Sophos Installation Tracking

Hi, I'm using a laptop from our company and there's Sophos installed. I'm currently working from home and I'm wondering, can Sophos detect any software that I install even if I'm not on the company network?



  • It depends on the components/version of Sophos installed. 

    Is it the Sophos Central client or is it the on-premise Sophos Enterprise Console (SEC) managed client?

    If you run services.msc and there is a Sophos MCS Client service, then it is Sophos Central; if there is a Sophos Message Router service, it is on-premise SEC managed.

    If you have the EDR component installed (Sophos Central only) the admin can perform queries, such as listing all the applications installed for example.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR

    Enabled = 1 would mean EDR is enabled.

    They can also get an admin command prompt to the computer via Live Response; from that they could do anything. This would be Sophos Central only.

    Application Control is another feature, which is designed to block or alert on certain applications. For example, I could block Firefox in the browser category. If you ran Firefox, the admin would get an alert, for example. This is Sophos Central and on-premise SEC managed.
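
The checks from the answer above, collected into one read-only PowerShell function. This is an added example, not part of the original thread and not Sophos tooling; it assumes the names given in the post are service display names (as listed in services.msc), and `Get-SophosManagementState` is a hypothetical name.

```powershell
# Added example: reports which Sophos management client is present and whether
# the EDR feature flag named in the post is set. Read-only; it changes nothing.
# Assumption: the service names from the post are display names (services.msc).

function Get-SophosManagementState {
    # Service display name -> management type, as described in the post
    $services = @{
        'Sophos MCS Client'     = 'Sophos Central'
        'Sophos Message Router' = 'On-premise SEC'
    }

    $found = foreach ($name in $services.Keys) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if ($svc) {
            [pscustomobject]@{
                Service    = $svc.DisplayName
                Status     = $svc.Status
                Management = $services[$name]
            }
        }
    }

    # Registry key and value quoted in the post (Enabled = 1 means EDR is enabled)
    $edrKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR'
    $edr = 'Key not present'
    if (Test-Path -LiteralPath $edrKey) {
        try {
            $value = Get-ItemPropertyValue -LiteralPath $edrKey -Name 'Enabled' -ErrorAction Stop
            $edr = if ($value -eq 1) { 'Enabled' } else { "Not enabled (Enabled = $value)" }
        } catch {
            # Value missing or not readable by the current user
            $edr = "Could not read Enabled: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Management = if ($found) { ($found.Management | Sort-Object -Unique) -join ', ' }
                     else { 'No Sophos management service found' }
        Services   = $found
        EDR        = $edr
    }
}

Get-SophosManagementState | Format-List
```
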
