Uninstallation Apps record on Endpoint

Hi,

I have a question: can Sophos detect any apps that have been uninstalled on endpoints between two dates?

For the apps installation between two dates, I've found the query but no query for uninstallation so far.

I appreciate the assistance regarding this matter.

Thank you.

  • Thank you for reaching us. As per checking, the default queries, which can be found under Live Discover, don't have a query for uninstallation events. Allow us to further check this and get back to you.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
  • Hi,

    May I know if there's any query to detect uninstalled software on an endpoint?

    I can only find the query for software installation but not for uninstallation.

    Thank you.

  • Hi Glenn,

    Sure. Please let me know once you have the update on this matter.

    FYI, I already checked with Sophos Support regarding this. Sophos Support said that Sophos EDR and the other Sophos Central licenses/products do not have a feature that records the applications being installed and uninstalled by users on every endpoint device. There is no report that shows the applications being installed and uninstalled by every user.

    Kind Regards,

    Arif

  • Thank you, but allow me to correct the statement. Sophos EDR has the capacity to collect data on installed applications through Live Discover, provided that the said feature is enabled in your Sophos Central. I've attached the link to this thread. You can collect the installed applications by running the query "Installed applications (Data Lake)," which is already available under Data Lake queries. If the query isn't available in the default list, you can also create your own query. However, we don't have a query for collecting uninstalled application reports, and that is what we're currently checking internally.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
  • You can use the following Live Discover query as a starting place. Event ID 1033 corresponds to a product installation, and 1034 corresponds to an uninstallation.

    SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source,
    provider_name, eventid, task_message, data
    FROM sophos_windows_events
    WHERE eventid IN ('1033', '1034')
    AND provider_name = 'MsiInstaller'
    #AND EventTimeStamp > '$$start_date$$'
    #AND EventTimeStamp < '$$end_date$$'

    I suggest running the query with comments to make the variables start_date and end_date easier to work with. You can add these two as String variables, then copy and paste data from the original output before removing the #, restricting the output you get. 

    Note: I've joined these two threads with very similar inquiries. Please see Getting Started With Sophos Live Discover Design Mode, for more step-by-step guidance on how to use the query.

    Kushal Lakhan
    Global Community Support Engineer
  • Hi Qoosh,

    I got the result below from your suggested query. Can we know from the query what kind of software was installed or uninstalled (e.g. Microsoft Office, Adobe PDF Reader, etc.) and the file path?

    Kind regards,

    Arif Aiman
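As an added example (not code from the thread or from Sophos), here is one way to answer the last question from the output of the query above: parse the MsiInstaller 1033/1034 message text to get product name, version and manufacturer, then restrict to successful uninstalls in a date window. It assumes the exported rows carry the query's column names and that the MSI message text is in task_message; the sample rows are constructed.

```python
import re
from datetime import datetime

# Constructed sample rows in the shape of the Live Discover query output (not real endpoint data).
SAMPLE_ROWS = [
    {"EventTimeStamp": "2024-03-04 09:12:41", "eventid": "1033",
     "task_message": "Windows Installer installed the product. Product Name: Example Reader. "
                     "Product Version: 23.1.0. Product Language: 1033. Manufacturer: Example Corp. "
                     "Installation success or error status: 0."},
    {"EventTimeStamp": "2024-03-10 17:45:02", "eventid": "1034",
     "task_message": "Windows Installer removed the product. Product Name: Example Reader. "
                     "Product Version: 23.1.0. Product Language: 1033. Manufacturer: Example Corp. "
                     "Removal success or error status: 0."},
    {"EventTimeStamp": "2024-04-01 08:00:00", "eventid": "1034",
     "task_message": "Windows Installer removed the product. Product Name: Legacy Agent. "
                     "Product Version: 1.0.0. Product Language: 1033. Manufacturer: Old Vendor. "
                     "Removal success or error status: 1603."},
]

# Labelled fields in the standard MSI 1033/1034 event message; each value ends at the next label.
LABELS = ["Product Name", "Product Version", "Product Language", "Manufacturer",
          "Installation success or error status", "Removal success or error status"]
_NEXT = "|".join(re.escape(l) + ":" for l in LABELS)
FIELD_RE = re.compile(r"(" + "|".join(re.escape(l) for l in LABELS) + r"): (.*?)\.\s*(?=" + _NEXT + r"|$)")

def _day(s):
    # Date bounds are given as 'YYYY-MM-DD' strings (assumed convention), or None for no bound.
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None

def parse_msi_events(rows, start=None, end=None):
    """Turn raw 1033/1034 rows into structured install/uninstall records within [start, end]."""
    start_d, end_d, out = _day(start), _day(end), []
    for row in rows:
        ts = datetime.strptime(row["EventTimeStamp"], "%Y-%m-%d %H:%M:%S")
        if (start_d and ts.date() < start_d) or (end_d and ts.date() > end_d):
            continue
        fields = dict(FIELD_RE.findall(row["task_message"]))
        status = (fields.get("Installation success or error status")
                  or fields.get("Removal success or error status"))
        out.append({"time": ts,
                    "action": "install" if row["eventid"] == "1033" else "uninstall",
                    "product": fields.get("Product Name"),
                    "version": fields.get("Product Version"),
                    "vendor": fields.get("Manufacturer"),
                    "succeeded": status == "0"})   # non-zero status (e.g. 1603) means the MSI action failed
    return out

def uninstalled_between(rows, start, end):
    """Only removals that actually completed, for the reporting window the thread asks about."""
    return [e for e in parse_msi_events(rows, start, end)
            if e["action"] == "uninstall" and e["succeeded"]]
```

The MSI 1033/1034 message records product name, version and manufacturer but not an install path, so the file path would have to come from another source.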