Sophosendpoint



This document explains how USC faculty, staff and students can install Sophos Endpoint Security 10.7 (Home and Mobile) on computers running Windows Vista, Windows 7, Windows 8 and Windows 10. The software is intended for laptops and desktops connected to USC wireless networks, and for home computers. With Sophos Endpoint Security and Control 10.3.15 you can protect a Windows 10 computer directly, or upgrade a protected computer to Windows 10 along one of Microsoft's supported upgrade paths from Windows 7 or 8.1.

For many organizations, Macs are a regular fixture in their IT estates. Whether they comprise just a few devices or a significant proportion, Macs need the same levels of cybersecurity protection and visibility as their Windows cousins.

That is why, alongside proven protection against the latest Mac threats, Endpoint Detection and Response (EDR) is now available for Mac as well as for Windows and Linux.

Intercept X Advanced with EDR gives both IT admins and cybersecurity experts the power to answer critical IT operations and threat hunting questions, and then remotely take any necessary actions.

Upgrade your IT security operations

Maintaining proper IT hygiene can be a significant time investment for IT admins. Being able to identify which devices need attention and what action needs to be taken can add another layer of complexity.

With Sophos EDR, you can now do just that – quickly and easily. For example:

  • Find devices with software vulnerabilities, unknown services running, or unauthorized browser extensions
  • Identify devices that have unwanted software
  • See if software has been deployed on devices, e.g. to make sure a rollout is complete
  • Remotely access devices to dig deeper and take action, such as installing software, editing configuration files, and rebooting a device

Hunt and neutralize threats

Tracking down subtle, evasive threats requires a tool capable of detecting even the smallest indicators of compromise.

With this release, Sophos EDR is significantly enhancing its threat hunting capabilities. For example:

  • Detect processes attempting to make a connection on non-standard ports
  • Get granular detail on unexpected script executions
  • Identify processes that have created files or modified configuration files
  • Remotely access a device to deploy additional forensic tools, terminate suspect processes, and run scripts or programs

Introducing Live Discover and Live Response

The features that make the examples above possible are Live Discover and Live Response.

Live Discover lets you ask almost any question of your data by running SQL queries across your Mac devices. You can start from a selection of out-of-the-box queries and customize them to return exactly the information you need, for both IT security hygiene and threat hunting tasks. The queried data is kept on the device's disk for up to 90 days, so queries run against local data and return quickly.

Live Response is a command line interface that can remotely access devices in order to perform further investigation or take appropriate action. For example:

  • Rebooting a device that has pending updates
  • Terminating suspicious processes
  • Browsing the file system
  • Editing configuration files
  • Running scripts and programs

All of this is done remotely, so it suits situations where you do not have physical access to the device that needs attention.

Try the new features

Existing Intercept X Advanced with EDR customers will automatically see their Mac devices appearing for selection in Live Discover and Live Response by September 16.

Intercept X and Intercept X for Server customers that would like to try out EDR functionality can head to the Sophos Central console, select ‘Free Trials’ in the left-hand menu and choose the ‘Intercept X Advanced with EDR’ or ‘Intercept X Advanced for Server with EDR’ trial.

If you’re new to Sophos Central, start a no-obligation free trial of Intercept X Advanced with EDR today. You’ll get world class protection against the latest cybersecurity threats in addition to powerful EDR capabilities. Get started.


Live Discover and Live Response are available for Windows, Mac, and Linux devices.

This article will show you how to remove the Sophos Central Endpoint Client from your Windows system, even if the tamper protection prevents this.

Important: This method of uninstalling the Endpoint Client should only be used when tamper protection cannot be disabled in the normal way, for example because you have forgotten the tamper protection password, or because you deleted the computer from Sophos Central without first uninstalling the Endpoint Client. How to disable tamper protection in the proper way is explained in this tutorial. Note that both options below turn off the protection the client provides; the system is unprotected from the moment tamper protection is disabled until a replacement endpoint client is installed.

Sophos Endpoint Removal Tool

Option 1

  1. Boot your Windows system into Safe Mode.
  2. Click Start, then Run, type services.msc and confirm with Enter or click OK.
  3. Locate the Sophos Anti-Virus service and right-click it.
  4. From the context menu select Properties and set the Startup type to Disabled.
  5. Open Run again (Start, Run), type regedit this time and confirm with Enter or click OK.
  6. In the Registry Editor go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD value Start to 0x00000004 (4 = Disabled).
  7. Next, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the REG_DWORD values SAVEnabled and SEDEnabled to 0.
  8. Finally, go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set its REG_DWORD value to 0.
  9. Reboot the system in normal mode.
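As an added example (not part of the original tutorial and not a Sophos tool), the following PowerShell script applies the changes from steps 3 to 8 in one pass and reads every value back, so a typo in one of the long key paths is caught before you reboot. It assumes an elevated PowerShell prompt while the system is in Safe Mode (outside Safe Mode the Sophos Endpoint Defense driver blocks these writes), and it assumes that the unnamed value in step 8 is a DWORD called Enabled under that key; the page does not name the value, so that name is an assumption here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page or from Sophos): applies the Option 1 registry
# changes in one pass and reads them back before the reboot in step 9.
# Run from an elevated PowerShell prompt while in Safe Mode.
# ASSUMPTION: the value under SAVService\TamperProtection is named 'Enabled';
# the tutorial does not name it.

$ErrorActionPreference = 'Stop'

# Steps 3-4: the Sophos Anti-Virus service, looked up by the display name
# shown in services.msc, set to Startup type Disabled.
$sav = Get-Service -DisplayName 'Sophos Anti-Virus' -ErrorAction SilentlyContinue
if ($sav) {
    Set-Service -Name $sav.Name -StartupType Disabled
    Write-Host "Service '$($sav.DisplayName)' ($($sav.Name)) set to Disabled"
} else {
    Write-Warning "Service 'Sophos Anti-Virus' not found; continuing with registry edits"
}

# Steps 6-8: one row per registry value so each edit is visible and auditable.
$edits = @(
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
       Name  = 'Start'; Value = 4 }        # 4 = SERVICE_DISABLED
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name  = 'SAVEnabled'; Value = 0 }
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name  = 'SEDEnabled'; Value = 0 }
    @{ Path  = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
       Name  = 'Enabled'; Value = 0 }      # value name assumed, see header
)

foreach ($e in $edits) {
    if (-not (Test-Path -Path $e.Path)) {
        Write-Warning "Key not present, skipping: $($e.Path)"
        continue
    }
    $before = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).$($e.Name)
    Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -Type DWord
    # Read back: if tamper protection is still active the write silently fails.
    $after = (Get-ItemProperty -Path $e.Path -Name $e.Name).$($e.Name)
    if ($after -ne $e.Value) {
        throw "Write to $($e.Path)\$($e.Name) did not stick (read back '$after'); are you in Safe Mode?"
    }
    Write-Host ("{0}\{1}: {2} -> {3}" -f $e.Path, $e.Name, $before, $after)
}

Write-Host 'Done. Reboot into normal mode (step 9), then uninstall the Endpoint Client.'
```

The read-back check matters more than the writes: with tamper protection active, Set-ItemProperty can appear to succeed while the protected value stays unchanged, and you only find out after the reboot when the uninstaller is still blocked.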

Option 2

  1. Boot your Windows system into Safe Mode.
  2. Then open the command line (Shell) and execute the following commands:
  3. Reboot the system in normal mode.


Whichever option you choose, the result should be that tamper protection is disabled and the Endpoint Client can be uninstalled normally. Once it is removed the computer has no endpoint protection, so install a replacement client promptly.