When performing a Live Response session to troubleshoot Sophos components, it may be worthwhile confirming whether Tamper Protection (Endpoint Defense) is disabled. To do so, run:
"C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -s
This will return either:
If it is enabled, you should be able to disable it via Sophos Central or re-use SEDcli.exe with the -TPoff switch, e.g.
"C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -TPoff 12345678890
Where the password for this computer can be obtained from Sophos Central.
Tip: To get to the correct page in Central without the need to search for an endpoint, at the time of writing the direct URL to the computer page takes the form:
Servers take the form:
Where the <EndpointID> at the end of the URL is the unique endpoint ID issued to the managed client. This can be obtained with the command line:
type "%ProgramData%\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt"
Given the link format and this ID, you can construct the URL to the device page.
Please note that when SEDcli.exe is used via Live Response to switch off Tamper Protection, a locally logged-on user can access Settings in the UI while TP is off.