
Sophos Enterprise Console 5.3.0: Is there a way to run the SophosBootTasks.exe manually?

I'm trying to automate the cleanup process on the computers. What I'm looking for is a way to set the service with the name of the computers and the adware/PUA's location as parameters and run it every time an alert pops up, instead of opening the Console and cleaning up one by one.

Thanks in advance.

Regards.

  • Hello

    First of all, SophosBootTasks.exe is a temporary service on the endpoint that performs advanced cleanup on boot-up. This is a temporary service that will only install and run on demand; once complete, it will be removed. Please note this is for advanced cleanup; most cleanup actions don't require this service.

    If I understand you correctly, you want "something" that opens Resolve alerts and errors, checks the applicable boxes, and clicks and confirms Cleanup, correct?
    SEC has no automation and there is no interface (other than the GUI) to send commands to the endpoints. Are you specifically interested in handling Adware and PUA (which isn't automatically cleaned up in response to a detection)? What is the advantage of immediate cleanup?

    Christian

  • Hi Christian,

    Thanks for your response.

    Yes, we are on the same page. What I am trying to do is to create a script/program/something that checks the cleanable threats (Adware and PUA), runs the cleanup and sends an alert (e.g. by email) in case the cleanup fails. I am able to pull the data from the DB and find the threat instances. What I do not know how to do is to run the cleanup in the script/program/something. I was wondering if finding the service is the best approach for this. The goal is to take immediate action in any case.

    Hope this makes sense.


  • Hello Axel Monroy,

    SEC talks to the endpoints over a secure channel, so you can't inject commands this way.
    Thus you'd have to initiate some command on the endpoint by some other (regular) means, e.g. psexec (which is, BTW, classified as PUA). Again, there's no API on the endpoint to operate the endpoint software (not least because malware could abuse such an interface). All you can do is to schedule scans with certain cleanup options. Quite some feat, and you'd ask: why hasn't Sophos thought of this?

    Please note that if you enable On-Access scanning for PUAs they will be blocked, thus there's no need for immediate action. You can request cleanup with a scheduled scan (those that can't be cleaned up are left behind anyway). The practical use is very limited.

    Christian

  • Hi Christian,

    So I will have to focus only on the SQL reports. Maybe an API would be a nice idea for new releases.

    Thanks for all your help.

  • Hello Axel Monroy,

    My two cents: there's deliberately no automatic cleanup for this category; even if an item can be cleaned up, you are advised to review it. Providing an automation API which enables you to bypass this wouldn't make much sense.

    Christian