
Information about COM methods/calls to use/manage Sophos Endpoint On-Premise through the command line.

Hi,

As some might have found out, there are some commands/actions that can be done through COM objects. For example, triggering an update on the endpoint through the command line:

Link:
https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/2115/manual-update-via-command-line-script

So, after checking the COM objects of Sophos, I ended up finding all of these (perhaps some non-Sophos ones got in, but they are the minority):


 

ActiveLinkClient.ALUpdateNotification
ActiveLinkClient.AutoUpdateStatus
ActiveLinkClient.AutoUpdateStatus2
ActiveLinkClient.ClientUpdate
ActiveLinkClient.MonitorControl
ActiveLinkClient.RebootRequest
AppFeedManager.AppFeed
ApplicationManagement.ApplicationManager
AuthorisedLists.AppControlLists
AuthorisedLists.AuthorisationListManager
AuthorisedLists.AuthorisedAppList
AuthorisedLists.AuthorisedFileList
AutoUpdatePlugin.AutoUpdateUIPlugin
BackgroundScanning.BackgroundScan
BackgroundScanning.BackgroundScanFactory
BHOManagement.BHOManager
BHOManagement.DownloadReputationActionQuery
BHOManagement.WebScanningProcessorFacto
ComponentManager.Manager
Configuration.ConfigurationManager
Configuration.ConfigurationNode
DataControlManagement.DataControlActionQuery
DataControlManagement.DataControlManager
DataControlPlugin.DataControlUIPlugin
DCManagement.DCManager
DesktopMessaging.DesktopEventHandler
DetectionFeedback.DetectionFeedbackMana
DeviceControlPlugin.DeviceControlUIPlugin
DriveProcessor.DriveDecomposer
DriveProcessor.DriveDecomposerFactory
DriveProcessor.ScannableDrive
DriveProcessor.ScannableDriveFactory
DriveProcessor.ScannableLogicalSector
DriveProcessor.ScannablePhysicalSector
DriveProcessor.ScannableSectorFactory
EEConsumer.Consumer
EXPPlugin.EXPUIPlugin
FilterProcessors.ExclusionFilterProcessor
FilterProcessors.ExclusionFilterProcessorFact
FilterProcessors.ExtensionFilterProcessor
FilterProcessors.ExtensionFilterProcessorFact
FilterProcessors.FileAttributeFilter
FilterProcessors.FileAttributeFilterFac
FSDecomposer.FSDecomposerFactory
FSDecomposer.FSDecomposerProc
ICAdapter.EnumExclusions
ICAdapter.EnumMissedFiles
ICAdapter.ICFilterDriver
ICAdapter.ICFilterDriverConnection
ICManagement.ICManager
ICProcessors.DriveExclusions
ICProcessors.DriveExclusionsFactory
ICProcessors.DriverExtensions
ICProcessors.DriverExtensionsFactory
ICProcessors.DriverOperations
ICProcessors.DriverOperationsFactory
ICProcessors.FileExclusions
ICProcessors.FileExclusionsFactory
ICProcessors.GeneralExclusions
ICProcessors.GeneralExclusionsFactory
ICProcessors.ProcessExclusions
ICProcessors.ProcessExclusionsFactory
ICProcessors.UserExclusions
ICProcessors.UserExclusionsFactory
iMonitor.PropertiesDialog
iMonitor.UpdateNotification2
Infrastructure.ComponentManager
ISPSheet.1
LegacyConsumers.SNMPMessaging
Localisation.ConstantDSFactory
Localisation.ConstantStringDS
Localisation.MessageResDSFactory
Localisation.MessageResourceDS
Localisation.StringResDSFactory
Localisation.StringResourceDS
Logging.ConsumerFactory
Logging.DebugLogSource
Logging.DesktopConnPoint
Logging.DesktopConsumer
Logging.EventLog
Logging.FileLog
Logging.JobSink
Logging.JobSinkFactory
Logging.LogConnectionPoint
Logging.LogController
Logging.LogFilter
Logging.LogItem
Logging.LogSourceFactory
Logging.NotificationConfig
Logging.Properties
Logging.SmtpConsumer
Logging.UserLogSource
Persistance.FileStorage
Persistance.PersistanceManager
Persistance.StringStorage
ProgressDlg.ScanJob
SAUConfigDLL.Address
SAUConfigDLL.IntelligentUpdating
SAUConfigDLL.Log
SAUConfigDLL.Proxy
SAUConfigDLL.SAUConfig
SAUConfigDLL.SauConfig2
SAUConfigDLL.Schedule
SAVAdminService.CleanupMediator
SAVAdminService.DeviceControlSystemAcce
SAVAdminService.NetworkServiceAccessce
SAVAdminService.SavConfigEnforcer
SAVAdminService.SWIRegistrar
SAVControl.SophosAntiVirusControl
SAVI.MIMEsweeper
SAVI.SAVI
SavPlugin.SavUIPlugin
ScanEditFacade.ScanEditFacadeFactory
ScanEditFacade.ScanJob
ScanEditFacade.ScanningConfig
ScanEditFacade.ScanSummariser
ScanManagement.LiveScansCollection
ScanManagement.ProgressAdapter
ScanManagement.ScanEventHandler
ScanManagement.ScanManager
ScanManagement.ScanManagerFactory
Security.SecurityManager
SEDManagement.SEDManager
SEDManagement.SEDScanProcFact
SIPSManagement.SIPSManager
Sophos.ContextMenuHandler
Sophos.WebControl
SophosOfficeAV.SophosOfficeAVImpl
SophtainerAdapter.Adapter
SophtainerAdapter.ArchiveTypeInfo
SPA.SophosPatchApi
SWIManagement.SWIManager
SystemInformation.InfoProvider
SystemInformation.SaviSubTypeDS
TamperProtectionControl.TamperProtectionControl
TamperProtectionManagement.TamperProtectionManager
TamperProtectionPlugin.TamperProtectionUIPlugin
ThreatDetection.ScannableDirItemFactory
ThreatDetection.ScannableFile
ThreatDetection.ScannableFolder
ThreatDetection.ScannableMemory
ThreatDetection.ScannableMemoryFactory
ThreatDetection.ScannableNode
ThreatDetection.ScannableNodeFactory
ThreatDetection.ScannableRawFSFact
ThreatDetection.ScannableRegistry
ThreatDetection.ScannableRegistryFactor
ThreatDetection.ScannableShellItem
ThreatDetection.SOCDecomposer
ThreatDetection.SOCDecomposerFactory
ThreatDetection.SOCollection
ThreatDetection.SOCollectionFactory
ThreatDetection.TDEFactory
ThreatDetection.ThreatDetectionEngine
ThreatManagement.AuthoriseCurativeActio
ThreatManagement.CurativeActionFactory
ThreatManagement.DeleteCAction
ThreatManagement.DisinfectCAction
ThreatManagement.DisinfectSectorCAction
ThreatManagement.FileOpProcessor
ThreatManagement.FileOpProcessorFactory
ThreatManagement.MoveCAction
ThreatManagement.PUAThreat
ThreatManagement.QuarantinedThreat
ThreatManagement.QuarantineManager
ThreatManagement.QuarantineManagerFacad
ThreatManagement.RemoveCurativeAction
ThreatManagement.Threat
ThreatManagement.ThreatFactory
Translators.Clip
Translators.ConfigurationStorage
Translators.DateTranslator
Translators.ExtensionList
Translators.List
Translators.PathTranslator
Translators.PersistanceTranslator
Translators.SingleDataList
Translators.TranslatorFactory
Translators.Value
UserSubSystem.ImpersonationToken
UserSubSystem.UserSession
VEController.VEManager
VirusDetection.PUAThreatCause
VirusDetection.PUAThreatComponent
VirusDetection.PUAThreatComponentFactor
VirusDetection.ScanPostprocessor
VirusDetection.ScanPostprocessorFactory
VirusDetection.ScanPreprocessor
VirusDetection.ScanPreprocessorFactory
VirusDetection.ThreatCauseFactory
VirusDetection.VEAdapterFactory
VirusDetection.VirusEngineAdapter
VirusDetection.VirusThreat
WebControlPlugin.WebControlUIPlugin

 
Apparently, you can do a lot with low-level COM objects, and I'm interested in the TamperProtection ones. I have a customer with more than 2000 clients who forgot to back up their cert + registry + db and had Tamper enabled, so you can understand that automating this instead of going one by one is the idea.
 
So, after messing a little bit with it, it takes the password with "CreateReadWriteSession" (it fails if you don't specify the right password).
 
 
And enables a "WriteSession"
 
 
For TamperProtectionManager there are plenty of methods:
 
 
 
So, the question is: does anyone know or have information on how to use the TamperProtection objects to disable tamper through the command line? I would prefer that someone share some info instead of going through trial and error 100 times until I find out how it works. This would help in creating a script in which I disable the tamper (supplying the known password), uninstall, and then install the new Sophos from the new server.
 
 
Thanks!
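
The post notes that some non-Sophos entries may have slipped into the ProgID list. The following is an added example, not part of the original post and not Sophos code: a read-only PowerShell inventory that resolves each registered ProgID to its CLSID and server binary and keeps only those whose binary sits under a vendor directory. The `\Sophos\` path filter and the helper name `Get-DefaultValue` are assumptions.

```powershell
# Added example (not from the original post). Read-only: only queries the registry.
# Assumption: the vendor's COM servers are installed under a path containing '\Sophos\'.
$vendorPattern = '\\Sophos\\'

# 32-bit COM classes on 64-bit Windows are registered under Wow6432Node, so check both views.
$clsidRoots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
              'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'

# Hypothetical helper: return the (default) value of a registry key, or nothing if absent.
function Get-DefaultValue([string]$KeyPath) {
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

$results = foreach ($k in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue) {
    $progId = $k.PSChildName

    # ProgIDs look like "Library.Class"; skip file extensions (".txt") and other keys.
    if ($progId -notmatch '^\w[\w-]*\.\w') { continue }

    # A ProgID key carries a CLSID subkey whose default value is the class GUID.
    $clsid = Get-DefaultValue (Join-Path $k.PSPath 'CLSID')
    if (-not $clsid) { continue }

    foreach ($root in $clsidRoots) {
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            # The default value of the server subkey is the DLL/EXE path that hosts the class.
            $server = Get-DefaultValue "$root\$clsid\$kind"
            if ($server -and $server -match $vendorPattern) {
                [pscustomobject]@{
                    ProgId     = $progId
                    Clsid      = $clsid
                    ServerType = $kind
                    Server     = $server
                }
            }
        }
    }
}

# One row per ProgID, with the binary that backs it.
$results | Sort-Object ProgId -Unique | Format-Table -AutoSize
```

ProgIDs from the list that do not appear in the output are either backed by a binary outside the filtered directory or not registered on the machine where the script runs.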
 
 



[locked by: Sure Win at 12:42 PM (GMT -7) on 25 May 2018]
[unlocked by: Sure Win at 12:42 PM (GMT -7) on 25 May 2018]
[locked by: Sure Win at 12:43 PM (GMT -7) on 25 May 2018]