This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Information about COM methods/calls to use/manage Sophos Endpoint On-Premise though command line.

Hi,

As some might have found out, there are some command/actions that can be done through COM objects. Example, trigger an update in the endpoint through command line:

Link:
https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/2115/manual-update-via-command-line-script

So, after checking the COM objects of Sophos, end up finding all of these (perhaps some non-Sophos got in, but are the less)


 

ActiveLinkClient.ALUpdateNotification
ActiveLinkClient.AutoUpdateStatus
ActiveLinkClient.AutoUpdateStatus2
ActiveLinkClient.ClientUpdate
ActiveLinkClient.MonitorControl
ActiveLinkClient.RebootRequest
AppFeedManager.AppFeed
ApplicationManagement.ApplicationManager
AuthorisedLists.AppControlLists
AuthorisedLists.AuthorisationListManager
AuthorisedLists.AuthorisedAppList
AuthorisedLists.AuthorisedFileList
AutoUpdatePlugin.AutoUpdateUIPlugin
BackgroundScanning.BackgroundScan
BackgroundScanning.BackgroundScanFactory
BHOManagement.BHOManager
BHOManagement.DownloadReputationActionQuery
BHOManagement.WebScanningProcessorFacto
ComponentManager.Manager
Configuration.ConfigurationManager
Configuration.ConfigurationNode
DataControlManagement.DataControlActionQuery
DataControlManagement.DataControlManager
DataControlPlugin.DataControlUIPlugin
DCManagement.DCManager
DesktopMessaging.DesktopEventHandler
DetectionFeedback.DetectionFeedbackMana
DeviceControlPlugin.DeviceControlUIPlugin
DriveProcessor.DriveDecomposer
DriveProcessor.DriveDecomposerFactory
DriveProcessor.ScannableDrive
DriveProcessor.ScannableDriveFactory
DriveProcessor.ScannableLogicalSector
DriveProcessor.ScannablePhysicalSector
DriveProcessor.ScannableSectorFactory
EEConsumer.Consumer
EXPPlugin.EXPUIPlugin
FilterProcessors.ExclusionFilterProcessor
FilterProcessors.ExclusionFilterProcessorFact
FilterProcessors.ExtensionFilterProcessor
FilterProcessors.ExtensionFilterProcessorFact
FilterProcessors.FileAttributeFilter
FilterProcessors.FileAttributeFilterFac
FSDecomposer.FSDecomposerFactory
FSDecomposer.FSDecomposerProc
ICAdapter.EnumExclusions
ICAdapter.EnumMissedFiles
ICAdapter.ICFilterDriver
ICAdapter.ICFilterDriverConnection
ICManagement.ICManager
ICProcessors.DriveExclusions
ICProcessors.DriveExclusionsFactory
ICProcessors.DriverExtensions
ICProcessors.DriverExtensionsFactory
ICProcessors.DriverOperations
ICProcessors.DriverOperationsFactory
ICProcessors.FileExclusions
ICProcessors.FileExclusionsFactory
ICProcessors.GeneralExclusions
ICProcessors.GeneralExclusionsFactory
ICProcessors.ProcessExclusions
ICProcessors.ProcessExclusionsFactory
ICProcessors.UserExclusions
ICProcessors.UserExclusionsFactory
iMonitor.PropertiesDialog
iMonitor.UpdateNotification2
Infrastructure.ComponentManager
ISPSheet.1
LegacyConsumers.SNMPMessaging
Localisation.ConstantDSFactory
Localisation.ConstantStringDS
Localisation.MessageResDSFactory
Localisation.MessageResourceDS
Localisation.StringResDSFactory
Localisation.StringResourceDS
Logging.ConsumerFactory
Logging.DebugLogSource
Logging.DesktopConnPoint
Logging.DesktopConsumer
Logging.EventLog
Logging.FileLog
Logging.JobSink
Logging.JobSinkFactory
Logging.LogConnectionPoint
Logging.LogController
Logging.LogFilter
Logging.LogItem
Logging.LogSourceFactory
Logging.NotificationConfig
Logging.Properties
Logging.SmtpConsumer
Logging.UserLogSource
Persistance.FileStorage
Persistance.PersistanceManager
Persistance.StringStorage
ProgressDlg.ScanJob
SAUConfigDLL.Address
SAUConfigDLL.IntelligentUpdating
SAUConfigDLL.Log
SAUConfigDLL.Proxy
SAUConfigDLL.SAUConfig
SAUConfigDLL.SauConfig2
SAUConfigDLL.Schedule
SAVAdminService.CleanupMediator
SAVAdminService.DeviceControlSystemAcce
SAVAdminService.NetworkServiceAccessce
SAVAdminService.SavConfigEnforcer
SAVAdminService.SWIRegistrar
SAVControl.SophosAntiVirusControl
SAVI.MIMEsweeper
SAVI.SAVI
SavPlugin.SavUIPlugin
ScanEditFacade.ScanEditFacadeFactory
ScanEditFacade.ScanJob
ScanEditFacade.ScanningConfig
ScanEditFacade.ScanSummariser
ScanManagement.LiveScansCollection
ScanManagement.ProgressAdapter
ScanManagement.ScanEventHandler
ScanManagement.ScanManager
ScanManagement.ScanManagerFactory
Security.SecurityManager
SEDManagement.SEDManager
SEDManagement.SEDScanProcFact
SIPSManagement.SIPSManager
Sophos.ContextMenuHandler
Sophos.WebControl
SophosOfficeAV.SophosOfficeAVImpl
SophtainerAdapter.Adapter
SophtainerAdapter.ArchiveTypeInfo
SPA.SophosPatchApi
SWIManagement.SWIManager
SystemInformation.InfoProvider
SystemInformation.SaviSubTypeDS
TamperProtectionControl.TamperProtectionControl
TamperProtectionManagement.TamperProtectionManager
TamperProtectionPlugin.TamperProtectionUIPlugin
ThreatDetection.ScannableDirItemFactory
ThreatDetection.ScannableFile
ThreatDetection.ScannableFolder
ThreatDetection.ScannableMemory
ThreatDetection.ScannableMemoryFactory
ThreatDetection.ScannableNode
ThreatDetection.ScannableNodeFactory
ThreatDetection.ScannableRawFSFact
ThreatDetection.ScannableRegistry
ThreatDetection.ScannableRegistryFactor
ThreatDetection.ScannableShellItem
ThreatDetection.SOCDecomposer
ThreatDetection.SOCDecomposerFactory
ThreatDetection.SOCollection
ThreatDetection.SOCollectionFactory
ThreatDetection.TDEFactory
ThreatDetection.ThreatDetectionEngine
ThreatManagement.AuthoriseCurativeActio
ThreatManagement.CurativeActionFactory
ThreatManagement.DeleteCAction
ThreatManagement.DisinfectCAction
ThreatManagement.DisinfectSectorCAction
ThreatManagement.FileOpProcessor
ThreatManagement.FileOpProcessorFactory
ThreatManagement.MoveCAction
ThreatManagement.PUAThreat
ThreatManagement.QuarantinedThreat
ThreatManagement.QuarantineManager
ThreatManagement.QuarantineManagerFacad
ThreatManagement.RemoveCurativeAction
ThreatManagement.Threat
ThreatManagement.ThreatFactory
Translators.Clip
Translators.ConfigurationStorage
Translators.DateTranslator
Translators.ExtensionList
Translators.List
Translators.PathTranslator
Translators.PersistanceTranslator
Translators.SingleDataList
Translators.TranslatorFactory
Translators.Value
UserSubSystem.ImpersonationToken
UserSubSystem.UserSession
VEController.VEManager
VirusDetection.PUAThreatCause
VirusDetection.PUAThreatComponent
VirusDetection.PUAThreatComponentFactor
VirusDetection.ScanPostprocessor
VirusDetection.ScanPostprocessorFactory
VirusDetection.ScanPreprocessor
VirusDetection.ScanPreprocessorFactory
VirusDetection.ThreatCauseFactory
VirusDetection.VEAdapterFactory
VirusDetection.VirusEngineAdapter
VirusDetection.VirusThreat
WebControlPlugin.WebControlUIPlugin

 
Apparently, you can do a lot with low level COM objects and I'm interested in the TamperProtection ones. Have a customer with more than 2000+ clients that forgot to backup their cert + registry + db and had Tamper Enabled, so you can understand that trying to automatize instead of going one by one is the idea.
 
So, after messing a little bit with it, it takes the password with the "CreateReadWriteSession" (it fails if you don't specify the right password)
 
 
And enables a "WriteSession"
 
 
For TamperProtectionManager there are plenty of methods:
 
 
 
So, the  question is: Does someone knows or have information on how to use the TamperProtection objects to disable tamper through command line? I prefer that someone could share some info instead of trying trial and error 100 times until I find out how it works. This would help creating an script in which I disable the tamper (putting the known password), uninstalling and then install the new sophos from the new server.
 
 
Thanks!
 
 



[locked by: Sure Win at 12:42 PM (GMT -7) on 25 May 2018]
[unlocked by: Sure Win at 12:42 PM (GMT -7) on 25 May 2018]
[locked by: Sure Win at 12:43 PM (GMT -7) on 25 May 2018]
Parents
  • Is this enhanced tamper protection, i.e. the one provided by the Sophos Endpoint Defense component which uses the sophoses.sys driver or the older tamper protection, which just prevents uninstalation and changing policy settings? 

    Enhanced TP can be now enabled/disabled in on-premise only with the latest version of SEC, i.e. 5.5.1 it essentially sets the key: 

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config\

    sedenabled = 1

    If it's the later (old tamper) you can just stop the SAVService and edit machine.xml to disable it but of course it requires local admin rights. 

    If it's the former, i.e. enhanced tamper protection short of a bug, it's hard to disable the sophosed.sys driver without rebooting in and out of safe mode to disable the driver.

    I'm not aware of an API to disable tamper protection and if so, would you be brute forcing it with password attempts?

    Can you describe the scenario you are trying to work around as depending on the tamper protection at play it could be easy.

    Regards,

    Jak

Reply
  • Is this enhanced tamper protection, i.e. the one provided by the Sophos Endpoint Defense component which uses the sophoses.sys driver or the older tamper protection, which just prevents uninstalation and changing policy settings? 

    Enhanced TP can be now enabled/disabled in on-premise only with the latest version of SEC, i.e. 5.5.1 it essentially sets the key: 

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config\

    sedenabled = 1

    If it's the later (old tamper) you can just stop the SAVService and edit machine.xml to disable it but of course it requires local admin rights. 

    If it's the former, i.e. enhanced tamper protection short of a bug, it's hard to disable the sophosed.sys driver without rebooting in and out of safe mode to disable the driver.

    I'm not aware of an API to disable tamper protection and if so, would you be brute forcing it with password attempts?

    Can you describe the scenario you are trying to work around as depending on the tamper protection at play it could be easy.

    Regards,

    Jak

Children
  • Hi,

     

    Thanks for the answer. This is mainly for 5.5.0 and later, so it includes SED (normally). And no, I don't want to brute-force the password, i just want to provide the password that I already known to disable it.

    Example of usage:

    Client has 2000 machines and haven't performed a backup of the CERT, registry and database. Suddenly, the computer that hosts the SEC fails and there's no RAID 1, backup, etc. So, I end up with 2000 machines that can't install Sophos on top of it. I should go one by one disabling in safe mode, uninstall and then install again.

    In that scenario, disabling the Tamper through the command line would be usefull since I could launch a GPO start policy doing that.

     

    Thanks!

     

     

    Antonio.

  • Hello Antonio,

    2000 machines and haven't performed a backup
    can't refrain from rubbing in that this is very bad practice (sorry for the cynicism). All you really need to recapture orphaned endpoints is the HKLM\SOFTWARE\Sophos\Certification Manager\ registry tree - and you have to back it up only once. A whopping 35k or so .reg file (and you can even prune it if space is scarce). Admittedly only the Server to Server Migration Guide instructs you to take a backup (and that just before migration) so ...

    for 5.5.0 and later
    was the late server 5.5.0? If so, then Enhanced Tamper Protection could only be enabled by modifying the registry on the endpoints. Has this been done? Otherwise, as Jak has said, it's SAVService.exe that provides TP and if it's not running it should be possible to uninstall. It's safer to stop all Sophos services as an update might start SAVService but as the endpoints can't update (unless Sophos is configured as Secondary) this won't happen.
    Enhanced TP wouldn't be much good if you could simply disable it without the password from a running system. Keep in mind that it not only is a defence against "local admins" but also against malware.

    Christian 

  • Thanks for the reply Christian.

    Yeah, I know about the backup (first thing that told them when doing best practices but that's life lol)

    In this case, we did apply the SEDEnabled registry on the endpoints, so its not that easy to just shutdown the savservice and then uninstall. So that's why I'm interested in COM access to Sophos functions. I want to do the same thing that I do in the GUI but through the CLI.

    I do open the GUI, put the password, disable tamper.

    I want to run a comand, put the password, disable tamper. That's it.

     

    Thanks!

  • Hello Antonio,

    that's life
    must be some masochistic tendency [;)]

    put the password
    you do have the password? But even if - given the purpose of SED/TP you won't get any information on how to use it through the CLI (if it's possible at all). has outlined in this post how to cycle a computer through and perform some action while in safe mode (dunno why he hasn't mentioned it).

    Christian

  • Maybe using the updating channel to disable it would work?  You could try creating a TP policy in SEC called OFF and disabling TP and then use ExportConfig to export this conf to a file called savconftp.xml.

    https://community.sophos.com/kb/en-us/13111

    You can drop this into the CID (savxp sub dir) and run ConfigCID https://community.sophos.com/kb/en-us/13112 

    The next time the client updates hopefully it pulls the custom file and disabled TP.  Check if you can stop a protected Sophos service, e.g. SAVService.

    You could create this "emergency" CID ahead of time, and as long as the clients can find it using their existing updating path it should work.  You could create a new "file server" with the same name or use DNS to "trick" the clients to going to this staged CID.

    One to try.

    Hope it helps

    Regards,
    Jak

     

    Update: As QC just reminded me, you need the registry key of the cert manager in order to run configcid.exe

  • thanks for all of your answers, they actually might work, but the focus of this topic is mostly to search for info on the COM methods available.

     

    I mean, perhaps the "man in the middle" CID method could work, but what if instead of doing that I could just run a:

    $variable.TamperProtectionControl.Disable("insertpasswordhere",disabled)

    It would be way easier!

     

    Not trying to bring down your help, just that I'm curious about those posibiliites (all of them) using COM natively.

     

    Thanks!