This knowledge base article provides answers to the Frequently Asked Questions about Sophos File Integrity Monitoring.
Applies to the following Sophos products and versions:
- Sophos Central Admin
- Central Server Core Agent 2.1.1
- Sophos Central Windows Server
Sophos File Integrity Monitoring assists customers who need to meet PCI DSS compliance, or who want to monitor system-critical files and registry keys for additional security. Sophos provides default rules that monitor changes to critical Windows system files, and lets you add further monitoring locations and exclusions via policy. Sophos File Integrity Monitoring can monitor files, folders, registry keys and registry values.
The following operating systems are supported by Sophos File Integrity Monitoring:
Sophos File Integrity Monitoring is installed by default but is only enabled when the Use File Integrity Monitoring setting is turned on in the Policy.
There are two configurable Policies for File Integrity Monitoring as shown below:
Yes, the order of preference is:
Events are logged to databatch.xml files in the following location:
C:\ProgramData\Sophos\File Integrity Monitoring\Export\
These files are written every 15 minutes and each file may contain multiple events.
In addition to the default location specified above, you can also register a Windows Event Log channel that will enable events to be logged to the Windows Event Log.
To enable the logging of events in the Windows Event Log:
wevtutil im "%ProgramFiles%\Sophos\File Integrity Monitoring\SophosFimEventProvider.man"
Events will be logged to:
Applications and Services Logs
Sophos FIM Event Channel
Note: Sophos does not purge the Windows events; the Windows Event Log does so once the data persisted in the FIM Event Channel exceeds the channel's default maximum size of 51 MB. The limit can be changed in Windows Event Viewer or by a policy you have configured. You may want to periodically export and persist events to another location to prevent loss of data.
Yes, the data files in the default Export location are purged when they become older than 90 days. We recommend storing your own copy of the data to prevent deletion of any data you may require.
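The following PowerShell script is an added example, not code from the Sophos article: it registers the event manifest exactly as described above, then checks that the channel exists, raises the channel's retention cap above the 51 MB default, reports the hourly event rate (the quantity behind the high-volume alert), and archives both the Windows channel and the databatch.xml export files before either purge mechanism can drop them. The channel's internal log name is not stated on the page, so the script discovers it with a wildcard rather than hard-coding it; the 200 MB limit and the C:\FIM-Archive destination are illustrative choices. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the Sophos article). Assumptions: the FIM channel's
# log name is found by wildcard at run time; 200 MB and C:\FIM-Archive are
# illustrative values. Requires an elevated (Administrator) session.

$manifest = Join-Path $env:ProgramFiles 'Sophos\File Integrity Monitoring\SophosFimEventProvider.man'
$exportDir = Join-Path $env:ProgramData 'Sophos\File Integrity Monitoring\Export'
$archive   = 'C:\FIM-Archive'          # illustrative archive location
$newMaxBytes = 200MB                   # illustrative cap, above the 51 MB default

if (-not (Test-Path $manifest)) { throw "Manifest not found: $manifest" }

# 1. Register the event provider (same command as the article).
& wevtutil.exe im $manifest
if ($LASTEXITCODE -ne 0) { throw "wevtutil im failed with exit code $LASTEXITCODE" }

# 2. Find the channel without guessing its internal name: the Event Viewer
#    display name is 'Sophos FIM Event Channel', but the LogName used by
#    wevtutil/Get-WinEvent may differ, so list every Sophos log and pick the
#    FIM one. If the match is ambiguous, show the candidates and stop.
$candidates = @(Get-WinEvent -ListLog '*Sophos*' -ErrorAction SilentlyContinue |
                Where-Object { $_.LogName -match 'FIM|File Integrity' })
if ($candidates.Count -ne 1) {
    $candidates | Select-Object LogName, IsEnabled, MaximumSizeInBytes | Format-Table -AutoSize
    throw "Expected exactly one Sophos FIM channel, found $($candidates.Count); pick the LogName above"
}
$log = $candidates[0]
"Channel: $($log.LogName)  enabled=$($log.IsEnabled)  maxSize=$($log.MaximumSizeInBytes) bytes"

# 3. Windows, not Sophos, discards events once the channel exceeds its cap.
#    Raise the cap so a burst of events is not overwritten before export.
& wevtutil.exe sl $log.LogName /ms:$newMaxBytes
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }

# 4. Event rate per hour over the last 24 hours. A sustained spike here is
#    what produces the high-volume alert; use it to spot the noisy period
#    before reviewing the monitored locations in the policy.
Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = (Get-Date).AddDays(-1) } `
             -ErrorAction SilentlyContinue |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Format-Table @{ Name = 'Hour'; Expression = { $_.Name } }, Count -AutoSize

# 5. Archive copies before either purge runs: the channel is trimmed by
#    Windows at the size cap, and databatch.xml files are deleted after 90 days.
New-Item -ItemType Directory -Path $archive -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
& wevtutil.exe epl $log.LogName (Join-Path $archive "fim-$stamp.evtx")
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }

if (Test-Path $exportDir) {
    Get-ChildItem -Path $exportDir -Filter '*.xml' -File |
        Copy-Item -Destination $archive -Force
    "Copied $((Get-ChildItem $exportDir -Filter '*.xml' -File).Count) export files to $archive"
}
```

Schedule steps 4 and 5 as a recurring task if you rely on the Windows channel for evidence: the 15-minute databatch.xml cadence and the 90-day purge are fixed by Sophos, but the Windows channel cap is yours to set, and an export taken after the cap has been hit has already lost events.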
Yes, Sophos File Integrity Monitoring is designed to be accessible by third party products using two methods:
Yes, every event contains a field isCustom with a value of 0 or 1. A value of 0 refers to a Sophos default rule, a value of 1 refers to a custom defined rule.
This alert is triggered by a high volume of events being created. When this occurs, File Integrity Monitoring stops processing events on the server, and no new monitoring events are created until the backlog of existing events has been processed.
There may be no need to do anything, as processing restarts automatically. However, you should review the locations monitored by your File Integrity Monitoring Policy, and the monitoring events themselves, to find out why there is a high volume of events.
Note: Along with the alert, you will also receive an email.
As Sophos File Integrity Monitoring is installed by default there is no uninstall option. However, Sophos File Integrity Monitoring can be turned off by the Use File Integrity Monitoring setting in the Policy.
If you no longer require events to be logged to the Windows Event channel, or you have turned off File Integrity Monitoring so the events are no longer needed, unregister the Windows Event Log channel:
wevtutil um "%ProgramFiles%\Sophos\File Integrity Monitoring\SophosFimEventProvider.man"