Uninstallation Apps record on Endpoint


I have a question about whether Sophos can detect any apps that have been uninstalled on endpoints between two dates.

For app installations between two dates, I've found the query, but no query for uninstallation so far.

I appreciate the assistance regarding this matter.

Thank you.

  • You can use the following Live Discover query as a starting place. The event ID 1033 will correspond to a product installation, and 1034 corresponds with an uninstallation.

    SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source,
    provider_name, eventid, task_message, data
    FROM sophos_windows_events
    WHERE eventid IN ('1033', '1034')
    AND provider_name = 'MsiInstaller'
    #AND EventTimeStamp > '$$start_date$$'
    #AND EventTimeStamp < '$$end_date$$'

    I suggest running the query with comments to make the variables start_date and end_date easier to work with. You can add these two as String variables, then copy and paste data from the original output before removing the #, restricting the output you get. 

    Note: I've joined these two threads with very similar inquiries. Please see Getting Started With Sophos Live Discover Design Mode for more step-by-step guidance on how to use the query.

    Kushal Lakhan
    Global Community Support Engineer
  • Hi Qoosh,

    I got the result below from your suggested query. Can we know from the query what kind of software is installed or uninstalled (e.g.: Microsoft Office, Adobe PDF Reader, etc.) and the file path?

    Kind regards,

    Arif Aiman
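
An added example, not part of the thread or Sophos's own code: one way to post-process rows exported from the query above to list successful uninstalls (event ID 1034) between two dates together with the product name. It assumes each row carries the standard MsiInstaller message text in a column called `message` here (a hypothetical name), and that `EventTimeStamp` has the `YYYY-MM-DD HH:MM:SS` form that SQLite's `datetime()` returns; the sample rows are constructed.

```python
import re
from datetime import datetime

# Event IDs from the answer above: 1033 = install, 1034 = uninstall.
ACTIONS = {1033: "install", 1034: "uninstall"}

# Assumption: the row carries the standard MsiInstaller message text.
FIELDS = re.compile(
    r"Product Name: (?P<name>.*?)\. Product Version: (?P<version>.*?)\. "
    r"Product Language: .*?\. Manufacturer: (?P<vendor>.*?)\. "
    r"(?:Installation|Removal) success or error status: (?P<status>-?\d+)"
)

def parse_rows(rows):
    """Turn exported query rows into install/uninstall records."""
    records = []
    for row in rows:
        action = ACTIONS.get(int(row["eventid"]))
        match = FIELDS.search(row["message"])
        if action is None or match is None:
            continue  # not an MSI record in the assumed layout
        records.append({
            "when": datetime.strptime(row["EventTimeStamp"], "%Y-%m-%d %H:%M:%S"),
            "action": action,
            "succeeded": int(match["status"]) == 0,
            "name": match["name"],
            "version": match["version"],
            "vendor": match["vendor"],
        })
    return records

def uninstalls_between(rows, start, end):
    """Successful uninstalls with start <= when < end, oldest first."""
    hits = [r for r in parse_rows(rows) if r["action"] == "uninstall"
            and r["succeeded"] and start <= r["when"] < end]
    return sorted(hits, key=lambda r: r["when"])

def _row(eventid, stamp, verb, name, version, status):
    # Builds one constructed sample row; "message" is a hypothetical column name.
    word = "Installation" if verb == "installed" else "Removal"
    return {"eventid": str(eventid), "EventTimeStamp": stamp, "message":
            f"Windows Installer {verb} the product. Product Name: {name}. "
            f"Product Version: {version}. Product Language: 1033. "
            f"Manufacturer: Example Corp. {word} success or error status: {status}."}

SAMPLE_ROWS = [  # constructed data, not real query output
    _row(1033, "2024-03-04 09:15:02", "installed", "Example Reader", "1.2.3", 0),
    _row(1034, "2024-03-10 14:30:45", "removed", "Example Reader", "1.2.3", 0),
    _row(1034, "2024-03-12 08:00:00", "removed", "Example Tools.NET", "4.0", 1603),
    _row(1034, "2024-04-02 11:00:00", "removed", "Example Suite", "16.0", 0),
]
```

A non-zero status on a 1034 row means the removal was attempted but did not complete, so the product may still be present on the endpoint.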
