Sophos Tamper Protection: FAQs including how to disable it

  • Article ID: 119175
  • Updated: 03 March 2016

This article addresses some frequently asked questions about Sophos tamper protection, and describes what you need to do if you want to disable it.

Applies to the following Sophos product(s) and version(s)

Sophos Endpoint Security and Control 10.0
Sophos Cloud Managed Endpoint
Sophos Anti-Virus for Mac OS X
Enterprise Console

Sophos tamper protection FAQs

What is tamper protection?

Tamper protection is a feature that prevents unauthorized users and certain types of known malware from uninstalling Sophos security software or disabling it through the Sophos interface. Any attempt to disable tamper protection, either by an unauthorized user or by malware, causes a report/alert to be submitted to the central console.

Is tamper protection enabled by default on Sophos software?

  • Sophos Cloud: Yes
  • UTM: Yes
  • Enterprise Console: No
  • Standalone installations: No

Is tamper protection available on the free Sophos Home software?

Tamper protection is not currently available on the free Sophos Home product. If your home computer is running Sophos Anti-Virus and appears to have tamper protection installed, you will need to ask the person who installed the Sophos software to disable the tamper protection.

How does tamper protection get on my computer?

  • Sophos Cloud and UTM: Tamper protection is enabled by default. For Cloud, the password is automatically generated and cannot be manually set.
  • Enterprise Console: Tamper protection can only be enabled on an endpoint computer by applying a tamper protection policy. This is configured centrally from the console along with other policies, typically by the Sophos administrator who installed and set up the Sophos software.
  • Standalone installations: Tamper protection can be enabled and the password set by a local Administrator. This password will be set for all users who may log on.

How can I uninstall Sophos when removal is prevented by Tamper Protection?

If you want to uninstall Sophos software from a computer with tamper protection enabled, you need two things: the tamper protection password, obtained from the administrator who set it or has access to it, and local administrator permissions to run the uninstaller.

How can I disable Tamper protection?

Normally you would only disable Tamper protection if you wanted to make a change to the local Sophos configuration or uninstall an existing Sophos product. The instructions for this are given below. However, if you are not the administrator who installed it and who has the password, you will need to obtain the password before you can carry out the procedure.

How to disable Sophos tamper protection

On a computer managed by Enterprise Console

You can disable tamper protection by changing the relevant policy. You need the necessary administrative rights and the tamper protection password, as described above.

  1. Open the Tamper protection policy you want to change.
  2. In the Tamper Protection Policy dialog box, clear the Enable tamper protection check box.
  3. Click OK to apply the change.

For more information see the Help guide for your console version.

Locally on a computer managed by Enterprise Console or standalone installation

Windows

You must have Sophos Administrator rights and you will require the tamper protection password that was used when tamper protection was enabled.

  1. Open the Sophos Endpoint Security and Control window, and in the right-hand pane, under Tamper protection, click Authenticate user.
  2. In the Tamper Protection Authentication dialog box, enter the tamper protection password and click OK.
  3. Under Tamper protection, click Configure tamper protection.
  4. In the Tamper Protection Configuration dialog box, clear the Enable tamper protection check box and click OK. 

Mac (There is no tamper protection for standalone installations)

 You must have rights to make changes and you will require the tamper protection password that was used when tamper protection was enabled.

  1. Open the Sophos Anti-Virus Preferences.
  2. Click the padlock and Sophos icon and in the dialog box enter the tamper protection password.
  3. Click OK.

    Note: Tamper protection can only be disabled using this method to allow changes to be made to the local Sophos configuration. It cannot be disabled permanently.

On a computer managed by Sophos Cloud

Before you start, you must retrieve the default tamper protection password from your Sophos Cloud, then follow the instructions for removing it either locally or centrally.

  1. Open the Sophos Cloud interface and log in.
  2. From the 'Global Settings' menu select 'Tamper Protection'.
  3. If enabled, click on 'Show' to display the 'Current password' in clear text.
  4. Make a note of this password.

Now follow the instructions for removing tamper protection locally or centrally.

Disable Tamper Protection locally on a Windows computer (You must have Sophos Administrator rights to perform this operation).

  1. Start the main Sophos application by double clicking the Sophos shield in the Taskbar.
  2. When it has loaded, on the Home screen, click the ‘Authenticate user’ button in the ‘Tamper protection’ section.
  3. Enter the tamper protection password that you made a note of earlier and click ‘OK’.
  4. Click on the ‘Configure tamper protection’ button and uncheck the ‘Enable tamper protection’ option, then click ‘OK’ to confirm this change.
  5. You can now close Sophos as tamper protection is disabled.

    Note: Sophos Cloud will automatically enable Tamper protection after a period of two hours.

Disable Tamper Protection locally on a Mac computer (You must have rights to perform this operation).

  1. Open the Sophos Anti-Virus Preferences.
  2. Click the padlock and Sophos icon and in the dialog box enter the tamper protection password.
  3. Click OK.

    Note: Tamper protection can only be disabled using this method to allow changes to be made to the local Sophos configuration. It cannot be disabled permanently.

    Note: Sophos Cloud will automatically enable Tamper protection after a period of two hours.

Disable Tamper Protection centrally from Sophos Cloud (not recommended)

Important: This will disable Tamper Protection for all computers managed by Sophos Cloud so it is not the recommended option.

  1. Open the Sophos Cloud interface and log in.
  2. From the 'Global Settings' menu select 'Tamper Protection'.
  3. Clear the 'Enable Tamper Protection' check-box.

All managed computers will implement the configuration change within 20-30 seconds.

On a computer managed by Sophos UTM

Before you start you must retrieve the default tamper protection password from your UTM.

Note: If you have previously changed the default password and you know the new password, you can skip the steps below. If you have forgotten the password, steps 1 to 3 below will guide you to the section where you can reset it.

  1. Open the Sophos UTM WebAdmin interface and log in.
  2. From the left-hand menu select 'Endpoint Protection' | 'Computer Management'.
  3. On the Computer Management screen select the 'Advanced' tab.
  4. Make a note of the default password shown under the 'Tamper Protection' section on the right-hand side.
  5. Follow the instructions in the above section: Disable Tamper Protection locally on a Windows computer.

Disable Tamper Protection centrally from the UTM for a single endpoint computer

  1. Open the Sophos UTM WebAdmin interface and log in.
  2. From the left-hand menu select 'Endpoint Protection' | 'Computer Management'.
  3. On the Computer Management screen select the 'Managed Computers' tab.
  4. Locate the correct endpoint computer and click on the 'Edit' button.
  5. In the 'Edit Computer' panel change 'Tamper Protection: Enabled' to 'Disabled'.
  6. Click the 'Save' button.

The computer will implement the configuration change when it next checks with the broker.

Note: Locally, Sophos Endpoint Security and Control will still show Tamper Protection as enabled; however, the uninstaller will allow the software to be removed.

Disable Tamper Protection centrally from the UTM for a group of endpoint computers

  1. Open the Sophos UTM WebAdmin interface and log in.
  2. From the left-hand menu select 'Endpoint Protection' | 'Computer Management'.
  3. On the Computer Management screen select the 'Manage Groups' tab.
  4. Locate the correct endpoint group and click on the 'Edit' button.
  5. In the 'Edit Computers Group' panel change 'Tamper Protection: Enabled' to 'Disabled'.
  6. Click the 'Save' button.

The computer will implement the configuration change when it next checks with the broker.

Note: Locally, Sophos Endpoint Security and Control will still show Tamper Protection as enabled; however, the uninstaller will allow the software to be removed.

Additional information

 
If you need more information or instructions, please contact technical support.
