
Sophos CLI scan goes wrong

Hello dear Community,

I have a problem with the Sophos virus scan using the CLI.

Our company wants me to develop procedures using Kaseya to scan our company workstations.

To accomplish this, the first thing coming to my mind was scanning the PCs using the CLI command, but here comes the problem.

When I execute the sav32cli.exe with the parameters -DI -P:"C:\Temp\Sophos_Scan.txt" --stop-scan, there is a huge fail, which (I think) is not intended to happen. See attachment for the outcome of the first hour of scanning.

Basically, what it does, it is going into a structure which is non-existent at all, and decreases the /Anwendungsdaten with every retry, coming down to no /Anwendungsdaten in the structure at all, which should be the right place to scan.

My question here is of course:

- How do I fix this problem?

- If not fixable, is there any other way to trigger a scan from "remote"?

:55168


  • Hello AKoenig,

    please see SAVCLI32 - Do not follow links and .Sav32cli, Windows 7/Vista and NTFS junctions. What kind of account does perform these scans? 

    As the downloadable version (the one you seem to be using) has been withdrawn you should use the one from the CID. You also don't specify -nc (the inverted default -c flag) which, I think, would make it wait indefinitely in case of a cleanable detection. And perhaps the -ss or --ignore-could-not-open would speed it up a little bit.

    Christian

    :55173
  • Hello Christian,

    I am practically telling the system itself to run those commands, but as stated above, remotely.

    Using the flags you gave me, it still takes a pile of time.

    Also: what do you mean with CID?

    Best Regards

    Axel

    :55184
  • Hi,

    Is there a reason the standard scheduled scan in the product is of no use?  

    Is it the condition when to scan you want to influence and reacting to time as part of a schedule is not helpful?  

    Is it the customization of options to scan with?  

    Is it that the endpoints don't have SAV installed and you're just copying the command line scanner to the computer to run the scan?

    If SAV is installed on the computer, you can just run the following commands to initiate a scan:

    64-bit:

    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe" {F86EBCD5-687E-40B1-800D-021062361F6C}

    32-bit:

    "C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe" {F86EBCD5-687E-40B1-800D-021062361F6C}

    This will trigger the default (Scan my computer now).  

    When running scans it is worth considering the user context it is being called under and therefore the files that can be accessed.

    Regards,

    Jak

    :55185
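The two commands from the reply above, combined into one PowerShell script that picks whichever install path exists and records the account the scan runs under. This is an added example, not part of the original thread and not Sophos code; the function name is hypothetical, it assumes SAV sits in one of the two default locations quoted above, and the meaning of the exit code is not documented on this page.

```powershell
# Added example: launch the default "Scan my computer now" job on 32- or 64-bit Windows.
# The executable path and the GUID are the ones quoted in the reply above.
$ScanGuid = '{F86EBCD5-687E-40B1-800D-021062361F6C}'

function Find-BackgroundScanClient {
    # Hypothetical helper: probe both Program Files roots instead of hard-coding the architecture.
    # ProgramFiles(x86) is empty on 32-bit Windows, so empty entries are filtered out.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        $exe = Join-Path $root 'Sophos\Sophos Anti-Virus\BackgroundScanClient.exe'
        if (Test-Path -LiteralPath $exe -PathType Leaf) { return $exe }
    }
    return $null
}

$exe = Find-BackgroundScanClient
if (-not $exe) {
    Write-Error 'BackgroundScanClient.exe not found in either default location; is SAV installed?'
    exit 2
}

# The account matters: it decides which files the scan is able to open.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Starting scan as $identity using $exe"

# Wait for the client process and pass its exit code back to the calling agent.
# What a non-zero code means is an assumption to verify; the thread does not say.
$proc = Start-Process -FilePath $exe -ArgumentList $ScanGuid -PassThru -Wait
Write-Output "BackgroundScanClient exit code: $($proc.ExitCode)"
exit $proc.ExitCode
```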
  • Hi jak,

    thanks a lot, this works perfectly fine! It is now scanning everything if I tell our Kaseya server to run that command you gave me.

    But another question, now I am trying to get the current version of SAV, and I searched the forums a bit.

    Only thing I found was using some VB script to get that, sad thing is, that our Kaseya provider isn't supporting upload of custom files, so I can't upload any VB script or something like that to use that.

    Is there maybe a version info in the registry?

    Thanks a lot again!

    Regards,

    Axel

    :55190
  • Hello Axel,

    I am trying to get the current version of SAV

    it's not clear - at least to me - what you mean by this. Apparently your endpoints have SAV installed (otherwise the command wouldn't work) and this should update itself automatically.

    Christian

    :55191
  • Hello QC,

    the thing is, that we had an infiltration on one of our workstations which wasn't on the newest version and wasn't scanning regularly.

    So now we are trying to make this so we are safe 'n sound, even if sophos fails to detect/scan for whatever reason.

    Regards

    Axel

    :55193
  • Hello Axel,

    am I correct that you want to know whether SAV on the endpoint is up-to-date (this information is available in the console unless there is a communication/RMS problem)? As you can't upload scripts - which methods for obtaining information does Kaseya offer?

    Christian

    :55194
  • Dear Chris,

    I am trying to get the current version of the end-point-software. 

    As for now, I've tried to gather the version info from the registry key found at:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\ProductVersion

    Later on I found out that this seems to be some other version info, since it displays "2.9.0.344", which seems to be the wrong version. Sophos downloads page tells me newest one is 10.3, and I'm assuming that our company is not THAT far away from the current version.

    tl;dr:

    I can, as stated above, read registry key values and I can get stuff that is written to files.

    Regards,

    Axel

    :55197
  • Hello Alex Axel [I had it right the first time],

    the version numbers now have a lifetime of roughly one month (this hasn't always been the case) and thus won't tell you if the endpoint has recently updated and all the IDEs (guess you'd have to count them). The different components have their own version, the one you showed is for AutoUpdate, RMS has another.

    The best thing I can come up with is:

    HKLM\SOFTWARE\[Wow6432Node\]Sophos\AutoUpdate\Service\Subscription\\version

    Christian

    :55199
  • Hello Chris,

    thank you for that information, I was quite confused about that.

    Sadly, i do not have the Subscription folder within the Service folder.

    This is what it looks like to me:

    ScreenShot.PNG

    I'll look around a bit more, thanks for your help again.

    Regards,

    Axel 

    By the way, it's Axel, not Alex

    EDIT:

    It seems that the "C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe" {F86EBCD5-687E-40B1-800D-021062361F6C} command doesn't want to work with Win8.

    :55202