This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Finding unprotected computers on the network

Hello Gentlemen,

I have a client, a hospital with more than 300 computers, this client uses Sophos Endpoint Standard (EPS) with Enterprise Console.
Today we detected that one of his computers was trying to access a Botnet network and the UTM IPS blocked, the customer's technician picked up the computer and saw that it did not have the Sophos Endpoint agent installed.
On the Enterprise Console I see many computers that are apparently unprotected, but since Active Directory is still very dirty, with orphaned computer accounts that technicians have not removed, there is no way to be sure how many computers do not actually have Sophos Endpoint installed.

I ask: Is there a GUI tool or script that can run on the entire network, in order to find computers on which there is really no antivirus installed?

This thread was automatically locked due to age.

0 QC over 4 years ago

Hello IvanildoGalvão,

managed software (AV, deployment, whatever) normally identifies its clients by means of an agent. Thus unprotected (or unmanaged, uncatalogued, whatever) is ALL minus identified. Obviously the challenge is to enumerate ALL. There are many tools to scan a network, but all depend on the target devices to return some information. I rogue device might go into almost complete stealth mode.
SEC can scan the network - Discover has the option to scan an IP range. As said, whether you really detect ALL this way depends. Only the network (UTM did notice it) knows which devices are connected, and only if they are directly connected. If you have other sources (like AD) that suggest non-existent devices it's impossible to separate the wheat from the chaff.

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 Shweta over 4 years ago

Hi IvanildoGalvão

Kindly take a look at the startup script listed in this article where it checks all of the computers in the group during startup, to see if the Sophos Endpoint Security and Control software is already installed. In case a computer is detected unprotected, it will try to install the software on the computer. Hope this helps.

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Matze over 4 years ago in reply to Shweta

Hi Shweta,

maybe it's better to provide the script more userfriendly with variables like this.

Br Mathias

---

@ECHO ON
REM
REM Version: 20200304
REM
REM script bases on community.sophos.com/.../13090
REM obfuscate the username and password: community.sophos.com/.../13094
REM
REM C:\sec_551\tools\ObfuscationUtil.exe --obfuscate <USERNAME> -w
REM C:\sec_551\tools\ObfuscationUtil.exe --obfuscate <PASSWORD> -w
REM

REM --------- CONFIGURATION ---------
set sophos_server=mysophosserver.local

set sophos_o_user=MYDOM\sophos_setup
set sophos_o_pwd=supersecure_password

REM --------- Exec ---------

IF EXIST "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
IF EXIST "C:\Program Files (x86)\Sophos\AutoUpdate\ALSVC.exe" goto _End
IF EXIST "C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End
IF EXIST "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End

REM --- Deploy
\\%sophos_server%\SophosUpdate\CIDs\S000\SAVSCFXP\Setup.exe -updp "\\%sophos_server%\SophosUpdate\CIDs\S000\SAVSCFXP" -user %sophos_o_user% -pwd %sophos_o_pwd% -mng yes -crt R

REM --- End of the script
:_End

REM pause

---
Cancel
Vote Up 0 Vote Down

Cancel