Hi,
Does Sophos provide any native WMI namespaces/classes to programmatically retrieve information about the Endpoint Agent installed directly on devices, both Windows Client OS and Windows Server OS? For example I am looking to gather the overall health status (green tick, yellow warning, red critical etc. and the reason for each status) of devices that is shown in the 'Status' tab of the Sophos Endpoint Agent.
I have looked into the standard root/SecurityCenter and root/SecurityCenter2 namespaces but these do not exist on Windows Server OS.
We are a Sophos Partner and manage multiple organisations' endpoints, and while we do use the Sophos Partner portal for day-to-day activities I am looking for a way to include the status of Sophos in a monthly report, which also includes Windows Patch/Update health, disk health and lots more, so I would like it all captured in the one place; I am using PowerShell for gathering this other data.
I appreciate I can use the Sophos Central online API to check this information; however, if I am running PowerShell scripts locally in an organisation's environment, considering I am looking at many thousands of devices per organisation, checking them one-by-one as part of a PowerShell loop would be an extremely inefficient use of internet bandwidth. And of course if the WAN is offline the online API won't work anyway!
Essentially the script starts by gathering computer objects from AD then looping through, making both remote PowerShell and remote WMI/CIM connections and interrogating the necessary WMI classes needed to get my other data.
Thanks
Hello Lanky,
Thanks for reaching out to the Sophos Community Forum.
As far as Service Status goes, you can get some information from the following registry location.
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node…
Basically, this screen is what I want to gather...
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Status
0 = OK for each of the services
1 = Stopped service
For entry "health":
- 1 = Green
- 2 = Medium/yellow
- 3 = Red
Let me know if this will work for you, or if you’re looking for specifically WMI related information.
Hi Kushal
This is brilliant, thank you. I can see there's a lot more useful information in the entire Sophos registry key, so I don't suppose there's full documentation of it, is there?
Subkeys that look interesting are:
UpdateStatus -> Details
UpdateStatus -> VolatileFlags
Health -> Status (as you already said)
Health -> ThreatNotification
SAVService -> Status
SAVService -> Status -> Infected
SAVService -> Status -> LastScan
SAVService -> Status -> Policy
SAVService -> TamperProtection
SAVService -> Telemetry
SAVService -> UpdateStatus
Telemetry
Thanks again
I was able to locate some additional information in the following KBA. Information on the specifics you're looking for doesn't appear to be readily available. - Significant Anti-Virus files and registry entries
Much of this will need to be obtained through trial and error, though I will see if I can do some testing to help you out on some of these points.
Some of the values I was able to locate are as follows.
Sophos -> AutoUpdate -> UpdateStatus
"IsUpdating" - REG_DWORD, is created when an update is in progress
Sophos -> AutoUpdate -> UpdateStatus -> Details
"DownloadFailedSinceTime" - Downloads initially began failing at this timestamp
"DownloadStateCredit" - Default value is 72, decremented by 1 for every consecutive update failure
"EventStateLastDeviceId" - Same as (C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt)
"EventStateLastError" - Nature of update failure (not affected by download failures)
"EventStateLastTime" - Time when the last update error occurred
"InstallFailedSinceTime" - If a component installation failed, X time is when it originally occurred
"InstallState" - 0 is Good
"InstallStateCredit" - Default value is 3, presumably is decremented with each consecutive install failure
Sophos -> AutoUpdate -> UpdateStatus -> VolatileFlags
Entries here indicate whether a reboot after an update is necessary. Some updates will only add on additional scanning features, meaning the agent will remain operable in its current state. Other updates are critical, requiring the system to be rebooted right away.
Sophos -> Health -> ThreatNotification
- 1 = Green
- 2 = Yellow (PUA) or AppC detection
- 3 = Red, manual intervention required on the device (typically manual cleanup required or outbreak detected)
Entries within the location "SAVService" will be deprecated in future versions of Sophos Endpoint, so I would avoid relying on these too heavily.
Sophos -> Telemetry
A full explanation can be found in the following KBA: Telemetry Data Collection
Hopefully, this helps you out to some degree.
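The following is an added example for this thread, not code supplied by Sophos or by either poster. It takes the registry locations Kushal listed in his two replies (Health\Status, Health\ThreatNotification, AutoUpdate\UpdateStatus and its Details and VolatileFlags subkeys) and turns them into one report row per computer, using PowerShell remoting in the same AD-driven loop Lanky described. Points the thread does not state and which are therefore assumptions here: that ThreatNotification is a DWORD value directly under the Health key, that any entry at all under VolatileFlags means a reboot is due, and the names of the per-service values under Health\Status (the sample data uses a placeholder name). The SAVService values are deliberately not read, since Kushal says they will be deprecated. The sample hashtable at the bottom is constructed, not captured from a real endpoint, so the decoding part runs on a machine without Sophos installed.

```powershell
# Added example for this thread; not Sophos-supplied code. Anything marked ASSUMED is not stated in the thread.

# Runs on each endpoint. Only raw registry values are returned; hashtables survive remoting
# serialisation, so the decoding is done centrally and can be exercised without Sophos present.
$ReadSophosKeys = {
    $root = 'HKLM:\SOFTWARE\WOW6432Node\Sophos'   # 32-bit view of the hive, as given in the thread
    $read = {
        param([string]$Path)
        $h = @{}
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue   # absent key -> empty table
        if ($item) {
            foreach ($p in $item.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { $h[$p.Name] = $p.Value }       # skip PSPath, PSChildName, ...
            }
        }
        return $h
    }
    @{
        Computer      = $env:COMPUTERNAME
        Installed     = (Test-Path $root)
        HealthStatus  = (& $read "$root\Health\Status")
        Health        = (& $read "$root\Health")
        UpdateStatus  = (& $read "$root\AutoUpdate\UpdateStatus")
        UpdateDetails = (& $read "$root\AutoUpdate\UpdateStatus\Details")
        VolatileFlags = (& $read "$root\AutoUpdate\UpdateStatus\VolatileFlags")
    }
}

function Resolve-SophosCode {
    # Maps a numeric registry value to its label; absent or unexpected values are reported, not hidden.
    param([hashtable]$Map, $Value)
    if ($null -eq $Value) { return 'Unknown (value absent)' }
    $n = $Value -as [int]
    if ($null -eq $n -or -not $Map.ContainsKey($n)) { return "Unknown ($Value)" }
    $Map[$n]
}

function ConvertTo-SophosReportRow {
    param([hashtable]$Raw)
    $healthMap = @{ 1 = 'Green'; 2 = 'Yellow'; 3 = 'Red' }
    $threatMap = @{ 1 = 'Green'; 2 = 'Yellow (PUA/AppC detection)'; 3 = 'Red (manual intervention required)' }
    # Fixed column set so Export-Csv never drops columns when the first row is a short one.
    $row = [ordered]@{
        Computer = $Raw.Computer; Health = 'Not installed'; StoppedServices = $null; ThreatNotification = $null
        IsUpdating = $null; DownloadFailures = $null; DownloadFailedSince = $null; InstallOk = $null
        InstallFailures = $null; LastUpdateError = $null; LastUpdateErrorTime = $null; RebootPending = $null
    }
    if ($Raw.Installed) {
        $hs = $Raw.HealthStatus
        $d  = $Raw.UpdateDetails
        # Every value in Health\Status other than "health" is a per-service flag: 0 = OK, 1 = stopped.
        $stopped = @($hs.Keys | Where-Object { $_ -ne 'health' -and $hs[$_] -eq 1 } | Sort-Object)
        $row.Health              = Resolve-SophosCode $healthMap $hs['health']
        $row.StoppedServices     = ($stopped -join ', ')
        $row.ThreatNotification  = Resolve-SophosCode $threatMap $Raw.Health['ThreatNotification']  # ASSUMED: DWORD under Health
        $row.IsUpdating          = $Raw.UpdateStatus.ContainsKey('IsUpdating')   # value exists only while updating
        # Credit counters start at 72 (downloads) and 3 (installs) and drop by one per consecutive failure.
        if ($d.ContainsKey('DownloadStateCredit')) { $row.DownloadFailures = 72 - [int]$d['DownloadStateCredit'] }
        if ($d.ContainsKey('InstallStateCredit'))  { $row.InstallFailures  = 3  - [int]$d['InstallStateCredit'] }
        $row.DownloadFailedSince = $d['DownloadFailedSinceTime']
        $row.InstallOk           = ($d.ContainsKey('InstallState') -and [int]$d['InstallState'] -eq 0)
        $row.LastUpdateError     = $d['EventStateLastError']
        $row.LastUpdateErrorTime = $d['EventStateLastTime']
        $row.RebootPending       = ($Raw.VolatileFlags.Count -gt 0)   # ASSUMED: any entry here = reboot needed
    }
    [pscustomobject]$row
}

function Get-SophosHealthReport {
    # Enumerates targets from AD as the existing script does, fans out over WinRM with a throttle,
    # and keeps unreachable machines as rows of their own so the report is never silently short.
    param([string]$Path = '.\SophosHealth.csv', [int]$Throttle = 32)
    $targets = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name
    $raw = Invoke-Command -ComputerName $targets -ScriptBlock $ReadSophosKeys -ThrottleLimit $Throttle `
                          -ErrorAction SilentlyContinue -ErrorVariable remoteErrors
    $rows = @($raw | ForEach-Object { ConvertTo-SophosReportRow -Raw $_ })
    $rows += $remoteErrors | ForEach-Object {
        $r = ConvertTo-SophosReportRow -Raw @{ Computer = $_.TargetObject; Installed = $false }
        $r.Health = 'Unreachable'; $r.LastUpdateError = $_.Exception.Message; $r
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
}

# Constructed sample (not captured from a real endpoint) so the decoding can be run offline:
$sample = @{
    Computer = 'SRV01'; Installed = $true
    HealthStatus  = @{ health = 2; ExampleService = 1 }     # per-service value names ASSUMED
    Health        = @{ ThreatNotification = 1 }
    UpdateStatus  = @{}
    UpdateDetails = @{ DownloadStateCredit = 70; InstallState = 0; InstallStateCredit = 3 }
    VolatileFlags = @{}
}
ConvertTo-SophosReportRow -Raw $sample | Format-List   # Yellow, ExampleService stopped, 2 download failures
```

Call Get-SophosHealthReport from an account with local administrator rights on the targets and WinRM enabled; the remote scriptblock reads the registry locally on each machine, so the only traffic per endpoint is one small hashtable back, which is the bandwidth saving over polling the Central API per device. Because the path is written out as WOW6432Node explicitly, the same code works whether the collector itself is a 32-bit or 64-bit PowerShell process.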