This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Files and folders that Sophos Intercept X installed?

Hi Heroes,

New to Sophos and currently I'm testing the Sophos Intercept X product.

I want to have a quick look at the files/processes structure that Intercept X installed on the machines.

Does Sophos has such kind of knowledge base articles to describe this? like process name and it's description && log files and it's locations etc..

 

Thanks in advance.



This thread was automatically locked due to age.
  • I don't think such a thing really exists given how it can change.

    Typically all logs go to %programdata\Sophos\[component]\logs\ with the exception of %ProgramData%\HitmanPro.Alert\logs\.  They also write to the Event log. 911 Event ID for HMPA, etc..

    Regarding processes/services/files that's possibly too open-ended without a description of every file for every component. It is possible to provide general information as to the services per component, e.g.

    Sophos MCS Agent and Sophos MCS Client belong to the Management Communication System (MCS) component.  Sophos MCS Client service - mcsclient.exe, is the process that talks to the APIs of Sophos Central for reporting and policy retrieval.  The Sophos MCS Agent service (McsAgent.exe) loads adapter DLLs that belong to each of the managed components to get and set policy, etc.. It works in combination with MCS Client to deliver messages to and from the endpoint.

    I suppose the question is, what are you trying to understand specifically? It might be best to just ask specific questions as the level of detail you could write on any component is vast.

    Regards,

    Jak

    • Hi Jak,

       

      Thanks, the reason I asked like this is because I worked as a McAfee partner before... I knew McAfee has such information to let me have a quick knowledge of McAfee Endpoint Security's file/process structure...

      For example McAfee KB87791 

      • I had a look at the article and I don't think I could glean much more than just looking at service and process descriptions :) 

        For example, the following PowerShell command could get something close for Sophos and it would require no maintenance. 

        $(Get-Process | %{ if($_.Company -match "sophos" -or $_.Company -match "surfright"){$_ | select product, path, description } }) | Out-GridView 

        If you use a tool such as Process Explorer or maybe even Process Hacker and filter/sort by Sophos you'll probably get a good feel for the processes and how they might relate.

        I suppose the key thing to know about Sophos is that there are a number of products or components that make up the solution, e.g.

        Sophos AutoUpdate  - Updating and installing
        HitmanPro.Alert  - Cryptoguard and Exploit mitigations
        Sophos Management Communications System  - reporting to Central and for receiving policies.
        Sophos Anti-Virus - Traditional scanning component, performs web control, web protection, data control, device control.
        Sophos Endpoint Agent - This is the UI component.
        Sophos Clean - Responsible for clean-up scans post detection.
        Sophos Endpoint Self Help - Support tool at the endpoint for diagnosing issues, this could help with the understanding of components also. You will find a link from the About link in the UI.
        Sophos File Scanner - newer scanner component.
        Sophos Health - watches for the health of Sophos services and if threats are detected.
        Sophos Live Query - Essentially is OSQuery so you can query machine info from Central. Extended by Sophos with additional data.
        Sophos Network Threat Protection  - provides many of the network protection features, e.g. IPS, C2 server detection, stonewalling for the XG Firewall.
        Sophos Safestore - When threats are detected, they are moved to Safestore so they can be revived if authorised, etc..
        Sophos System Protection - newer scanner component.
        Sophos Endpoint Defense - provides tamper protection and the component includes the sophosed.sys file system driver which performs much of the file interception and data recording for EDR/RCA/FIM.
        Sophos AMSI - AMSI Provider DLL loaded by processes covered by AMSI to enable script inspection for example, e.g. PS, VBS.#

        As a quick overview of the installer:

        When you run the Central Installer, this pulls down each of these components and installs them in turn. The log file for this installer is here: %ProgramData%\Sophos\CloudInstaller\Logs\

        You have the pre-check phase, the registration with Central phase, the download phase and the install phase. Prior to the install phase you get this which shows you the order of the components to be installed:

        INFO : Install sequence for components is: sdu uninstaller64 sed64 mcsep sse64 sfs64 clean64 shs amsi64 esh64 ui64 efw64 savxp sme64 ntp64 hmpa64 sau 

        As long as "sau" (Sophos AutoUpdate) gets installed, this will take over the management of the installation, in that it will keep trying to install components and provide all the updating going forwards.

        If you have a specific question, for example what does component x do, or what does process x do, please reply.

        Regards,

        Jak