deletes the Windows service registration of every known Sophos component,
:: product by product, in the order laid out in the MAIN INDEX at the top of
:: this script. Every name is passed, quoted, to the :sc_delete helper, which
:: is defined elsewhere in the file (presumably a wrapper around "sc delete" -
:: confirm there).
::
:: Index products with no service entry in this routine: Endpoint Firewall,
:: Exploit Prevention, Remote Management System, Diagnostic Utility, Endpoint
:: Self Help, Lockdown, Standalone Engine, ML Engine, AutoUpdate XG, HitmanPro.
::
:: NOTE(review): no result of any :sc_delete call is checked and the routine
:: always returns 0, so the caller cannot tell a complete removal from a
:: partial one. Log the per-service outcome if the run has to be audited.

:: Sophos Patch Agent
call :sc_delete "Sophos Patch Agent"

:: Sophos Compliance Agent / NAC / Network Access Compliance
call :sc_delete "Sophos Compliance Agent API"

:: Sophos Network Threat Protection / NTP
for %%S in ("SntpService" "Sophos Network Threat Protection") do call :sc_delete %%S

:: Sophos System Protection / SSP
for %%S in ("Sophos System Protection Service" "sophossps") do call :sc_delete %%S

:: Sophos Client Firewall / SCF
for %%S in ("Sophos Client Firewall Manager" "Sophos Client Firewall") do call :sc_delete %%S

:: Sophos Anti-Virus / SAV, followed by the web components the author filed
:: under it: Web Filter (swi_filter, swi_fc), Web Intelligence Service
:: (swi_service) and Web Intelligence Updater (swi_update).
for %%S in (
    "SAVAdminService"
    "Sophos Anti-Virus status reporter"
    "SAVService"
    "Sophos Device Control Service"
    "Sophos Safestore Service"
    "Sophos Safestore"
    "Sophos Web Control Service"
    "swi_filter"
    "swi_fc"
    "swi_service"
    "Sophos Web Intelligence Service"
    "Sophos Web Intelligence Updater"
    "Sophos Web Intelligence Update"
    "swi_update"
) do call :sc_delete %%S
:: swi_update_64 is the only name sent straight to sc.exe before it also goes
:: through the helper. NOTE(review): looks redundant with the call that
:: follows - confirm against :sc_delete and drop one of the two.
sc delete "swi_update_64"
for %%S in ("swi_update_64" "Sophos Anti-Virus") do call :sc_delete %%S

:: Sophos Health
call :sc_delete "Sophos Health Service"

:: Sophos Management Communications System / MCS, then its Heartbeat
for %%S in ("Sophos MCS Agent" "Sophos MCS Client" "Sophos MCS Heartbeat") do call :sc_delete %%S

:: Sophos File Scanner
call :sc_delete "Sophos File Scanner Service"

:: Sophos Endpoint / Agent
call :sc_delete "Sophos Agent"

:: Sophos Clean
for %%S in ("Sophos Clean Service" "Sophos Clean") do call :sc_delete %%S

:: Sophos AutoUpdate / SAU
call :sc_delete "Sophos AutoUpdate Service"

:: Sophos Endpoint Defense / SED
call :sc_delete "Sophos Endpoint Defense Service"

:: Others. Names that do not explain themselves: SUM = Update Manager;
:: SavexSrvc, SavexWebAgent, MMRot, PMContExtrSvc, PMEVizsla and PMScanner =
:: PureMessage (service, web agent, running object table, content extractor,
:: watchdog agent, scanner); SGNCloudEncService = Encryption For Cloud Storage;
:: sweepupdate and sweepnet are listed by the author as "unknown".
for %%S in (
    "Sophos Message Router"
    "Sophos Cache Manager"
    "Sophos Update Cache"
    "SUM"
    "Sophos Certification Manager"
    "Sophos Cloud AD Sync Utility"
    "SophosDataRecorderService"
    "SophosFIM"
    "SophosManagementHostService"
    "Sophos Management Service"
    "SophosPatchEndpointCommunicator"
    "SophosPatchOrchestratorService"
    "SophosPatchServerCommunicator"
    "Sophos Policy Evaluation Service"
    "SavexSrvc"
    "SavexWebAgent"
    "MMRot"
    "PMContExtrSvc"
    "PMEVizsla"
    "PMScanner"
    "SGNCloudEncService"
    "Sophos Central AD Sync Utility"
    "sweepupdate"
    "sweepnet"
) do call :sc_delete %%S
exit /b 0
:DriverServices_Disable
:: Disables the Sophos kernel-driver services by handing each service name to
:: the :sc_disable helper (defined elsewhere in this script; presumably it
:: sets the start type to disabled - confirm there). Always returns 0.
::
:: Drivers, in call order:
::   sntp                     Network Threat Protection driver
::   SAVOnAccess              SAV on-access mini-filter driver (Anti-Virus)
::   swi_callout              Web Intelligence callout driver (Anti-Virus)
::   Sophos ELAM              Early Launch AntiMalware driver (Anti-Virus?)
::   SophosBootDriver         Boot driver (Anti-Virus)
::   sdcfilter                CD-ROM class filter driver (Device Control?)
::   Sophos Endpoint Defense  Endpoint Defense driver
for %%D in (
    "sntp"
    "SAVOnAccess"
    "swi_callout"
    "Sophos ELAM"
    "SophosBootDriver"
    "sdcfilter"
    "Sophos Endpoint Defense"
) do call :sc_disable %%D
exit /b 0
:DriverServices_Stop
:: Stops the Sophos kernel-driver services through the :scd_stop helper
:: (defined elsewhere in this script), then waits 15 seconds before
:: returning 0. The driver list and its order match :DriverServices_Disable:
:: Network Threat Protection, SAV on-access mini-filter, Web Intelligence
:: callout, Early Launch AntiMalware, boot driver, CD-ROM class filter,
:: Endpoint Defense.
for %%D in (
    "sntp"
    "SAVOnAccess"
    "swi_callout"
    "Sophos ELAM"
    "SophosBootDriver"
    "sdcfilter"
    "Sophos Endpoint Defense"
) do call :scd_stop %%D

:: Fixed pause that a key press cannot skip (/nobreak); presumably gives the
:: drivers time to unload - confirm.
:: NOTE(review): timeout.exe refuses to run when stdin is redirected, so under
:: a remote-management agent this pause may be skipped with an error.
timeout /t 15 /nobreak
exit /b 0
:DriverServices_Uninstall
:: Uninstalls the Sophos kernel drivers. For the drivers that ship an INF the
:: script tries four INF entry points in turn, each guarded by its own
:: "if exist" on the INF:
::   setupapi InstallHinfSection <section> 132
::   setupapi InstallHinfSection <section>.Services 132
::   advpack  LaunchINFSection <inf>,UnInstall
::   syssetup SetupInfObjectInstallAction Uninstall.NT 4
:: (132 = 128, use the INF's own directory as source, + 4, ask before
:: rebooting if a reboot is needed.) The INF is never inspected, so entry
:: points whose section is missing are presumably no-ops - confirm.
:: Every driver is then also removed with "wmic sysdriver ... call delete".
:: Always returns 0; no result is checked.
::
:: NOTE(review): wmic is deprecated and not installed by default on recent
:: Windows builds; there the wmic lines only print an error.
:: NOTE(review): this runs elevated and processes INF files found under
:: C:\ProgramData. Confirm that the Sophos cache directory is writable by
:: administrators only, or keep to the copies under C:\Program Files.

:: Network Threat Protection, SAV on-access mini-filter, Web Intelligence callout
for %%D in ("sntp" "SAVOnAccess" "swi_callout") do wmic sysdriver where name=%%D call delete

:: Early Launch AntiMalware driver (Sophos Anti-Virus?)
for %%I in (
    "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\SophosEL.inf"
    "C:\Program Files\Sophos\Endpoint Defense\SophosEL.inf"
) do (
    if exist %%I RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultUninstall 132 %%I
    if exist %%I RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultUninstall.Services 132 %%I
    if exist %%I rundll32 advpack.dll,LaunchINFSection %%I,UnInstall
    if exist %%I rundll32 syssetup.dll,SetupInfObjectInstallAction Uninstall.NT 4 %%I
)
for %%D in ("SophosEL" "Sophos ELAM") do wmic sysdriver where name=%%D call delete

:: Boot driver (Sophos Anti-Virus): one INF per platform directory in the
:: AutoUpdate cache
for %%A in (win7_amd64 win7_i386 wxp_i386 wnet_amd64) do (
    if exist "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\%%A\SophosBootDriver.inf" RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultUninstall 132 "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\%%A\SophosBootDriver.inf"
    if exist "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\%%A\SophosBootDriver.inf" RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultUninstall.Services 132 "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\%%A\SophosBootDriver.inf"
    if exist "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\%%A\SophosBootDriver.inf" rundll32 advpack.dll,LaunchINFSection "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\%%A\SophosBootDriver.inf",UnInstall
    if exist "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\%%A\SophosBootDriver.inf" rundll32 syssetup.dll,SetupInfObjectInstallAction Uninstall.NT 4 "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\drivers\boottasks\%%A\SophosBootDriver.inf"
)
wmic sysdriver where name="SophosBootDriver" call delete

:: CD-ROM class filter driver (Sophos Device Control?)
wmic sysdriver where name="sdcfilter" call delete

:: Endpoint Defense: three section families per INF; the advpack and syssetup
:: calls are repeated after each family, exactly as many times as before.
for %%I in (
    "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\SophosED.inf"
    "C:\Program Files\Sophos\Endpoint Defense\SophosED.inf"
) do for %%P in (DefaultUninstall Win8Uninstall Win7Uninstall) do (
    if exist %%I RUNDLL32 SETUPAPI.DLL,InstallHinfSection %%P 132 %%I
    if exist %%I RUNDLL32 SETUPAPI.DLL,InstallHinfSection %%P.Services 132 %%I
    if exist %%I rundll32 advpack.dll,LaunchINFSection %%I,UnInstall
    if exist %%I rundll32 syssetup.dll,SetupInfObjectInstallAction Uninstall.NT 4 %%I
)
for %%D in ("SophosED" "Sophos Endpoint Defense") do wmic sysdriver where name=%%D call delete
exit /b 0
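:DriverServices_Deletion
:: Queues the Sophos driver binaries for deletion at the next boot and, once
:: that has been attempted, schedules the driver services for removal through
:: :DriverServices_Deletion_Sub. Always returns 0.
::
:: The queueing is done by Register-FileToDelete.ps1 (by Boe Prox, from
:: https://gallery.technet.microsoft.com/scriptcenter/Register-FileToDelete-0cbb00bb ),
:: which adds files to the PendingFileRenameOperations registry value. The
:: :PoShScript label, defined elsewhere in this script, is expected to write
:: that helper next to this batch file.
::
:: Security: this batch file runs elevated and loads the helper with
:: -ExecutionPolicy Bypass. A copy that is already sitting next to it is
:: therefore never trusted; it is removed and the helper is regenerated on
:: every run. Keep this batch file in a directory only administrators can
:: write to, otherwise the helper can still be swapped between creation and use.
:: NOTE(review): PowerShell errors are discarded (2>nul), so "script executed"
:: is printed whether or not the files were actually registered.
if exist "%~dp0Register-FileToDelete.ps1" (
    echo Removing pre-existing Register-FileToDelete.ps1 before regenerating it
    del /Q "%~dp0Register-FileToDelete.ps1" >nul 2>&1
)
if exist "%~dp0Register-FileToDelete.ps1" (
    echo Failed to remove pre-existing Register-FileToDelete.ps1 script
    echo Failed to execute Register-FileToDelete.ps1 script
    exit /b 0
)
call :PoShScript
if not exist "%~dp0Register-FileToDelete.ps1" (
    echo Failed to create Register-FileToDelete.ps1 script
    echo Failed to execute Register-FileToDelete.ps1 script
    exit /b 0
)
echo Successfully created Register-FileToDelete.ps1 script
echo Executing Register-FileToDelete.ps1 script
powershell -NoProfile -ExecutionPolicy Bypass -Command "Import-Module '%~dp0Register-FileToDelete.ps1';Register-FileToDelete -Source 'C:\Windows\System32\drivers\SophosEL.sys';Register-FileToDelete -Source 'C:\Windows\System32\drivers\SophosED.sys';Register-FileToDelete -Source 'C:\Windows\System32\drivers\SophosED.man';Register-FileToDelete -Source 'C:\Windows\System32\drivers\SophosBootDriver.sys';Register-FileToDelete -Source 'C:\Windows\System32\SophosNA.exe';Register-FileToDelete -Source 'C:\Windows\System32\SophosBootTasks.exe'" 2>nul
echo Register-FileToDelete.ps1 script executed
:: No /S here: only the generated copy beside this script is removed, not
:: same-named files in subdirectories.
del /Q "%~dp0Register-FileToDelete.ps1" >nul 2>&1
call :DriverServices_Deletion_Sub
exit /b 0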
:DriverServices_Deletion_Sub
:: Called by :DriverServices_Deletion after the driver files have been queued
:: for delete-on-reboot. Marks each Sophos driver service for deletion with
:: "sc delete", then creates the Windows Update RebootRequired key. Always
:: returns 0.
::
:: The service keys under HKLM\SYSTEM\CurrentControlSet\Services\<name> are
:: deliberately not removed with "reg delete": per the author, "sc delete"
:: schedules the service for deletion on reboot, and the services should not
:: be deleted while the drivers are still running.
::
:: Order: SAV on-access mini-filter, CD-ROM class filter, Network Threat
:: Protection, Early Launch AntiMalware, Endpoint Defense, Web Intelligence
:: callout, boot driver.
for %%D in (
    "SAVOnAccess"
    "sdcfilter"
    "sntp"
    "Sophos ELAM"
    "Sophos Endpoint Defense"
    "swi_callout"
    "SophosBootDriver"
) do sc delete %%D

:: Pending-reboot flag: creates the key only, no value is written. Presumably
:: so that tools checking this key report the machine as needing a restart.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" /f
exit /b 0
:Uninstall_Unreg
:: Asks known Sophos executables to unregister themselves, using each
:: program's own switch (/UnregServer, /unregserver or -uninstall). Every
:: executable is looked for under "C:\Program Files" first and under
:: "C:\Program Files (x86)" second, and is run only where it exists.
:: Always returns 0; no exit code is checked.
::
:: Sources named by the author:
::   https://www.itninja.com/software/sophos/anti-virus/7-201
::   https://www.experts-exchange.com/questions/23058062/Sophos-Anti-Virus-Uninstall-Script.html
::   https://community.sophos.com/kb/en-us/127805
::
:: Only four products from the MAIN INDEX have entries here: Client Firewall,
:: Anti-Virus, Remote Management System and AutoUpdate. All other index
:: products are intentionally empty in this step.

:: Sophos Client Firewall / SCF
for %%E in ("SCFManager.exe" "SCFService.exe") do for %%R in ("C:\Program Files" "C:\Program Files (x86)") do (
    if exist "%%~R\Sophos\Sophos Client Firewall\%%~E" "%%~R\Sophos\Sophos Client Firewall\%%~E" /UnregServer
)

:: Sophos Anti-Virus / SAV
for %%E in ("SavService.exe" "SavAdminService.exe" "sdcservice.exe" "Web Control\swc_service.exe") do for %%R in ("C:\Program Files" "C:\Program Files (x86)") do (
    if exist "%%~R\Sophos\Sophos Anti-Virus\%%~E" "%%~R\Sophos\Sophos Anti-Virus\%%~E" /unregserver
)

:: Sophos Remote Management System / RMS
for %%E in ("ManagementAgentNT.exe" "AutoUpdateAgentNT.exe" "RouterNT.exe") do for %%R in ("C:\Program Files" "C:\Program Files (x86)") do (
    if exist "%%~R\Sophos\Remote Management System\%%~E" "%%~R\Sophos\Remote Management System\%%~E" -uninstall
)

:: Sophos AutoUpdate / SAU
for %%E in ("ALSvc.exe" "ALMon.exe") do for %%R in ("C:\Program Files" "C:\Program Files (x86)") do (
    if exist "%%~R\Sophos\AutoUpdate\%%~E" "%%~R\Sophos\AutoUpdate\%%~E" /unregserver
)

exit /b 0
:Uninstall_Regsvr
:: Runs "regsvr32 /U /S" against every *.dll, and afterwards every *.exe,
:: found recursively under the five Sophos install and data directories.
:: Always returns 0; /S keeps regsvr32 silent, so failures are not reported.
::
:: Sources named by the author:
::   https://www.labtechgeek.com/topic/4274-sophos-removal-script/
::   https://rmccurdy.com/scripts/SOSO.txt
::   https://www.experts-exchange.com/questions/23058062/Sophos-Anti-Virus-Uninstall-Script.html
::
:: NOTE(review): regsvr32 works by loading the module and calling its
:: DllUnregisterServer export, so the *.exe pass is presumably a no-op, and
:: every DLL matched here gets loaded into an elevated process. Confirm that
:: C:\ProgramData\Sophos is writable by administrators only before keeping
:: it in this list.

:: All DLLs across the five roots first, then all EXEs, in the same root order.
for %%X in (dll exe) do for %%R in (
    "C:\Program Files\Sophos"
    "C:\Program Files\Common Files\Sophos"
    "C:\Program Files (x86)\Sophos"
    "C:\Program Files (x86)\Common Files\Sophos"
    "C:\ProgramData\Sophos"
) do for /f "tokens=*" %%a in ('dir /S /B "%%~R\*.%%X"') do @(regsvr32 /U /S "%%~a")
exit /b 0
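:Registry_Deletion
:: Removes Sophos registry keys and values, then queues leftover files for
:: deletion at the next reboot. Steps, in order: Run-key autorun, shell
:: context-menu handlers, WinSock providers (via :WinSock), delayed file
:: deletion (via Register-FileToDelete.ps1), vendor keys under HKCU/HKLM/HKU,
:: uninstall entries, local groups, and AppInit_DLLs.
:: Every step is best-effort and the subroutine always returns 0.
:: Each step changes security-relevant state through reg.exe, netsh.exe or
:: powershell.exe, so expect matching process-creation and registry-audit
:: events on monitored hosts.

:: Autoruns
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Sophos UI.exe" /f

:: Context menus
reg delete "HKLM\SOFTWARE\Classes\SavSecurity.SecurityManager" /f
reg delete "HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SavShellExt" /f
reg delete "HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\SavShellExt" /f
reg delete "HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SavShellExt" /f
reg delete "HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SavShellExt" /f

:: Check if any Sophos providers are registered with WinSock
(netsh winsock show catalog | find /I "Sophos")>nul && (call :proxy WinSock) || (echo.)

:: Some files cling to the system, so they are flagged for deletion on boot.
:: The helper script is always regenerated instead of reusing a copy that is
:: already present: it is loaded by an elevated PowerShell with
:: -ExecutionPolicy Bypass, so a file planted beforehand under that name in
:: the script directory must never be the one that runs. Keep this batch
:: file in a directory that only administrators can write to.
del /F /Q "%~dp0Register-FileToDelete.ps1" >nul 2>&1
call :PoShScript
if not exist "%~dp0Register-FileToDelete.ps1" (echo Failed to create Register-FileToDelete.ps1 script) else (echo Successfully created Register-FileToDelete.ps1 script&echo Executing Register-FileToDelete.ps1 script)
:: Registers the named files and folders, then everything below the four
:: install folders. PowerShell errors are discarded (2> nul), and the helper
:: script is removed afterwards (plain del, without /S, so same-named files
:: in subdirectories are left alone).
:: NOTE(review): folders are registered before their contents; a delayed
:: delete of a folder that is still non-empty at that point presumably
:: fails, so the top-level folders may survive the reboot - confirm.
if exist "%~dp0Register-FileToDelete.ps1" ((powershell -NoProfile -ExecutionPolicy Bypass -Command "Import-Module '%~dp0Register-FileToDelete.ps1';Register-FileToDelete -Source 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll';Register-FileToDelete -Source 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll';Register-FileToDelete -Source 'C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll';Register-FileToDelete -Source 'C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll';Register-FileToDelete -Source 'C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll';Register-FileToDelete -Source 'C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll';Register-FileToDelete -Source 'C:\ProgramData\Sophos';Register-FileToDelete -Source 'C:\Program Files\Sophos';Register-FileToDelete -Source 'C:\Program Files (x86)\Sophos';Register-FileToDelete -Source 'C:\Program Files\Common Files\Sophos';Register-FileToDelete -Source 'C:\Program Files (x86)\Common Files\Sophos';Register-FileToDelete -Source 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos';Get-ChildItem -Recurse 'C:\Program Files (x86)\Common Files\Sophos' | ForEach-Object {Register-FileToDelete -Source $_.FullName};Get-ChildItem -Recurse 'C:\Program Files (x86)\Sophos' | ForEach-Object {Register-FileToDelete -Source $_.FullName};Get-ChildItem -Recurse 'C:\Program Files\Common Files\Sophos' | ForEach-Object {Register-FileToDelete -Source $_.FullName};Get-ChildItem -Recurse 'C:\Program Files\Sophos' | ForEach-Object {Register-FileToDelete -Source $_.FullName};") 2> nul&echo Register-FileToDelete.ps1 script executed&(del /Q "%~dp0Register-FileToDelete.ps1")>nul 2>&1) else (echo Failed to execute Register-FileToDelete.ps1 script&(del /Q "%~dp0Register-FileToDelete.ps1")>nul 2>&1)

:: Others
reg delete "HKCU\SOFTWARE\Sophos" /f
reg delete "HKCU\SOFTWARE\Wow6432Node\Sophos" /f
reg delete "HKLM\SOFTWARE\Sophos" /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos" /f
:: "reg query HKU" already prints full HKEY_USERS\<SID> paths, so each line is
:: used as the key prefix as-is (prepending HKU\ produced a path that never
:: matched any key).
for /f "tokens=*" %%a in ('reg query HKU') do @(reg delete "%%~a\SOFTWARE\Sophos" /f)
for /f "tokens=*" %%a in ('reg query HKU') do @(reg delete "%%~a\SOFTWARE\Wow6432Node\Sophos" /f)
:: Without /s, reg query lists subkey names only, so these two loops remove
:: the uninstall entries whose key name contains "Sophos" (case-sensitive).
for /f "tokens=*" %%a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ^| find "Sophos"') do @(reg delete "%%~a" /f)
for /f "tokens=*" %%a in ('reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" ^| find "Sophos"') do @(reg delete "%%~a" /f)
:: Local groups are listed as *Name; the leading asterisk is the delimiter.
for /f "tokens=1 delims=*" %%a in ('net localgroup ^| find "Sophos"') do @(net localgroup "%%~a" /DELETE)2> nul

:: As undesirable as it may be to touch the AppInit_DLLs registry value, we have to: leaving Sophos in the data of this value presents a security risk to the system. A backup of the registry key is saved to "C:\Windows\Temp\AppInitDLLs_*.reg" before any modification is made.
:: Microsoft does not recommend that vendors use this registry value (https://support.microsoft.com/en-us/help/197571/working-with-the-appinit-dlls-registry-value)
:: NOTE(review): the 64-bit view is inspected only when the WOW6432Node view
:: has no Sophos entry, so a host with Sophos in both views gets only the
:: WOW6432Node value cleared in one run. The handlers blank the whole value,
:: which also drops any non-Sophos DLLs listed there; review the exported
:: .reg backup after the run.
(reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs | find /I "Sophos")>nul&&(call :AppInit_DLLs_x86)||((reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs | find /I "Sophos")>nul&&(call :AppInit_DLLs_x64)||(echo AppInit_DLLs is clean))
exit /b 0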
1416
1417
1418
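:WinSock
:: Backs up every WinSock catalog entry that mentions Sophos, then resets the
:: WinSock catalog.
:: Backups: one .reg file per matching entry, written to
::   C:\Windows\Temp\Winsock64_<entry>_<stamp>.reg  (Catalog_Entries64)
::   C:\Windows\Temp\Winsock32_<entry>_<stamp>.reg  (Catalog_Entries)
:: <entry> is the 9th path component of the registry key and <stamp> is the
:: local date-time reported by wmic, or 00000000000000 when wmic gives none.
:: The fallback export is now actually performed (it was only echoed before),
:: so a host without a usable wmic still gets its backup.
:: Always returns 0.

:: Take the time stamp once; the first value line wins.
set "wsstamp="
for /f "tokens=1 delims=. skip=1" %%b in ('wmic os get localdatetime 2^>nul ^| findstr "."') do @(if not defined wsstamp set "wsstamp=%%~b")
if not defined wsstamp set "wsstamp=00000000000000"

:: Backup WinSock entries for Sophos
for /f "tokens=*" %%c in ('reg query "HKLM\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64" /d /s /f "Sophos" ^| find "HKEY_LOCAL_MACHINE"') do @(for /f "tokens=9 delims=\" %%d in ("%%~c") do @(reg export "%%~c" "C:\Windows\Temp\Winsock64_%%~d_%wsstamp%.reg"))
for /f "tokens=*" %%c in ('reg query "HKLM\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries" /d /s /f "Sophos" ^| find "HKEY_LOCAL_MACHINE"') do @(for /f "tokens=9 delims=\" %%d in ("%%~c") do @(reg export "%%~c" "C:\Windows\Temp\Winsock32_%%~d_%wsstamp%.reg"))
set "wsstamp="

:: Deletion of WinSock entries for Sophos via registry
:: Commented out: "netsh winsock remove provider #" is believed to be the proper, graceful way to remove the providers, but parsing the output of "netsh winsock show catalog" to pick the Catalog Entry ID of entries whose Description contains Sophos has not been solved yet.
:: See https://stackoverflow.com/questions/54083702/parsing-the-output-of-a-legacy-console-application-with-powershell-to-select-val
::(for /f "tokens=*" %%b in ('reg query "HKLM\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9" /d /s /f "Sophos" ^| find "HKEY_LOCAL_MACHINE"') do @(reg delete "%%~b" /f))

:: Reset WinSock /should/ clear out providers
:: Uncommented for public-developmental release
:: The reset rebuilds the whole catalog, so layered providers installed by
:: other products are removed as well; compare the catalog before and after
:: if anything else on the host depends on one.
netsh winsock reset
exit /b 0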
1432
1433
1434
:AppInit_DLLs_x64
:: Backs up HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and
:: then blanks its AppInit_DLLs value. Takes no arguments; always returns 0.
:: The "reg add" below carries no /d, so the value is rewritten as an empty
:: REG_SZ: every DLL listed there is dropped, not only the Sophos one.
:: Restore from the exported .reg file if another product needs its entry.
:: Backup the parent registry key where AppInit_DLLs exists
:: The first loop only checks that wmic yields a time stamp; the second one
:: exports to AppInitDLLs_<stamp>.reg. The || branch exports under an
:: all-zero stamp instead.
:: NOTE(review): with "A && B || C" the zero-stamp export presumably also
:: runs when the stamped export itself fails - confirm.
(for /f "tokens=1 delims=. skip=1" %%b in ('wmic os get localdatetime ^| findstr "."') do @(echo.)) && (for /f "tokens=1 delims=. skip=1" %%b in ('wmic os get localdatetime ^| findstr "."') do @(reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" "C:\Windows\Temp\AppInitDLLs_%%~b.reg")) || (reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" "C:\Windows\Temp\AppInitDLLs_00000000000000.reg")
:: Clear the registry data for registry value AppInit_DLLs
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /f
exit /b 0
1441
1442
1443
:AppInit_DLLs_x86
:: Backs up HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
:: (the 32-bit registry view) and then blanks its AppInit_DLLs value.
:: Takes no arguments; always returns 0.
:: The "reg add" below carries no /d, so the value is rewritten as an empty
:: REG_SZ: every DLL listed there is dropped, not only the Sophos one.
:: The backup uses the same AppInitDLLs_<stamp>.reg file name pattern as
:: :AppInit_DLLs_x64.
:: Backup the parent registry key where AppInit_DLLs exists
:: The first loop only checks that wmic yields a time stamp; the second one
:: exports to AppInitDLLs_<stamp>.reg. The || branch exports under an
:: all-zero stamp instead.
:: NOTE(review): with "A && B || C" the zero-stamp export presumably also
:: runs when the stamped export itself fails - confirm.
(for /f "tokens=1 delims=. skip=1" %%b in ('wmic os get localdatetime ^| findstr "."') do @(echo.)) && (for /f "tokens=1 delims=. skip=1" %%b in ('wmic os get localdatetime ^| findstr "."') do @(reg export "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" "C:\Windows\Temp\AppInitDLLs_%%~b.reg")) || (reg export "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" "C:\Windows\Temp\AppInitDLLs_00000000000000.reg")
:: Clear the registry data for registry value AppInit_DLLs
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /f
exit /b 0
1450
1451
1452
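:Filesystem_Deletion
:: Removes the Sophos program, data and Start Menu folders.
:: Each folder is handed to :Filesystem_Deletion_Dir, which tries a plain
:: recursive delete first and falls back to taking ownership item by item.
:: Takes no arguments; always returns 0.
call :Filesystem_Deletion_Dir "C:\Program Files (x86)\Common Files\Sophos"
call :Filesystem_Deletion_Dir "C:\Program Files (x86)\Sophos"
call :Filesystem_Deletion_Dir "C:\Program Files\Common Files\Sophos"
call :Filesystem_Deletion_Dir "C:\Program Files\Sophos"
call :Filesystem_Deletion_Dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos"
call :Filesystem_Deletion_Dir "C:\ProgramData\Sophos"
exit /b 0

:Filesystem_Deletion_Dir
:: Private helper of :Filesystem_Deletion: deletes one folder tree.
:: %1 - folder path (quoted). Always returns 0.
:: An empty argument or a folder that does not exist is skipped, so the
:: fallback never runs against the wrong path.
if "%~1"=="" exit /b 0
if not exist "%~1" exit /b 0
:: "delims=" keeps each path whole. With the default delimiters every path
:: was cut at its first space, so takeown, del /S and rd /S were aimed at
:: truncated paths such as "C:\Program" instead of the Sophos item.
rd /Q /S "%~1" || ((for /f "delims=" %%a in ('dir /B /S "%~1"') do @(takeown /f "%%~a" /r /d y&del /Q /S "%%~a"&rd /Q /S "%%~a"))&rd /Q /S "%~1")
exit /b 0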
1463
1464
1465
1466:: --------------------------- SUBROUTINES ---------------------------
1467
1468:: The proxy and proxytwo labels are here to help with inserting 'pause' for controlled debugging and analysis of command outputs
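:proxy
:: Calls the subroutine whose label is given in %1; exists so that a 'pause'
:: can be dropped in here while debugging.
:: %1 - label name without the leading colon.
:: Returns 0 after the call, or 1 when no label was given (an empty label
:: would otherwise turn into a bare "call :").
if "%~1"=="" (echo proxy: no label given 1>&2&exit /b 1)
call :%1
::pause
exit /b 0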
1473
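:proxytwo
:: Second debugging hook, identical to :proxy: calls the subroutine whose
:: label is given in %1.
:: %1 - label name without the leading colon.
:: Returns 0 after the call, or 1 when no label was given (an empty label
:: would otherwise turn into a bare "call :").
if "%~1"=="" (echo proxytwo: no label given 1>&2&exit /b 1)
call :%1
::pause
exit /b 0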
1478
:msiexec
:: Silent MSI uninstall of one product.
:: %1 - product code or package path, passed to msiexec unchanged.
:: No UI (/qn) and no restart (/norestart plus REBOOT=REALLYSUPPRESS).
:: The result of msiexec is not checked; the subroutine always returns 0.
msiexec.exe /x %1 /qn /norestart REBOOT=REALLYSUPPRESS
exit /b 0
1483
:sc_disable
:: Sets the start type of one service to disabled.
:: %1 - service name, passed to sc unchanged.
:: Error output is discarded and the subroutine always returns 0, so a
:: service that does not exist is skipped silently.
sc.exe config %1 start= disabled 2>nul
exit /b 0
1488
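:sc_delete
:: Deletes one service, first through the service control manager and then
:: by removing its key from every control set, to be extra sure.
:: %1 - service name, optionally quoted.
:: Returns 1 when no name is given, otherwise 0. Error output is discarded.
:: The guard matters: with an empty name the registry path below would end
:: at "...\Services\" and name the parent key of every service.
if "%~1"=="" (echo sc_delete: no service name given 1>&2&exit /b 1)

(sc delete %1)2> nul

:: %~1 strips the surrounding quotes from the name. The five deletes were
:: chained with "&reg delete"; in the published paste the "&reg" had been
:: turned into the registered-sign character, which broke the command line.
for %%s in (CurrentControlSet ControlSet000 ControlSet001 ControlSet002 ControlSet003) do @(reg delete "HKLM\SYSTEM\%%s\Services\%~1" /f)2> nul
exit /b 0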
1510
:scd_stop
:: Tries to stop a file-system filter driver.
:: %1 - filter / service name, passed through unchanged.
:: Detaches the filter from drive letters A: to Z: and from the
:: \Device\Mup and \Device\NamedPipe volumes, unloads it, then stops the
:: service of the same name. No result is checked; always returns 0.
:: Once the filter is unloaded the product no longer sees file activity on
:: this host, so record the run in the change log.
for %%v in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do fltmc detach %1 %%v:
for %%v in (\Device\Mup \Device\NamedPipe) do fltmc detach %1 %%v
fltmc unload %1
sc stop %1
exit /b 0
1544
:ProcessesAll_StopForce
:: Subroutine for killing all Sophos processes by force
:: Takes no arguments; always returns 0.
:: First a single taskkill (/T = with child processes, /F = forced) over a
:: fixed list of image names, including the wildcards "swi_*" and "Sophos*";
:: its error output is discarded.
(taskkill /T /F /IM "sweepupdate.exe" /IM "sweepnet.exe" /IM "backgroundscanclient.exe" /IM "sav32cli.exe" /IM "savcleanupservice.exe" /IM "savmain.exe" /IM "savprogress.exe" /IM "savproxy.exe" /IM "sdcdevcon.exe" /IM "wscclient.exe" /IM "clientmrinit.exe" /IM "emlibupdateagentnt.exe" /IM "almon.exe" /IM "agentapi.exe" /IM "autoupdateagentnt.exe" /IM "agentasst.exe" /IM "alupdate.exe" /IM "scfmanager.exe" /IM "SCFService.exe" /IM "spa.exe" /IM "SntpService.exe" /IM "SSPService.exe" /IM "ssp.exe" /IM "SAVAdminService.exe" /IM "SavService.exe" /IM "sdcservice.exe" /IM "Safestore.exe" /IM "Safestore64.exe" /IM "swc_service.exe" /IM "swi_filter.exe" /IM "swi_service.exe" /IM "swi_update.exe" /IM "swi_update_64.exe" /IM "swi_fc.exe" /IM "swi_*" /IM "Health.exe" /IM "McsAgent.exe" /IM "McsClient.exe" /IM "Heartbeat.exe" /IM "SophosFS.exe" /IM "Sophos UI.exe" /IM "ManagementAgentNT.exe" /IM "Clean.exe" /IM "ALsvc.exe" /IM "SEDService.exe" /IM "RouterNT.exe" /IM "UpdateCacheService.exe" /IM "SUMService.exe" /IM "CertificationManagerServiceNT.exe" /IM "SophosADSyncService.exe" /IM "SDRService.exe" /IM "SophosFIMService.exe" /IM "Sophos.FrontEnd.Service.exe" /IM "MgntSvc.exe" /IM "PatchEndpointCommunicator.exe" /IM "PatchEndpointOrchestrator.exe" /IM "PatchServerCommunicator.exe" /IM "Sophos.PolicyEvaluation.Service.exe" /IM "SavexSrvc.exe" /IM "SavexWebAgent.exe" /IM "MMRot.exe" /IM "PMContExtrSvc.exe" /IM "PMEVizsla.exe" /IM "PMScanner.exe" /IM "SGN_MasterServicen.exe" /IM "SophosADSyncService.exe" /IM "Sophos*")2> nul
:: Then one taskkill per .exe listed under the Sophos folders. The image
:: name is taken as the 5th whitespace-separated field of each "dir /S"
:: line that contains a "/".
:: NOTE(review): that presumably relies on a date format with slashes and a
:: 12-hour clock (date, time, AM/PM, size, name); on other regional
:: settings the 5th field may be empty or wrong, and a file name that
:: contains a space is cut at the space - confirm on the target locale.
:: NOTE(review): there is no space between the closing quote and "2> nul";
:: confirm that cmd treats this as a stderr redirection and not as a "2"
:: appended to the image name.
for /f "tokens=5" %%a in ('dir /S "C:\Program Files\Sophos\*.exe" ^| find "/"') do @(taskkill /T /F /IM "%%~a"2> nul)
for /f "tokens=5" %%a in ('dir /S "C:\Program Files\Common Files\Sophos\*.exe" ^| find "/"') do @(taskkill /T /F /IM "%%~a"2> nul)
for /f "tokens=5" %%a in ('dir /S "C:\Program Files (x86)\Sophos\*.exe" ^| find "/"') do @(taskkill /T /F /IM "%%~a"2> nul)
for /f "tokens=5" %%a in ('dir /S "C:\Program Files (x86)\Common Files\Sophos\*.exe" ^| find "/"') do @(taskkill /T /F /IM "%%~a"2> nul)
for /f "tokens=5" %%a in ('dir /S "C:\ProgramData\Sophos\*.exe" ^| find "/"') do @(taskkill /T /F /IM "%%~a"2> nul)
exit /b 0
1554
1555
1556
1557:: ----------------------------- SCRIPTS -----------------------------
1558
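:PoShScript
:: Writes the PowerShell helper Register-FileToDelete.ps1 next to this batch
:: file, one echo per line. The first echo uses ">" and therefore starts the
:: file from scratch. Takes no arguments; always returns 0.
:: The generated function passes each path to MoveFileEx with
:: MOVEFILE_DELAY_UNTIL_REBOOT and a null destination, i.e. it asks Windows
:: to delete the path at the next restart.
:: The file is later loaded by an elevated PowerShell with
:: -ExecutionPolicy Bypass (see :Registry_Deletion), so keep this batch file
:: in a directory that only administrators can write to.
:: Fix: the Begin block now probes for [Posh], the class this script
:: actually compiles; it probed for [File], a type defined nowhere here, so
:: the "already compiled" shortcut could not trigger.
:: Escaping: ^< ^> ^| and ^" keep cmd from treating those characters as
:: redirection, pipe or quoting; "Add-Type @" / "@ delimit a here-string.
setlocal
set "ps1=%~dp0Register-FileToDelete.ps1"
echo Function Register-FileToDelete {>"%ps1%"
echo ^<#>>"%ps1%"
echo .SYNOPSIS>>"%ps1%"
echo Registers a file/s or folder/s for deletion after a reboot.>>"%ps1%"
echo.>>"%ps1%"
echo .DESCRIPTION>>"%ps1%"
echo Registers a file/s or folder/s for deletion after a reboot.>>"%ps1%"
echo.>>"%ps1%"
echo .PARAMETER Source>>"%ps1%"
echo Collection of Files/Folders which will be marked for deletion after a reboot>>"%ps1%"
echo.>>"%ps1%"
echo .NOTES>>"%ps1%"
echo Name: Register-FileToDelete>>"%ps1%"
echo Author: Boe Prox>>"%ps1%"
echo Created: 28 SEPT 2013>>"%ps1%"
echo.>>"%ps1%"
echo .EXAMPLE>>"%ps1%"
echo Register-FileToDelete -Source 'C:\Users\Administrators\Desktop\Test.txt'>>"%ps1%"
echo True>>"%ps1%"
echo.>>"%ps1%"
echo Description>>"%ps1%"
echo ----------->>"%ps1%"
echo Marks the file Test.txt for deletion after a reboot.>>"%ps1%"
echo.>>"%ps1%"
echo .EXAMPLE>>"%ps1%"
echo Get-ChildItem -File -Filter *.txt ^| Register-FileToDelete -WhatIf>>"%ps1%"
echo What if: Performing operation ^"Mark for deletion^" on Target ^"C:\Users\Administrator\Des>>"%ps1%"
echo ktop\SQLServerReport.ps1.txt^".>>"%ps1%"
echo What if: Performing operation ^"Mark for deletion^" on Target ^"C:\Users\Administrator\Des>>"%ps1%"
echo ktop\test.txt^".>>"%ps1%"
echo.>>"%ps1%"
echo.>>"%ps1%"
echo Description>>"%ps1%"
echo ----------->>"%ps1%"
echo Uses a WhatIf switch to show what files would be marked for deletion.>>"%ps1%"
echo #^>>>"%ps1%"
echo [cmdletbinding(>>"%ps1%"
echo SupportsShouldProcess = $True>>"%ps1%"
echo )]>>"%ps1%"
echo Param (>>"%ps1%"
echo [parameter(ValueFromPipeline=$True,>>"%ps1%"
echo ValueFromPipelineByPropertyName=$True)]>>"%ps1%"
echo [Alias('FullName','File','Folder')]>>"%ps1%"
echo $Source = 'C:\users\Administrator\desktop\test.txt' >>"%ps1%"
echo )>>"%ps1%"
echo Begin {>>"%ps1%"
echo Try {>>"%ps1%"
echo $null = [Posh]>>"%ps1%"
echo } Catch { >>"%ps1%"
echo Write-Verbose 'Compiling code to create type' >>"%ps1%"
echo Add-Type ^@^">>"%ps1%"
echo using System;>>"%ps1%"
echo using System.Collections.Generic;>>"%ps1%"
echo using System.Linq;>>"%ps1%"
echo using System.Text;>>"%ps1%"
echo using System.Runtime.InteropServices;>>"%ps1%"
echo.>>"%ps1%"
echo public class Posh>>"%ps1%"
echo {>>"%ps1%"
echo public enum MoveFileFlags>>"%ps1%"
echo {>>"%ps1%"
echo MOVEFILE_REPLACE_EXISTING = 0x00000001,>>"%ps1%"
echo MOVEFILE_COPY_ALLOWED = 0x00000002,>>"%ps1%"
echo MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004,>>"%ps1%"
echo MOVEFILE_WRITE_THROUGH = 0x00000008,>>"%ps1%"
echo MOVEFILE_CREATE_HARDLINK = 0x00000010,>>"%ps1%"
echo MOVEFILE_FAIL_IF_NOT_TRACKABLE = 0x00000020>>"%ps1%"
echo }>>"%ps1%"
echo.>>"%ps1%"
echo [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]>>"%ps1%"
echo static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, MoveFileFlags dwFlags);>>"%ps1%"
echo public static bool MarkFileDelete (string sourcefile)>>"%ps1%"
echo {>>"%ps1%"
echo bool brc = false;>>"%ps1%"
echo brc = MoveFileEx(sourcefile, null, MoveFileFlags.MOVEFILE_DELAY_UNTIL_REBOOT); >>"%ps1%"
echo return brc;>>"%ps1%"
echo }>>"%ps1%"
echo }>>"%ps1%"
echo ^"^@>>"%ps1%"
echo }>>"%ps1%"
echo }>>"%ps1%"
echo Process {>>"%ps1%"
echo ForEach ($item in $Source) {>>"%ps1%"
echo Write-Verbose ('Attempting to resolve {0} to full path if not already' -f $item)>>"%ps1%"
echo $item = (Resolve-Path -Path $item).ProviderPath>>"%ps1%"
echo If ($PSCmdlet.ShouldProcess($item,'Mark for deletion')) {>>"%ps1%"
echo If (-NOT [Posh]::MarkFileDelete($item)) {>>"%ps1%"
echo Try {>>"%ps1%"
echo Throw (New-Object System.ComponentModel.Win32Exception)>>"%ps1%"
echo } Catch {Write-Warning $_.Exception.Message}>>"%ps1%"
echo }>>"%ps1%"
echo }>>"%ps1%"
echo }>>"%ps1%"
echo }>>"%ps1%"
echo }>>"%ps1%"
exit /b 0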