
Finding unprotected computers on the network

Hello Gentlemen,

I have a client, a hospital with more than 300 computers; this client uses Sophos Endpoint Standard (EPS) with Enterprise Console.
Today we detected that one of its computers was trying to reach a botnet and the UTM IPS blocked it. The customer's technician picked up the computer and saw that it did not have the Sophos Endpoint agent installed.
In the Enterprise Console I see many computers that are apparently unprotected, but since Active Directory is still very dirty, with orphaned computer accounts that the technicians have not removed, there is no way to be sure how many computers really do not have Sophos Endpoint installed.

I ask: Is there a GUI tool or script that can be run across the entire network to find the computers on which no antivirus is actually installed?



This thread was automatically locked due to age.
  • Hello IvanildoGalvão,

    managed software (AV, deployment, whatever) normally identifies its clients by means of an agent. Thus unprotected (or unmanaged, uncatalogued, whatever) is ALL minus identified. Obviously the challenge is to enumerate ALL. There are many tools to scan a network, but all depend on the target devices to return some information. A rogue device might go into almost complete stealth mode.
    SEC can scan the network - Discover has the option to scan an IP range. As said, whether you really detect ALL this way depends. Only the network (UTM did notice it) knows which devices are connected, and only if they are directly connected. If you have other sources (like AD) that suggest non-existent devices it's impossible to separate the wheat from the chaff.

    Christian
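
One way to put the "ALL minus identified" idea above into practice, as an added example that is not code from this thread or from Sophos: build ALL from Active Directory (dropping accounts with no recent logon, which is the orphan problem from the question) plus, optionally, the current DHCP leases, since the network is the better witness when AD is dirty; subtract the computers Enterprise Console already knows about; then check each remaining host directly for the same Sophos file markers the startup script later in this thread tests for. The CSV export path, its 'Computer name' column, the DHCP server name and the 30-day staleness cut-off are assumptions to adjust; the ActiveDirectory module (and, for the DHCP part, the DhcpServer module) must be installed, and the remote check needs WinRM reachable on the targets.

```powershell
<#
  Added example, not from the thread: report computers that are on the network
  but not identified by Enterprise Console, and verify each one directly.
  Assumptions (adjust to your environment):
    - $SecExportCsv is a CSV exported from Enterprise Console with a
      'Computer name' column
    - $DhcpServer is a Windows DHCP server; leave empty to skip that source
    - $StaleDays: AD accounts with no logon in this window are treated as orphaned
#>
param(
    [string]$SecExportCsv = 'C:\temp\sec_protected.csv',
    [string]$DhcpServer   = '',
    [int]$StaleDays       = 30
)

Import-Module ActiveDirectory

# --- Source 1: enabled AD computer accounts that have logged on recently
$cutoff  = (Get-Date).AddDays(-$StaleDays)
$adHosts = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { $_.LastLogonDate -and $_.LastLogonDate -gt $cutoff } |
    Select-Object -ExpandProperty Name

# --- Source 2 (optional): active DHCP leases, host part of the FQDN only
$dhcpHosts = @()
if ($DhcpServer) {
    Import-Module DhcpServer
    $dhcpHosts = Get-DhcpServerv4Scope -ComputerName $DhcpServer |
        ForEach-Object { Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $_.ScopeId } |
        Where-Object { $_.AddressState -like 'Active*' -and $_.HostName } |
        ForEach-Object { ($_.HostName -split '\.')[0] }
}

# ALL = union of both sources, normalised to upper-case short names
$all = @(@($adHosts) + @($dhcpHosts) | ForEach-Object { $_.ToUpper() } | Sort-Object -Unique)

# --- Identified = computers Enterprise Console already manages (assumed CSV layout)
$identified = @()
if (Test-Path $SecExportCsv) {
    $identified = Import-Csv $SecExportCsv | ForEach-Object { $_.'Computer name'.ToUpper() }
}

$candidates = $all | Where-Object { $identified -notcontains $_ }

# --- Verify each candidate: same file markers the startup script in this thread checks
$markers = @(
    'C:\Program Files\Sophos\AutoUpdate\ALsvc.exe',
    'C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe',
    'C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig'
)

$report = foreach ($name in $candidates) {
    $status    = 'unreachable'
    $reachable = Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue
    if ($reachable) {
        try {
            # The leading comma passes the whole array as one argument
            $found = Invoke-Command -ComputerName $name -ArgumentList (,$markers) -ErrorAction Stop -ScriptBlock {
                param($paths)
                foreach ($p in $paths) { if (Test-Path $p) { return $true } }
                return $false
            }
            $status = if ($found) { 'agent present, missing from SEC export' } else { 'UNPROTECTED' }
        } catch {
            $status = 'reachable, remote check failed (WinRM/firewall?)'
        }
    }
    [pscustomobject]@{ Computer = $name; Status = $status }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path 'C:\temp\unprotected_report.csv'
```

Three outcomes are worth reading separately: UNPROTECTED hosts are the ones to deploy to; "agent present, missing from SEC export" means the console's inventory is stale rather than the endpoint unprotected; "reachable, remote check failed" and "unreachable" hosts are exactly the ones Christian warns about, where only the network (UTM logs, switch port tables, DHCP) can say what the device is, so they need a manual look rather than being assumed clean.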

  • Hi

    Kindly take a look at the startup script listed in this article, where it checks all of the computers in the group during startup to see if the Sophos Endpoint Security and Control software is already installed. If a computer is found to be unprotected, it will try to install the software on that computer. Hope this helps.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hi Shweta,

    maybe it's better to provide the script in a more user-friendly form, with variables like this.

    Br Mathias

    ---

    @ECHO ON
    REM
    REM Version: 20200304
    REM
    REM script is based on community.sophos.com/.../13090
    REM obfuscate the username and password: community.sophos.com/.../13094
    REM
    REM C:\sec_551\tools\ObfuscationUtil.exe --obfuscate <USERNAME> -w
    REM C:\sec_551\tools\ObfuscationUtil.exe --obfuscate <PASSWORD> -w
    REM

    REM --------- CONFIGURATION ---------
    set sophos_server=mysophosserver.local

    set sophos_o_user=MYDOM\sophos_setup
    set sophos_o_pwd=supersecure_password

    REM --------- Exec ---------

    IF EXIST "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
    IF EXIST "C:\Program Files (x86)\Sophos\AutoUpdate\ALSVC.exe" goto _End
    IF EXIST "C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End
    IF EXIST "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End

    REM --- Deploy
    \\%sophos_server%\SophosUpdate\CIDs\S000\SAVSCFXP\Setup.exe -updp "\\%sophos_server%\SophosUpdate\CIDs\S000\SAVSCFXP" -user %sophos_o_user% -pwd %sophos_o_pwd% -mng yes -crt R

    REM --- End of the script
    :_End

    REM pause

    ---