Live Response - Don't forget Tamper Protection

When performing a Live Response session, with a view to troubleshooting Sophos components, it may be worthwhile confirming whether Tamper Protection (Endpoint Defense) is disabled. To do so you can run:

"C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -s

This will return either:

  • SED Tamper Protection is disabled
  • SED Tamper Protection is enabled

If it is enabled, you should be able to disable it via Sophos Central or re-use SEDcli.exe with the -TPoff switch, e.g.

"C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -TPoff 12345678890

Where the password for this computer can be obtained from Sophos Central.

Tip: To get to the correct page in Central without the need to search for an endpoint, at the time of writing the direct URL to the computer page takes the form:

https://cloud.sophos.com/manage/devices/computers/<EndpointID>

Servers take the form:

https://cloud.sophos.com/manage/server/devices/servers/<EndpointID>

Where the <EndpointID> at the end of the URL is the unique endpoint id issued to the managed client.  This can be obtained with the command line:

type "%ProgramData%\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt"

Given the link format and this ID, you can construct the URL to the device page.

Regards,
Jak
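The steps above (check the Tamper Protection state with SEDcli.exe, read EndpointIdentity.txt, and build the Central device URL) as one PowerShell script that can be pasted into a Live Response session. This is an added example, not code from the post or from Sophos: the SEDcli.exe path, the EndpointIdentity.txt path and the two URL formats are taken from the post as written; the function names, the -IsServer switch and the use of the Win32_OperatingSystem ProductType to guess computer versus server are this example's own assumptions.

```powershell
# Added example (not from the original post or from Sophos).
# Reports the SED Tamper Protection state and prints the Sophos Central
# device page URL built from the local endpoint identity.

function Get-SedTamperProtectionState {
    # Path from the post; SEDcli.exe -s prints one of the two status lines quoted there
    $sedcli = Join-Path $env:ProgramFiles 'Sophos\Endpoint Defense\SEDcli.exe'
    if (-not (Test-Path -LiteralPath $sedcli)) {
        throw "SEDcli.exe not found at $sedcli"
    }
    $output = (& $sedcli -s 2>&1 | Out-String)
    if ($output -match 'Tamper Protection is disabled') { return 'Disabled' }
    if ($output -match 'Tamper Protection is enabled')  { return 'Enabled' }
    return "Unknown: $($output.Trim())"
}

function Get-SophosEndpointId {
    # Path from the post; the file holds the unique endpoint id of the managed client
    $idFile = Join-Path $env:ProgramData 'Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt'
    if (-not (Test-Path -LiteralPath $idFile)) {
        throw "EndpointIdentity.txt not found at $idFile"
    }
    return (Get-Content -LiteralPath $idFile -Raw).Trim()
}

function Get-SophosCentralDeviceUrl {
    # URL formats from the post; -IsServer is this example's own switch
    param(
        [Parameter(Mandatory)][string]$EndpointId,
        [switch]$IsServer
    )
    if ($IsServer) {
        return "https://cloud.sophos.com/manage/server/devices/servers/$EndpointId"
    }
    return "https://cloud.sophos.com/manage/devices/computers/$EndpointId"
}

# Assumption of this example: a Windows Server product type (ProductType 2 or 3)
# corresponds to a "server" device in Central; workstations (ProductType 1) to "computers".
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

$state = Get-SedTamperProtectionState
$id    = Get-SophosEndpointId
$url   = Get-SophosCentralDeviceUrl -EndpointId $id -IsServer:$isServer

Write-Output "Tamper Protection : $state"
Write-Output "Endpoint ID       : $id"
Write-Output "Central device URL: $url"
if ($state -eq 'Enabled') {
    Write-Output 'Tamper Protection is enabled; use the Central device page above to manage it before troubleshooting components.'
}
```

The script only reads state and builds the URL; it does not attempt to change Tamper Protection itself, so it is safe to run as a first step in any session. If the product type heuristic picks the wrong URL form, pass -IsServer explicitly (or omit it) when calling Get-SophosCentralDeviceUrl.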

  • When sedcli is used via Live Response to switch off Tamper Protection, please note that a locally logged on user can access Settings in the UI while TP is off.