Information for administrators of a Sophos client

Here are a few key points to help you get started with the Sophos client. Unfortunately, RHRZ cannot provide in-depth advice or training.

Setting up your admin account requires multiple one-time confirmations from you. Logging in to the Sophos backend uses two-factor authentication. For this, we recommend using an app that supports TOTP (Time-based One-time Passwords), e.g. Authy or Google/Microsoft Authenticator.

You can find detailed information on the functions of the Sophos backend via Help in the top right-hand corner of the backend.

Software Download

In the menu "Devices -> Installers" you can download the software for clients and servers customized for your tenant. The Sophos client automatically registers in your tenant. All detailed information about the endpoints is only displayed within your tenant. Only the number of licenses used and the number of warning messages can be seen at a higher level.

To download, please select "Choose Components", then select only the option "Sophos Intercept X Advanced" in the following window. Other components are not licensed and therefore do not need to be installed. (If you have used the "Complete Installer" or have installed unlicensed components, this is unproblematic as long as you do not activate the additional functions.)

After installing the Sophos client, the protection functions are active on the respective device. Further settings are not absolutely necessary.

Sophos for Linux is listed as software for servers. This version can also be used on Linux desktops; in the backend, however, Linux desktops then appear in the list of servers. The assignment of a device to the list of clients or servers only matters if different rules are defined for clients and servers.

Overview of Sophos installations

All devices assigned to your client are listed in the "Devices" menu. You can call up detailed information on each device.

Please do NOT select the "+" in the Encryption or ZTNA columns: if these components have been installed, this activates additional unlicensed functions.

Overview and evaluation of an incident

In the "Dashboard" and "Alerts" menus, you will find a summarized or more detailed overview of all unresolved alerts. Potentially harmful events that Sophos was able to prevent are not listed here. These can be found under "Logs & Reports" -> "Events" or in the detailed information for the respective endpoint device.

In the "Threat Analysis Center" you can get detailed information about (potentially) harmful events. This includes: the starting point of a threat (blue dot) and any malware detected (red dot), as well as the involved or affected processes, libraries, files, network connections, registry keys (Windows), etc.

In the example below, only 'curl malware.wicar.org' was executed in PowerShell (where curl is an alias for Invoke-WebRequest), i.e. a URL was called from which "Demo Malware" can be downloaded. The network connection was interrupted by Sophos and the process was stopped. The user received a warning message. In the analysis, the activities of PowerShell (all harmless in this case) can be traced: the files and registry keys can be listed, and detailed information about executable files can be retrieved.

More detailed example at Sophos: https://support.sophos.com/support/s/article/KB-000036359
(the screenshots show an older version of the interface)

Tamper protection and password for Sophos Client

If tamper protection is enabled, the Sophos client cannot be uninstalled by the user. Tamper protection can be activated or deactivated under "Global Settings" for all clients or under "Devices" for each device.

In the Sophos client, the user has the option of deactivating Sophos or individual Sophos functions for up to four hours. If tamper protection is activated, a password must be entered for this. The password must be retrieved for each device ("Devices" -> select device -> "View Password Details"). The password can be renewed with a click (the new password becomes active after about 1 minute). Previous passwords are listed in the backend.

Predefined configuration

Many configuration options are predefined by the RHRZ via a template and cannot be changed within a tenant. The padlock symbol marks predefined configurations. The template largely contains the configuration recommended by Sophos; only the "Web Control" function has been deactivated.

Unfortunately, the template has a fixed granularity, so it is not possible to predefine fewer settings. If you need access to predefined configurations for your area, this is possible by arrangement.

Recommendation

Email alerts: You can receive email alerts from Sophos. You can configure this under "General Settings" (gear wheel top right) -> "Configure email alerts".

As an "Alert", Sophos usually only reports things that require your intervention as an administrator. It is also best to check regularly under "Logs & Reports" -> "Events" to see what other messages there are, e.g. whether certain messages occur very frequently.

It cannot be ruled out that false positives may occur when malicious behavior is detected. In this case, we can configure exceptions; please contact us via the ticket system.

Installing Sophos InterceptX with SCCM

The following instructions assume that a tenant has already been set up at Sophos for the use of InterceptX in your area. In addition, these instructions are aimed at administrators who use SCCM to manage their clients; the availability of the RHRZ SCCM in your area is therefore also assumed. Sophos InterceptX can be deployed via SCCM using the Sophos InterceptX package from the central SCCM software catalog. However, a one-time configuration of the installation process in the SCCM console is required beforehand: the CustomerToken and the MCSCustomerID of your tenant at Sophos must be made known to your managed clients via SCCM with the help of collection variables. In this way, the clients can be assigned to your Sophos tenant when Sophos InterceptX is installed. Please note that Sophos InterceptX requires Windows 10 21h2 (2109) or Windows 11 21h2 or higher as the operating system.
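The one-time SCCM configuration described above, as an added example that is not part of the RHRZ instructions or the central Sophos package: it defines the two collection variables on the device collection that receives the Sophos InterceptX package, using the ConfigurationManager PowerShell module that ships with the SCCM console. The site code, the collection name, the token and ID values are placeholders; the variable names CustomerToken and MCSCustomerID are those named above and are assumed to be what the central package reads. The CustomerToken is masked so it is not shown in plain text in the console, since anyone holding it can enroll a device into your tenant.

```powershell
# Added example (not RHRZ's or Sophos's own code): set the Sophos collection variables
# that the central InterceptX package expects, on the collection used for deployment.
# Assumes the ConfigurationManager module of the SCCM console is installed locally.

# Load the module from the console installation path and switch to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "ABC:"   # placeholder: replace ABC with your site code

$collectionName = "Sophos InterceptX - my area"          # placeholder collection name
$customerToken  = "PLACEHOLDER-CUSTOMERTOKEN"            # placeholder: value from Sophos Central
$mcsCustomerId  = "PLACEHOLDER-MCSCUSTOMERID"            # placeholder: value from Sophos Central

# Variables to define: name, value, and whether the value is hidden in the console.
# Only the token is masked; the MCSCustomerID is an identifier, not a secret.
$variables = @(
    @{ Name = "CustomerToken"; Value = $customerToken; Mask = $true  },
    @{ Name = "MCSCustomerID"; Value = $mcsCustomerId; Mask = $false }
)

foreach ($v in $variables) {
    # Remove an existing variable of the same name so the new value is authoritative
    # (re-running the script after renewing a token replaces the old value).
    $existing = Get-CMDeviceCollectionVariable -CollectionName $collectionName -VariableName $v.Name
    if ($existing) {
        Remove-CMDeviceCollectionVariable -CollectionName $collectionName -VariableName $v.Name -Force
    }
    New-CMDeviceCollectionVariable -CollectionName $collectionName `
        -VariableName $v.Name -VariableValue $v.Value -IsMask $v.Mask | Out-Null
}

# Verify: list the variable names now defined on the collection (masked values stay hidden).
Get-CMDeviceCollectionVariable -CollectionName $collectionName |
    Select-Object -ExpandProperty Name
```

Run the script once per deployment collection from a console host that has the ConfigurationManager module. Keep the token value out of shared scripts and ticket text: store it in a restricted location and paste it only when running the script, and renew it in Sophos Central if it has been exposed.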