FIM (File Integrity Monitoring) for Sophos endpoints
We're wondering why there is FIM (File Integrity Monitoring) functionality for servers only and not for endpoints.
There are also files and paths on endpoints where being able to assure their integrity would raise the security level a lot.
We have a specific scenario that I cannot cover with Sophos Endpoint Security because we cannot assure the integrity of certain files.
To give us central management of the credentials of the local administrator accounts on our Windows clients, we use a well-known tool from Microsoft called LAPS.
LAPS uses a small application on the clients to create a new random administrator password as soon as the current one expires after the configured number of days.
To do this it uses admpwd.dll, which creates the passwords and writes them back to the assigned attribute of the AD computer account.
This works great, but the big problem is that the source code of this DLL is published on GitHub.
So an attacker who knows how to code just has to extend the code of this DLL, e.g. to additionally write the created passwords to a text file.
We had to deal with this case in our network!
Currently we don't see any way to close this security issue without changing the local admin password management tool.
If endpoints could also use the FIM feature, we could protect or at least check the integrity of this DLL file and make it much harder for attackers.
So let's roll up the sleeves and bring this amazing feature to endpoints as well :)
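As an added illustration of what the requested check would look like (this is example code, not part of the original post and not Sophos or Microsoft code): a small PowerShell script that records a baseline of the LAPS client DLL (SHA256, Authenticode status, signer thumbprint) and later compares the file against it. The default DLL path is assumed to be the usual legacy LAPS install location and the baseline path is arbitrary; both are parameters.

```powershell
# Added example (not from the original post or from Sophos/Microsoft): a minimal
# integrity check for the LAPS client DLL, approximating what endpoint FIM would do.
# Assumptions: $DllPath defaults to the typical legacy LAPS install location (adjust
# if yours differs); $BaselinePath is any location you choose for the baseline file.
param(
    [ValidateSet('Baseline','Check')] [string] $Mode = 'Check',
    [string] $DllPath      = "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll",
    [string] $BaselinePath = "$env:ProgramData\FimBaseline\AdmPwd.json"
)

function Get-DllState {
    param([string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SigStatus  = $sig.Status.ToString()   # 'Valid' for the vendor-signed DLL
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Length     = (Get-Item -Path $Path).Length
    }
}

$current = Get-DllState -Path $DllPath

if ($Mode -eq 'Baseline') {
    New-Item -ItemType Directory -Force -Path (Split-Path -Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath (SHA256 $($current.Sha256))"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$findings = @()
# A DLL rebuilt from public source will not carry the vendor's signature, so the
# signature status catches that case even before the hash comparison does.
if ($current.SigStatus -ne 'Valid')               { $findings += "Authenticode signature is $($current.SigStatus)" }
if ($current.Thumbprint -ne $baseline.Thumbprint) { $findings += 'signer certificate changed' }
if ($current.Sha256 -ne $baseline.Sha256)         { $findings += 'SHA256 changed' }

if ($findings.Count -eq 0) {
    Write-Output "OK: $DllPath matches baseline"
    exit 0
}
# Non-zero exit code so a scheduled task or RMM job can raise an alert on it.
Write-Warning "INTEGRITY FAILURE for ${DllPath}: $($findings -join '; ')"
Write-Warning "Expected SHA256 $($baseline.Sha256), got $($current.Sha256)"
exit 1
```

Run it once with `-Mode Baseline` after a known-good LAPS install and then periodically with `-Mode Check`. A locally stored script and baseline are only as trustworthy as the protection around them, which is exactly why an agent-managed FIM feature on endpoints would be preferable to this workaround.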