Approved

Query - Are any Sophos services not running?

  REVIEWED by Sophos 

Sometimes adversaries are able to stop Sophos services, or the endpoint has had an install or update issue. As long as the Live Discover services are up and running, you can find devices that do not have all the needed Sophos services running.

SELECT
   name,
   display_name,
   start_type,
   path,
   status,
   user_account
FROM services
WHERE (path like '%sophos%' or path like '%hitman%')
   AND status <> 'RUNNING';

  • You can change the WHERE statement to look for just the Sophos service you are interested in, like so:

        WHERE (Service_Status = 'MISSING' OR status != 'RUNNING')
           AND Sophos_Services.Display_Name = 'Sophos Network Threat Protection'

  • I think this is what you are looking for. It will only return a result if an expected service is missing OR not running.

        WITH Sophos_Services (Display_Name) AS (
           VALUES
        --    ('Test Data No such service'),
              ('HitmanPro.Alert service'),
              ('Sophos Anti-Virus status reporter'),
              ('Sophos Anti-Virus'),
              ('Sophos Network Threat Protection'),
              ('Sophos AutoUpdate Service'),
              ('Sophos Clean'),
              ('Sophos Device Control Service'),
              ('Sophos Endpoint Defense Service'),
              ('Sophos File Scanner Service'),
              ('Sophos Health Service'),
              ('Sophos Live Query'),
              ('Sophos Safestore'),
              ('Sophos System Protection Service'),
              ('Sophos Web Control Service'),
              ('Sophos Web Filter'),
              ('Sophos Web Intelligence Service'),
              ('Sophos MCS Agent'),
              ('Sophos MCS Client')
        )
        SELECT
           Sophos_Services.Display_Name,
           Services.name,
           CASE status NOT NULL
              WHEN 1 THEN status
              ELSE 'MISSING'
           END Service_Status,
           pid,
           start_type,
           path,
           description,
           user_account
        FROM Sophos_Services
           LEFT JOIN Services ON Services.display_name LIKE Sophos_Services.Display_Name
        WHERE Service_Status = 'MISSING' OR status != 'RUNNING';

  • This is what I am looking for, but how would I use it to find if Network Threat Protection is not running on the device?
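To show how the expected-services query in this thread behaves on a `services` table, including the "MISSING" case that a plain `status <> 'RUNNING'` filter never reports and the single-service filter asked about in the follow-up, here is an added Python example that is not part of the thread and not Sophos code. It runs the same LEFT JOIN logic against an in-memory SQLite table (osquery, which Live Discover is built on, uses SQLite syntax) loaded with constructed rows standing in for osquery's `services` table; the service names, PIDs and paths are sample values, not data from a real endpoint, and the expected-service list is a subset of the one posted above.

```python
"""Find expected Sophos services that are MISSING or not RUNNING.

Added example for the thread above: the `services` rows below are constructed
sample data shaped like osquery's Windows `services` table, not endpoint output.
"""
import sqlite3

# Subset of the expected display names from the query posted in the thread.
EXPECTED_SOPHOS_SERVICES = [
    "HitmanPro.Alert service",
    "Sophos Anti-Virus",
    "Sophos Network Threat Protection",
    "Sophos AutoUpdate Service",
    "Sophos Endpoint Defense Service",
    "Sophos Live Query",
    "Sophos MCS Agent",
    "Sophos MCS Client",
]

# Constructed rows: (name, display_name, status, pid, start_type, path,
# description, user_account). "Sophos Live Query" is deliberately absent and
# "Sophos Network Threat Protection" is STOPPED so both failure modes appear.
# A stopped non-Sophos service is included to show it is ignored.
SAMPLE_SERVICES = [
    ("hmpalertsvc", "HitmanPro.Alert service", "RUNNING", 1201, "AUTO_START",
     r"C:\Program Files (x86)\HitmanPro.Alert\hmpalertsvc.exe", "sample", "LocalSystem"),
    ("SAVService", "Sophos Anti-Virus", "RUNNING", 1310, "AUTO_START",
     r"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe", "sample", "LocalSystem"),
    ("SntpService", "Sophos Network Threat Protection", "STOPPED", 0, "AUTO_START",
     r"C:\Program Files (x86)\Sophos\Sophos Network Threat Protection\SntpService.exe", "sample", "LocalSystem"),
    ("Sophos AutoUpdate Service", "Sophos AutoUpdate Service", "RUNNING", 1422, "AUTO_START",
     r"C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe", "sample", "LocalSystem"),
    ("Sophos Endpoint Defense Service", "Sophos Endpoint Defense Service", "RUNNING", 1518, "AUTO_START",
     r"C:\Program Files\Sophos\Endpoint Defense\SEDService.exe", "sample", "LocalSystem"),
    ("Sophos MCS Agent", "Sophos MCS Agent", "RUNNING", 1601, "AUTO_START",
     r"C:\Program Files\Sophos\Management Communications System\Endpoint\McsAgent.exe", "sample", "LocalSystem"),
    ("Sophos MCS Client", "Sophos MCS Client", "RUNNING", 1644, "AUTO_START",
     r"C:\Program Files\Sophos\Management Communications System\Endpoint\McsClient.exe", "sample", "LocalSystem"),
    ("Spooler", "Print Spooler", "STOPPED", 0, "AUTO_START",
     r"C:\Windows\System32\spoolsv.exe", "sample", "LocalSystem"),
]


def build_sample_db(rows=SAMPLE_SERVICES):
    """Create an in-memory table with the osquery `services` columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE services (
               name TEXT, display_name TEXT, status TEXT, pid INTEGER,
               start_type TEXT, path TEXT, description TEXT, user_account TEXT)"""
    )
    conn.executemany("INSERT INTO services VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn


def find_unhealthy_sophos_services(conn, expected, only_display_name=None):
    """Return [(display_name, service_status)] for expected services that are
    absent from the table (reported as 'MISSING') or present but not RUNNING.

    `only_display_name` narrows the check to one service, which is the
    follow-up question in the thread. The CTE is fed from bound parameters so
    the expected list can come from configuration rather than be hard-coded.
    """
    placeholders = ", ".join("(?)" for _ in expected)
    sql = f"""
        WITH Sophos_Services (Display_Name) AS (VALUES {placeholders})
        SELECT
            Sophos_Services.Display_Name,
            CASE WHEN status IS NULL THEN 'MISSING' ELSE status END AS Service_Status
        FROM Sophos_Services
            LEFT JOIN services ON services.display_name LIKE Sophos_Services.Display_Name
        -- NULL status means the LEFT JOIN found no row, i.e. the service is MISSING;
        -- this is the same test as the thread's Service_Status = 'MISSING'.
        WHERE (status IS NULL OR status != 'RUNNING')
    """
    params = list(expected)
    if only_display_name is not None:
        sql += " AND Sophos_Services.Display_Name = ?"
        params.append(only_display_name)
    sql += " ORDER BY Sophos_Services.Display_Name"
    return [(row[0], row[1]) for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = build_sample_db()
    print("All unhealthy:", find_unhealthy_sophos_services(db, EXPECTED_SOPHOS_SERVICES))
    print("NTP only:", find_unhealthy_sophos_services(
        db, EXPECTED_SOPHOS_SERVICES, "Sophos Network Threat Protection"))
```

Run as-is, the full check reports Sophos Live Query as MISSING and Sophos Network Threat Protection as STOPPED, while the stopped Print Spooler is not reported because it is not in the expected list; narrowing to "Sophos Network Threat Protection" returns only that row, and narrowing to a healthy service returns nothing. The point worth keeping from the thread is the LEFT JOIN from the expected list: a query that only filters the `services` table on `status <> 'RUNNING'` can never surface a service that was uninstalled or never installed, because there is no row to match.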