Sophos diagnose Utility from Console end

Hi Team,


We could see a button Diagnose from console end to collect and send logs directly to Sophos.

But may we know whether they will be sent if the logged-in user doesn't have access to the Temp folder, as the created logs are stored in the Temp folder?


Regards,

Balarama Kishore Yerra

  • The command is initiated by the MCS Agent service, so it runs as Local System, so \windows\temp\ is likely to be used.

    I'm pretty sure you will find the log under \windows\temp\sdu\

    Regards

    Jak

  • In reply to jak:

    Hi Jak,


    Yes, they are stored under the \windows\temp\sdu\ folder.

    But my query is: will they be uploaded to Sophos when we click Diagnose from the console end and the user doesn't have access to that folder?

    Regards,

    Balarama Kishore Yerra

  • In reply to balaramyerra:

    Hello Balarama Kishore Yerra,

    Please see Sophos Diagnostic Utility (SDU) - How to run from Sophos Central, which says "... and to automatically be uploaded to a Sophos address without the need to visit the device itself." So no user interaction or access to the folder is required.

    Christian

  • In reply to balaramyerra:

    The zip file will be uploaded to Sophos at the end.  It will be sent by "C:\Program Files (x86)\Sophos\Sophos Diagnostic Utility\uploader.exe"

    https://community.sophos.com/kb/en-us/133466

    I'm not sure what you're getting at regarding the user having access?

    MCS Client service (MCSClient.exe) picks up the action message from Central to run a diagnose task.  It passes a message to the MCS Agent service (MCSAgent.exe).  The Agent process is running as local system and creates the process:

    "C:\Program Files (x86)\Sophos\Sophos Diagnostic Utility\uploader.exe" -uploadurl sdu-feedback.sophos.com/.../[endpointid]_[Date Time].zip

    Uploader then calls:
    "C:\Program Files (x86)\Sophos\Sophos Diagnostic Utility\sducli.exe" -logdir=C:\WINDOWS\TEMP\sdu\ -archive=[endpointid]_[Date Time].zip

    Sducli.exe creates the zip file given the filename and path. At the end the zip is uploaded to https://sdu-feedback.sophos.com by uploader.exe.

    If you want to be able to generate the zip files (i.e. drop them to disk) but not send them, I guess you'd have to block https://sdu-feedback.sophos.com in some way.

    Regards,

    Jak
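The following PowerShell script is an added example for checking, on the endpoint, the chain Jak describes above; it is not part of the thread or of Sophos' own tooling. It assumes the default install path for uploader.exe, the log directory C:\Windows\Temp\sdu\ and the upload host named in the reply, and it identifies the MCS Agent service by the executable in its path rather than by a service name, since the thread does not give one.

```powershell
# Added example, not from the thread: verify the Diagnose chain described above.
# Assumptions (not from the original post): default install paths, the log directory
# C:\Windows\Temp\sdu\ and the upload host sdu-feedback.sophos.com as quoted by Jak.
$sduDir       = 'C:\Windows\Temp\sdu'
$sduBinDir    = 'C:\Program Files (x86)\Sophos\Sophos Diagnostic Utility'
$uploader     = Join-Path $sduBinDir 'uploader.exe'
$feedbackHost = 'sdu-feedback.sophos.com'

# 1. Which account runs the MCS Agent service? The thread says Local System, which is
#    why the interactive user's rights on the Temp folder do not matter for the upload.
#    We match on the service binary path because the service name is not given above.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*MCSAgent.exe*' -or $_.PathName -like '*MCSClient.exe*' } |
    Select-Object Name, StartName, State, PathName |
    Format-Table -AutoSize

# 2. Inspect the log directory's ACL and any archives already dropped there.
#    Archives are named [endpointid]_[Date Time].zip according to the reply.
if (Test-Path $sduDir) {
    (Get-Acl -Path $sduDir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
    Get-ChildItem -Path $sduDir -Filter '*.zip' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime
} else {
    Write-Output "No SDU log directory at $sduDir (no diagnose run yet, or a different path)."
}

# 3. If a Diagnose task is running right now, show the parent/child chain
#    MCSAgent.exe -> uploader.exe -> sducli.exe and the account each runs as.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -in @('MCSAgent.exe', 'uploader.exe', 'sducli.exe') }
foreach ($p in $procs) {
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Process     = $p.Name
        PID         = $p.ProcessId
        Parent      = if ($parent) { $parent.Name } else { '(exited)' }
        RunsAs      = "$($owner.Domain)\$($owner.User)"
        CommandLine = $p.CommandLine
    }
}

# 4. Can the endpoint reach the upload host over HTTPS? If this fails, or the host is
#    blocked deliberately as Jak suggests, the zip stays on disk but is not sent.
Test-NetConnection -ComputerName $feedbackHost -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# 5. Check that the uploader binary that will send data off the box carries a valid
#    Authenticode signature before trusting what it uploads.
if (Test-Path $uploader) {
    Get-AuthenticodeSignature -FilePath $uploader |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}
```

Run it from an elevated PowerShell prompt: the ACL query on C:\Windows\Temp\sdu and the process owner lookup both need administrative rights, and an elevated session is also what shows the SYSTEM-owned processes a standard user cannot see. Step 3 only produces output while a Diagnose task is actually in progress.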

  • In reply to QC:

    Hello Christian,


    Thanks for your answer, and may we know when the Diagnose feature will be included for Mac devices?


    Regards,

    Balarama Kishore Yerra