
Authorization of Sus files/behaviour

I am trying to Authorize a file that has been flagged as having Sus/Behaviour.

Gone into the AV/HIPS policy and Authorization Manager part.

There are 2 instances of the file concerned. I don't want to authorize both, as 1 is from a desktop and 1 is from a server.

My question is how do I relate the entry back to the correct machine? I assume it's via the Checksum figure, but I can't work out where to find the correlation between them.

SEC 4.0.0.2362

Thanks

Jon

  • Hello Jon,

    If you open the Authorization manager on the client, you can view the details, including the checksum, when you roll over the item.

    Christian

  • Thanks Christian

    That does work, but there has got to be a better/easier way. I don't want to have to remote into a client machine every time I need to check a file.

    Jon

  • Hi,

    I always turn to the database for this sort of information. I would suggest installing a copy of Microsoft SQL Server Management Studio (http://www.microsoft.com/downloads/details.aspx?FamilyID=08e52ac2-1d62-45f6-9a4a-4b76a8564a2b&displaylang=en) on a machine on the network and connecting to the Sophos database instance.

    You could use the OSQL.exe command-line tool, but the output format isn't too great, and I tend to look in the database quite a bit for reports.

    Once in SQL Studio, choose the SOPHOS4 database from the drop-down and run the following command against the SOPHOS4 database:

    Select c.name as computerName, t.ThreatName, t.ThreatType, t.Checksum, t.FileVersion, t.FullFilePath, t.FirstDetectedAt
    from dbo.ThreatInstancesAll as t
    inner join dbo.computersanddeletedcomputers as c with (nolock) on c.id = t.computerid
    where t.threattype=5

    where threattype could be, for example:
    1 = Virus
    2 = Adware/PUA
    4 = HIPS
    5 = Sus

    This should help you find what you need, and by adjusting the where clause for various things and threattype you should be able to find most data. I used the view ThreatInstancesAll rather than the 2 tables Threats and ThreatsArchive that make up the view, as I don't know if this is an outstanding alert or not for you.

    I hope this helps you.

    Jak

    PS: if you can't install MS SQL Studio, running this command will do it. I've assumed you have a SOPHOS named instance and that you would run this on the machine where the database resides.

    OSQL -E -S .\sophos -d SOPHOS4 -Q "Select c.name as computerName, t.ThreatName, t.ThreatType, t.Checksum, t.FileVersion, t.FullFilePath, t.FirstDetectedAt from dbo.ThreatInstancesAll as t inner join dbo.computersanddeletedcomputers as c with (nolock) on c.id = t.computerid where t.threattype=5" -o C:\threatsSus.txt -w 1000

    This will create a file called C:\threatsSus.txt; you can then search it for either the filename or the checksum.

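    A follow-up query, added here as an example rather than taken from Jak's post or from Sophos: before authorising a checksum, it helps to know how many machines the same suspicious file was seen on, since an Authorization Manager entry applies to the checksum, not to one computer. It assumes the same SOPHOS4 schema Jak uses (the dbo.ThreatInstancesAll view, the dbo.computersanddeletedcomputers table and the columns named in his query) on a SQL Server instance.

```sql
-- Added example (not from the thread or the product): per-checksum summary of
-- "Sus" detections (ThreatType 5) with the number of distinct machines affected.
-- Assumes the SOPHOS4 schema named in the thread; column types are not known here.
SELECT
    t.Checksum,
    t.ThreatName,
    t.FullFilePath,
    COUNT(DISTINCT t.computerid) AS machineCount,
    MIN(t.FirstDetectedAt)       AS firstSeen,
    MAX(t.FirstDetectedAt)       AS lastSeen
FROM dbo.ThreatInstancesAll AS t
WHERE t.ThreatType = 5
GROUP BY t.Checksum, t.ThreatName, t.FullFilePath
-- Drop the HAVING line to include files seen on a single machine as well.
HAVING COUNT(DISTINCT t.computerid) > 1
ORDER BY machineCount DESC, t.Checksum;

-- For one checksum from the summary above, list every machine it was seen on,
-- so the desktop and server instances from the question can be told apart.
SELECT
    c.name AS computerName,
    t.FileVersion,
    t.FullFilePath,
    t.FirstDetectedAt
FROM dbo.ThreatInstancesAll AS t
INNER JOIN dbo.computersanddeletedcomputers AS c WITH (NOLOCK) ON c.id = t.computerid
WHERE t.ThreatType = 5
  AND t.Checksum = '<checksum-from-first-query>'   -- placeholder, paste a real value
ORDER BY c.name;
```

    Run it from SQL Studio as in Jak's post, or pass each statement to OSQL with -Q and an -o output file in the same way.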
  • I don't want to have to remote into a client machine everytime I need to check a file

    Weeeeell, how do you know that the one is acceptable and the other isn't? You'll probably have to access the clients one way or the other. And what if each file is detected on more than one client? There's no easy way to display this information in a useful manner in SEC.

    IMO the only reasonable place to display checksum/version is in the client's Computer details.

    Christian

  • Thanks Jak

    That's exactly what I'm after.

    Christian, I wasn't having a go at your answer. I just think that with an application like SEC, having to go to a client to get info shouldn't happen, especially when it's contained in the database somewhere.

    Regards

    Jon
