#!/bin/bash # ======================================================================================= # # Copyright 2013 Sophos Ltd. All rights reserved. # # Sophos and Sophos Anti-Virus are registered trademarks of Sophos Ltd. # # All other product and company names mentioned are trademarks or registered # trademarks of their respective owners. # # ======================================================================================= # this script will remove an existing installation of Sophos Anti-Virus for Mac version 9 # probably not a good idea to run it on a version 8 installation if [ "`whoami`" != "root" ] ; then echo "error: must be root" ; exit ; fi echo "" echo "WARNING: this script permenantly removes Sophos Anti-Virus for Mac version 9" echo " it should NOT be used on a version 8 installation" echo "" echo "if there are errors reported by this script, run it again (it fixes itself)" echo "" # run with -f to skip the 5 second delay if [ "$1" != "-f" ]; then echo "press control-C now to abort (automatically continues in 5 seconds)" echo "run with -f (next time) to skip the 5 second delay" sleep 1 for i in 1 2 3 4 5 ; do echo -n "." sleep 1 done echo "" fi function delete_from_filesystem # path { if [ -e "$1" ] ; then echo "removing $1" rm -rf "$1" fi } function stop_uiserver { while [ 1 -eq 1 ] ; do COUNT=`ps -ef | grep SophosUIServer | grep -v grep | wc -l` if [ $COUNT -ne 0 ] ; then UISERVER_USERID=`ps -ef | grep SophosUIServer | grep -v grep | head -n 1 | cut -c 3-5` if [ "$UISERVER_USERID" != "" ] ; then echo "removing launchagent com.sophos.uiserver for user $UISERVER_USERID" for i in 1 2 3 4 5 6 7 8 9 10 ; do if [ $i -eq 10 ] ; then echo "error: failed to remove launchagent com.sophos.uiserver for user $UISERVER_USERID" exit -1 fi sudo -u "#$UISERVER_USERID" launchctl remove com.sophos.uiserver > /dev/null 2>&1 sleep 2 sudo -u "#$UISERVER_USERID" launchctl list | grep -q com.sophos.uiserver if [ $? -ne 0 ] ; then break fi sudo -u "#$UISERVER_USERID" killall -9 SophosUIServer done fi else # no more UIServer instances break fi done delete_from_filesystem "/Library/LaunchAgents/com.sophos.uiserver.plist" } function stop_and_remove_ui { COUNT=`ps -ef | grep "Sophos Anti-Virus" | grep -v grep | wc -l` if [ $COUNT -ne 0 ] ; then echo "stopping Sophos Anti-Virus.app" killall "Sophos Anti-Virus" > /dev/null 2>&1 fi delete_from_filesystem "/Applications/Sophos Anti-Virus.app" } function stop_kext # kextname { KEXTINFO=`kextstat -l -b "$1"` if [ "$KEXTINFO" != "" ] ; then echo "removing kext $1" kextunload -b "$1" fi KEXTINFO=`kextstat -l -b "$1"` if [ "$KEXTINFO" != "" ] ; then echo "error: failed to remove kext $1" exit -1 fi } function stop_launch_daemon # daemon { launchctl list | grep -q "$1" if [ $? -eq 0 ] ; then echo "removing launchdaemon $1" for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do if [ $i -eq 20 ] ; then echo "error: failed to remove launchdaemon $1" exit -1 fi launchctl remove "$1" > /dev/null 2>&1 sleep 2 launchctl list | grep -q "$1" if [ $? -ne 0 ] ; then break fi done fi } function verify_path_not_there # path { while [ "$1" != "" ] ; do if [ -e "$1" ] ; then echo "error: leftover path $1 needs to be removed" fi shift done } function verify_ocelot_gone { verify_path_not_there "/System/Library/Extensions/SAVDeviceController.kext" verify_path_not_there "/Applications/Sophos Anti-Virus.app/" verify_path_not_there "/Library/Frameworks/SAVI.framework/" verify_path_not_there "/Library/Frameworks/SUMScanKit.framework/" verify_path_not_there "/Library/Sophos Anti-Virus/" # can't put quotes around the wildcard * verify_path_not_there /Library/Caches/com.sophos.*/ verify_path_not_there /Library/LaunchAgents/com.sophos.*.plist verify_path_not_there /Library/LaunchDaemons/com.sophos.*.plist } trap "verify_ocelot_gone" EXIT for i in driver.devctrl macendpoint.nke.swi sophos.kext.sav ; do stop_kext "com.sophos.$i" done for i in autoupdate configuration devicecontrol intercheck notification scan webd sxld managementagent messagerouter; do stop_launch_daemon "com.sophos.$i" done for i in autoupdate configuration devicecontrol intercheck notification scan webd sxld managementagent messagerouter; do delete_from_filesystem /Library/LaunchDaemons/com.sophos.$i.plist done stop_uiserver stop_and_remove_ui delete_from_filesystem "/System/Library/Extensions/SAVDeviceController.kext" delete_from_filesystem "/Library/Sophos Anti-Virus" delete_from_filesystem "/Library/Frameworks/SAVI.framework" delete_from_filesystem "/Library/Frameworks/SUMScanKit.framework" delete_from_filesystem "/Applications/Sophos Anti-Virus.app" delete_from_filesystem "/Library/Application Support/Sophos" delete_from_filesystem "/Library/Caches/com.sophos.rms" delete_from_filesystem "/Library/Caches/com.sophos.sav" delete_from_filesystem "/Library/Caches/com.sophos.sau" delete_from_filesystem "/Library/Caches/com.sophos.sxld" delete_from_filesystem "/Library/Caches/com.sophos.installer" delete_from_filesystem "/Library/Preferences/com.sophos.sau.plist" delete_from_filesystem "/usr/bin/SophosUpdate" delete_from_filesystem "/usr/bin/sweep" security delete-generic-password -l SophosAUPrimaryServer -D "Sophos AutoUpdate" > /dev/null 2>&1 security delete-generic-password -l SophosAUPrimaryProxy -D "Sophos AutoUpdate" > /dev/null 2>&1 security delete-generic-password -l SophosAUSecondaryServer -D "Sophos AutoUpdate" > /dev/null 2>&1 security delete-generic-password -l SophosAUSecondaryProxy -D "Sophos AutoUpdate" > /dev/null 2>&1 echo "done"