Live Discover - Compliance Report Queries

Our customer would like to build out a query that would allow them to retrieve the following information for compliance requirements:

 

  • configuration out of Sophos that Live-Protection is enabled.
  • configuration for the automatic updates of clients
  • Sophos configuration of weekly scanning job
  • Sophos configuration of real-time scanning is turned on
  • antivirus software console including system deployed, version, and the current virus definition
  • frequency configuration settings for scans and virus definition updates

Could we get some assistance on building these queries out, thank you.

  • Hi Nilesh, sorry for not getting back to you earlier. I will see what I can do with regard to these compliance queries this week. 

  • These seem quite specific and I assume have their roots in the on-premise product but I will do my best to offer something. 

    Configuration out of Sophos that Live-Protection is enabled.

    Sophos Live-Protection traditionally is a configuration option for the Sophos Anti-Virus component. Sophos Anti-Virus configuration, for the most part, is stored in configuration files that are out of reach of Live Query. You can read these values directly from the XML file machine.xml. For example:

    # Load machine.xml once; the settings below are read from the VEManager (scanner) section
    $machineXml = [xml](Get-Content "$env:ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml")

    # Live Protection (SXL detection lookups) for on-access scanning
    $machineXml.SelectNodes('//configuration/components/VEManager/settings/scanner/saviOptions/item[@itemName="SXLDetectionLookups"]/value')

    # Live Protection for on-demand scans
    $machineXml.SelectNodes('//configuration/components/VEManager/settings/scanner/onDemandSxlLookups')

    As you are primarily asking about Live Query, we need some way of "getting at this state". One option is to fall back to the telemetry data that is obtained routinely. Of course this is not the current configuration but the last configuration state at the time telemetry last ran. For this we could use:

    select json_extract(data,'$.liveProtectionEnabled') from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SystemProtection\Telemetry\PolicyConfiguration';

    Configuration for the automatic updates of clients

    If you are referring to the configuration of Sophos AutoUpdate, then there are a number of items that might be of interest but what are you trying to understand here?  

    https://community.sophos.com/products/intercept/early-access-program/f/recommended-reads/120147/live-response---force-an-update-from-the-command-line-and-checking-status details a little on how you can initiate an update and where to obtain the last update information so a query to the registry for the last update time might look like the following:

    select datetime(data,'unixepoch') as UpdateTimeUTC from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\%\Sophos\AutoUpdate\UpdateStatus\LastUpdateTime';

    Sophos configuration of weekly scanning job

    Sophos Central doesn't really allow you to change the settings of a scan. The only option exposed in Sophos Central is:

    • Enable deep scanning - scans inside archive files (.zip, .cab, etc.)

    This is a Sophos Anti-Virus configuration option, the value of which is stored in machine.xml, so the problem detailed in question 1 is applicable.

    Sophos configuration of real-time scanning is turned on

    There are multiple parts of the endpoint solution for which the concept of realtime scanning is applicable.  These are:

    • Sophos Anti-Virus
    • Sophos Endpoint Defense (SED)

    The configuration is set in Central as on|off and filters down to both components so they should be in sync.

    For Sophos Anti-Virus, we look to machine.xml for the configuration. Of course, this isn't necessarily the state, just the config. To actually obtain the real state for SAV you need to turn to COM calls. For SED, the config is in the registry so it could be obtained from Live Query:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config DWORD - OnAccessEnabled = 1|0

    select data as OnAccessEnabled from registry where path like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config\OnAccessEnabled';

    Antivirus software console including system deployed, version, and the current virus definition

    I don't quite understand what you're after here and how you plan to use the information. The Sophos endpoint solution is made up of a number of components, each with its own version number. These can all be seen in Central against the client. Traditionally the Sophos Anti-Virus component is the component that is most associated with the marketing version. Like with all software, you can get this from the uninstall key.  In terms of virus definition - then I assume you are referring to ide files and other than the files on disk, this is not really accessible. 

    A long time ago, there was some integration with a NAC product. SAV did maintain a number of keys under:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\Status\

    But this "API", if you like, is no longer maintained in any formal way.  For Sophos Anti-Virus component, you may want to consider again the telemetry values found under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\Telemetry\

    Frequency configuration settings for scans and virus definition updates

    The scan frequency I assume is scheduled scans?  These are stored in machine.xml.

    Virus definition updates?  The last time SAV installed a new ide?  This is similar to the above question.

    If you have any follow-up questions I can try and add more details.

    Regards,

    Jak
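The three registry-based Live Query checks from the answer above, combined into a single compliance-report result set with one row per control (an added example, not a query from the thread or from Sophos). The registry paths and the liveProtectionEnabled JSON key come from the answer; the PASS/FAIL thresholds, including the 24-hour update window, are assumptions for this example.

```sql
-- Added example: one row per compliance control, built from the thread's queries.
-- Expected values (1 = enabled, update within 24 h) are assumed policy, not Sophos defaults.
SELECT
  'Live Protection enabled (last telemetry snapshot)' AS control,
  json_extract(data, '$.liveProtectionEnabled')       AS observed,
  CASE WHEN json_extract(data, '$.liveProtectionEnabled') = 1
       THEN 'PASS' ELSE 'FAIL' END                    AS result
FROM registry
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SystemProtection\Telemetry\PolicyConfiguration'

UNION ALL

-- Sophos Endpoint Defense on-access (real-time) scanning flag, DWORD 1|0
SELECT
  'Real-time (on-access) scanning enabled in SED',
  data,
  CASE WHEN CAST(data AS INTEGER) = 1 THEN 'PASS' ELSE 'FAIL' END
FROM registry
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config\OnAccessEnabled'

UNION ALL

-- AutoUpdate last successful update time (unix epoch), compared with "now"
SELECT
  'AutoUpdate last update within 24 hours',
  datetime(data, 'unixepoch'),
  CASE WHEN CAST(data AS INTEGER) >= CAST(strftime('%s', 'now') AS INTEGER) - 86400
       THEN 'PASS' ELSE 'FAIL' END
FROM registry
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\%\Sophos\AutoUpdate\UpdateStatus\LastUpdateTime';
```

A control whose registry value is absent produces no row at all rather than a FAIL, so a report consumer should treat a missing control row as non-compliant.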