Sophos Diagnostic Utility (SDU) - How to run from Sophos Central

Hi Everyone,

The article provides information on the process of running and obtaining the Sophos Diagnostic Utility (SDU) when triggered from Sophos Central.

This process allows the Sophos Diagnostic Utility (SDU) to be run on a Central managed Windows computer/server from Sophos Central Admin and to automatically be uploaded to a Sophos address without the need to visit the device itself.

  • This is a useful feature as it can be useful to remotely create an SDU that can also be harvested internally.

    I see from running Process Monitor on the client, that once the command is picked up by MCS, the MCS Agent process (MCSAgent.exe) launches the command:

    "C:\Program Files (x86)\Sophos\Sophos Diagnostic Utility\uploader.exe" -uploadurl  https://sdu-feedback.sophos.com/prod/[machineID]_[timestamp].zip

    This in turn launches the child sducli.exe process:

    "C:\Program Files (x86)\Sophos\Sophos Diagnostic Utility\sducli.exe" -logdir=C:\WINDOWS\TEMP\sdu\ -archive=[machineID]_[timestamp].zip

    Where the zip file name is based on the unique machine ID, as referenced here:

    %ProgramData%\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt

    So each SDU generated ends up here: 

    C:\Windows\Temp\sdu\[machineID]_[timestamp].zip

    After being uploaded they remain in this location so they could be obtained from the clients for investigations.  The filename is listed on the device page in Central as well so you know the name of the file in the above location.

    Maybe someone will find this useful.

    Regards,

    Jak
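An added collection script (not from the post above or from Sophos) that uses the paths Jak describes: it enumerates the archives in C:\Windows\Temp\sdu, splits each name into machine ID and timestamp, cross-checks the ID against EndpointIdentity.txt, records a SHA-256 so the copy can be verified later, and copies the archive to an internal share. It assumes the name layout [machineID]_[timestamp].zip with no underscore in the ID, that EndpointIdentity.txt holds the ID as plain text, and a hypothetical destination \\forensics\sdu-collection.

```powershell
# Added example, not Sophos code: inventory and preserve Central-triggered SDU archives.
param(
    [string]$SduDir          = 'C:\Windows\Temp\sdu',
    [string]$IdentityFile    = "$env:ProgramData\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt",
    [string]$CollectionShare = '\\forensics\sdu-collection'   # hypothetical destination share
)

# Assumption: the identity file contains the machine ID as plain text.
$identity = if (Test-Path $IdentityFile) { (Get-Content $IdentityFile -Raw).Trim() } else { $null }

Get-ChildItem -Path $SduDir -Filter '*.zip' -File -ErrorAction SilentlyContinue | ForEach-Object {
    # Name layout from the post: <machineID>_<timestamp>.zip; assumes no underscore in the ID.
    if ($_.BaseName -match '^(?<MachineId>[^_]+)_(?<Timestamp>.+)$') {
        $machineId = $Matches.MachineId
        $timestamp = $Matches.Timestamp
    } else {
        Write-Warning "Unexpected SDU archive name, skipping: $($_.Name)"
        return
    }

    # Sanity check: the ID embedded in the name should be this endpoint's own identity.
    $idMatches = [bool]($identity -and ($identity -match [regex]::Escape($machineId)))

    # Hash before copying so the archive's integrity can be verified on the share.
    $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        Archive         = $_.Name
        MachineId       = $machineId
        Timestamp       = $timestamp
        Created         = $_.CreationTime
        SizeBytes       = $_.Length
        SHA256          = $sha256
        IdentityMatches = $idMatches
    }

    # Preserve a copy for investigation; prefix with the host name to keep archives from
    # many endpoints distinct on the share.
    if (Test-Path $CollectionShare) {
        $dest = Join-Path $CollectionShare "$($env:COMPUTERNAME)_$($_.Name)"
        Copy-Item -Path $_.FullName -Destination $dest -Force
    }
}
```

Run it on the endpoint (or via a remoting session) after the device page in Central shows the archive name; an IdentityMatches value of False is worth a second look before trusting the archive.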
