
mac_in_tosh (original poster)
I used Sophos' own app (in the Applications/Sophos folder) to uninstall the antivirus program from my MacBook Pro. It went through some steps and ended by saying the uninstall was unsuccessful. If I check Applications, the Sophos folder is no longer there, nor is its icon on the top of the Mac window. However, if I run Activity Monitor, there are still several Sophos items shown, such as SophosMCSAgentD, SophosScanD, SophosAgent, Sophos Home, etc. At least when I checked, no one item was taking up more than 0.2% CPU.

There are some technical support items on Sophos' website dealing with this failure to uninstall, which are not very straightforward. My question is whether I could just ignore the remaining Sophos items or do I have to go through the task of removing them?

Thanks.
 
The first link has a method that appears to assume you still have Sophos' uninstall program available, which I don't as the Sophos folder in Applications is gone. So I used the second method shown below. However, when I entered "systemextensionsctl uninstall - com.sophos.endpoint.networkextension" into Terminal the response was
There is no installed extension with bundle ID 'com.sophos.endpoint.networkextension' and team ID "-'
When I entered "uninstall - com.sophos.endpoint.scanextension" into Terminal the response was
Uninstall: Command not found. So that method doesn't appear to work.

Now when I run Activity Monitor and search for Sophos only two items show up as opposed to the previous ~10:
com.sophos.endpoint.scanextension
SophosCBR

Questions:
1. Any harm to just keep these running? They are using minuscule amounts of CPU.
2. I also have Malwarebytes on my machine (which is why I wanted to remove Sophos). Could that be interfering with the attempt to remove the Sophos items?
3. The same reference quoted below proposes an alternate method involving reinstalling Sophos and dragging extension hosting software to trash then running their Sophos removing application. Should I just do that?


Disable SIP:
  • Reboot into the recovery partition by holding the command (⌘) key and (R) key down while rebooting
  • Select the volume that contains your copy of Big Sur
  • Enter credentials as requested
  • In the “Recovery” application that comes up, choose the menu item “Utilities | Terminal”
  • Enter the command: “csrutil disable”
  • Restart the Mac and log in
  • Open the Terminal application
    • Enter the command “systemextensionsctl uninstall - com.sophos.endpoint.networkextension”
    • Enter credentials to the dialog that says “systemextensionctl is trying to modify a System Extension”
    • Enter the command “uninstall - com.sophos.endpoint.scanextension”
    • Enter credentials to the dialog that says “systemextensionctl is trying to modify a System Extension”
  • Enable SIP:
    • Reboot into the recovery partition by holding the command (⌘) key and (R) key down while rebooting
    • Select the volume that contains your copy of Big Sur
    • Enter credentials as requested
    • In the “Recovery” application that comes up, choose the menu item “Utilities | Terminal”
    • Enter the command: “csrutil enable”
    • Restart the Mac
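
Added example, not part of the original post or of Sophos' instructions: the "no installed extension ... team ID" error above can be checked by listing what is actually installed before typing any uninstall command. The function names, the sample listing, its tab-separated layout and the team ID `TEAMID0000` are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `systemextensionsctl list` output. The tab-separated
# column layout is an assumption; TEAMID0000 is a placeholder team ID.
sample_list() {
    row='%s\t%s\tTEAMID0000\tcom.sophos.endpoint.%s (1.0/1)\t%s\t[%s]\n'
    printf '%s\n' '2 extension(s)'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf "$row" '*' '*' scanextension 'Scan Extension' 'activated enabled'
    printf "$row" '' '' networkextension 'Network Extension' \
        'terminated waiting to uninstall on reboot'
}

# list_extensions PATTERN: read a listing on stdin and print
# "teamID<TAB>bundleID<TAB>state" for rows whose bundle ID contains PATTERN.
list_extensions() {
    awk -F'\t' -v pat="$1" '
        NF >= 6 && $3 != "teamID" && index(tolower($4), tolower(pat)) {
            split($4, b, " ")              # drop the " (version)" suffix
            state = $6
            gsub(/^\[|\]$/, "", state)     # strip the surrounding brackets
            printf "%s\t%s\t%s\n", $3, b[1], state
        }'
}

# uninstall_commands: turn list_extensions output into the exact command to
# type, with the real team ID and bundle ID. Rows already queued for removal
# only need a reboot, so no command is printed for them.
uninstall_commands() {
    while IFS="$(printf '\t')" read -r team bundle state; do
        case "$state" in
            *"waiting to uninstall"*)
                echo "# $bundle: removal already pending, reboot to finish" ;;
            *)
                echo "systemextensionsctl uninstall $team $bundle" ;;
        esac
    done
}

# On a Mac, read the live list; elsewhere fall back to the constructed sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | list_extensions sophos | uninstall_commands
else
    sample_list | list_extensions sophos | uninstall_commands
fi
```

The script only prints commands; nothing is removed until a printed line is typed by hand, with SIP disabled as in the quoted procedure.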
 
I have no experience with Sophos.
However, I'll offer this (may or may NOT be of help):

When I need to "get rid of" an app, I use the free "AppCleaner".
Get it here:

Then, do this:
1. Open AppCleaner
2. Open your Applications folder (in the finder)
3. Grab the app you want to delete, and "drag and drop" it into AppCleaner's window.
4. AppCleaner will "look around" and gather up all the files related to the app.
5. If any are "unchecked", put a check into them.
6. Click the "remove" button, and they're ALL moved to the trash.
7. Close AppCleaner and empty the trash.
8. Gone!

I'm guessing there might be a few applications that AppCleaner can't "clean out" (perhaps Adobe stuff, Microsoft stuff, etc.). Those software publishers usually make available a standalone "uninstall" utility to get rid of them.
 
I have no experience with Sophos.
However, I'll offer this (may or may NOT be of help):

When I need to "get rid of" an app, I use the free "AppCleaner".
I have AppCleaner but thought it better to use the Sophos provided uninstall. Now that the Sophos program is gone I can't use AppCleaner.
 
OP wrote:
"Now that the Sophos program is gone I can't use AppCleaner."

OK, here's another approach to try.

Download "EasyFind" if you don't have it. It's small and free:
(One of the better utilities out there)

Open EasyFind.
Set it up like this:
Search for -- files & folders
Operator -- all words
Comparison -- ignore case
Include -- invisible files & folders

We need to define WHERE to search.
Look to the right, below the text entry box.
There's a popup menu that will let you define where you want the search conducted.
I'd select the entire boot volume.

In the text entry bar, enter "sophos", then hit return or click the "magnifying glass" on the right side.

Let EasyFind do its thing. It may take a little time.

Does it find anything that is "still there"?
 
Download "EasyFind"....
I downloaded the app and did as you suggested (the location popup menu is to the left of the text entry box and I selected all volumes).

It found about 20 Sophos items. So I should just delete them? If I try to move them to trash a message comes up that it can't be done but asks if I want to delete them immediately. Just never saw such a message before.

Ok I figured you would say to delete them so I tried. When I chose delete immediately I hear a beep and nothing happens, the files are still there. What now? I notice that all the items found are in /Library... If I pick out one file and show it in Finder and try to delete it, I'm told I don't have permission.
 
OP wrote:
"It found about 20 Sophos items. So I should just delete them? If I try to move them to trash a message comes up that it can't be done but asks if I want to delete them immediately. Just never saw such a message before."

OK, here's what to do with those "undelete-able" items.

You have to go back to EasyFind and do that search again.
Get to the point where all the items are displayed in EasyFind in front of you.

Now, do this:
Click on the topmost item, so that it's selected.

Type "command-R". This will reveal its location in the finder (in a new window).

You now see the item in the finder.
Click on it, and type "Command-Delete" (this is the keyboard command to move it to the trash).

A dialog box should pop up requesting your password.
Enter it and hit return.

The item should disappear from the finder window (as it's now moved to the trash).

Empty the trash (you can control-click or right-click on the trash icon to do this).

Now close the finder window so that you can see EasyFind again.

The item will still "be there" (in EasyFind).
IGNORE this.

Click on the second item in the list.
Repeat just what you did above.

And so on with the third item, etc. -- until you've done every one.

YES... this is tedious.
But it's how you get rid of them.

When they've all been moved to the trash and the trash has been emptied, REPEAT the original search with EasyFind.

If nothing comes up... you're done!

Try this and get back to us.
 
I started with this first item in EasyFind:

Screenshot 2023-11-04 at 12.13.32 PM.png


but when I followed your steps I got this message after entering my password:

"The operation can’t be completed because you don’t have permission to access some of the items."

Same thing happened with the next two items at which point I stopped trying. I appreciate your help, so what now? I found the following on the Sophos Community. This is all getting a bit over my head. Is procedure #1 there relevant to my situation?

Reinstall and drag extension hosting software to trash
 
My question is whether I could just ignore the remaining Sophos items or do I have to go through the task of removing them?

If I were facing the same situation I would use Activity Monitor (on most Macs, it's in Applications > Utilities) to see if Sophos' leftovers are using a lot of CPU resources or Memory resources. If the impact is minimal, there probably isn't much harm to just leaving things as they are.

(I just reread your OP and you said the CPU hit is only 0.2%. So have a look at the memory load and use that to help you decide what to do.)

Something else to think about is that Malwarebytes and Sophos are not identical in function. Malwarebytes scans specific places on your HD/SSD for threats it defines as malware. Sophos can do whole-disk scans for a wider set of threats. A previous discussion is here if you're interested: https://forums.macrumors.com/threads/how-safe-is-malwarebytes-for-mac.2378702/post-31934584
 
OP:

I'm going to GUESS that you have "system integrity protection" enabled on your Mac.

You can turn it off if you wish, and then try again.

You said you have a MacBook Pro, but I didn't see as to whether it has an Intel or M-series CPU.
That matters as to how you get to "recovery".

You need to do this.
First, get a piece of paper and write this down:
csrutil disable
There's a single space between the two words

Next, you need to boot to the recovery partition.
How you do that depends on which CPU you have.
For Intel, boot and hold down "command-R".
For M-series, I think you need to press and HOLD the power on button for about 4 seconds, then let the startup options load, and then click "options".

When you get to recovery, open terminal.

Enter:
csrutil disable

Now exit terminal and reboot.

Now try the procedure I outlined above as to getting rid of the files one-by-one.

Does that work?

If you get it done, you can re-enable SIP by repeating the process above, but entering
csrutil enable
in terminal.

Good luck.
 