When performing a Live Response session, with a view to troubleshooting Sophos components, it may be worthwhile confirming whether Tamper Protection (Endpoint Defense) is disabled. To do so you can run:
"C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -s
This will return either:
- SED Tamper Protection is disabled
- SED Tamper Protection is enabled
If it is enabled, you should be able to disable it via Sophos Central or re-use SEDcli.exe with the -TPoff switch, e.g.
"C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -TPoff 12345678890
Where the password for this computer can be obtained from Sophos Central.
Tip: To get to the correct page in Central without the need to search for an endpoint, at the time of writing the direct URL to the computer page takes the form:
https://cloud.sophos.com/manage/devices/computers/<EndpointID>
Servers take the form:
https://cloud.sophos.com/manage/server/devices/servers/<EndpointID>
Where the <EndpointID> at the end of the URL is the unique endpoint id issued to the managed client. This can be obtained with the command line:
type "%ProgramData%\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt"
Given the link format and this ID, you can construct the URL to the device page.
Regards,
Jak
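The following PowerShell is an added example, not part of Jak's post or any Sophos tooling. It wraps the steps above into a single status check for a Live Response session: it runs SEDcli.exe -s and parses the two result strings quoted in the post, reads EndpointIdentity.txt from the path given above, and builds the computer or server URL for Sophos Central. It deliberately only reports status and never calls -TPoff, since that needs the per-device password from Central. The function names, the parameter names and the use of Win32_OperatingSystem ProductType to decide between the computer and server URL forms are this example's own assumptions.

```powershell
# Added example (not from the original post): report the Tamper Protection state
# of this endpoint and build its Sophos Central device URL. Paths and SEDcli
# output strings are taken from the post; everything else is assumed.

function Get-SedTamperState {
    param(
        [string]$SedCli = "$env:ProgramFiles\Sophos\Endpoint Defense\SEDcli.exe"
    )
    if (-not (Test-Path -LiteralPath $SedCli)) {
        throw "SEDcli.exe not found at '$SedCli'; is Endpoint Defense installed?"
    }
    # "SEDcli.exe -s" prints "SED Tamper Protection is enabled" or "... is disabled"
    $output = (& $SedCli -s 2>&1 | Out-String)
    if ($output -match 'SED Tamper Protection is (enabled|disabled)') {
        return $Matches[1]
    }
    throw "Unexpected SEDcli output: $output"
}

function Get-SophosEndpointId {
    param(
        [string]$IdentityFile = "$env:ProgramData\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt"
    )
    if (-not (Test-Path -LiteralPath $IdentityFile)) {
        throw "EndpointIdentity.txt not found at '$IdentityFile'; the device may not be registered with Central yet."
    }
    # The file holds only the endpoint id; trim any trailing newline or whitespace.
    $id = (Get-Content -LiteralPath $IdentityFile -Raw).Trim()
    if ([string]::IsNullOrWhiteSpace($id)) {
        throw "EndpointIdentity.txt is empty."
    }
    return $id
}

function Get-SophosCentralDeviceUrl {
    param(
        [Parameter(Mandatory)][string]$EndpointId,
        [switch]$Server   # servers use a different path in Central than computers
    )
    if ($Server) {
        return "https://cloud.sophos.com/manage/server/devices/servers/$EndpointId"
    }
    return "https://cloud.sophos.com/manage/devices/computers/$EndpointId"
}

# Usage: run in the Live Response session on the endpoint.
# Assumption: a server OS (ProductType 2 = domain controller, 3 = server) is
# managed under the "servers" page in Central; override with -Server if not.
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
$state    = Get-SedTamperState
$id       = Get-SophosEndpointId
$url      = Get-SophosCentralDeviceUrl -EndpointId $id -Server:$isServer

if ($state -eq 'enabled') {
    $note = 'Disable via Central, or with SEDcli.exe -TPoff using the password shown on the device page, before troubleshooting.'
} else {
    $note = 'Tamper Protection is already disabled.'
}

[pscustomobject]@{
    TamperProtection = $state
    EndpointId       = $id
    CentralUrl       = $url
    Note             = $note
}
```

Each helper throws on the failure it is most likely to meet (SEDcli.exe missing, the identity file absent or empty, SEDcli printing something other than the two strings above), so a wrong path or an unregistered device shows up as a clear error rather than a blank URL.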