Sophos Enduser Protection

The data ingested from Virus Scan event sources are used for analytics. Adding virus scan integration allows you to track which users and assets are infected frequently. Additionally, InsightIDR uses this data to produce some notable behaviors and alerts.

Before You Begin

Sophos EndUser Protection events are antivirus (A/V) logs written to a SQL Server database, rather than to a file. Therefore, you must connect to the server via an SQL Server client connection in order to gather the logs for InsightIDR.

To connect to the server via an SQL Server client connection:

Gather information about the domain and username/password, the server hosting the Sophos A/V system, and the port the SQL Server is "listening" on for connections (typically 1433 or 1434).
Depending on database filenames (such as SOPHOS52.mdf) and the configuration of the instance the SQL Server, make sure the database follows the naming convention SOPHOS52 or SOPHOS\SOPHOS52.
Turn on shared memory, named pipes, and TCP/IP under "SQL Server Configuration Manager."

Enable remote connections to the SQL Server Database.
- SQL servers for 2012/2014/2016: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option
- SQL server(s) for 2008: https://blogs.msdn.microsoft.com/walzenbach/2010/04/14/how-to-enable-remote-connections-in-sql-server-2008
Ensure and document the specific port the server is listening on and ensure the local firewall is not blocking the Server.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
Do one of the following:
- Search for Sophos Enduser Protection in the event sources search bar.
- In the Product Type filter, select Virus Scan.
Select the Sophos Enduser Protection event source tile.
Select your collector and event source. You can name your event source if you want.
Optionally choose to send unparsed logs.
Configure your default domain and any Advanced Event Source Settings.
In the "Server" field, enter the database server name.
In the "Port" field, enter the port to the SQL Database; this is 1434 by default.
In the "Database" field, enter the server database, or the database IP address.
In the "User Domain" field, enter the User Domain information, or the domain of your credentials.
Select existing credentials or create a new credential.
In the "Password" field, enter the password for the Server.
Select Save.

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.

Did this page help you?

Event Source Configuration

Symantec Endpoint Protection

Event Source Configuration

CylancePROTECT