
Sophos and Checkpoint Connectra Endpoint on demand scan

Hi,

We have implemented a remote access solution for our 3rd party support companies to use. This appliance (Connectra) has the ability to scan endpoints for the existence of certain security products.

I am trying to set up a new rule that will scan for the existence of the latest Sophos products. I can scan for registry keys, services or the presence of files.

Does anyone know the location of the latest definitions so that I can scan for their existence?

Is this a single file that gets updated or do new files get added to the host PC upon update?

Is there a registry key that I can "look" for to check existence?

Is there a service that runs on the host PC that I can check for?

I need something that is a constant so that I don't have to keep changing my policy when the 3rd party performs an update.

Any help greatly received



    Hi,

    In terms of services there are a few but they depend on the components installed. The SAVService has been a constant for many years and is the core service on the endpoint. That would always exist and should always be started.

    Display Name: "Sophos Anti-Virus"
    Name: "SAVService"

    So "net stop SAVService" would stop it.

    In terms of registry keys:

    [HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\SAVService]

    I guess could be used if required.

    As for updates, by default, i.e. when a customer is subscribed to a "Recommended" version, Sophos performs a minor version update once a month and downloads .ide files throughout the month. These IDEs up to a certain date are then rolled into the next version's main virus data library files. The incremental files are: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\*.ide

    If you could make a WMI call you could ask Action Center/Security Center if Sophos is installed and its state, as Sophos registers with that.

    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List

    http://blogs.msdn.com/b/alejacma/archive/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript.aspx?PageIndex=2#comments

    Hope that helps.

    Regards,

    Jak

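An added example (not Connectra's own check logic and not from the reply above) that combines the three indicators Jak names, the SAVService service, the SAVService registry key and the SecurityCenter2 registration, into one endpoint compliance check. The productState decoding follows the commonly documented byte layout (middle byte 0x10/0x11 = real-time protection on, low byte 0x00 = definitions current), which is an assumption since Microsoft does not document it.

```powershell
# Added example: endpoint compliance check for Sophos Anti-Virus. Assumes PowerShell 3+
# and a client OS (root/SecurityCenter2 is not present on Windows Server editions).
function Test-SophosPresence {
    $result = [ordered]@{}

    # 1. Core service: SAVService should exist and be running.
    $svc = Get-Service -Name 'SAVService' -ErrorAction SilentlyContinue
    $result.ServicePresent = [bool]$svc
    $result.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Registry key: native path on 32-bit Windows, Wow6432Node path on 64-bit.
    $keys = 'HKLM:\SOFTWARE\Sophos\SAVService',
            'HKLM:\SOFTWARE\Wow6432Node\Sophos\SAVService'
    $result.RegistryKeyPresent = @($keys | Where-Object { Test-Path $_ }).Count -gt 0

    # 3. Incremental .ide files: report the age of the newest one. Absence is not
    #    by itself a failure, because IDEs get rolled into the monthly main data files.
    $ideDir = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus'
    $newestIde = Get-ChildItem -Path $ideDir -Filter '*.ide' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $result.NewestIdeAgeDays = if ($newestIde) {
        [int]((Get-Date) - $newestIde.LastWriteTime).TotalDays } else { $null }

    # 4. Security Center registration and productState decoding (assumed byte layout).
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue | Where-Object { $_.displayName -like 'Sophos*' }
    $result.SecurityCenterRegistered = [bool]$av
    if ($av) {
        $state = [int]$av.productState
        $result.RealTimeEnabled   = ((($state -shr 8) -band 0xFF) -in 0x10, 0x11)
        $result.DefinitionsCurrent = (($state -band 0xFF) -eq 0x00)
    }

    # Verdict: the service must be running and the key present; Security Center data,
    # when available, must show protection on. IDE age is reported for the policy owner.
    $result.Compliant = $result.ServiceRunning -and $result.RegistryKeyPresent -and
        (-not $av -or $result.RealTimeEnabled)
    [pscustomobject]$result
}

Test-SophosPresence | Format-List
```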