
Live Response read text files; change configuration files etc.

Hello, 99% of my time I use the GUI, so when it comes to using the CMD prompt I feel a little uncomfortable.

I am trying to use Live Response; in the KB and other documentation it is stated that with Live Response on Windows you can:

Reboot a device that has pending updates -- I would do it with: shutdown /r

View the list of running processes and choose to terminate anything suspicious -- I would do it with: tasklist / taskkill

Browse the file system to identify anything unexpected -- I would do it with: cd ...

Edit a registry key -- I would do it with: reg add / reg query / reg delete etc.

 

Here are some questions:

View a log file -- from PowerShell: get-content C:\ProgramData\Sophos\CloudInstaller\Logs\abc.log -- Are there better ways to view log files?

Install and uninstall software -- You need to have the software on the device; how can I do it from my console if I cannot connect to the GUI of the computer (maybe FTP for the Sophos Endpoint software? How?)

Edit configuration files -- How can I edit XML, TXT etc. files in the Windows 10 CMD?

 

Is it possible to copy files from Live Response to our computer?

What can I do with the Live Response console?

 

It would be great if someone could write a little guide on how to use the "Live Response" console for the most common tasks we should do when troubleshooting Sophos Endpoint problems remotely.

 

Thank you and best regards,

Giuseppe

As you can appreciate there are many ways to do things from the command line and PowerShell has certainly made things simpler. I suppose it's worth a few example commands for common tasks. If I think about the most common commands I use from the command line:

Managing services:

    sc.exe start servicename
    sc.exe stop servicename
    sc.exe query servicename

Checking logs:

    type sav.txt
    more sav.txt
    gc .\SAV.txt -tail 10 -wait
    type SAV.txt | find "Sophos"
    (gc .\SAV.txt) -match "Sophos"

Simple update of a text file:

    $content = gc C:\test.txt

This will read the file test.txt into $content which can then be treated like an array. Say you know you want to change line 5, you could run:

    $content[4] = "New line"
    $content | Set-Content C:\test.txt

You may need to consider the encoding of a file and if this approach is acceptable for any given file.

Installing/Uninstalling software

This is a little more tricky if you don't know the command to uninstall something or the type of installer you're dealing with. I would:

1. Find the UninstallKey or possibly QuietUninstallString from the registry for the product in question. For example, the PowerShell command below could be used:

    foreach ($UKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall\*') {
        foreach ($Product in (Get-ItemProperty $UKey)) {
            if ($Product.DisplayName -match "Sophos") { $Product.DisplayName + " : " + $Product.UninstallString }
        }
    }

This will, on a 64-bit computer, check the 32-bit and native 64-bit installed software packages where the DisplayName value contains "Sophos" and then print the product name and UninstallString values.

So in the case of Sophos being installed, you might get back something like:

    HitmanPro.Alert 3 (managed by Sophos) : "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /uninstall
    Sophos Clean : "C:\Program Files\Sophos\Clean\uninstall.exe"
    Sophos Endpoint Agent : C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallgui.exe
    Sophos Endpoint Defense : "C:\Program Files\Sophos\Endpoint Defense\SEDuninstall.exe"
    Sophos Live Query : "C:\Program Files\Sophos\Live Query\SophosLiveQueryUninstall.exe"
    Sophos Live Terminal : "C:\Program Files\Sophos\Live Terminal\Uninstall.exe"
    Sophos ML Engine : "C:\Program Files\Sophos\Sophos ML Engine\SophosSMEUninstall.exe"
    Sophos Standalone Engine : "C:\Program Files\Sophos\Sophos Standalone Engine\SophosSSEUninstall.exe"
    Sophos AMSI Protection : "C:\Program Files\Sophos\Sophos AMSI Protection\Uninstall.exe"
    Sophos Endpoint Firewall : MsiExec.exe /X{2831282D-8519-4910-B339-2302840ABEF3}
    Sophos Network Threat Protection : MsiExec.exe /X{2D2A1891-4657-4E6F-9373-BFCE4C9AC5BA}
    Sophos Endpoint Self Help : MsiExec.exe /X{4EFCDD15-24A2-4D89-84A4-857D1BF68FA8}
    Sophos Exploit Prevention : "C:\Program Files (x86)\HitmanPro.Alert\Uninstall.exe"
    Sophos Endpoint Agent : MsiExec.exe /X{8D7BB12C-6854-46DF-A67D-F82D778D75C8}
    Sophos File Scanner : "C:\Program Files\Sophos\Sophos File Scanner\Uninstall.exe"
    Sophos Anti-Virus : MsiExec.exe /X{1DE930DF-6191-4859-A97E-E37029B1EA08}
    Sophos AutoUpdate XG : MsiExec.exe /X{1FBBCD17-2403-4794-B2A8-A3ADDD3B0AF8}
    Sophos Management Communications System : "C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\Uninstall.exe"
    Sophos Diagnostic Utility : MsiExec.exe /X{8078549C-CFF0-48C5-9B77-6BA48A14673D}
    Sophos Health : MsiExec.exe /X{80D18B7B-8DF1-4BCA-901F-BEC86BAE2774}

So in all the cases where we have a MsiExec.exe command, we know it's an MSI based installer, and we can then typically run, for example:

    MsiExec.exe /X{1DE930DF-6191-4859-A97E-E37029B1EA08} /quiet /norestart /l*v C:\windows\temp\log.txt

Note: Just run msiexec to see the possible parameters.

The tricky thing is with non-MSI based installers: how do you run them non-interactively? This is the bit that varies from installer to installer. You might need to consult the documentation, search the web, or use strings.exe (Sysinternals) to dump all the strings in a file to find additional switches. On a test computer try uninstall.exe /? for example.

As a working example, if we take:

    HitmanPro.Alert 3 (managed by Sophos) : "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /uninstall

Not knowing anything about it, I might do as follows, all from the command line:

1. Download strings64.exe to C:\windows\temp\:

    wget live.sysinternals.com/strings64.exe -outfile C:\windows\temp\strings64.exe

Note: wget here is the PowerShell alias for Invoke-WebRequest, as are curl and iwr, so they could be used.

2. Create a text file containing all the strings of the exe:

    C:\Windows\temp\strings64.exe /AcceptEULA "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" > C:\windows\temp\hmpalert.txt

3. Search the text file for the switch I do know about, i.e. uninstall, and print 25 lines either side:

    Select-String C:\Windows\temp\hmpalert.txt -Pattern "/Uninstall" -context 25,25

The output might look something like:

    ...
    C:\Windows\temp\hmpalert.txt:38392:/quiet
    C:\Windows\temp\hmpalert.txt:38393:/elevated
    C:\Windows\temp\hmpalert.txt:38394:/show
    C:\Windows\temp\hmpalert.txt:38395:/scan
    C:\Windows\temp\hmpalert.txt:38396:/silentalert
    C:\Windows\temp\hmpalert.txt:38397:Never
    C:\Windows\temp\hmpalert.txt:38398:/noautoupdate
    C:\Windows\temp\hmpalert.txt:38399:/v2
    C:\Windows\temp\hmpalert.txt:38400:/flyout=
    C:\Windows\temp\hmpalert.txt:38401:/vaccination=
    C:\Windows\temp\hmpalert.txt:38402:/lic=
    C:\Windows\temp\hmpalert.txt:38403:/mode=
    C:\Windows\temp\hmpalert.txt:38404:full
    C:\Windows\temp\hmpalert.txt:38405:sophos
    C:\Windows\temp\hmpalert.txt:38406:sophoshome
    C:\Windows\temp\hmpalert.txt:38407:sophosserver
    C:\Windows\temp\hmpalert.txt:38408:crypto
    C:\Windows\temp\hmpalert.txt:38409:/alert:
    C:\Windows\temp\hmpalert.txt:38410:/restart:
    C:\Windows\temp\hmpalert.txt:38411:/service
    C:\Windows\temp\hmpalert.txt:38412:/tray
    C:\Windows\temp\hmpalert.txt:38413:/install
    > C:\Windows\temp\hmpalert.txt:38414:/uninstall
    C:\Windows\temp\hmpalert.txt:38415:/update
    C:\Windows\temp\hmpalert.txt:38416:/upgrade
    ...

So we have found that there are other switches, and the one we want is probably /quiet. Ideally this discovery stage would be carried out on a computer you could test with first, but if one is not available this is an option.

Installing software is the same really. Assuming you can download the file to the computer (wget as above, for example) or access it remotely (UNC path), you can run it with the required switches. They will vary based on the installer.

Copying files off is easy if you have a writable UNC path, e.g. \\fileserver\share\, as you can just copy files to it using the command line copy. It is more tricky if you're accessing a computer not on your domain or network; at that point you are relying on some web service to receive the file, e.g. an FTP server, some cloud storage space, etc.

I created a few posts for Live Response, which might help get you going, but this is such a huge topic it would be impossible to cover everything.

Live Response - Capturing network traffic
community.sophos.com/.../live-response---capturing-network-traffic

Live Discover Query + Response in combination for file source investigation
community.sophos.com/.../live-discover-query-response-in-combination-for-file-source-investigation

Live Response - Don't forget Tamper Protection
community.sophos.com/.../live-response---don-t-forget-tamper-protection

Live Response - Suspicious Process - Create a dump for offline analysis
community.sophos.com/.../live-response---suspicious-process---create-a-dump-for-offline-analysis

Live Response - Investigating other devices
community.sophos.com/.../live-response---investigating-other-devices

Live Response - Making use of Sysinternals tools
community.sophos.com/.../live-response---making-use-of-sysinternals-tools

Live Response - Using command line tools to check files
community.sophos.com/.../live-response---using-command-line-tools-to-check-files

Live Response - Force an update from the command line and checking status
community.sophos.com/.../live-response---force-an-update-from-the-command-line-and-checking-status

Live Response - Viewing the raw JSON Sophos Health trail files
community.sophos.com/.../live-response---viewing-the-raw-json-sophos-health-trail-files
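The answer above walks the Uninstall registry keys by hand and then decides per product whether it is an MSI or a non-MSI installer. As an added example (not code from the original post or from Sophos), the function below does that classification in one pass: it rebuilds a fully silent, logged msiexec command from the product code GUID, falls back to the vendor's QuietUninstallString where one is registered, and flags EXE installers whose silent switch is still unknown. The function name, the -LogDir default and the DisplayName pattern are assumptions; nothing is executed, the output is only a table of what would be run.

```powershell
# Added example: classify installed products by installer type and derive a
# quiet uninstall command line. Assumes PowerShell 5.1+ on 64-bit Windows.
function Get-QuietUninstallCommand {
    param(
        [Parameter(Mandatory)][string]$DisplayNamePattern,   # regex, e.g. 'Sophos'
        [string]$LogDir = 'C:\Windows\Temp'                  # assumed log location
    )
    # Native 64-bit and 32-bit (WOW6432Node) uninstall entries, as in the post.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    foreach ($product in (Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue)) {
        if (-not $product.DisplayName -or
            $product.DisplayName -notmatch $DisplayNamePattern) { continue }
        $cmd   = $product.UninstallString
        $kind  = 'Unknown'
        $quiet = $null
        # Case 1: MSI-based. The product code GUID is the reliable handle, so rebuild
        # the command from it instead of trusting the stored string's quoting.
        if ($cmd -match '(?i)msiexec(\.exe)?.*\{([0-9A-F-]{36})\}') {
            $guid  = $Matches[2]
            $kind  = 'MSI'
            $log   = Join-Path $LogDir ("uninstall-{0}.log" -f $guid)
            $quiet = 'msiexec.exe /X{{{0}}} /quiet /norestart /l*v "{1}"' -f $guid, $log
        }
        # Case 2: the vendor registered a QuietUninstallString; use it verbatim.
        elseif ($product.QuietUninstallString) {
            $kind  = 'EXE (vendor quiet string)'
            $quiet = $product.QuietUninstallString
        }
        # Case 3: EXE installer with no known silent switch. This is the case the
        # post's strings.exe discovery step exists for; leave QuietCommand empty.
        elseif ($cmd) {
            $kind = 'EXE (switch unknown)'
        }
        [pscustomobject]@{
            DisplayName     = $product.DisplayName
            InstallerType   = $kind
            UninstallString = $cmd
            QuietCommand    = $quiet
        }
    }
}

# Usage: review the derived commands; nothing here runs an uninstaller.
Get-QuietUninstallCommand -DisplayNamePattern 'Sophos' | Format-Table -AutoSize
```

On a managed Sophos endpoint the uninstallers are blocked while Tamper Protection is on, which is what the linked "Don't forget Tamper Protection" post covers; check that first before running any QuietCommand the table produces.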
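The post's gc / Set-Content one-liner for changing line 5 comes with the caveat that file encoding matters: Windows PowerShell 5.1 writes Set-Content output as ANSI by default and PowerShell 7 as UTF-8 without BOM, so a UTF-16 or BOM-prefixed config file can be silently re-encoded. As an added example (not from the original post), the function below reads the file's byte-order mark, edits one line, and writes the file back in the encoding and line-ending style it arrived with. The function name and C:\test.txt path are placeholders.

```powershell
# Added example: replace one line of a text file while preserving its encoding
# (BOM-sniffed) and its existing line endings. Assumes PowerShell 5.1 or 7.
function Set-TextFileLine {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$LineNumber,   # 1-based, as a human counts lines
        [Parameter(Mandatory)][string]$Value
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Sniff the byte-order mark so the write-back uses the same encoding.
    # No BOM is treated as UTF-8 without BOM, which covers most config files.
    $enc = if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        New-Object System.Text.UTF8Encoding($true)
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        [System.Text.Encoding]::Unicode            # UTF-16 LE
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        [System.Text.Encoding]::BigEndianUnicode   # UTF-16 BE
    } else {
        New-Object System.Text.UTF8Encoding($false)
    }
    # GetString keeps the BOM as U+FEFF at the start; drop it, WriteAllText re-adds
    # the preamble for encodings that have one.
    $text = $enc.GetString($bytes).TrimStart([char]0xFEFF)
    $newline = if ($text -match "`r`n") { "`r`n" } else { "`n" }
    $lines = $text -split "`r?`n"
    if ($LineNumber -lt 1 -or $LineNumber -gt $lines.Count) {
        throw "File has $($lines.Count) lines; cannot set line $LineNumber"
    }
    $lines[$LineNumber - 1] = $Value
    # A trailing newline survives as an empty last element and is re-joined as-is.
    [System.IO.File]::WriteAllText($Path, ($lines -join $newline), $enc)
}

# Usage: same edit as the post's example, line 5 of C:\test.txt.
Set-TextFileLine -Path 'C:\test.txt' -LineNumber 5 -Value 'New line'
```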