Selectively disable Tamper Protection via API or other means of automation

Hello Community,
we're preparing to distribute the Sophos Endpoint Client in our network.

We have an established software distribution system we would like to use to manage this rollout.
The removal of the old AV solution is already sorted, silent install of Sophos Endpoint is working flawlessly as far as we tested it.

The remaining issue is the rollback strategy. There is seemingly no way to selectively disable tamper protection for individual clients by making an API call as a privileged user.

We have found some 1st and 3rd party scripts that attempt to remove Sophos products, but this is not the ideal solution we are looking for.
(From past experience I can tell that the manual removal is not reliable and can leave the client inoperable.)

Did we miss anything in our research on this topic? We want to make use of official uninstall routines for this product, but manually disabling Tamper protection for individual clients (or globally disabling it) is not the way we want to go. Neither is triggering the removal from the Sophos Central console.


Thanks for any feedback, especially from people with similar issues.



  • There is SEDCli on the EP, which you can use to enable/disable given the password from Central.

    If you're logged into Central, with the Developer Tools open in Chrome and toggle the enable/disable of TP for an EP, you will see in the XHR view the API calls being made. E.g. to:

    dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/.../tamper-protection

    You can click on this left hand item in the list view and choose "Copy as Powershell" for example. This will give you an Invoke-WebRequest command you can use in a PS window that will look something like:

    Invoke-WebRequest -Uri "dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/.../tamper-protection" -Method "POST" -Headers @{"Sec-Fetch-Mode"="cors"; "Origin"="https://cloud.sophos.com"; "X-CSRF-Token"="edit-4ee0-8113-08190d56a270"; "User-Agent"="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"; "Accept"="application/vnd.sophos-compressed+json"; "Referer"="cloud.sophos.com/.../summary"; "X-Hammer-Token"="EDITEC1jd11rObUHr2YcftkIoxV"} -ContentType "application/json;charset=UTF-8" -Body "{`"enabled`":false,`"regenerate`":false}"

    To enable/disable TP for this EP, in this case 41b17f17-cd53-04a6-bb5c-ada356253ee7 is the machine ID, you can just change the command from true to false in the body section.

    The tokens will time out, but this could offer something.

    Regards,
    Jak
