Our customer would like to build out a query that would allow them to retrieve the following information for compliance requirements:
Could we get some assistance on building these queries out, thank you.
Hi Nilesh, sorry for not getting back to you earlier. I will see what I can do with regard to these compliance queries this week.
These seem quite specific and I assume have their roots in the on-premise product but I will do my best to offer something.
Configuration out of Sophos that Live-Protection is enabled.
Sophos Live-Protection traditionally is a configuration option for the Sophos Anti-Virus component. Sophos Anti-Virus configuration, for the most part, is stored in configuration files that are out of reach of Live Query. You can read these values directly from the XML file machine.xml. For example:
# live protection
([xml](Get-Content "$env:ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml")).SelectNodes('//configuration/components/VEManager/settings/scanner/saviOptions/item[@itemName="SXLDetectionLookups"]/value')
# on-demand live protection
([xml](Get-Content "$env:ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml")).SelectNodes('//configuration/components/VEManager/settings/scanner/onDemandSxlLookups')
As you are primarily asking about Live Query, we need some way of "getting at this state". One option is to fall back to the telemetry data that is obtained routinely. Of course this is not the current configuration but the last configuration state at the time telemetry last ran. For this we could use:
select json_extract(data,'$.liveProtectionEnabled') from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SystemProtection\Telemetry\PolicyConfiguration';
Configuration for the automatic updates of clients
If you are referring to the configuration of Sophos AutoUpdate, then there are a number of items that might be of interest but what are you trying to understand here?
https://community.sophos.com/products/intercept/early-access-program/f/recommended-reads/120147/live-response---force-an-update-from-the-command-line-and-checking-status details a little on how you can initiate an update and where to obtain the last update information so a query to the registry for the last update time might look like the following:
select datetime(data,'unixepoch') as UpdateTimeUTC from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\%\Sophos\AutoUpdate\UpdateStatus\LastUpdateTime';
Sophos configuration of weekly scanning job
Sophos Central doesn't really allow you to change the settings of a scan. The only option exposed in Sophos Central is:
This is a Sophos Anti-Virus configuration option, the value of which is stored in machine.xml, so the problem detailed in question 1 is applicable.
Sophos configuration of real-time scanning is turned on
There are multiple parts of the endpoint solution for which the concept of real-time scanning is applicable. These are:
The configuration is set in Central as on|off and filters down to both components so they should be in sync.
For Sophos Anti-Virus, we look to machine.xml for the configuration. Of course, this isn't necessarily the state just the config. To actually obtain the real state for SAV you need to turn to COM calls. For SED, the config is in the registry so it could be obtained from Live Query:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config DWORD - OnAccessEnabled = 1|0
select data as OnAccessEnabled from registry where path like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config\OnAccessEnabled';
Antivirus software console including system deployed, version, and the current virus definition
I don't quite understand what you're after here and how you plan to use the information. The Sophos endpoint solution is made up of a number of components, each with its own version number. These can all be seen in Central against the client. Traditionally the Sophos Anti-Virus component is the component that is most associated with the marketing version. Like with all software, you can get this from the uninstall key. In terms of virus definition - then I assume you are referring to ide files and other than the files on disk, this is not really accessible.
A long time ago, there was some integration with a NAC product. SAV did maintain a number of keys under:
But this "API", if you like, is no longer maintained in any formal way. For Sophos Anti-Virus component, you may want to consider again the telemetry values found under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\Telemetry\
Frequency configuration settings for scans and virus definition updates
The scan frequency I assume is scheduled scans? These are stored in machine.xml.
Virus definition updates? The last time SAV installed a new ide? This is similar to the above question.
If you have any followup questions I can try and add more details.
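As an added example (not part of the original reply), the three registry-backed checks from the answer above can be folded into a single Live Query (osquery SQL) statement that returns one row per check with a compliant flag an auditor can filter on. The 7-day update-freshness threshold is an assumed policy value; the registry paths are the ones quoted in the reply.

```sql
-- Added example, not from the original post. One osquery/Live Query statement
-- combining the registry checks discussed above into a single result set.
-- Assumption: a 7-day window counts as "recently updated"; adjust to policy.
SELECT 'live_protection_enabled'                           AS check_name,
       json_extract(data, '$.liveProtectionEnabled')      AS observed,
       CASE WHEN json_extract(data, '$.liveProtectionEnabled') = 1
            THEN 'yes' ELSE 'no' END                      AS compliant
  FROM registry
 WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SystemProtection\Telemetry\PolicyConfiguration'
UNION ALL
SELECT 'on_access_scanning_enabled',
       data,
       CASE WHEN data = 1 THEN 'yes' ELSE 'no' END
  FROM registry
 WHERE path LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config\OnAccessEnabled'
UNION ALL
SELECT 'last_update_within_7_days',
       datetime(data, 'unixepoch'),
       -- LastUpdateTime is a Unix epoch; compare against the endpoint's clock.
       CASE WHEN (strftime('%s', 'now') - data) <= 7 * 86400
            THEN 'yes' ELSE 'no' END
  FROM registry
 WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\%\Sophos\AutoUpdate\UpdateStatus\LastUpdateTime';
```

A check that is missing from the output means the registry value itself is absent on that endpoint, which is a finding in its own right rather than a pass, so compare the row count against the expected three.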