As some might have found out, there are some commands/actions that can be run through COM objects. For example, triggering an update on the endpoint from the command line:
So, after checking the COM objects of Sophos, I ended up finding all of these (perhaps some non-Sophos ones got in, but they are the minority):
Is this enhanced tamper protection, i.e. the one provided by the Sophos Endpoint Defense component which uses the sophoses.sys driver, or the older tamper protection, which just prevents uninstallation and changing policy settings?
Enhanced TP can now be enabled/disabled on-premise only with the latest version of SEC, i.e. 5.5.1; it essentially sets the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config\
sedenabled = 1
If it's the latter (old tamper) you can just stop the SAVService and edit machine.xml to disable it, but of course it requires local admin rights.
If it's the former, i.e. enhanced tamper protection, then short of a bug it's hard to disable the sophosed.sys driver without rebooting in and out of safe mode to disable the driver.
I'm not aware of an API to disable tamper protection, and if there were one, would you be brute-forcing it with password attempts?
Can you describe the scenario you are trying to work around, as depending on the tamper protection at play it could be easy.
In reply to jak:
Thanks for the answer. This is mainly for 5.5.0 and later, so it includes SED (normally). And no, I don't want to brute-force the password; I just want to provide the password that I already know to disable it.
Example of usage:
Client has 2000 machines and hasn't performed a backup of the CERT, registry and database. Suddenly, the computer that hosts the SEC fails and there's no RAID 1, backup, etc. So I end up with 2000 machines that I can't install Sophos on top of. I would have to go one by one, disabling it in safe mode, uninstalling and then installing again.
In that scenario, disabling the Tamper through the command line would be useful since I could launch a GPO start policy doing that.
In reply to Antonio Cienfuegos:
"2000 machines and haven't performed a backup"
I can't refrain from rubbing in that this is very bad practice (sorry for the cynicism). All you really need to recapture orphaned endpoints is the HKLM\SOFTWARE\Sophos\Certification Manager\ registry tree, and you have to back it up only once. A whopping 35k or so .reg file (and you can even prune it if space is scarce). Admittedly only the Server to Server Migration Guide instructs you to take a backup (and that just before migration) so ...
"for 5.5.0 and later"
Was the late server 5.5.0? If so, then Enhanced Tamper Protection could only be enabled by modifying the registry on the endpoints. Has this been done? Otherwise, as Jak has said, it's SAVService.exe that provides TP, and if it's not running it should be possible to uninstall. It's safer to stop all Sophos services, as an update might start SAVService, but as the endpoints can't update (unless Sophos is configured as Secondary) this won't happen.
Enhanced TP wouldn't be much good if you could simply disable it without the password from a running system. Keep in mind that it is not only a defence against "local admins" but also against malware.
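The one-time backup QC describes above, written out as an added PowerShell example (not code from the thread or from Sophos): it exports the HKLM\SOFTWARE\Sophos\Certification Manager tree from the SEC management server into a timestamped .reg file and sanity-checks the result, so the export can be scheduled rather than remembered. The destination share name is a placeholder; the registry path is the one QC quotes.

```powershell
# Added example, not from the thread. Run on the SEC management server, where the
# Certification Manager tree lives. Re-import later with: reg.exe import <file>.reg
$KeyPath   = 'HKLM\SOFTWARE\Sophos\Certification Manager'         # path quoted by QC above
$FullKey   = $KeyPath -replace '^HKLM', 'HKEY_LOCAL_MACHINE'      # form used inside .reg files
$BackupDir = '\\FILESERVER\SophosBackup'                          # placeholder share, change to suit
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$BackupFile = Join-Path $BackupDir "CertificationManager-$env:COMPUTERNAME-$Stamp.reg"

# A missing tree means this is not the management server; refuse rather than write an empty file.
if (-not (Test-Path 'HKLM:\SOFTWARE\Sophos\Certification Manager')) {
    throw "Registry key '$KeyPath' not found; is this the SEC management server?"
}
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# reg.exe export writes the whole subtree (keys, values, and the certificates stored in it).
& reg.exe export $KeyPath $BackupFile /y
if ($LASTEXITCODE -ne 0) {
    throw "reg.exe export failed with exit code $LASTEXITCODE"
}

# Catch a truncated or empty export early: the file must carry the .reg header and the key name.
$content = Get-Content -Path $BackupFile -Raw
if (-not $content -or $content -notmatch '^Windows Registry Editor' -or
    $content -notmatch [regex]::Escape($FullKey)) {
    throw "Export at $BackupFile looks incomplete"
}

$size = (Get-Item $BackupFile).Length
Write-Host ("Exported {0} ({1:N0} bytes) to {2}" -f $KeyPath, $size, $BackupFile)
```

Keep the exported file somewhere that does not share the fate of the management server (an off-box share or the same place the SEC database backups go); as QC notes, the tree is only tens of kilobytes, so keeping a few dated copies costs nothing.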
In reply to QC:
Thanks for the reply Christian.
Yeah, I know about the backup (first thing I told them when going over best practices, but that's life lol).
In this case, we did apply the SEDEnabled registry on the endpoints, so it's not that easy to just shut down the SAVService and then uninstall. So that's why I'm interested in COM access to Sophos functions. I want to do the same thing that I do in the GUI but through the CLI.
I do open the GUI, put the password, disable tamper.
I want to run a command, put the password, disable tamper. That's it.
"that's life"
Must be some masochistic tendency.
"put the password"
You do have the password? But even if you do, given the purpose of SED/TP you won't get any information on how to use it through the CLI (if it's possible at all). jak has outlined in this post how to cycle a computer through and perform some action while in safe mode (dunno why he hasn't mentioned it).
Maybe using the updating channel to disable it would work? You could try creating a TP policy in SEC called OFF and disabling TP and then use ExportConfig to export this conf to a file called savconftp.xml.
https://community.sophos.com/kb/en-us/13111
You can drop this into the CID (savxp sub dir) and run ConfigCID: https://community.sophos.com/kb/en-us/13112
The next time the client updates, hopefully it pulls the custom file and disables TP. Check if you can stop a protected Sophos service, e.g. SAVService.
You could create this "emergency" CID ahead of time, and as long as the clients can find it using their existing updating path it should work. You could create a new "file server" with the same name or use DNS to "trick" the clients into going to this staged CID.
One to try.
Hope it helps.
Regards,
Jak
Update: As QC just reminded me, you need the registry key of the cert manager in order to run configcid.exe
Thanks for all of your answers; they actually might work, but the focus of this topic is mostly to search for info on the COM methods available.
I mean, perhaps the "man in the middle" CID method could work, but what if instead of doing that I could just run a:
It would be way easier!
Not trying to put down your help, just that I'm curious about those possibilities (all of them) using COM natively.
The requested information for this thread goes against our EULA - Clause 3.4.2. Please open a case with our Support for the best feasible solution to achieve your requirements in reinstalling the endpoints. This thread will be locked.