This discussion has been locked.

How to check if a Windows server applied EDR EAP?

We enabled the EAP for Servers.

How can I check if the servers have this enabled?

Is this it?



  • The health state for the item you reference (Sophos EDR Agent) is for the sspedr.exe process which is launched by the SSPService.exe process, which is the "Sophos System Protection Service".

    "C:\Program Files (x86)\Sophos\Health\SophosHealth.exe" - "Sophos Health Service", maintains the state in the registry here for that process:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\ProcessNotification\Sophos EDR Agent
    IsRunning = 1 | 0

    The sspedr.exe process is responsible for composing the trickle feed data from the journal data.

    Another check would be:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR
    Enable = 1

    This shows that the SophosED.sys driver is capturing journal data for the EDR feature.

    These would be evidence that EDR is enabled.

  • It is not possible to check this on all computers manually.

  • What makes you think it is not installed? You could use LiveQuery to check the keys and create a report.

    If the client should have EDR, then Health is doing the checking, and it would be red due to missing services if there was an issue.
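Added example, not part of the original thread and not Sophos code: a PowerShell function that reads the two registry values named in the first reply and reports each as Enabled, Disabled, ValueMissing or KeyMissing, so the output can be collected per server. The function name and output property names are illustrative, and it assumes the account running it can read these HKLM keys.

```powershell
# Added example: checks the two registry values quoted in the thread.
# Function name and output property names are illustrative, not Sophos-defined.
function Get-SophosEdrRegistryState {
    [CmdletBinding()]
    param()

    # Key paths and value names exactly as given in the reply above.
    $checks = @(
        @{
            Check = 'Sophos EDR Agent (sspedr.exe) health state'
            Path  = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Health\ProcessNotification\Sophos EDR Agent'
            Name  = 'IsRunning'
        },
        @{
            Check = 'SophosED.sys journal capture for EDR'
            Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR'
            Name  = 'Enable'
        }
    )

    foreach ($c in $checks) {
        $value = $null
        $state = 'KeyMissing'          # default when the key does not exist
        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $value = $item.($c.Name)
                $state = if ($value -eq 1) { 'Enabled' } else { 'Disabled' }
            } else {
                $state = 'ValueMissing'  # key exists but the value is absent
            }
        }
        # One row per check, tagged with the host name for later aggregation.
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Check        = $c.Check
            Value        = $value
            State        = $state
        }
    }
}

Get-SophosEdrRegistryState | Format-Table -AutoSize
```

Because the function emits objects, the rows from many servers can be piped to `Export-Csv` and merged into one report instead of checking each machine by hand.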
