Discussions How do i monitor if some is trying to break the Sophos tamper?

Sophos Central requires membership for participation - click to join

Thread Info

State Not Answered
Replies 2 replies
Subscribers 9 subscribers
Views 1437 views
Users 0 members are here

Options

Suggested

How do i monitor if some is trying to break the Sophos tamper?

blueskies 8 months ago

Scenario - Attacker has made into a system and now wants to kill \stop the AV but is tamper locked.

From SIEM perspective to Monitor such events

what logs can be shipped from the Event viewer? or from Sophos log directories?

Added tags
[edited by: Gladys at 5:58 AM (GMT -7) on 27 Oct 2023]

Top Replies

blueskies 8 months ago in reply to GlennSen +1

that is surprising though as we should have some mechanism to detect tampering of the Endpoint protection software as attackers would attempt to do so normally.

0 GlennSen 8 months ago

Thank you for reaching out to the community forum.

For tamper protection, Receiving alerts for password failure attempts isn’t possible, as it only shows in reports when TP is successfully turned On/Off.

Glenn ArchieSeñas (GlennSen)

Global Community Support Engineer

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 blueskies 8 months ago in reply to GlennSen

that is surprising though as we should have some mechanism to detect tampering of the Endpoint protection software as attackers would attempt to do so normally.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel