Endpoint Agent WMI/PowerShell

Hi,

Does Sophos provide any native WMI namespaces/classes to programmatically retrieve information about the Endpoint Agent installed directly on devices, both Windows Client OS and Windows Server OS? For example, I am looking to gather the overall health status (green tick, yellow warning, red critical etc. and the reason for each status) of devices that is shown in the 'Status' tab of the Sophos Endpoint Agent.

I have looked into the standard root/SecurityCenter and root/SecurityCenter2 namespaces but these do not exist on Windows Server OS.

We are a Sophos Partner and manage multiple organisations' endpoints, and while we do use the Sophos Partner portal for day-to-day activities, I am looking for a way to include the status of Sophos in a monthly report, which also includes Windows Patch/Update health, disk health and lots more, so I would like it all captured in the one place; I am using PowerShell for gathering this other data.

I appreciate I can use the Sophos Central online API to check this information; however, if I am running PowerShell scripts locally in an organisation's environment, considering I am looking at many thousands of devices per organisation, checking them one-by-one as part of a PowerShell loop would be an extremely inefficient use of internet bandwidth. And of course if the WAN is offline the online API won't work anyway!

Essentially the script starts by gathering computer objects from AD then looping through, making both remote PowerShell and remote WMI/CIM connections and interrogating the necessary WMI classes needed to get my other data.

Thanks

  • Hello Lanky,

    Thanks for reaching out to the Sophos Community Forum. 

    As far as Service Status goes, you can get some information from the following registry location. 

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Status

    0 = Ok for each of the services
    1 = Stopped service

    For entry "health"
    - 1 = Green
    - 2 = Medium/yellow
    - 3 = Red

    Let me know if this will work for you, or if you're looking specifically for WMI-related information.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Kushal

    This is brilliant, thank you. I can see there's a lot more useful information in the entire Sophos registry key, so I don't suppose there's full documentation of it, is there?

    Subkeys that look interesting are:

    UpdateStatus -> Details
    UpdateStatus -> VolatileFlags
    Health -> Status (as you already said)
    Health -> ThreatNotification
    SAVService -> Status
    SAVService -> Status -> Infected
    SAVService -> Status -> LastScan
    SAVService -> Status -> Policy
    SAVService -> TamperProtection
    SAVService -> Telemetry
    SAVService -> UpdateStatus
    Telemetry

    Thanks again

  • I was able to locate some additional information in the following KBA. Information on the specifics you're looking for doesn't appear to be readily available.
    - Significant Anti-Virus files and registry entries

    Much of this will need to be obtained through trial and error, though I will see if I can do some testing to help you out on some of these points.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Some of the values I was able to locate are as follows. 

    Sophos -> AutoUpdate -> UpdateStatus
    "IsUpdating" - REG_DWORD is created when an update is in progress

    Sophos -> AutoUpdate -> UpdateStatus -> Details
    "DownloadFailedSinceTime" - Downloads initially began failing at this timestamp
    "DownloadStateCredit" - Default value is 72, decremented by 1 for every consecutive update failure
    "EventStateLastDeviceId" - Same as (C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt)
    "EventStateLastError" - Nature of update failure (not affected by download failures)
    "EventStateLastTime" - Time when the last update error occurred
    "InstallFailedSinceTime" - If a component installation failed, X time is when it originally occurred
    "InstallState" - 0 is Good
    "InstallStateCredit" - Default value is 3, presumably is decremented with each consecutive install failure

    Sophos -> AutoUpdate -> UpdateStatus -> VolatileFlags
    Entries here indicate whether a reboot after an update is necessary. Some updates will only add on additional scanning features, meaning the agent will remain operable in its current state. Other updates are critical requiring the system to be rebooted right away.

    Sophos -> Health -> ThreatNotification
    - 1 = Green
    - 2 = Yellow (PUA or AppC detection)
    - 3 = Red manual intervention required on the device (typically manual cleanup required or outbreak detected)

    Entries within the location "SAVService" will be deprecated in future versions of Sophos Endpoint, so I would avoid relying on these too heavily.

    Sophos -> Telemetry
    A full explanation can be found in the following KBA: Telemetry Data Collection

    Hopefully, this helps you out to some degree.

    Kushal Lakhan
    Team Lead, Global Community Support
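Pulling the values from the first answer (Health\Status) and the last one (UpdateStatus\Details, ThreatNotification, VolatileFlags) into one object per device, as an added example that is not from the thread or from Sophos. It assumes the AutoUpdate and ThreatNotification keys live under the same WOW6432Node root as Health\Status, that the value name under ThreatNotification is unknown (so the first DWORD found there is used), and that WinRM is already reachable on the targets, as the original poster's remoting loop requires.

```powershell
# Added example: collect Sophos Endpoint health from the registry keys described above.
# Assumption: all keys sit under HKLM\SOFTWARE\WOW6432Node\Sophos (only Health\Status is confirmed).
function Get-SophosEndpointStatus {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $probe = {
        $root = 'HKLM:\SOFTWARE\WOW6432Node\Sophos'
        $colour = @{ 1 = 'Green'; 2 = 'Yellow'; 3 = 'Red' }

        # Health\Status: "health" is the overall colour (1/2/3); every other DWORD
        # is a service flag where 0 = OK and 1 = stopped.
        $status  = Get-ItemProperty -Path "$root\Health\Status" -ErrorAction Stop
        $stopped = foreach ($p in $status.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and $p.Name -ne 'health' -and $p.Value -eq 1) { $p.Name }
        }

        # AutoUpdate\UpdateStatus\Details: credits count down on consecutive failures.
        $details = Get-ItemProperty -Path "$root\AutoUpdate\UpdateStatus\Details" -ErrorAction SilentlyContinue

        # Health\ThreatNotification: value name not given in the thread (assumption: first DWORD).
        $threat = Get-ItemProperty -Path "$root\Health\ThreatNotification" -ErrorAction SilentlyContinue
        $threatCode = ($threat.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [int] } |
            Select-Object -First 1).Value

        # VolatileFlags: any entries here mean an update wants a reboot; report their names.
        $flags = Get-Item -Path "$root\AutoUpdate\UpdateStatus\VolatileFlags" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            Health              = $colour[[int]$status.health]
            StoppedServices     = ($stopped -join ',')
            ThreatNotification  = $colour[[int]$threatCode]
            DownloadStateCredit = $details.DownloadStateCredit   # 72 = no consecutive download failures
            InstallState        = $details.InstallState          # 0 = good
            InstallStateCredit  = $details.InstallStateCredit    # 3 = no consecutive install failures
            RebootFlags         = if ($flags) { $flags.GetValueNames() -join ',' } else { '' }
        }
    }

    # One remoting call for all devices; unreachable hosts become warnings, not a stopped loop.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe `
        -ErrorAction SilentlyContinue -ErrorVariable remoteErrors
    foreach ($e in $remoteErrors) { Write-Warning $e.ToString() }
}

# Usage (constructed names): feed the AD computer list, export for the monthly report.
# Get-SophosEndpointStatus -ComputerName 'SRV01','WKS07' | Export-Csv sophos-status.csv -NoTypeInformation
```

A red Health with an empty StoppedServices column points at ThreatNotification or the update credits rather than a dead service, which is the distinction the report wants to show.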