Live Discover Query - identify devices where Tamper Protection is disabled

  REVIEWED by Sophos 

As a simple query highlighting the power of Live Query for ad-hoc reporting, we can easily get the tamper protection state for the computers selected:

select data,path from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config' AND name='SEDEnabled' AND data=0;

Regards,

Jak
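A variant of the query above, added here as an example and not part of the original post: instead of returning only devices where the value is 0, it reports the Tamper Protection state of every selected device, labels it, and shows when the value was last modified. It assumes the osquery `registry` and `system_info` tables that Live Discover exposes; the `Tamper_Protection` and `last_changed` column aliases are chosen for this example.

```sql
-- Added example (not from the original post). Reports the Tamper Protection
-- state for every device the query runs on, instead of listing only the
-- devices where it is disabled.
-- Assumes the standard osquery tables 'registry' (key, path, name, type,
-- data, mtime) and 'system_info' (single row, includes hostname).
SELECT
  s.hostname,
  r.data AS SEDEnabled,
  CASE r.data                       -- 'data' is a TEXT column in osquery
    WHEN '1' THEN 'ENABLED'
    WHEN '0' THEN 'DISABLED'
    ELSE 'UNKNOWN (' || r.data || ')'
  END AS Tamper_Protection,
  datetime(r.mtime, 'unixepoch') AS last_changed,   -- key modification time
  r.path
FROM registry r
CROSS JOIN system_info s            -- system_info has one row, so this just adds hostname
WHERE r.key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
  AND r.name = 'SEDEnabled';
```

Note that a device on which the `SEDEnabled` value does not exist returns no row at all, because the `registry` table only emits rows for values it can read. When using this for reporting, treat "no result" as something to investigate (agent not installed, value missing, or the query not run) rather than as equivalent to ENABLED.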

Comment

  • REVIEWED by Sophos

    No logic changes, just slightly nicer output:

    SELECT
      CASE
        WHEN data LIKE '0' THEN 'DISABLED'
      END Tamper_Protection
    FROM registry
    WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
      AND name='SEDEnabled'
      AND data=0;