darrinpio

Sophos Scripts Needed


Thanks for the feedback @MidbossQ - I plan to implement them shortly. Interested to know if you have many services failing / machines rebooting based on what they have included.


The actual rollout has been fine so far, not much noise.

The only noise/issue is that we are moving from Webroot. It looks as if Labtech is still picking up leftovers and reporting Webroot as the AV, so it is putting the machines into "Missing Sophos Endpoint" even though Sophos is on and checking in.

Reviewing our options now to clean that up.

Edited by MidbossQ


For anyone else watching this, just a word of warning here.

The 'Sophos Central Endpoints' group that gets imported uses a search to find endpoints.

It also includes a remote monitor that checks for the Sophos registry key indicating that a reboot is required, and it is set to the alert template '~autofix action reboot computer'.

I can't imagine this is by design from Sophos, but for me, the group imported, and before I checked what had occurred, it applied the remote monitor, and in the middle of the day I had a bucket load of customers' workstations and servers reboot. Was spectacular.

I've killed off the searches from the group now, but if you are importing them, I suggest you do that immediately after importing to ensure things are how you want them first, so you don't have the same scenario.

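As an added example (not from the thread, Sophos or ConnectWise), a report-only PowerShell check that a remote monitor could run in place of the autofix-reboot template: it reads a registry value and returns a status string, and only reports a reboot as acceptable inside a maintenance window. The registry path and value name are placeholders, because the thread does not name the key.

```powershell
# Added example, not from the thread or from Sophos/ConnectWise. Report-only
# replacement for a "reboot required" remote monitor: it never reboots.
param(
    # PLACEHOLDER: the thread does not name the key; substitute the real path/value.
    [string]$KeyPath      = 'HKLM:\SOFTWARE\PLACEHOLDER_SOPHOS_KEY',
    [string]$ValueName    = 'PLACEHOLDER_REBOOT_REQUIRED_VALUE',
    [int]$WindowStartHour = 22,   # maintenance window 22:00-05:00 local time
    [int]$WindowEndHour   = 5
)

function Test-RebootFlag {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    # Treat any non-zero / non-empty value as "reboot pending".
    return [bool]$item.$Name
}

function Test-InMaintenanceWindow {
    param([int]$Start, [int]$End, [datetime]$Now = (Get-Date))
    $h = $Now.Hour
    if ($Start -le $End) { return ($h -ge $Start -and $h -lt $End) }
    # Window wraps past midnight (e.g. 22 -> 5).
    return ($h -ge $Start -or $h -lt $End)
}

$pending  = Test-RebootFlag -Path $KeyPath -Name $ValueName
$inWindow = Test-InMaintenanceWindow -Start $WindowStartHour -End $WindowEndHour

# The monitor's alert template can match on these prefixes; none of them
# triggers a reboot by itself, so an operator decides what happens next.
if (-not $pending)  { Write-Output 'OK: no Sophos reboot pending' }
elseif ($inWindow)  { Write-Output 'REBOOT-OK: pending and inside maintenance window' }
else                { Write-Output 'DEFER: pending but outside maintenance window' }
```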

Confirmed there were 100% issues with the items I posted here and what was available in the portal.

Expecting an update to them soon; the old items have been taken down in the portal.


For anyone still watching this, or finds it, Sophos have now released their official kit into the Automate Solution Center for deployment / monitoring.


So I'm following up on this thread. Has anyone made any scripts for Sophos? We just got started with Connectwise Automate because I got tired of fixing Sophos deployments for our 2000+ endpoints. Just wanted to see what was out in the community.

If not I'll try and make some repair scripts and post them for others like me.

I already have an event log reset script that resets the local Sophos event log on an endpoint if it doesn't clear the "Suspicious" health status after a malware/PUA clean-up.


The solution is simple: stop using Sophos. If you have to go to that much effort just so that the AV solution functions and operates properly, it's time to look at another solution.

The fact that I had to go to the lengths I did to write a somewhat proper removal script for Sophos (when Sophos themselves are not providing any reliable and effective script) speaks a lot to how bad of a scamware and application Sophos is, and to read how much maintenance and effort it takes to keep it running makes it all the more appalling that anyone would even consider Sophos.

8 hours ago, Will_Mc_BMB said:

So I'm following up on this thread. Has anyone made any scripts for Sophos? We just got started with Connectwise Automate because I got tired of fixing Sophos deployments for our 2000+ endpoints. Just wanted to see what was out in the community.

If not I'll try and make some repair scripts and post them for others like me.

I already have an event log reset script that resets the local Sophos event log on an endpoint if it doesn't clear the "Suspicious" health status after a malware/PUA clean-up.

Hey mate, so what issues are you having with Sophos deployments when you say you need to fix them? We have the same if not more endpoints and are not seeing them fail, so keen to know what you are seeing.

Regarding the suspicious health status, where are you seeing that? Do you mean within Sophos Central or on the endpoint itself? We are just starting to look at options now. Ben Verschaeren has put some stuff up on Git here to interface with the Partner CLI: https://github.com/0xBennyV - @Gavsto tagging you just FYI as well in the event you wanted to play with the Central API.

On 12/17/2019 at 4:56 PM, Jacobsa said:

Hey mate, so what issues are you having with Sophos deployments when you say you need to fix them? We have the same if not more endpoints and are not seeing them fail, so keen to know what you are seeing.

Regarding the suspicious health status, where are you seeing that? Do you mean within Sophos Central or on the endpoint itself? We are just starting to look at options now. Ben Verschaeren has put some stuff up on Git here to interface with the Partner CLI: https://github.com/0xBennyV - @Gavsto tagging you just FYI as well in the event you wanted to play with the Central API.

Thanks man! We actually already made scripts using the Partner API. We keep seeing "Failures to Protect", which can be any number of issues. It seems to be environmental. As we have gone through and replaced/upgraded machines to Win 10, we have been seeing less and less of them; however, they are still there.

I'm mostly tackling disabling sleep and re-enabling sleep. I've tried looking up scripts here that can perform that; however, I have not found any that can do that just yet.

There are also duplicate devices, out-of-date ones, PCs just straight up not checking in to Central even though they are online, policy non-compliance alerts where I cannot start services until I uninstall and reinstall, etc.

We got all the issues haha.

Edited by Will_Mc_BMB
Did not finish post.

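One way to script the sleep toggle mentioned in the post above, added here as an example that is not code from the thread or from Sophos: clone the active power scheme, zero its timeouts for the duration of the deployment, and restore the original scheme in a finally block. It uses only built-in powercfg switches and assumes an elevated PowerShell session.

```powershell
# Added example, not from the thread: disable sleep for a deployment by cloning
# the active power scheme, then put the original scheme back afterwards.
$guidPattern = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'

function Get-ActiveSchemeGuid {
    # powercfg prints "Power Scheme GUID: <guid>  (Name)"; pull out the GUID.
    $out = powercfg /getactivescheme
    if ($out -match $guidPattern) { return $Matches[0] }
    throw 'Could not determine the active power scheme.'
}

function Disable-SleepForDeployment {
    # Returns the original and temporary scheme GUIDs so the caller can restore.
    $original = Get-ActiveSchemeGuid
    $dup = powercfg /duplicatescheme $original
    if (-not ($dup -match $guidPattern)) { throw 'powercfg /duplicatescheme failed.' }
    $temp = $Matches[0]
    powercfg /changename $temp 'Deployment (no sleep)' 'Temporary scheme; safe to delete.'
    powercfg /setactive $temp
    # /change edits the active scheme; 0 means "never" for each timeout.
    $timeouts = 'standby-timeout-ac', 'standby-timeout-dc',
                'hibernate-timeout-ac', 'hibernate-timeout-dc',
                'monitor-timeout-ac', 'monitor-timeout-dc'
    foreach ($t in $timeouts) { powercfg /change $t 0 }
    return [pscustomobject]@{ Original = $original; Temporary = $temp }
}

function Restore-Sleep {
    param([Parameter(Mandatory)]$State)
    # Reactivate the untouched original scheme and drop the temporary clone.
    powercfg /setactive $State.Original
    powercfg /delete $State.Temporary
}

# Usage: wrap the deployment so the scheme is restored even if the install fails.
$state = Disable-SleepForDeployment
try {
    # ... run the endpoint installer here ...
}
finally {
    Restore-Sleep -State $state
}
```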

Have you installed the Sophos Central integration from the solution center?

It comes with some scripts from sophos.

Two of them are install and uninstall. A new version of the integration is on its way.

For uninstallation you first need to turn off tamper protection in Sophos Central.

We are using this. On every new machine for a customer using Sophos, the endpoint automatically gets installed, so you never have a computer without protection.


I have had a lot of headache moving from BD to Sophos... just for the fact that scripts supplied by Sophos half-ass work. But like you guys I made some adjustments. I do have some questions; if there are any other MSP partners that would like to chat, let me know.
