Solved

Secure Restore / Sophos Endpoint Agent



Hello guys,

I'm trying to use Secure Restore with Sophos Endpoint Agent.
It is not an antivirus implemented by default in the configuration files, so I tried to edit AntivirusInfos.xml, but for the moment I get the following error message:


Here is the part I added:

<AntivirusInfo Name='SOPHOS Endpoint Agent' IsPortableSoftware='false' ExecutableFilePath='%ProgramFiles%\Sophos\Endpoint Defense\SophosInterceptXCLI.exe' CommandLineParameters='scan %Path%' RegPath='' ServiceName='' ThreatExistsRegEx='' IsParallelScanAvailable='false'>
    <ExitCodes>
        <ExitCode Type='Success' Description='Command executed successfully'>0</ExitCode>
        <ExitCode Type='Error' Description='Error during command handling'>1</ExitCode>
        <ExitCode Type='Error' Description='Unexpected error during CLI setup'>2</ExitCode>
    </ExitCodes>
</AntivirusInfo>

Has anyone already implemented Sophos Endpoint Agent with Veeam?
I'll continue my tests :)


Best answer by MicoolPaul 12 April 2023, 11:32


13 comments


Hi @Stabz 


I used to use this a few years ago and this post was helpful:

https://forums.veeam.com/veeam-backup-replication-f2/secure-restore-malware-scanning-with-sophos-t67511.html


Though I see you’re using the InterceptXCLI the rest should hopefully match up 😁


Hey @MicoolPaul, thanks! Yes, I was looking at this example as a reference.

I changed IsPortableSoftware to true and now Veeam detects my antivirus.

But the scan is pretty fast; I'm not sure what it is doing 😂. I'll try with the same settings from the forum post.


Unfortunately, the antivirus is detected, but for me nothing is scanned; it's too fast.

I changed the setting to use Windows Defender; the scan took almost 1 hour.

Difference with Sophos

I tried different parameters, with and without a backslash after the %Path%, but always with the same result. I'll try to open a support case :)


Hey, a quick update:

Unfortunately, Sophos is not one of the officially supported AV solutions. And Veeam support does not provide support for the configuration of this product.


I think you'll need support from Sophos as to how their CLI works, to ensure it's being used correctly 🙂

For us, the solution was to remove the exclusion for C:\VeeamFLR\. We added this exclusion because of the Veeam KB (https://www.veeam.com/kb1999). But the CLI scanner from Sophos also does not scan any exclusion configured in Sophos Central.

As soon as we removed that exclusion, the scan started to work properly.


AntivirusInfos.xml:

<Antiviruses>
    <AntivirusInfo Name='Sophos Intercept X' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\Sophos\Endpoint Defense\SophosInterceptXCLI.exe' CommandLineParameters='scan %Path%' RegPath='' ServiceName='' ThreatExistsRegEx='[dD]etections(: )*[1-9][0-9]*' IsParallelScanAvailable='false'>
        <ExitCodes>
            <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
            <ExitCode Type='Error' Description='Error during command handling'>1</ExitCode>
            <ExitCode Type='Error' Description='Unexpected error during CLI setup'>2</ExitCode>
        </ExitCodes>
    </AntivirusInfo>
</Antiviruses>


I found no way to edit my last post. There was a small mistake in the XML above ("--noui" is missing as a parameter).


The correct, working XML:

<Antiviruses>
    <AntivirusInfo Name='Sophos Intercept X' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\Sophos\Endpoint Defense\SophosInterceptXCLI.exe' CommandLineParameters='scan --noui %Path%' RegPath='' ServiceName='' ThreatExistsRegEx='[dD]etections(: )*[1-9][0-9]*' IsParallelScanAvailable='false'>
        <ExitCodes>
            <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
            <ExitCode Type='Error' Description='Error during command handling'>1</ExitCode>
            <ExitCode Type='Error' Description='Unexpected error during CLI setup'>2</ExitCode>
        </ExitCodes>
    </AntivirusInfo>
</Antiviruses>



Hi @solae, do you have a guide on how I can integrate Veeam with Sophos?


Hello all, @Stabz @solae @MicoolPaul, from your experience, based on the CLI exit codes, if malware is detected, will it trigger exit code 1 or exit code 2? I managed to make it scan, but I just wanted to confirm.


Error codes

The command-line tool can return the following error codes:

Code  Description
0     Success
1     Error during command handling
2     Unexpected error during CLI setup


I created a backup with an EICAR test file. The malware is detected in Sophos Central, but it still returned an exit code of 0, which is "No threats detected". Is it the same for you guys?



Hey @seanrockvz13, unfortunately I didn't try again.

Probably Sophos has an exit code for this. Maybe you can ask Sophos Support.


There is no exit code in Sophos in case of an infection. You have to parse the output of the SophosInterceptXCLI.exe.

See the example XML file posted above. It checks whether "Detections" in the output is not equal to "0".

Exit code 0 only means that there was no error running the .exe file.
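As an added example (not code from this thread, Veeam or Sophos), here is a small Python check that reproduces the two-step rule the thread arrives at: map the CLI exit code first, and only for a "Success" exit code decide clean vs. infected by running the ThreatExistsRegEx from the posted AntivirusInfos.xml over the scanner's text output. The sample scanner output lines are constructed, since the thread does not show the real SophosInterceptXCLI.exe output format.

```python
import re
import xml.etree.ElementTree as ET

# Copy of the working AntivirusInfo entry posted in this thread.
ANTIVIRUS_INFOS_XML = r"""<Antiviruses>
<AntivirusInfo Name='Sophos Intercept X' IsPortableSoftware='true'
  ExecutableFilePath='%ProgramFiles%\Sophos\Endpoint Defense\SophosInterceptXCLI.exe'
  CommandLineParameters='scan --noui %Path%' RegPath='' ServiceName=''
  ThreatExistsRegEx='[dD]etections(: )*[1-9][0-9]*' IsParallelScanAvailable='false'>
<ExitCodes>
<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
<ExitCode Type='Error' Description='Error during command handling'>1</ExitCode>
<ExitCode Type='Error' Description='Unexpected error during CLI setup'>2</ExitCode>
</ExitCodes>
</AntivirusInfo>
</Antiviruses>"""


def load_profile(xml_text):
    """Parse one AntivirusInfo entry into the pieces the verdict logic needs."""
    info = ET.fromstring(xml_text).find("AntivirusInfo")
    exit_codes = {int(c.text): (c.get("Type"), c.get("Description"))
                  for c in info.find("ExitCodes")}
    return {"name": info.get("Name"),
            "threat_regex": re.compile(info.get("ThreatExistsRegEx")),
            "exit_codes": exit_codes}


def scan_verdict(profile, exit_code, cli_output):
    """Return ('error' | 'infected' | 'clean', reason).

    A non-Success exit code is a scanner error; for a Success exit code the
    verdict comes only from ThreatExistsRegEx matching the scanner's output,
    because the CLI returns 0 whether or not it found anything.
    """
    kind, desc = profile["exit_codes"].get(exit_code, ("Error", "unknown exit code"))
    if kind != "Success":
        return "error", f"exit code {exit_code}: {desc}"
    match = profile["threat_regex"].search(cli_output)
    if match:
        return "infected", f"ThreatExistsRegEx matched {match.group(0)!r}"
    return "clean", f"exit code {exit_code}: {desc}; no 'Detections' > 0 in output"


# Constructed sample outputs; the real SophosInterceptXCLI.exe format is not shown in the thread.
CLEAN_OUTPUT = "Scanning C:\\VeeamFLR\\vm01\\Volume1\nDetections: 0\n"
EICAR_OUTPUT = "Scanning C:\\VeeamFLR\\vm01\\Volume1\nDetections: 1\n"
```

Note that the regex needs the digit to follow "Detections" directly or after ": ", so a scanner build that printed a different separator would silently read as clean; that is the kind of output change worth re-testing with an EICAR file after a Sophos upgrade.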


Does Sophos Central get the detections once scanned, or can we only check the logs for detections?

In my recent tests, InterceptX has been configured within VEEAM 12.1 for Secure Restore.

The ExitCode 0 description has to be changed to "Process was completed successfully", which is accurate, because the exit code doesn't reflect detections.

But Veeam 12.1 (in my test) now handles Detections > 0, which results in a warning during the restore.
