Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

How to force uninstall an unwanted (left over) Sophos system extension?

M

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
I have a problem where a program I wrote is not accessing its end port. I believe the problem may be a former installation of Sophos where an extension is still in place. I ran the antivirus uninstaller program that reported it stopped all services, but this "com.sophos.endpoint.scanextension.systemextension" is still running in /Library/SystemExtensions/51AC3210-2B6F-4C40-B44A-39DA33A0FE53.

Logged in as root, I'm unable to "rm -R -f" this directory.

So, my question is...how do I get rid of this extension?

It does not show up in Preferences under Extensions.

As you can see below, it's definitely still running and probably causing problems for me.

Trying to force quit this process does not work...
1611156107454.png


Thanks very much in advance.

Mac OS 11.1
 

Attachments

  • 1611156103519.png
    1611156103519.png
    71.5 KB · Views: 121
chrfr

chrfr

macrumors G5
Jul 11, 2009
13,702
7,264
Mork said:
I have a problem where a program I wrote is not accessing its end port. I believe the problem may be a former installation of Sophos where an extension is still in place. I ran the antivirus uninstaller program that reported it stopped all services, but this "com.sophos.endpoint.scanextension.systemextension" is still running in /Library/SystemExtensions/51AC3210-2B6F-4C40-B44A-39DA33A0FE53.

Logged in as root, I'm unable to "rm -R -f" this directory.

So, my question is...how do I get rid of this extension?

It does not show up in Preferences under Extensions.

As you can see below, it's definitely still running and probably causing problems for me.

Trying to force quit this process does not work...
View attachment 1716311

Thanks very much in advance.

Mac OS 11.1
Click to expand...
I did a Google search for "uninstall com.sophos.endpoint.scanextension.systemextension" and found this page: https://community.sophos.com/interc...-reads/124391/how-to-remove-system-extensions
 
  • Like
Reactions: Mork
M

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
Thanks. I had actually done the same search, but just not with the big "G".

I was able to uninstall that extension, but the problem remains.

Next ....

Thanks again!
 
M

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
Probably a good idea. I ended up hosing my machine and had to rebuild from scratch...
 
bogdanw

bogdanw

macrumors 603
Mar 10, 2009
6,099
3,011
There is another way to disable third party extensions: kmutil trigger-panic-medic from Terminal in Recovery. Works with SIP enabled.
trigger-panic-medic Delete and disable loading of third party kexts in order to safely boot into a target volume. (can only be triggered in Recovery mode) eg usage: `kmutil trigger-panic-medic --volume-root /Volumes/<VolumeName>`
Click to expand...

Example
Code: 
kmutil trigger-panic-medic --volume-root "/Volumes/Macintosh HD"
or
Code: 
kmutil trigger-panic-medic --volume-root /Volumes/Macintosh\ HD

Another thread about Sophos https://forums.macrumors.com/threads/removing-com-sophos-endpoint-scanextension.2337752/
 
K

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
bogdanw said:
There is another way to disable third party extensions: kmutil trigger-panic-medic from Terminal in Recovery. Works with SIP enabled.


Example
Code: 
kmutil trigger-panic-medic --volume-root "/Volumes/Macintosh HD"
or
Code: 
kmutil trigger-panic-medic --volume-root /Volumes/Macintosh\ HD

Another thread about Sophos https://forums.macrumors.com/threads/removing-com-sophos-endpoint-scanextension.2337752/
Click to expand...
Are you sure that this resolves this issue? At issue is a system extension, not a kernel extension.

A system extension like the one mentioned by the OP should be deactivated and deleted automatically when the app bundle that contains the system extension is deleted, albeit after a reboot. If this does not happen, then the issue may be outside of the developer’s control. The only other way seems to be systemextensionsctl uninstall <teamId> <bundleId>, which (still) requires SIP to be turned off (which is not something a user should do).
 
bogdanw

bogdanw

macrumors 603
Mar 10, 2009
6,099
3,011
KALLT said:
Are you sure that this resolves this issue? At issue is a system extension, not a kernel extension.

A system extension like the one mentioned by the OP should be deactivated and deleted automatically when the app bundle that contains the system extension is deleted, albeit after a reboot. If this does not happen, then the issue may be outside of the developer’s control. The only other way seems to be systemextensionsctl uninstall <teamId> <bundleId>, which (still) requires SIP to be turned off (which is not something a user should do).
Click to expand...
Actually, there is a simpler way from Recovery: delete the extensions & rebuild the cache.
EndPoint.jpg

This is from a Monterey virtual machine that didn’t have other extensions besides Sophos in /Library/SystemExtensions, so I deleted the whole folder. :)
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom