MacOS – There is a broken Sophos entry in Keychain Access after uninstalling the program – how to remove it

anti-viruskeychainmacosplist

I've followed the official instructions and also tried running the official removal tool (which btw hangs) for Sophos anti-virus for Mac but I still see a "Sophos" entry in Keychain Access.

I have also see errors in Console when system services try to open /Library/Sophos Anti-Virus/Sophos.keychain which is a non-existant file. I've even tried recreating a file in that path followed by sudo security delete-keychain "/Library/Sophos Anti-Virus/Sophos.keychain" but the entry still remains in the list of keychains.

How can I remove this annoying Sophos leftover?

(can't remember which Sophos edition I originally installed, maybe it was called "Home", maybe that is the only one for Mac)

Best Answer

To fix this you have to manually edit the file /Library/Preferences/com.apple.security-common.plist, as root, and delete the corresponding hardcoded <dict>...Sophos...</dict> entry in there.

Great care must be taken because you can totally screw up ? your system(-keychain) if you leave any errors inside this .plist file. The section that needs to be deleted looks as follows:

...
<dict>
    <key>DbName</key>
    <string>/Library/Sophos Anti-Virus/Sophos.keychain</string>
    <key>GUID</key>
    <string>{some UUID string here}</string>
    <key>SubserviceType</key>
    <integer>6</integer>
</dict>
...

Upon save, there should no longer be any "Sophos" entry in Keychain Access or as output of security list-keychains.

I used vim and deleted the offending lines as (sudo vim /Library/Preferences/com.apple.security-common.plist) but you may use any text or plist editor you like - I frankly don't know with one is the most accessible (recommendations welcome).

Related Question