darrinpio

Sophos Scripts Needed


We are using the Sophos Central Partner (MSP Connect) or whatever you want to call it dashboard. I have successfully created a few monitors that check for infections, but now I need a script or two to pull the quarantine log, create a ticket, attempt a cleanup, report back if failed, and so on. Sophos sent me something, but it does not import properly. They also sent me a document with screenshots, which I have tried manually entering the script from, but not all the lines are visible.


We are using Labtech hosted.


Thanks.


We are also planning to build deployment and removal scripts, but would also be interested in the scripts you've mentioned. Let me know if you can share.


Dude! This is fantastic! I'd started building an almost identical script/EDF setup but stopped as the thin installer was hanging when run via command line.

I did end up building scripts for using the “fat” installer (one needed per tenant), but this seems much cleaner. This is actually a great foundation they’ve given you/us.  

I’ll be deploying this tomorrow as we have a ton of Central rollouts planned. I’ll report back with hopefully positive results.  

Edited by jlane


I have actually just finished my auto-installer via the fat installer yesterday, and received this today. I think I will stick with what I have done rather than the thin one here; I like what I did better. :P

For reference, I have made an EDF at the client level for the URL to the installer, and we paste in the link from central to whatever the customer has (the installer for full, just endpoint, just intercept x, etc). I have an on-demand install script that calls that to download and runs silently (two scripts, one with the detect third party option and one without).

For the auto installer, I have another EDF at the client level to 'enable' auto install, then some 'disable' EDFs at the location / computer level to allow exclusions, and then using a search / group, detect machines that are meant to be auto-installed on and don't have it installed, then download / install as needed. Tries a few options, prompts for reboots if it can't get it installed, then after x attempts will try without detecting third party software, then a few attempts later make a ticket.



Nice! That sounds more comprehensive than what I'd built. If you do have the time, please share with us, as I'm sure everyone would benefit.


I am still testing it at the moment since I only built it yesterday. Once I've confirmed the thing works correctly and made any changes needed, I will pop it up here.


Yeah... built one today, in fact. I just have to finish testing the uninstall script. They've made it much easier in the newest versions... just run C:\program files\Sophos\Sophos Endpoint Agent\uninstallcli.exe

Can anyone think of more flexibility that I could/should add? Here's what I have so far:

Client level - TWO EDFs - one for mgt server info and one for client id info

Location level - FOUR EDFs - enable server install, enable workstation install, product set to install on workstation, product set to install on server

Computer level - TWO EDFs - override product list to install, and deny install on this machine.



@chavousc that sounds awesome! I think you’ve built in much more flexibility than the defaults from Sophos. And an uninstaller script is important as well for easy offboarding.  

I don’t think there’s much more you could add to the install side.  Sophos has provided a decent framework for monitors and group installs, so I’d be interested as to whether you’re leveraging this or have just built it all from scratch. 

Sharing is caring! ;)


I forgot to mention the uninstall script. I found that new command the other day as well and tested it via a script and it works well.

Chav, you have done a few more EDFs than I plan to, but I mean the option is there; you can do as many as you like depending on how granular you are getting. Because I am using the URL per customer (which for me defines which product to install), I only need that, and we don't mix and match per customer: all servers get x, all endpoints get y.

I'd be interested to hear from you guys about how your Sophos Central endpoints are behaving in terms of services. I took a 'clean' workstation installed with Endpoint Advanced + Intercept X, checked what services are installed and should be running, then wrote monitors for that to restart if stopped and create tickets if still stopped / missing. What I found was around 3% of our endpoints were missing some services, yet Sophos Central never complained about that and gave the 'green tick' that everything was fine. I haven't been able to get any documented information from Sophos about what should actually be there, and whether these missing services are actually a problem or not, but what my team has found is that doing complete uninstalls, reboots and re-installs gets the 'full' list of services back, so I can only assume it is an error.

I had a phone call about 30 minutes ago where they believe they have found a particular service not starting due to a compatibility problem with Malwarebytes. Apparently there are some references to it on the forums, and sure enough the two machines they were looking at today have MB on it, so they are cleaning as we speak and seeing if it fixes it and we may end up scripting an uninstall of Malwarebytes if found on Sophos machines as well.
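As an added example of the kind of service monitor described in the post above (not code from this thread, from Sophos or from the linked scripts), here is a PowerShell check that compares the services present on an endpoint against a baseline captured from a clean reference install, tries to restart the stopped ones, and reports anything still stopped or missing so the RMM can raise a ticket. The service display names in the baseline are assumed for illustration; replace them with the list taken from your own clean machine.

```powershell
# Added example: Sophos service-health monitor for an RMM script.
# ASSUMED baseline for illustration only. Capture the real list on a clean
# reference install with: Get-Service -DisplayName 'Sophos*' | Select DisplayName
$Baseline = @(
    'Sophos MCS Client',
    'Sophos MCS Agent',
    'Sophos AutoUpdate Service',
    'Sophos Endpoint Defense Service',
    'Sophos Network Threat Protection'
)

function Test-SophosServices {
    param(
        [string[]]$ExpectedDisplayNames = $Baseline,
        [switch]$AttemptRestart
    )
    $report = foreach ($name in $ExpectedDisplayNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Service is not registered at all: the "missing" case from the thread.
            [pscustomobject]@{ Service = $name; State = 'Missing'; Restarted = $false }
            continue
        }
        $restarted = $false
        if ($svc.Status -ne 'Running' -and $AttemptRestart) {
            # Tamper protection or a broken install may refuse the start;
            # capture the failure instead of aborting the whole check.
            try {
                Start-Service -Name $svc.Name -ErrorAction Stop
                $svc.Refresh()
                $restarted = ($svc.Status -eq 'Running')
            } catch { $restarted = $false }
        }
        $state = 'Stopped'
        if ($svc.Status -eq 'Running') { $state = 'Running' }
        [pscustomobject]@{ Service = $name; State = $state; Restarted = $restarted }
    }
    $report
}

# Monitor entry point: non-zero exit plus a one-line summary for ticket creation.
$result = Test-SophosServices -AttemptRestart
$bad = $result | Where-Object { $_.State -ne 'Running' }
if ($bad) {
    'FAIL: ' + (($bad | ForEach-Object { "$($_.Service)=$($_.State)" }) -join '; ')
    exit 1
}
"OK: all $($result.Count) expected Sophos services running"
exit 0
```

Run it as SYSTEM from the RMM; a Missing result is the case the post describes, where a reinstall rather than a restart is needed.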

1 hour ago, Jacobsa said:

I had a phone call about 30 minutes ago where they believe they have found a particular service not starting due to a compatibility problem with Malwarebytes. Apparently there are some references to it on the forums, and sure enough the two machines they were looking at today have MB on it, so they are cleaning as we speak and seeing if it fixes it and we may end up scripting an uninstall of Malwarebytes if found on Sophos machines as well.

Jacobsa

Do you know if Malwarebytes removed the missing services or if the Sophos install failed to install those services with Malwarebytes running? We currently have Malwarebytes running on many end clients and as we are migrating them over to Sophos I would love to avoid any issues like this. 


Definitely didn't remove them (the two things in my previous post were separate: some services missing, some services not starting). Update from my team is the references they found didn't fix these two machines in question; the network protection service still wouldn't start despite removals and fresh installs. They have logged tickets with Sophos.


@Jacobsa, I've had the opposite happen... services *are* installed and *are* running, but Central tells me there is an issue and never gives the green tick... which is REALLY maddening... especially if you are trying to use syncsec...

And yes, I will share what I have done... just as soon as I finish testing the script.  My biggest issue with uninstall, though, is it absolutely does not work if tamper protection is enabled.  That's a *good thing* for security, but a darned annoying thing for automation when you need to uninstall and offboard.

Really, our "friends" at Sophos need to write a plugin... plain and simple... but they won't. Or haven't, yet. They've *promised* one at the last *SEVERAL* Sophos Discover conferences, but nothing yet.......


About 15% of our endpoints will generate this alert PER day. We started ignoring them. It always happens with a reboot. I wish we could control alerts from the dashboard. I have not been able to figure that out and no one on the partner team responds to emails.

BTW it has been a year since they started promising a Labtech integration. Sophos is dangling a carrot to get MSPs on board.

4 hours ago, darrinpio said:

BTW it has been a year since they started promising a Labtech integration. Sophos is dangling a carrot to get MSPs on board.


Two years, by my count... 

Who are you contacting at the partner team? I can get some folks - like the MSP folks (travis and his co-horts) - to respond... 


And may I just say.... automating the uninstall via uninstallcli.exe is more annoying than it looks.

Even with tamper protection off, it __REALLY__ does not want to uninstall. Like REALLY doesn't. It's told me that I have to reboot prior to install multiple times now after multiple reboots....

Geez Sophos - I get that you want to be hard to uninstall so malware can't have an easy go of it, but this is a wee bit ridiculous.



Ok... Scripts are ready. 

https://github.com/cirlc/cwa-scripts/tree/master/Sophos-Deploy

The uninstaller is much more fun than the installer... it actually parses the output and decides what happened... did it install? Do you need to reboot first? Is tamper protection enabled? I didn't have enough test cases to run the installer through those same bits of fun... and supposedly the installer does spit some error messages out... but the installer just uses regular old "is this service active"-type tests after install to verify. Not as elegant, but works.

Read the readme. Look at the excel spreadsheets... they contain the visual output of the script.  Hope this is useful to someone.

Feel free to suggest any updates.


Hey mate, awesome work there. Much more polished version for others to use than what I have put together, but a similar end result. 

I hope you don't mind, I shared it with the VP for Global MSP at Sophos to give them some inspiration. ;)


FYI, also on the services issue we discussed.

Article ID: 127758
Title: Sophos Central: Alerts for missing/stopped services for Windows computers
URL: https://sophos.com/kb/127758 
-----------------------------------------

Further information

We are aware of the disruption this can cause for customers who have affected endpoints. Sophos is investigating the underlying causes of all issues and all scenarios that can lead to the issue arising. We are addressing a number of service related issues as follows:

  1. Suppress the alerting and sending of mails to instances where the service reports stopped or missing for computers. This was done on the 18th November 2017.
  2. Change the event in Sophos Central to clarify the actual state of the service (stopped or missing). This is planned for release as soon as possible, our current estimate is January 20th, 2018. At this time the Central Admin UI will prefix whether the service is stopped or not present, for example:

  3. Releasing a product update, planned for the second half of January/beginning of February 2018 that will:
    • Address the cosmetic issues of services reporting as stopped on startup/shutdown.
    • Automatically fix a number of instances where services are either missing or cannot start.

Further analysis and investigation is being performed on any further service related issues and this article will be updated as soon as further information is available.


12 hours ago, Jacobsa said:


I hope you don't mind, I shared it with the VP for Global MSP at Sophos to give them some inspiration. ;)

Oh, you sent it to Scott? Good. Maybe he'll run with it.


For anyone still looking, attached are the latest 'official but not supported' scripts from Sophos. They also include the latest definitions for Automate to detect the new endpoint version, so even if you are using @chavousc's scripts above, you may want to import the SQL definition from this to ensure everything is detecting OK. @jlane FYI.

Sophos Central Thin Installer Setup v2.zip

Sophos Central Thin Installer Setup (Automate) v2.pdf


Just adding a note here to say the scripts and groups work perfectly from the Sophos MSP Hub.

The only issue is that when importing the XML it puts the groups under the Cisco folder (irony much?), but other than that it looks good and I have tested pushing it out to a few devices in our test lab.

Next I need to look into ways to automate enabling TPM, since pushing out disk encryption on a new machine will try and do it with a PIN if it's not enabled.
