Sophos Enduser Protection

InsightIDR uses the data ingested from Virus Scan event sources for analytics. Adding a virus scan integration lets you track which users and assets are frequently infected. InsightIDR also uses this data to produce some notable behaviors and alerts.

Before You Begin

Sophos EndUser Protection events are antivirus (A/V) logs written to a SQL Server database, rather than to a file. Therefore, you must connect to the server via an SQL Server client connection in order to gather the logs for InsightIDR.

To connect to the server via an SQL Server client connection:

  1. Gather information about the domain and username/password, the server hosting the Sophos A/V system, and the port the SQL Server is "listening" on for connections (typically 1433 or 1434).
  2. Depending on the database filenames (such as SOPHOS52.mdf) and the configuration of the SQL Server instance, make sure the database follows the naming convention SOPHOS52 or SOPHOS\SOPHOS52.
  3. Turn on shared memory, named pipes, and TCP/IP under "SQL Server Configuration Manager."
  4. Enable remote connections to the SQL Server database.
  5. Confirm and document the specific port the server is listening on, and ensure the local firewall is not blocking the server.
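
A pre-flight check for the steps above, run from the collector host before the event source is configured. This is an added example, not Rapid7 or Sophos tooling; the function names are hypothetical, and it assumes the database name is taken from the .mdf file stem as in the SOPHOS52.mdf case.

```python
import ntpath
import socket
import sys

# Ports the page gives as typical for the SQL Server listener.
CANDIDATE_PORTS = (1433, 1434)


def probe_port(host, port, timeout=3.0):
    """Classify one TCP connect attempt made from this (collector) host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # a listener accepted the connection
    except ConnectionRefusedError:
        return "refused"       # host reachable, nothing listening on that port
    except (socket.timeout, TimeoutError):
        return "filtered"      # no reply in time; a firewall is likely dropping it
    except OSError:
        return "error"         # name resolution or routing failure


def expected_db_names(mdf_file):
    """Both forms of the naming convention, derived from the .mdf file name.
    Assumption: the database name is the file stem, as with SOPHOS52.mdf."""
    stem = ntpath.splitext(ntpath.basename(mdf_file))[0].upper()
    return (stem, "SOPHOS\\" + stem)


def db_name_ok(db_name, mdf_file):
    """True when db_name is one of the two expected forms (case-insensitive)."""
    return db_name.upper() in expected_db_names(mdf_file)


def preflight(host, db_name, mdf_file, ports=CANDIDATE_PORTS, timeout=3.0):
    """Run every check and return the findings as a dict."""
    return {
        "ports": {p: probe_port(host, p, timeout) for p in ports},
        "db_name_ok": db_name_ok(db_name, mdf_file),
    }


if __name__ == "__main__":
    # Usage: python preflight.py <sql-server-host> <database> <mdf-file-name>
    host, db, mdf = sys.argv[1:4]
    result = preflight(host, db, mdf)
    for port, state in result["ports"].items():
        print(f"tcp/{port}: {state}")
    print("database name matches convention:", result["db_name_ok"])
```

A "refused" result points at step 3 (TCP/IP not enabled, or a different port), while "filtered" points at the firewall check in the last step.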

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the "Security Data" section, select the Virus Scan icon. The "Add Event Source" panel appears.
  4. Select your collector and event source. You can name your event source if you want.
  5. Optionally choose to send unparsed logs.
  6. Configure your default domain and any Advanced Event Source Settings.
  7. In the "Server" field, enter the database server name.
  8. In the "Port" field, enter the port to the SQL Database; this is 1434 by default.
  9. In the "Database" field, enter the server database, or the database IP address.
  10. In the "User Domain" field, enter the User Domain information, or the domain of your credentials.
  11. Select existing credentials or create a new credential.
  12. In the "Password" field, enter the password for the Server.
  13. Select Save.

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.