
southerndoc

Contributor
Original poster
I've tried numerous ways to remove this extension (com.sophos.endpoint.scanextension). I've disabled SIP, but when I rebooted and tried to delete it, I'm given a file not found error. When I reboot, it still shows up in the Activity Monitor app as loading.

Does anyone know how to delete this from my MacBook Air M1? It drives me crazy how when you use a removal tool, remnants still remain (I had previously used the removal tool).
 
I was able to remove it, but it was difficult for sure.

Because of how difficult it is to remove, I would highly recommend that nobody install Sophos until they fix the removal process.
 
Because of how difficult it is to remove, I would highly recommend that nobody install Sophos until they fix the removal process.

It's not an issue fixable by Sophos. Apple made changes to the way extensions are added/removed which forces this convoluted procedure. Have encountered this problem with another program as well.
 
It's not an issue fixable by Sophos. Apple made changes to the way extensions are added/removed which forces this convoluted procedure.
That is not true. Install and uninstall LuLu to see how a proper system extension should behave https://objective-see.com/products/lulu.html
LuLu.jpg
 
Install and uninstall LuLu to see how a proper system extension should behave

Not sure how the extensions list above is relevant. It is not a question of how an extension behaves. It is a question of how to install or remove them. This changed in recent OS releases. Per an OWC Softraid forum "You cannot load an extension by just copying it to /Library/extensions. There are security measures in place to prevent that from working." See your point though if Lulu can install/remove its own extensions.

The Sophos instructions are in the link above. For SoftRaid you normally have to remove the program to get rid of the extension, or reinstall the program to get it reinstalled. When that doesn't work you have to fall back to the Sophos instructions changing the extensions to the SoftRaid ones. Sounds like Lulu may do its extensions install like SoftRaid. Not sure about why SoftRaid can do it and Sophos can't. Having dealt with Sophos on a number of issues I trust their technical expertise.
 
Not sure how the extensions list above is relevant. It is not a question of how an extension behaves. It is a question of how to install or remove them. This changed in recent OS releases. Per an OWC Softraid forum "You cannot load an extension by just copying it to /Library/extensions. There are security measures in place to prevent that from working." See your point though if Lulu can install/remove its own extensions
Sophos’s extensions are not in /Library/Extensions.
The “Remove Sophos Endpoint” app does not stop the extensions and does not trigger the rebuild of the AuxKC (Auxiliary Kernel Collection). That's the problem.
Here is before and after running the “Remove Sophos Endpoint” app
Sophos.jpg
 
What I had to do (from memory, so hopefully I don't miss a step):

  1. Reinstall Sophos
  2. Authorize "Installer" (with the Sophos logo) for full disk access
  3. Go to the Sophos folder in Applications and find the SophosNetwork (the website referenced below said "SophosWebNetworkExtension" but it was actually something slightly different); drag this to the trash
  4. Right click on Sophos Scan and show package contents.
  5. Go to Contents/MacOS
  6. Drag the SophosScanD app to the trash (it was also named something slightly different)
  7. Run /Applications/Sophos/Remove Sophos Endpoint (I think this was just named Uninstall)
After this, it disabled/deleted it. I did not have to disable SIP for the above process to work.

 
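A way to confirm whether the removal steps above actually unregistered the extension, written as an added example that is not part of any post in this thread. It parses the listing printed by `systemextensionsctl list`; the team IDs, versions and the `com.example.filter` row in the sample data are constructed, and the pending-removal state string is assumed to read "terminated waiting to uninstall on reboot".

```shell
#!/bin/sh
# Classify what is left of a vendor's system extensions after an uninstall,
# reading `systemextensionsctl list` output on stdin.

# leftover_extensions PREFIX -> one "bundleID<TAB>state" line per match
leftover_extensions() {
  awk -v prefix="$1" '
    /\[.*\]$/ && !/\[state\]$/ {           # data rows end in "[state text]"
      s = $0; sub(/^.*\[/, "", s); sub(/\]$/, "", s)
      if (match($0, /[A-Za-z0-9._-]+ \(/)) {  # token before " (version)"
        id = substr($0, RSTART, RLENGTH - 2)
        if (index(id, prefix) == 1) print id "\t" s
      }
    }'
}

# removal_status PREFIX -> clean | pending-reboot | still-registered
removal_status() {
  rows=$(leftover_extensions "$1")
  if [ -z "$rows" ]; then
    echo clean
  elif printf '%s\n' "$rows" | grep -qv 'waiting to uninstall on reboot'; then
    echo still-registered      # at least one extension is not queued for removal
  else
    echo pending-reboot        # every match goes away on the next restart
  fi
}

# Constructed sample listings (placeholder team IDs and versions).
sample_before() {
  printf '%s\n' '2 extension(s)' '--- com.apple.system_extension.endpoint_security'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  printf '*\t*\tTEAMID0000\tcom.sophos.endpoint.scanextension (1.0/1.0)\tSophos Scan Extension\t[activated enabled]\n'
  printf '*\t*\tTEAMID1111\tcom.example.filter (2.0/2.0)\tExample Filter\t[activated enabled]\n'
}
sample_after() {
  printf '%s\n' '2 extension(s)' '--- com.apple.system_extension.endpoint_security'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  printf '\t\tTEAMID0000\tcom.sophos.endpoint.scanextension (1.0/1.0)\tSophos Scan Extension\t[terminated waiting to uninstall on reboot]\n'
  printf '*\t*\tTEAMID1111\tcom.example.filter (2.0/2.0)\tExample Filter\t[activated enabled]\n'
}

# Use the live listing on macOS, otherwise the constructed sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
  systemextensionsctl list | removal_status "${1:-com.sophos.}"
else
  sample_after | removal_status com.sophos.
fi
```

A result of `still-registered` after running the vendor's removal tool matches the situation the original poster describes, where the extension keeps loading after a reboot.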
At MMU we have identified an issue with Sophos and MDMs (in our case JAMF) where Sophos can beachball the Mac during boot/login, and this has been isolated by us as being the crypto setting on the local Sophos client. Took a while to get Sophos to take us seriously, but it seems they are now admitting there is a major issue with their current Sophos enterprise suite and MDMs. Sophos are going to try and fix this, but are not giving an ETA, as this is a big issue and they might need to do a re-write to make it work better. In the interim, disabling the Crypto setting on the Sophos client would fix the beachball issue.
 
Sophos are going to try and fix this, but are not giving an ETA, as this is a big issue and they might need to do a re-write to make it work better.

Code rewrites take a lot of time. Took something like 9 months for them to fix a network bug (LAN speed to a NAS limited to 1 GbE rather than 10 GbE). Luckily they were rewriting the code so it probably happened sooner than it would have otherwise. They gave me regular updates. Exceptional service.

It's basically malware with the amount of difficulty for it to be removed.

Malware (short for “malicious software”) is a file or code, typically delivered over a network, that infects, explores, steals or conducts virtually any behavior an attacker wants.

Doesn't meet the definition.

A serious company would not deliver installers in this way.

If a product that is used in enterprise environments isn't serious, then I don't know what a "serious company" is.

In any case if it is an issue for you just don't use it. In most cases you install Sophos and you never need to uninstall it. Don't understand all of the fuss.
 
Sophos is horrible. It's basically malware with the amount of difficulty for it to be removed. I will never install it again.
This seems to be burning up my wife's computer. Can't uninstall (uninstall fails) and constantly runs scans until the computer gets so hot it shuts down (via Activity Monitor). Preferences won't open to make any changes. I installed this years ago on a 2011 15" MacBook Pro and my wife inherited it for light, but vital, work. If a program has a mind of its own, and won't uninstall, how is this not itself malware? Horrible.
 
It's not an issue fixable by Sophos. Apple made changes to the way extensions are added/removed which forces this convoluted procedure. Have encountered this problem with another program as well.
Sorry, but this doesn't seem like a good excuse. Sophos needs to be able to help users to be able to easily uninstall their products. Otherwise, ironically in this case, the software seems just like malware. I will avoid this company's products in the future.
 
What I had to do (from memory, so hopefully I don't miss a step):

  1. Reinstall Sophos
  2. Authorize "Installer" (with the Sophos logo) for full disk access
  3. Go to the Sophos folder in Applications and find the SophosNetwork (the website referenced below said "SophosWebNetworkExtension" but it was actually something slightly different); drag this to the trash
  4. Right click on Sophos Scan and show package contents.
  5. Go to Contents/MacOS
  6. Drag the SophosScanD app to the trash (it was also named something slightly different)
  7. Run /Applications/Sophos/Remove Sophos Endpoint (I think this was just named Uninstall)
After this, it disabled/deleted it. I did not have to disable SIP for the above process to work.

I created an account just to say thank you for this. Filenames were a little different in my case, but close enough; worked perfectly. THANK YOU! And yeah, never going near Sophos again.
 