Under Review

Live Response - Using command line tools to check files

There are a number of tools installed on the endpoint for evaluating files.  For example:


Sav32cli which is part of the Sophos Anti-Virus component.  If you wished to scan a folder or file, from the command line you could run:

sav32cli.exe -dn -ns -mrlog -pua -controlled -suspicious

This is installed in "C:\Program Files (x86)\Sophos\Sophos Anti-Virus" for 64-bit computers.  The switches provided will list the files being scanned, it will also show detections bt application control identities (controlled). 


This command-line tool is part of Sophos Endpoint Self Help to provide info about files.  It lives on disk here: "C:\Program Files\Sophos\Endpoint Self Help\". An example command to check notepad.exe would be:

./MLFileInfo.exe --filepath "C:\windows\notepad.exe" | convertfrom-json