1. The purpose of the article
Techbast will guide you to use Sophos Central’s Live Discover feature to create a query to check the status of Tamper Protection on workstations and servers that have Sophos Endpoint installed.
- The internet connection is on port 2 of the Sophos Firewall device, with IP 10.150.30.106.
- The LAN subnet is on port 1 of the Sophos XG Firewall device, with IP 172.16.16.16/24, and a DHCP server is configured to allocate IPs to connected devices.
- In the LAN we have 2 devices: one is the WIN-V3N9Q4OC2GG server with IP 172.16.16.19/24 and Sophos Endpoint installed.
- The second is a Windows 10 PC named DESKTOP-HP5D580 with IP 172.16.16.17/24, which also has Sophos Endpoint installed.
We will turn off Tamper Protection on the PC DESKTOP-HP5D580.
Then we perform a query in Sophos Central using the Live Discover feature to check which of the two devices has Tamper Protection turned off.
4. What to do
- Turn off Tamper Protection on the DESKTOP-HP5D580.
- Create query.
5.1. Turn off Tamper Protection on the DESKTOP-HP5D580.
To turn off Tamper Protection, we need to log in to Sophos Central with an admin account.
Next, we go to Devices > Computers and click the device name DESKTOP-HP5D580.
In the Tamper Protection section, we click Disable Tamper Protection to turn off this feature for the DESKTOP-HP5D580.
To create a query, go to Threat Analysis Center > Live Discover.
First, we will turn on Designer Mode.
Then we click Create new query to create a new query.
The query creation form appears; we enter the following information:
- Query Name: enter Query Tamper Protection status.
- Category: select Device.
- Source: select Live Endpoint and then select Windows (Note: with this option, the computer or server must have an internet connection to be queried).
- In the SQL box, enter the query below. It reads the osquery registry table and returns the SEDEnabled value of the Sophos Tamper Protection configuration key only when that value is 0, i.e. when Tamper Protection is turned off:
SELECT * FROM registry
WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config' AND name='SEDEnabled' AND data=0;
- In the Device selector, select the computer and the server that have Sophos Endpoint installed, then click Query.
Wait a few seconds; the query results show which computer or server has Tamper Protection turned off.
As you can see, the DESKTOP-HP5D580 computer that we turned off Tamper Protection in step 1 has appeared.
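As an added example (not the Techbast article's own query), the same registry lookup extended to report the Tamper Protection state of every selected device instead of only the ones where it is off, so that enabled and disabled devices are listed side by side. It assumes, as the article does, that Live Discover exposes the osquery registry table, treats any SEDEnabled value other than 0 as enabled, and uses that table's mtime column to show when the value was last written.

```sql
-- Added example, not the article's query: report the Tamper Protection state of
-- every selected device instead of filtering on data=0 only.
-- Assumes the osquery 'registry' table exposed by Live Discover; any SEDEnabled
-- value other than 0 is treated as enabled (the article only documents 0 = off).
SELECT
    path,
    name,
    data AS sed_enabled,
    CASE
        WHEN data = 0 THEN 'OFF - Tamper Protection disabled, re-enable and investigate'
        ELSE 'ON'
    END AS tamper_protection_status,
    -- mtime is the last write time of the key, useful to see when it was changed
    datetime(mtime, 'unixepoch') AS key_last_modified_utc
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
  AND name = 'SEDEnabled'
ORDER BY data ASC;
```

A selected device that returns no row at all either was offline during the query or does not have the key, so it should be checked separately rather than assumed to be protected.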
With the Live Discover feature and this query, we can check the status of Tamper Protection on computers.
From there, we can identify which computer has Tamper Protection turned off, since Tamper Protection is what prevents users from removing the Sophos Endpoint software from the computer.