I could see clear text authentication (logon type 8) with event code 4624 (logon successful) via Splunk on our server where Sophos Central is installed; the process name is MgntSvc.exe, which might be communicating with the management server on a regular basis.
Is there any way Sophos Central can encrypt the password while communicating with the management server?
"our server where Sophos central is installed"
Central is Central and managed in the Cloud. MgntSvc.exe belongs to the on-premise SESC management server (aka SEC) and the appropriate forum would be Sophos Enterprise Console. What's the user that is logging on? The service runs as LOCAL SYSTEM and IIRC it impersonates the database user to access the database.
Hi Tejas Bavara,
The following KBA would provide some additional information regarding MgntSvc.exe on Sophos Endpoint Security and Control.
Sophos Enterprise Console: How the Protect Computers Wizard performs an installation on endpoints
Also, please subscribe to the Endpoint Security and Control group so that I can have this thread moved to it for a better response.
In reply to QC:
Thanks Chris for the information.
Yes, it was LOCAL SYSTEM only; no user is involved in this process log.
In reply to Tejas Bavarva:
How often do you see it? I assume SophosManagement is the so-called Database User. I don't really have an idea when this happens or could happen ... or why this is a Network Logon. There are many details in these events and usually you need to know (almost) all of them to understand their meaning.
It was captured as a part of windows audit logs.
We have implemented a use case in Splunk to capture this event ID with a specific logon type (for this process it is 8, which means clear text authentication). The most common types are 2 (interactive) and 3 (network).
I don't capture any other important parameter in Splunk logs.
And the frequency of this event is once in a day.
Also I have a query, whenever communication happens between SEC agent (or whatever term you use where SEC is installed) and management server, what all info will be exchanged?
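The detection described in this post, as an added example that is not part of the thread or of Sophos's own tooling: a small parser that takes flattened Windows Security events and keeps only successful logons (4624) whose Logon Type is 8 (NetworkCleartext), optionally narrowed to one process such as MgntSvc.exe. The sample event lines, the account names and the file paths are constructed for the example; only the event ID, logon type codes and process name come from the thread.

```python
"""Flag Windows Security 4624 events with LogonType 8 (NetworkCleartext).

Added example for this thread. The sample events below are constructed in the
flattened "Field: value" form a typical log forwarder produces; they are not
real captures, and this is not Sophos code or the poster's Splunk search.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Microsoft's documented logon type codes for event 4624 (subset).
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}


@dataclass
class Logon:
    event_id: int
    logon_type: int
    account: str
    process: str

    @property
    def logon_type_name(self) -> str:
        return LOGON_TYPES.get(self.logon_type, f"Unknown({self.logon_type})")


# Constructed sample events (account names and paths are made up for the example).
SAMPLE_EVENTS = [
    "EventCode=4624 Logon Type: 3 Account Name: SERVER01$ Process Name: -",
    "EventCode=4624 Logon Type: 8 Account Name: SophosManagement "
    "Process Name: C:\\Program Files\\Sophos\\Enterprise Console\\MgntSvc.exe",
    "EventCode=4624 Logon Type: 2 Account Name: jdoe "
    "Process Name: C:\\Windows\\System32\\winlogon.exe",
    "EventCode=4625 Logon Type: 8 Account Name: svc_backup "
    "Process Name: C:\\Windows\\System32\\svchost.exe",
]

_PATTERN = re.compile(
    r"EventCode=(?P<event_id>\d+)\s+"
    r"Logon Type:\s+(?P<logon_type>\d+)\s+"
    r"Account Name:\s+(?P<account>\S+)\s+"
    r"Process Name:\s+(?P<process>.+?)\s*$"
)


def parse_event(line: str) -> Optional[Logon]:
    """Parse one flattened event line; return None if it does not match the layout."""
    m = _PATTERN.match(line.strip())
    if not m:
        return None
    return Logon(int(m["event_id"]), int(m["logon_type"]), m["account"], m["process"])


def find_cleartext_logons(lines: List[str], process_suffix: Optional[str] = None) -> List[Logon]:
    """Return successful (4624) logons that used LogonType 8.

    LogonType 8 means the authentication package received the credential in
    clear text, so each hit should be tied to its process and reviewed. An
    optional process_suffix (e.g. "MgntSvc.exe") narrows the result to one binary.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.event_id != 4624 or ev.logon_type != 8:
            continue
        if process_suffix and not ev.process.lower().endswith(process_suffix.lower()):
            continue
        hits.append(ev)
    return hits


def summarize(hits: List[Logon]) -> Dict[str, int]:
    """Count hits per process so a once-a-day pattern stands out over a longer window."""
    counts: Dict[str, int] = {}
    for ev in hits:
        counts[ev.process] = counts.get(ev.process, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in find_cleartext_logons(SAMPLE_EVENTS):
        print(f"{ev.logon_type_name}: {ev.account} via {ev.process}")
```

Failed logons (4625) with type 8 are deliberately excluded here to match the thread's 4624 use case; dropping the `event_id` check would widen the search to attempts as well as successes.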
[disclaimer: I'm not Sophos]
"once in a day"
Hm, interesting. As I'm not Sophos I can't tell what SEC is doing. Support might be able to tell you (and anyway I'll enable auditing and try to capture this event, still inquisitive).
"between SEC agent [...] and management server"
SEC usually refers to the management server and its components, the product is/was called SESC, the managed computers are normally called endpoints (whether server, desktop, or laptop). There's a service called Sophos Agent that's present on all machines and acts as a communication hub, but this is likely not what you mean. Are you asking about what information the endpoints, i.e. the computers where Sophos (Anti-Virus, Endpoint Protection, or whatever name is hip) is installed, send to the management server?
This looks pretty relevant to the part of the KBA on reasons why the Management Service wouldn't start. So, the password itself is obfuscated internally by SEC using its obfuscation utility, as explained under the Technical Information section of the KBA on the user accounts used by SEC. Should you find any anomalies, like the password visible as clear text (unobfuscated), then this should do the trick for you, although the password is usually obfuscated and stored in the registry already. In case you face any further concerns on the same, please feel free to involve support to dig into this in detail and understand this behavior! Please open a support case with us using this link.