Sophos XDR: Instructions for creating Query to check whether Tamper Protection is enabled on workstations or servers

1.The purpose of the article

Techbast will guide you to use Sophos Central’s Live Discover feature to create a query to check the status of Tamper Protection on workstations and servers that have Sophos Endpoint installed.



  • The internet connection is connected at port 2 of the Sophos Firewall device with IP 10,150.30.106.
  • The LAN subnet is configured at port 1 of the Sophos XG Firewall device with IP and configured with a DHCP Server to allocate IPs to connected devices.
  • In the LAN we will have 2 devices one is WIN-V3N9Q4OC2GG server with IP and installed Sophos Endpoint.
  • The second is a Windows 10 PC named DESKTOP-HP5D580 with IP and also has Sophos Endpoint installed.


We will turn off Tamper Protection on a PC DESKTOP-HP5D580.

Then perform a Query on Sophos Central using the Live Discover feature to check which one of the two devices has Tamper Protection turned off.

4.What to do

  • Turn off Tamper Protection on the DESKTOP-HP5D580.
  • Create query.


5.1.Turn off Tamper Protection on the DESKTOP-HP5D580.

To turn off Tamper Protection we need to log in to Sophos Central with an admin account.

Next we go to Devices > Computers > click on the DESKTOP-HP5D580 name of the device.

In the Tamper Protection section, we click Disable Tamper Protection to turn off this feature for the DESKTOP-HP5D580.

5.2.Create query

To create a query, go to Threat Analysis Center > Live Discover.

First, we will turn on Designer Mode.

Then we click Create new query to create a new query.

The query creation table appears, we will enter the following information:

  • Query Name: Name this query Query Tamper Protection status.
  • Category: select Device.
  • Source: select Live Endpoint and select Windows (Note with this option, the computer or server must have an internet connection to be able to query).
  • In the SQL box we enter the code below.

select data,path

from registry

where key=’HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config’ AND name=’SEDEnabled’ AND data=0;

  • At the Device selector we select the computer and the server that has installed Sophos Endpoint and click Query.

Wait a few seconds, the query results will show which computer or server Tamper Protection is turned off.

As you can see, the DESKTOP-HP5D580 computer that we turned off Tamper Protection in step 1 has appeared.

With the Live Discover feature and this query, it helps us to check the status of Tamper Protection on computers.

From there, it helps us to determine which computer has Tamper Protection turned off to prevent users from being able to remove the Sophos Endpoint software from the computer.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.