Detecting machines without Sophos

Hi,

What is the best way to detect or locate machines that are not running Sophos Endpoint Protection clients?

Regards,

Jhun



  • Hello Jhun,

    arguably the "best" way is some kind of NAC.

    Now, Machines Without Sophos are, as set theory tells us, the complement of Machines With Sophos in All Machines. Assuming, for simplification, that you know the Machines With Sophos as they report to SEC, the requisite is that you enumerate All Machines. Excuse my lecturing, but it boils down to this.

    In practice it first depends on your definition of running with protection, i.e. whether you allow unmanaged clients or not. This aside, SEC has several built-in methods for discovery; all have prerequisites. Please see step 6 in the Sophos endpoint deployment guide and the linked articles for details.

    HTH

    Christian 

  • I use the following vbs script to check for hosts that are in the Sophos DB, have not reported to the console for 3 days but are responding to a ping.

    Maybe this is what you need or otherwise you could adopt it and modify it for your use case.

    Notice that it is for a SEC 5.0 DB (we are still at that release) but I think it also works for higher versions.

    The user that executes the script must have read access to the Sophos DB.

    ' Joost Bakker
    ' 29-04-2011
    ' Script to check for hosts that have not reported to the Sophos management
    ' console for 3 days (or at all) but do respond to a ping.
    
    
    option explicit
    
    Dim objConnection, objRecordSet, strConnection, strDataSource, strDatabase
    
    ' define variables
    ' SQL server URL:
    strDataSource = "sqlserver.domain.com"
    ' Database name:
    strDatabase = "SOPHOS50"
    strConnection = "Provider=SQLOLEDB;" & "Data Source=" & strDataSource & ";" & "Initial Catalog=" & strDatabase & ";" & "Integrated Security=SSPI"
    
    'Set objects
    Set objConnection = CreateObject("ADODB.Connection")
    Set objRecordSet = CreateObject("ADODB.Recordset")
    
    ' Message to let user know what the script is doing
    WScript.Echo "This script will check for hosts that have not reported to the Sophos management console " & vbnewline & " for 3 days (or at all) but do respond to a ping." & vbnewline & vbnewline & "This can take some time so please be patient."
    
    ' connect to DB
    objConnection.Open strConnection
    ' Do query
    objRecordSet.Open "SELECT name FROM ComputersAndDeletedComputers WHERE (LastMessageTime <= GetUTCDate() - 3 OR managed = 'false') AND Deleted = 'false' ORDER BY NAME ASC", objConnection, 3
    
    ' Loop through the record set
    ' (MoveFirst raises an error on an empty record set, so only call it when rows exist)
    If Not objRecordSet.EOF Then objRecordSet.MoveFirst
    WHILE NOT objRecordSet.EOF
    	' If the host responds to a ping, present the user with a nice message.
    	If Ping(objRecordSet("name")) = True then
    		WScript.Echo  "Host " & objRecordSet("name") & " responds to a ping but has not made contact with the management server for 3 days (or at all)." & vbnewline & "Please (re)install on " & objRecordSet("name")
    	end if
    objRecordSet.MoveNext
    WEND
    
    ' Message to let user know script has ended
    WScript.Echo "I'm done checking!"
    
    ' Ping host
    ' Return true if host responds
    ' Return false if host does not answer
    Function Ping(strHost)
    	dim objPing, objRetStatus
    
    	' Default to False so a Boolean is returned even if the query yields no status object
    	Ping = False
    
    	set objPing = GetObject("winmgmts:{impersonationLevel=impersonate}").ExecQuery ("select * from Win32_PingStatus where address = '" & strHost & "'")
    
    	for each objRetStatus in objPing
    		if IsNull(objRetStatus.StatusCode) or objRetStatus.StatusCode<>0 then
    			Ping = False
    		else
    			Ping = True
    		end if
    	next
    End Function
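The complement described in the first reply, combined with the 3-day rule from the script in the second, as an added PowerShell example that is not part of the original posts: it compares an inventory list against console rows and reports machines the console has never seen, unmanaged ones, and ones that have been silent for more than 3 days. The function names, host names and sample rows are constructed for illustration; the row fields mirror the `name`, `managed` and `LastMessageTime` columns queried in the script above.

```powershell
# Reduce a host name to its upper-cased first label, so that an FQDN from the
# inventory and a short name from the console compare as equal.
function Get-ShortName([string]$Name) {
    ($Name.Trim() -split '\.')[0].ToUpperInvariant()
}

# Hypothetical helper: All Machines minus healthy Machines With Sophos.
function Find-UnprotectedMachine {
    param(
        [string[]]$Inventory,            # every machine you know about (AD, DHCP, NAC ...)
        [object[]]$SecRows,              # rows with Name, Managed, LastMessageTime
        [datetime]$NowUtc = [datetime]::UtcNow,
        [int]$StaleDays = 3
    )
    # Index the console rows by normalized name for constant-time lookup.
    $known = @{}
    foreach ($row in $SecRows) { $known[(Get-ShortName $row.Name)] = $row }
    $cutoff = $NowUtc.AddDays(-$StaleDays)

    $names = $Inventory | ForEach-Object { Get-ShortName $_ } | Sort-Object -Unique
    foreach ($name in $names) {
        $row = $known[$name]
        if (-not $row) { $reason = 'NotInConsole' }
        elseif (-not $row.Managed) { $reason = 'Unmanaged' }
        elseif (-not $row.LastMessageTime -or $row.LastMessageTime -le $cutoff) { $reason = 'Stale' }
        else { continue }                # managed and recently seen: protected
        [pscustomobject]@{ Name = $name; Reason = $reason }
    }
}

# Constructed sample data (not taken from a real console or network).
$now = [datetime]::UtcNow
$secRows = @(
    [pscustomobject]@{ Name = 'WS-001'; Managed = $true;  LastMessageTime = $now.AddHours(-2) }
    [pscustomobject]@{ Name = 'WS-002'; Managed = $true;  LastMessageTime = $now.AddDays(-10) }
    [pscustomobject]@{ Name = 'WS-003'; Managed = $false; LastMessageTime = $null }
)
$inventory = 'ws-001.example.test', 'WS-002', 'ws-003', 'LAB-PC-07.example.test'

Find-UnprotectedMachine -Inventory $inventory -SecRows $secRows -NowUtc $now |
    Format-Table -AutoSize
```

The `NotInConsole` rows are the ones a query against the console database alone cannot find, which is why the inventory has to come from an independent source.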