CrowdStrike Falcon: IT Admin Guide

Last updated: August 13, 2025
Support for Sophos Enterprise ends on August 30, 2025.
UW-IT is replacing Sophos with CrowdStrike Falcon on UW-owned computers.

Key Dates & Responsibilities

  • Before August 30: Departments must uninstall Sophos Enterprise.
  • Before September 15: Departments must install CrowdStrike Falcon.

What is CrowdStrike Falcon?

Falcon is UW’s new antivirus and endpoint protection solution, replacing Sophos Enterprise. It uses a lightweight agent and cloud-based AI to detect and respond to threats across Windows, macOS, Linux, and major cloud platforms (Azure, AWS, Google Cloud).

Falcon provides centralized visibility for IT admins and protects tens of thousands of UW-connected devices—on campus and remotely.

Departments can request Falcon at no cost.

Request CrowdStrike Falcon

Installation & Support Guide

This guide outlines required actions, uninstall instructions, and resources for supporting end users.

Installation Instructions

Windows Instructions

  1. Open the Start Menu > Settings > Apps
  2. Find Sophos Endpoint Agent and click Uninstall

Or run SophosUninstall.exe from C:\Program Files\Sophos\Sophos Endpoint Agent

Review Sophos documentation on uninstalling Sophos on Windows for added information.
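
To confirm where a Windows host stands after these steps, the following PowerShell check is an added example, not a UW-IT, Sophos, or CrowdStrike script. It looks for Sophos entries in the installed-programs registry keys and for the uninstaller at the path above; the Falcon sensor service name `CSFalconService` and the function name `Get-MigrationState` are assumptions not stated on this page.

```powershell
# Added example: report Sophos-to-Falcon migration state on one Windows host.
# Assumption: the Falcon sensor service is named 'CSFalconService' (not from this page).
function Get-MigrationState {
    [CmdletBinding()]
    param(
        [string]$SophosDir     = 'C:\Program Files\Sophos\Sophos Endpoint Agent',
        [string]$FalconService = 'CSFalconService'
    )

    # Installed-programs entries live under both the 64-bit and 32-bit Uninstall keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $sophosApps = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sophos*' } |
        Select-Object -ExpandProperty DisplayName)

    # The uninstaller named in the steps above; if it exists, agent files remain on disk.
    $uninstaller        = Join-Path $SophosDir 'SophosUninstall.exe'
    $uninstallerPresent = Test-Path -LiteralPath $uninstaller

    # A missing service yields $null here instead of a terminating error.
    $svc           = Get-Service -Name $FalconService -ErrorAction SilentlyContinue
    $falconRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    $sophosPresent = ($sophosApps.Count -gt 0) -or $uninstallerPresent
    $state = if ($sophosPresent -and $falconRunning) { 'BothPresent' }
        elseif ($sophosPresent) { 'SophosOnly' }
        elseif ($falconRunning) { 'Migrated' }
        else { 'Neither' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SophosApps         = $sophosApps
        UninstallerPresent = $uninstallerPresent
        FalconStatus       = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        State              = $state
    }
}

Get-MigrationState
```

Hosts that report `SophosOnly` or `Neither` still need action before the dates listed under Key Dates & Responsibilities.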


macOS Instructions

  1. Press Command + Spacebar and search for “Remove Sophos”
  2. Run the Remove Sophos utility
    • If not available, use the command line uninstall script or contact Sophos support

Review Sophos documentation on uninstalling Sophos on macOS for added information.


User-managed UW-owned devices

Some user-managed UW-owned devices are running Sophos Home instead of Sophos Enterprise. If one of your users needs to uninstall Sophos Home, you can direct them here for Macs and here for Windows, or have them email help@uw.edu with “Sophos Home” in the title.

  • Faculty or staff may have Sophos Enterprise on UW devices and Sophos Home on personal, non-UW-owned devices. Refer them to the Removing Sophos page for uninstall help and antivirus alternatives.
  • Users without IT support may ask for help uninstalling Sophos or installing Falcon. Direct them to your team or have them email help@uw.edu with “CrowdStrike Falcon” in the subject line.

  • Expect increased support requests
  • Encourage and take early action to reduce last-minute issues

After CrowdStrike Falcon is installed, your incident response process may shift.
If a user reports connectivity issues, first determine whether the device has been contained by CrowdStrike.
Other recommendations include:

  • Make sure users know how to contact you as their IT admin.
  • When a device loses connectivity, check if CrowdStrike Falcon containment is the cause.
  • Look for critical escalation or OverWatch alerts in your email.
  • If you use UW Connect, search the device name under the “IS EDR Incident” assignment group.
  • If containment is confirmed, call UW-IT Service Desk: 206-221-5000 and request escalation for CrowdStrike containment.

FAQs

Frequently Asked Questions

Each device group will have a designated contact who will be alerted if Falcon takes action. Departments are responsible for keeping these contacts up to date.

If malware is removed and systems are operating normally, no action is needed unless UW-IT follows up.
If Falcon quarantines a critical host, contact the UW-IT Service Desk at 206-221-5000 for immediate escalation.

IT admins will have similar fleet visibility and functionality in the Falcon console.

Falcon does not access personal files, monitor online activity, or inspect content. It only acts when a threat is present.

Endpoints are network-connected devices such as laptops, mobile devices, tablets, Internet of Things (IoT) devices, gaming consoles, and printers, among many others. The term doesn’t include items like routers, switches, and wireless access points.

70% of cyberattacks begin at endpoints. Falcon uses AI to detect and respond to threats in real time, protecting UW’s diverse environments.

Need Help?

Email help@uw.edu with “CrowdStrike Falcon” in the subject line.