Hey everyone,
I want to find a file named "baocao.docx" on 100 server to see if any file with that name exists on servers and location of this file. How could I do that?
I have tried "File.01.3 - Files on disk (path-filename)" in live discovery feature but sophos technical support say that "the "File.01.3 - Files on disk (path-filename)" search will only look for the file within immediate files and will not search within subfolders."
Another option that might work, depending what's in the file is the yara table.
For example, if I want to find all PE files, identified by the MZ magic bytes at the start of a file in a directory and sub-directories I could use an inline YARA rule in the query:
SELECT
path,
matches,
sigrule
FROM yara
WHERE path like 'C:\Program Files\Sophos\%%'
AND sigrule = 'rule inline_detect_pe_mz {
strings:
$mz_marker = { 4D 5A }
condition:
$mz_marker
}';
For example, the results might then be as follows, note the matches column is only for the files that are PE files.
Another option that might work, depending what's in the file is the yara table.
For example, if I want to find all PE files, identified by the MZ magic bytes at the start of a file in a directory and sub-directories I could use an inline YARA rule in the query:
SELECT
path,
matches,
sigrule
FROM yara
WHERE path like 'C:\Program Files\Sophos\%%'
AND sigrule = 'rule inline_detect_pe_mz {
strings:
$mz_marker = { 4D 5A }
condition:
$mz_marker
}';
For example, the results might then be as follows, note the matches column is only for the files that are PE files.
