
Intercept X advanced for Server with Tamper Protection Disabled when installed

Hi Team,

Kindly assist. I uninstalled and reinstalled a Sophos Intercept X Advanced agent on a Domain Controller, but after the reinstall the Settings tab on the agent dashboard on the DC is enabled, though the features are grayed out (the "disable for 4 hours" option is not effective), and I could easily uninstall the agent (meaning Tamper Protection is disabled). But in Sophos Central, Tamper Protection for this agent (the DC agent) is enabled. Kindly assist in rectifying this. I have uninstalled and reinstalled several times, but it is still the same.

What do you suggest I do?



This thread was automatically locked due to age.
  • It sounds like you're suggesting that tamper is enabled in Central but not enabled at the endpoint.

    At the endpoint I would start with the policy, as sent by Central to prove the endpoint has the expected policy, this is stored here:

    %ProgramData%\Sophos\Remote Management System\3\Agent\AdapterStorage\CORE\policy

    For example, the section of interest looks like this:

    <tamper-protection>
    <enabled>false</enabled>
    <ignore-sav>true</ignore-sav>
    <password>sed-tp1:upUILC5pp0mC8Y7Y3XJBSQ==:XWKRpdqHo4XnWX6rsv+QwDLtz1oEfm1vEggLpNWwUFlmpr66SlfDxQ==</password>
    </tamper-protection>

    If tamper protection is enabled in Central, the above "enabled" value would be true, and it would have a password.

    Do you have enabled = true and a password value in this file?  If so, Central has done its job.

    The SophosED.sys driver enforces Tamper Protection, the config is read from:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config

    Specifically, the SEDEnabled DWORD: when tamper is on, the value is 1; when disabled, 0.

    If you run in an admin prompt:
    "C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -s

    It will report the local state also.

    What does the tool report and the registry key show?

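The three checks described in the reply above (the policy file delivered by Central, the SEDEnabled DWORD the driver reads, and the local state reported by SEDcli.exe -s) can be collected in one pass. The script below is an added example and is not code from the original thread or from Sophos; it uses only the paths, key and value names quoted in the reply, and it prints the SEDcli.exe output raw rather than parsing it, because that output format is not shown on the page. The result messages at the end follow the reply's own reasoning: an enabled policy with a password on disk means Central has done its job, so if SEDEnabled is not 1 the mismatch is on the endpoint.

```powershell
# Added example (not from the Sophos thread or from Sophos itself): collects the
# three pieces of evidence the reply asks for and says whether they agree.
# Run from an elevated PowerShell prompt on the affected endpoint.
# Paths and value names below are the ones quoted in the reply.

$policyPath = Join-Path $env:ProgramData 'Sophos\Remote Management System\3\Agent\AdapterStorage\CORE\policy'
$regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
$sedCli     = Join-Path $env:ProgramFiles 'Sophos\Endpoint Defense\SEDcli.exe'

function Get-CentralTamperPolicy {
    # Reads the <tamper-protection> section of the policy file Central sent.
    param([string]$Path)
    $none = [pscustomobject]@{ Found = $false; Enabled = $null; HasPassword = $false }
    if (-not (Test-Path -LiteralPath $Path)) { return $none }
    $raw = Get-Content -LiteralPath $Path -Raw
    # Regex rather than [xml], so the section is found even if the file is not
    # one well-formed XML document (only the fragment is shown in the reply).
    $section = [regex]::Match($raw, '<tamper-protection>[\s\S]*?</tamper-protection>')
    if (-not $section.Success) { return $none }
    $enabled  = [regex]::Match($section.Value, '<enabled>\s*(true|false)\s*</enabled>', 'IgnoreCase')
    $password = [regex]::Match($section.Value, '<password>\s*(\S+?)\s*</password>')
    [pscustomobject]@{
        Found       = $true
        Enabled     = if ($enabled.Success) { $enabled.Groups[1].Value -ieq 'true' } else { $null }
        HasPassword = $password.Success
    }
}

function Get-LocalTamperState {
    # Reads the SEDEnabled DWORD the SophosED.sys driver enforces; $null if absent.
    param([string]$RegPath)
    $item = Get-ItemProperty -Path $RegPath -Name 'SEDEnabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.SEDEnabled
}

$policy = Get-CentralTamperPolicy -Path $policyPath
$local  = Get-LocalTamperState -RegPath $regPath

"Central policy file : $policyPath"
"  found             : $($policy.Found)"
"  enabled           : $($policy.Enabled)"
"  password present  : $($policy.HasPassword)"
"Driver config       : $regPath"
"  SEDEnabled        : $(if ($null -eq $local) { '<missing>' } else { $local })"

if (Test-Path -LiteralPath $sedCli) {
    "SEDcli.exe -s output:"
    & $sedCli -s 2>&1 | ForEach-Object { "  $_" }
} else {
    "SEDcli.exe not found at $sedCli"
}

# Interpretation, following the reply's reasoning.
if ($policy.Found -and $policy.Enabled -and $policy.HasPassword -and $local -eq 1) {
    'Result: Central policy and local driver config agree (tamper protection ON).'
} elseif ($policy.Found -and $policy.Enabled -and $policy.HasPassword) {
    'Result: Central delivered an enabled policy with a password, but SEDEnabled is not 1. The mismatch is on the endpoint.'
} elseif ($policy.Found) {
    'Result: The policy on disk does not have tamper protection enabled with a password. Central has not delivered the expected policy.'
} else {
    'Result: No tamper-protection policy section found on disk.'
}
```

If the script reports that the policy on disk is enabled with a password but SEDEnabled is missing or 0, the answer to the reply's closing question is "Central has done its job and the endpoint has not applied it", which is the case to take to support together with the SEDcli.exe output.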