<DiagConfig upload-url="https://sdu-feedback.sophos.com/prod/" version="6.5.238.238"> <Exclusions name="File type extensions"> <ExclusionItem type=".acm"/> <ExclusionItem type=".ax"/> <ExclusionItem type=".cpl"/> <ExclusionItem type=".dll"/> <ExclusionItem type=".drv"/> <ExclusionItem type=".efi"/> <ExclusionItem type=".exe"/> <ExclusionItem type=".mui"/> <ExclusionItem type=".ocx"/> <ExclusionItem type=".scr"/> <ExclusionItem type=".sys"/> <ExclusionItem type=".tsp"/> <!-- HMPA exclusions --> <ExclusionItem type=".db"/> <ExclusionItem type=".db-shm"/> <ExclusionItem type=".db-wal"/> </Exclusions> <EncryptionKeys/> <Section name="Collect information about Sophos products installed" option="sophos"> <!-- Sophos Common --> <Product name="Common"> <CollectFiles path="%COMMON_APPDATA%\Sophos\*\Logs\*" recursive='true' age='365'/> <CollectFiles path="%PROGRAMFILES%\Sophos\*\integrity.dat"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\*\integrity.dat"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\*\*\integrity.dat"/> </Product> <!-- Sophos Sharepoint --> <Product name="SP"> <CollectFiles path="%TEMP%\MsiSavSP*"/> </Product> <!-- Management Communications Endpoint Product --> <Product name="MCS"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Management Communications System\Endpoint\Cache\*"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Management Communications System\Endpoint\Config\*"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Management Communications System\Endpoint\Persist\*"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Management Communications System\Endpoint\Trail\*"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Management Communications System\Endpoint\Logs\*" age='365'/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Certificates\Management Communications System\*"/> </Product> <!-- Sophos Mobile Device Control --> <Product name="SMC"> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Sophos Mobile Control\INSTALLATION\licence.sql"/> <CollectFiles 
path="%PROGRAMFILESX86%\Sophos\Sophos Mobile Control\jboss\server\mdm\deploy\*.xml"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Sophos Mobile Control\jboss\server\mdm\deploy\jbossweb-tomcat55.sar\*.xml"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Sophos Mobile Control\jboss\server\mdm\log\*.log"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Sophos Mobile Control\jboss\server\mdm\log\server.log\*.log"/> <CollectFiles path="%TEMP%\SMCSVC_install.log"/> <CollectFiles path="C:\smc_203_spc\*.log"/> </Product> <!-- Sophos Anti-Rootkit --> <Product name="SAR"> <CollectFiles path="%TEMP%\sar*.log"/> </Product> <!-- Source of Infection Tool --> <Product name="SOI"> <CollectFiles path="%TEMP%\Source of Infection*"/> </Product> <!-- Sophos Anti-Virus --> <Product name="SAV"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos Anti-Virus\Config\*.xml"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\SAV for NetApp\*.txt"/> <CollectFiles path="%SYSTEMDRIVE%\Documents and Settings\LocalService\Local Settings\Temp\Sophos*.txt"/> <CollectFiles path="%WINDIR%\ServiceProfiles\LocalService\AppData\Local\Temp\sophos*.txt"/> <CollectFiles path="%USERPROFILE%\Local Settings\Application Data\Sophos\Sophos Anti-Virus\*" recursive='true' age='365'/> <CollectFiles path="%USERPROFILE%\local settings\application data\Sophos\Sophos Anti-Virus\Config\user.xml"/> <CollectFiles path="%TEMP%\SophosOfficeAV_pid_*_Log.txt"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\Path' path="*.upd"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\Path' path="scf.dat"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\Path' path="vvf.xml"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SBE\Management tools\CIDShare' path="ESNT\svf.xml"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SBE\Management tools\CIDShare' path="SAVSCFXP\svf.xml"/> <!-- Component: Sophos Download Scanner (BHO) --> <CollectFiles 
path="%TEMP%\WebScanningTrace*.log"/> <CollectReg reg='HKEY_CLASSES_ROOT\AppID\SophosBHO.DLL'/> <CollectReg reg='HKEY_CLASSES_ROOT\AppID\{061CC07B-BA7A-44D1-81FA-D36BE1CE55D9}'/> <CollectReg reg='HKEY_CLASSES_ROOT\CLSID\{39EA7695-B3F2-4C44-A4BC-297ADA8FD235}'/> <CollectReg reg='HKEY_CLASSES_ROOT\SophosBHO.BrowserObject'/> <CollectReg reg='HKEY_CLASSES_ROOT\SophosBHO.BrowserObject.1'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SophosBHO.DLL'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{061CC07B-BA7A-44D1-81FA-D36BE1CE55D9}'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39EA7695-B3F2-4C44-A4BC-297ADA8FD235}'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SophosBHO.BrowserObject'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SophosBHO.BrowserObject.1'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' log="REG-IE-BHO.xml"/> </Product> <!-- Sophos Web Intelligence (component of SAV) --> <Product name="SWI"> <CollectFiles path="%SystemDrive%\Documents and Settings\LocalService\Local Settings\Temp\swisdiag.log"/> <CollectFiles path="%TEMP%\swi*.log"/> <CollectFiles path="%TEMP%\webintelligence.log"/> <CollectFiles path="%WINDIR%\ServiceProfiles\LocalService\AppData\Local\Temp\swisdiag.log"/> <CollectFiles path="%WINDIR%\Temp\swi*.log"/> <CollectFiles path="%WINDIR%\Temp\webintelligence.log"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\Path' path="Web Intelligence\scf.dat"/> </Product> <!-- Sophos Web Control (component of SAV) --> <Product name="SWC"> <CollectFiles path="%PROGRAMFILESX86%\Common Files\Sophos\Web Control\*"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Web Control\*" recursive='true'/> <CollectFiles path="%TEMP%\swc_*.log"/> <CollectFiles path="%WINDIR%\Temp\swc_*.log"/> </Product> <!-- Sophos Malicious Traffic Detector --> <Product name="MTD"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos 
Network Threat Protection\*" recursive="true" /> </Product> <!-- Sophos System Protection --> <Product name="SSP"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos System Protection\Config\*" recursive="true" /> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos System Protection\Data\feedback.dmp" /> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\BPALOGGING\File" path="*.log"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SystemProtection\LOG\File" path="*.log"/> </Product> <!-- Sophos AutoUpdate --> <Product name="SAU"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Certificates\AutoUpdate\*" recursive='true'/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path="Cache\*.map"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path="Cache\escdp.dat"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path="Cache\savxp\*.bat"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path="Cache\savxp\*.vbs"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path="Cache\savxp\sav.cfg"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path="Logs\*"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path='Config\*'/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path='DefaultConfig\*'/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path='data\machine_ID.txt'/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path='data\warehouse\catalogue\*.txt'/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path='data\warehouse\catalogue\*.xml'/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path='data\status\*'/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Installation Path" path="Logs\*" recursive='true'/> <CollectFiles 
reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Installation Path" path='Config\*.cfg'/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Data Path" path="Cache*.pem"/> </Product> <!-- Sophos Remote Management --> <Product name="RMS"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Remote Management System\*" recursive='true'/> <CollectFiles path="%TEMP%\ClientMrinit*.log"/> <CollectFiles path="%TEMP%\Createinitfile*.log"/> <CollectFiles path="%WINDIR%\TEMP\ClientMrinit*.log"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Remote Management System\ManagementAgent\ServiceHomeDir" path="svc.conf"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Remote Management System\ManagementAgent\ServiceHomeDir" path="cac.pem"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Remote Management System\ManagementAgent\ServiceHomeDir" path="mrinit*"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Remote Management System\ManagementAgent\ServiceHomeDir" path="scapi_config.txt "/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Remote Management System\ManagementAgent\ServiceHomeDir" path="scf.dat"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="cac.pem"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="mrinit.*"/> </Product> <!-- Sophos Client Firewall --> <Product name="SCF"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos Client Firewall\configuration.conf"/> <CollectFiles path="%SYSTEMDRIVE%\scf-*"/> <CollectFiles path="%USERPROFILE%\Local Settings\Application Data\Sophos\Sophos Client Firewall\*" age='365'/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos Client Firewall\Application\Path' path="scf.dat"/> </Product> <!-- Sophos Patch Agent --> <Product name="SPA"> <CollectFiles path="%PROGRAMFILESX86%\Sophos\SMC\PluginManager\Plugins\PatchPlugins\PatchEndpointCommunicator\PatchEndpointCommunicator.dll.config"/> </Product> <!-- Sophos Competitor Remove Tool 
--> <Product name="CRT"> <CollectFiles path="%TEMP%\avremove.log"/> <CollectFiles path="%WINDIR%\TEMP\avremove.log"/> </Product> <!-- Microsoft SQL --> <Product name="SQL"> <CollectFiles path="%PROGRAMFILESX86%\Microsoft SQL Server\MSSQL*\MSSQL\LOG\ERRORLOG*"/> <CollectFiles path="%PROGRAMFILES%\Microsoft SQL Server\MSSQL*\MSSQL\LOG\ERRORLOG*"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\SOPHOS\Setup\SQLPath" path="Log\Errorlog.*"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer' reglog="REG-HKLM-Software-MSSQLServer.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server' log="REG-HKLM-Software-MicrosoftSQLServer.xml"/> <SophosDataBaseInfo/> </Product> <!-- Sophos Enterprise Console --> <Product name="SEC"> <CollectFiles path="%PROGRAMDATA%\Sophos\Credential Store\*.log" age='365'/> <CollectFiles path="%PROGRAMDATA%\Sophos\Sophos Endpoint Management\log\*" recursive='true' age='365'/> <CollectFiles path="%APPDATA%\Sophos\Sophos Endpoint Management\*" recursive='true' age='365'/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Management Installer\*"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\ManagementServer\5.0\log\*" age='365'/> <CollectFiles path="%COMMON_APPDATA%\Sophos\ManagementServer\log\*" age='365'/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Remote Management System\3\CertificationManager\IssuedCert\CMIssuedCertificates.log" age='365'/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos Endpoint Management\*.log" recursive='true' age='365'/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos Endpoint Management\*.xml" recursive='true' age='365'/> <CollectFiles path="%LOCALAPPDATA%\Sophos\Sophos Endpoint Management\*" recursive='true' age='365'/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Enterprise Console\CertificationManager\IssuedCert\CMIssuedCertificates.log" age='365'/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Enterprise 
Console\CertificationManager\Logs\CertManager*.log" age='365'/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Enterprise Console\MetaData\*.xml" age='365'/> <CollectFiles path="%PROGRAMFILES%\Sophos\Enterprise Console\*.config" recursive='true'/> <CollectFiles path="%PROGRAMFILES%\Sophos\Enterprise Console\catalog\*.Plugin"/> <CollectFiles path="%SYSTEMDRIVE%\SECTracing.txt" age='365'/> <CollectFiles path="%TEMP%\ServerInit*.log" age='365'/> <CollectFiles path="%TEMP%\SetSvcFailAction*.log" age='365'/> <CollectFiles path="%TEMP%\Setup.exe.debug" age='365'/> <CollectFiles path="%TEMP%\setup.exe.debug.log" age='365'/> <CollectFiles path="%USERPROFILE%\Local Settings\Application Data\Sophos\Sophos Endpoint Management\*" recursive='true' age='365'/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="*.config" age='365'/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="DB\InstallDB.log" age='365'/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="Mgntsvc*.log" age='365'/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="Remote Management System\CertificationManager\IssuedCert\CMIssuedCertificates.log" age='365'/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="Remote Management System\CertificationManager\Logs\CertManager*.log" age='365'/> <ListFiles path="%COMMON_APPDATA%\Sophos\ManagementServer\Backup\*" log="SDU-ListFiles-SEC.xml"/> </Product> <!-- Sophos Update Manager --> <Product name="SUM"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP\*.xml"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP\cac.pem"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP\customer_ID.txt"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP\mrinit.*"/> <CollectFiles 
path="%COMMON_APPDATA%\Sophos\Update Manager\Update Manager\Warehouse\fileliststore.dat"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Update Manager\Update Manager\Warehouse\catalogue\*"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Update Manager\Working\Decoded-SDDM\*UpdaterLog.txt" recursive='true'/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Update Manager\Working\Decoded-SDDM\*\SUMSelfUpdaterLog.txt"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Update Manager\*.log"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Update Manager\*.xml"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Update Manager\*.xml~"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Update Manager\cac.pem"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Update Manager\mrinit.conf"/> <CollectFiles path="%TEMP%\SUM*.log"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}\InstallLocation' path="*.log"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}\InstallLocation' path="*.xml"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}\InstallLocation' path="*.xml~"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}\InstallLocation' path="cac.pem"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}\InstallLocation' path="machine_ID.txt"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}\InstallLocation' path="mrinit.*"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C7A82DB-69BC-4198-AC26-BB862F1BE4D0}\InstallLocation' path="scf.dat"/> <CollectFiles 
reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="SUM\*.log"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="SUM\*.xml"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="SUM\*.xml~"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="SUM\cac.pem"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="SUM\machine_ID.txt"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="SUM\mrinit.*"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="SUM\scf.dat"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="SUM_*.log"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\Management Tools\SumInstallDir' path="cac.pem"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\Management Tools\SumInstallDir' path="mrinit.*"/> </Product> <!-- Sophos Encryption --> <Product name="SENC"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos SafeGuard Installers\InstallCache\*.txt"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos SafeGuard Installers\InstallCache\*.xml"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos SafeGuard Installers\staging\*.txt"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Encryption\*.config"/> <CollectFiles path="%PROGRAMFILES%\Sophos\Encryption\*.config"/> <CollectFiles path="%WINDIR%\temp\SGNDE.LOG"/> <CollectFiles path='%PROGRAMFILESX86%\Sophos\Enterprise Console\*.xml'/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="*.xml"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="Catalog\*.Plugin"/> <CollectFiles reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\InstallDir' path="Plugins\EncryptionFEService\*.config"/> </Product> <!-- Sophos Patch Management --> <Product name="SPM"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Patch\ThirdParty\*.xml"/> <CollectFiles 
path="%COMMON_APPDATA%\Sophos\Patch\ThirdParty\Warehouse\*.xml"/> <CollectFiles path="%PROGRAMFILES%\Sophos\Patch\*.config" recursive='true'/> <CollectFiles path="%PROGRAMFILES%\Sophos\Patch\*.log"/> <CollectFiles path="%PROGRAMFILES%\sophos\Sophos Patch Agent\*.dat"/> <CollectFiles path="%PROGRAMFILES%\sophos\Sophos Patch Agent\*.log"/> </Product> <!-- Generalised Sophos Installer Logs --> <Product name="MSI"> <CollectFiles path="%TEMP%\Sophos*"/> <CollectFiles path="%WINDIR%\Temp\Sophos*"/> </Product> <!-- Sophos PureMessage for Exchange --> <Product name="PME"> <CollectFiles path="%SYSTEMDRIVE%\PMDEBUGLOGS\*"/> <CollectFiles path="%TEMP%\ICD*.tmp"/> <CollectFiles path="%TEMP%\MsiPureMessage*.log"/> <CollectFiles path="%TEMP%\PureMessage*.txt"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\MMex\InstallPath" path="Config\LastKnown\*.xml"/> <CollectFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\MMex\InstallPath" path="logs\*.log" maxsize="200"/> </Product> <!-- Sophos LanCrypt --> <Product name="LAN"> <CollectReg reg='HKEY_CURRENT_USER\Software\Utimaco' log="REG-HKCU-Software-Utimaco.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Utimaco' log="REG-HKLM-Software-Policies-Utimaco.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UTIMACO' log="REG-HKLM-System-CurrentControlSet-Utimaco.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\Software\Utimaco' log="REG-HKLM-Software-Utimaco.xml"/> </Product> <!-- Sophos Safeguard Enterprise --> <Product name="SGE"> <SafeGuardEnterprise/> <CollectFiles path="%COMMON_APPDATA%\Utimaco\SafeGuard Enterprise\Import\*" recursive='true'/> <CollectFiles path="%COMMON_APPDATA%\Utimaco\SafeGuard Enterprise\LocalCache\*" recursive='true'/> <CollectFiles path="%COMMON_APPDATA%\Utimaco\SafeGuard Enterprise\logfile.sgt"/> </Product> <!-- Sophos Computer Security Scan --> <Product name="SCSS"> <CollectFiles path="%SystemDrive%\Sophos\Computer Security Scan\Console.log"/> <CollectFiles 
path="%SystemDrive%\Sophos\Computer Security Scan\SCSS_Share\Config.ini"/> <CollectFiles path="%SystemDrive%\Sophos\Computer Security Scan\Report\Published\*.html"/> <CollectFiles path="%SystemDrive%\Sophos\Computer Security Scan\SUM\SUM_Status.xml"/> <CollectFiles path="%SystemDrive%\Sophos\Computer Security Scan\SUM\config.xml"/> <CollectFiles path="%SystemDrive%\Sophos\Computer Security Scan Client\config.ini"/> <CollectFiles path="%SystemDrive%\Sophos\Computer Security Scan Client\SCSSCLOG.txt"/> <CollectFiles path="%USERPROFILE%\local settings\temp\scssclog*.txt"/> </Product> <!-- Sophos Virtualisation Scan Controller --> <Product name="SVSC"> <CollectFiles path="%SystemDrive%\svsc_10\SavScanController.*"/> <CollectFiles path="%SystemDrive%\svsc_10\*.cfg"/> <CollectFiles path="%SystemDrive%\svsc_20\SavScanController.*"/> <CollectFiles path="%SystemDrive%\svsc_20\*.cfg"/> </Product> <!-- Sophos Lockdown --> <Product name="SLD"> <CollectFiles path="%COMMON_APPDATA%\Sophos\SLD\*" recursive='true'/> </Product> <!-- Sophos Health --> <Product name="HEALTH"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Health\Event Store\*" recursive='true'/> </Product> <!-- Sophos Endpoint Defense --> <Product name="SED"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Endpoint Defense\Config\*.conf"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Endpoint Defense\Config\*.dat"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Endpoint Defense\Config\*\*.dat"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Endpoint Defense\Data\Edr Saved Data\Backup\*.dat"/> <CollectFiles path="%COMMON_APPDATA%\Sophos\Endpoint Defense\Data\LuaTelemetry\*.dat"/> <CollectFiles path="%PROGRAMFILES%\Sophos\Endpoint Defense\SophosED.inf"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Endpoint Defense\SophosED.inf"/> </Product> <!-- Sophos Heartbeat --> <Product name="HBT"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Heartbeat\*" recursive='true'/> </Product> <!-- Sophos Update Cache --> <Product name="UC"> 
<CollectFiles path="%COMMON_APPDATA%\Sophos\UpdateCache\Config\*" /> <CollectFiles path="%COMMON_APPDATA%\Sophos\UpdateCache\Status\*" /> </Product> <!-- Sophos File Integrity Monitoring --> <Product name="FIM"> <CollectFiles path="%COMMON_APPDATA%\Sophos\File Integrity Monitoring\Config\*" /> </Product> <!-- Sophos HitmanPro.Alert --> <Product name="HMPA"> <CollectFiles path="%COMMON_APPDATA%\HitmanPro.Alert\*" recursive='true'/> <CollectFiles path="%PROGRAMFILES%\HitmanPro.Alert\integrity.dat"/> <CollectFiles path="%PROGRAMFILESX86%\HitmanPro.Alert\integrity.dat"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert' log="REG-HKLM-Software-HitmanProAlert.xml"/> </Product> <!-- Sophos Clean --> <Product name="CLEAN"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Clean\*" recursive='true'/> <CollectFiles path="%PROGRAMFILES%\Sophos\Clean\integrity.dat"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Clean\integrity.dat"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\SophosClean' log="REG-HKLM-Software-SophosClean.xml"/> </Product> <Product name="Safestore"> <ListFiles path='%PROGRAMFILESX86%\Sophos\Safestore\*' recursive='true' log="SDU-ListFiles-Safestore32-AllFiles.xml"/> <ListFiles path='%PROGRAMFILES%\Sophos\Safestore\*' recursive='true' log="SDU-ListFiles-Safestore64-AllFiles.xml"/> <ListFiles path='%COMMON_APPDATA%\Sophos\Safestore\*' log="SDU-ListFiles-Data-Safestore-Files.xml"/> </Product> <!-- Sophos UI --> <Product name="UI"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos UI\*" recursive='true'/> </Product> <!-- Sophos Message Relay --> <Product name="MR"> <CollectFiles path="%COMMON_APPDATA%\Sophos\MessageRelay\Config\*" /> <CollectFiles path="%COMMON_APPDATA%\Sophos\MessageRelay\Status\*" /> </Product> <!-- Sophos Policy Evaluation Tool --> <Product name="SPET"> <CollectFiles path="%PROGRAMDATA%\Sophos\Policy Evaluation Tool\Logs\*" recursive='true'/> </Product> <!-- Sophos Cloud Migration Tool --> <Product name="SCMT"> <CollectFiles 
path="%WINDIR%\Temp\scmt*.log"/> <CollectFiles path="%PROGRAMFILESX86%\Sophos\Cloud Migration Tool\*.config"/> <CollectFiles path="%PROGRAMFILES%\Sophos\Cloud Migration Tool\*.config"/> </Product> <!-- Sophos for Virtual Environments GVM --> <Product name="SVE-GVM"> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Sophos-SVE-*.evtx"/> <CollectFiles path="%SGVM_INSTALL_DIR%Sophos for Virtual Environments\SGVM Scanning Service\SGVMScanningServiceEtw.man"/> <CollectFiles path="%SGVM_INSTALL_DIR%Sophos for Virtual Environments\SGVM Scanning Service\SGVMScanningIntegrationServiceETW.man"/> <CollectFiles path="%SGVM_INSTALL_DIR%Sophos for Virtual Environments\SGVM Management Service\SGVMManagementServiceEtw.man"/> <CollectFiles path="%SGVM_INSTALL_DIR%Sophos for Virtual Environments\SGVM Deployment Service\SGVMDeploymentServiceEtw.man"/> </Product> <!-- Sophos MDR - renamed to MTR, remove when all customers have upgraded to MTR --> <Product name="MDR"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Managed Detection and Response\Config\*" /> <ListFiles path="%COMMON_APPDATA%\Sophos\Managed Detection and Response\Data\osquery.db\*" log="SDU-ListFiles-MDR-osquery.db.xml"/> </Product> <!-- Sophos MTR --> <Product name="MTR"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Managed Threat Response\Config\*" /> <ListFiles path="%COMMON_APPDATA%\Sophos\Managed Threat Response\Data\osquery.db\*" log="SDU-ListFiles-MTR-osquery.db.xml"/> </Product> <!-- Sophos LIVEQUERY --> <Product name="LIVEQUERY"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Live Query\Config\*" recursive="true"/> <ListFiles path="%COMMON_APPDATA%\Sophos\Live Query\*" recursive="true" log="SDU-ListFiles-LiveQuery-programdata.xml"/> </Product> <!-- Sophos AMSI Protection --> <Product name="AMSI"> <CollectFiles path="%COMMON_APPDATA%\Sophos\Sophos AMSI Protection\Logs\*" recursive='true'/> <CollectRegGroup log="REG-HKLM-Software-AMSI.xml"> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI' 
recursive='true'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19016286-87D5-4D51-A042-2A9C5CBB8D5F}' recursive='true'/> <!-- AMSI UAC COM registration --> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1889EA68-C4C9-4667-B7BB-27E8C9AA9BBB}' recursive='true'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1889EA68-C4C9-4667-B7BB-27E8C9AA9BBB}' recursive='true'/> </CollectRegGroup> </Product> </Section> <Section name="Collect System Information" option="sysinfo"> <msinfo/> <AuditPol/> <Bcdedit/> <Bios/> <Bootcfg/> <Driverquery/> <EnvVars log="SDU-Sysinfo-EnvVariables.xml"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Application.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Security.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\System.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Admin.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Windows Powershell.evtx"/> 
<CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Sophos Network Threat Protection Diagnostics.etl"/> <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\Sophos Cloud AD Sync.evtx"/> <CollectFiles path="%SYSTEMDRIVE%\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"/> <GroupPolicy/> <IpConfig/> <NetShares/> <NetStat/> <QueryLSPs/> <RouteTable/> <scqueryex/> <gathertelem/> <arp/> <assoc/> <ftype/> <net-firewall/> <net-filters/> <net-group/> <net-user/> <netsh-http/> <ntfs-security/> <openfiles/> <schtasks/> <sql-helplogins/> <sql-sysdbs/> <sql-validatelogins/> <sql-ver/> <sophosbkup/> <systeminfo/> <tasklist-modules/> <tasklist/> <tasklist-services /> <wmic/> <fltmc /> <manage-bde/> <!-- Malware registry keys --> <CollectRegGroup log="REG-Mal-Exeload.xml"> <CollectReg reg="HKEY_CLASSES_ROOT\.exe"/> <CollectReg reg="HKEY_CLASSES_ROOT\exefile"/> <CollectReg reg="HKEY_CURRENT_USER\Software\Classes\.exe"/> <CollectReg reg="HKEY_CURRENT_USER\Software\Classes\exefile"/> <CollectReg reg="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe"/> <CollectReg reg="HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command"/> <CollectReg reg="HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command"/> <CollectReg reg="HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command"/> <CollectReg reg="HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command"/> <CollectReg reg="HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Opera.exe\shell\open\command"/> </CollectRegGroup> <CollectRegGroup log="REG-Mal-IE.xml"> <CollectReg reg="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions"/> <CollectReg reg="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins"/> <CollectReg reg="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search"/> <CollectReg 
reg="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"/> </CollectRegGroup> <CollectReg reg="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" log="REG-Mal-HKLM-ImageFileExeOptions.xml"/> <CollectReg reg="HKEY_LOCAL_MACHINE\Software\Classes\.exe"/> <CollectReg reg="HKEY_LOCAL_MACHINE\Software\Classes\exefile"/> <CollectReg reg="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost" log="REG-Mal-HKLM-Svchost.xml"/> <CollectRegGroup log="REG-Mal-HKLM-Windows.xml"> <CollectReg reg="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"/> <CollectReg reg="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"/> </CollectRegGroup> <CollectRegGroup log="REG-Mal-Runkeys.xml"> <CollectReg reg='HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'/> <CollectReg reg='HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'/> <CollectReg reg='HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices'/> <CollectReg reg='HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'/> <CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages'/> <CollectReg reg='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'/> <CollectReg reg='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'/> <CollectReg reg='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'/> <CollectReg reg='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'/> <CollectReg reg='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices'/> <CollectReg 
reg='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'/> </CollectRegGroup> <!-- Malware file list --> <ListFilesGroup log="SDU-Mal-StartMenu-Startup.xml"> <ListFiles path='%ALLUSERSPROFILE%\Start Menu\Programs\Startup\*'/> <ListFiles path='%USERPROFILE%\Start Menu\Programs\Startup\*'/> <ListFiles path='%WINDIR%\Start Menu\Programs\Startup\*'/> </ListFilesGroup> <ListFiles path='%SYSTEMDRIVE%\*' log="SDU-Mal-ListFiles-systemdrive.xml"/> <ListFiles path='%WINDIR%\*' log="SDU-Mal-ListFiles-windir.xml"/> <ListFiles path='%WINDIR%\System32\*' log="SDU-Mal-ListFiles-winsys32.xml"/> <ListFiles path='%WINDIR%\System32\Drivers\*' log="SDU-Mal-ListFiles-windrivers.xml"/> <ListFiles path='%WINDIR%\Temp\*' log="SDU-Mal-ListFiles-wintemp.xml"/> <ListFiles path='%TEMP%\*' log="SDU-Mal-ListFiles-usertemp.xml"/> <ListFiles path='%APPDATA%' recursive='true' log="SDU-Mal-ListFiles-AppData.xml"/> <ListFiles path='%LOCALAPPDATA%' recursive='true' log="SDU-Mal-ListFiles-Local-AppData.xml"/> <!-- Malware file collection --> <CollectFiles path="%WINDIR%\System.ini" /> <CollectFiles path="%WINDIR%\win.ini"/> <CollectFiles path="%SystemDrive%\Autoexec.bat"/> <CollectFiles path="%SystemDrive%\config.sys"/> <!-- MSSQL --> <ListFiles path="%PROGRAMFILESX86%\Microsoft SQL Server\MSSQL*\DATA\*" log="SDU-ListFiles-MSSQL32-DATA.xml"/> <ListFiles path="%PROGRAMFILES%\Microsoft SQL Server\MSSQL*\DATA\*" log="SDU-ListFiles-MSSQL64-DATA.xml"/> <!-- ListFiles - SPA --> <ListFiles path='%PROGRAMFILES%\Sophos\Sophos Patch Agent\Assess\*' log="SDU-ListFiles-SophosPatchAgent-Assess.xml"/> <ListFiles path='%PROGRAMFILES%\Sophos\Sophos Patch Agent\Results\*' log="SDU-ListFiles-SophosPatchAgent-Results.xml"/> <!-- ListFiles - WEBC --> <ListFiles path='%COMMON_APPDATA%\Sophos\Web Control\Keys\*' log="SDU-ListFiles-WEBC-Keys.xml"/> <!-- ListFiles - SENC --> <ListFiles path='%PROGRAMFILESX86%\Sophos\SafeGuard Enterprise\MachCert\*' log="SDU-ListFiles-SGN-MachCert.xml"/> <ListFiles 
path='%PROGRAMFILESX86%\Sophos\SafeGuard Enterprise\Import\*' log="SDU-ListFiles-SGN-Import.xml"/> <!-- ListFiles - RMS --> <ListFiles path='%COMMON_APPDATA%\Sophos\Remote Management System\3\Router\Envelopes\*' log="SDU-ListFiles-Envelopes.xml"/> <ListFiles path='%COMMON_APPDATA%\Sophos\Remote Management System\3\Agent\AdapterStorage\*\*' log="SDU-ListFiles-RMS-AdapterStorage.xml"/> <!-- ListFiles - SAU --> <ListFiles path='%PROGRAMFILESX86%\Sophos\AutoUpdate\*' log="SDU-ListFiles-SAU-AllFiles.xml"/> <!-- ListFiles - SAV --> <ListFiles path='%PROGRAMFILESX86%\Sophos\Sophos Anti-Virus\*' log="SDU-ListFiles-SAV-AllFiles.xml"/> <ListFiles reg="HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos Network Threat Protection\Application\Path" path="*" recursive="true" log="SDU-ListFiles-MTD-AllFiles.xml"/> <!-- ListFiles - SED --> <ListFiles path='%PROGRAMFILESX86%\Sophos\Endpoint Defense\*' recursive='true' log="SDU-ListFiles-SED-PROGRAMFILES32.xml"/> <ListFiles path='%PROGRAMFILES%\Sophos\Endpoint Defense\*' recursive='true' log="SDU-ListFiles-SED-PROGRAMFILES64.xml"/> <ListFiles path='%PROGRAMDATA%\Sophos\Endpoint Defense\*' recursive='true' log="SDU-ListFiles-SED-DataFiles.xml"/> <!-- ListFiles - SLD --> <ListFiles path='%PROGRAMFILES%\Sophos\SLD\*' checksums="true" recursive="true" log="SDU-ListFiles-SLD-AllFiles.xml" /> <!-- ListFiles - UC --> <ListFiles path='%PROGRAMFILES%\Sophos\UpdateCache\*' log="SDU-ListFiles-UC-AllFiles.xml" /> <!-- ListFiles - DB Backup --> <ListFiles path='%COMMON_APPDATA%\Sophos\ManagementServer\Backup\*' log="SDU-ListFiles-DB-Backup-Files.xml"/> <!-- ListFiles - Patch - Third Party --> <ListFiles path='%ALLUSERPROFILE%\Start Menu\Programs\Startup\*' log="SDU-Mal-StartMenu-Startup.xml"/> <!-- ListFiles - HMPA --> <ListFiles path='%PROGRAMFILESX86%\HitmanPro.Alert\*' recursive='true' log="SDU-ListFiles-HMPA-AllFiles.xml"/> <!-- ListFiles - CLEAN --> <ListFiles path='%PROGRAMFILESX86%\Sophos\Clean\*' recursive='true' 
log="SDU-ListFiles-CLEAN32-AllFiles.xml"/> <ListFiles path='%PROGRAMFILES%\Sophos\Clean\*' recursive='true' log="SDU-ListFiles-CLEAN64-AllFiles.xml"/> <!-- ListFiles - UI --> <ListFiles path='%PROGRAMFILESX86%\Sophos\Sophos UI\*' recursive='true' log="SDU-ListFiles-SophosUI32-AllFiles.xml"/> <ListFiles path='%PROGRAMFILES%\Sophos\Sophos UI\*' recursive='true' log="SDU-ListFiles-SophosUI64-AllFiles.xml"/> <!-- ListFiles - MR --> <ListFiles path='%PROGRAMFILES%\Sophos\MessageRelay\*' recursive='true' log="SDU-ListFiles-MR-AllFiles.xml"/> <!-- General Windows files --> <CollectFiles path='%COMMON_APPDATA%\Microsoft\Dr Watson\*.log'/> <CollectFiles path='%LOCALAPPDATA%\Microsoft\Windows\WER\ReportArchive\AppCrash_Savservice*\*'/> <CollectFiles path='%LOCALAPPDATA%\Microsoft\Windows\WER\ReportArchive\AppHang_Savservice*\*'/> <CollectFiles path='%LOCALAPPDATA%\Microsoft\Windows\WER\ReportArchive\Report*'/> <CollectFiles path='%WINDIR%\Debug\NetSetup.log'/> <CollectFiles path='%WINDIR%\Debug\Netlogon.log'/> <CollectFiles path='%WINDIR%\Debug\UserMode\Userenv.log'/> <CollectFiles path='%WINDIR%\Debug\mrt.log'/> <CollectFiles path='%WINDIR%\DirectX.log'/> <CollectFiles path='%WINDIR%\Inf\setupapi.app.log'/> <CollectFiles path='%WINDIR%\Inf\setupapi.dev.log'/> <CollectFiles path='%WINDIR%\Inf\setupapi.setup.log'/> <CollectFiles path='%WINDIR%\PFRO.log'/> <CollectFiles path='%WINDIR%\Schedlgu.txt'/> <CollectFiles path='%WINDIR%\Security\winlogon.log'/> <CollectFiles path='%WINDIR%\system32\drivers\etc\hosts'/> <CollectFiles path='%WINDIR%\System32\drivers\etc\lmhosts'/> <CollectFiles path='%WINDIR%\System32\drivers\etc\networks'/> <CollectFiles path='%WINDIR%\System32\drivers\etc\protocol'/> <CollectFiles path='%WINDIR%\System32\drivers\etc\services'/> <CollectFiles path='%WINDIR%\Tasks\*.job'/> <CollectFiles path='%WINDIR%\Windowsupdate.log'/> <CollectFiles path='%WINDIR%\inf\iereset.inf'/> <CollectFiles path='%WINDIR%\msmqinst.log'/> <CollectFiles 
path='%WINDIR%\pfirewall.log'/> <CollectFiles path='%WINDIR%\setupapi.log'/> <!-- General Windows Registry --> <CollectReg reg='HKEY_CLASSES_ROOT\*\shellex' log="REG-HKCR-ALL-shellex.xml"/> <CollectReg reg='HKEY_CLASSES_ROOT\Directory' log="REG-HKCR-Directory.xml"/> <CollectReg reg='HKEY_CLASSES_ROOT\Drive' log="REG-HKCR-Drive.xml"/> <CollectReg reg='HKEY_CLASSES_ROOT\Folder' log="REG-HKCR-Folder.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions' log="REG-HKLM-Software-Microsoft-Windows-CurrentVersion-ShellExt.xml"/> <CollectReg reg='HKEY_CLASSES_ROOT\Installer\Products' log="REG-HKCU-Installer-Products.xml"/> <CollectReg reg='HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer' log="REG-HKCU-Software-MS-IE.xml"/> <CollectReg reg='HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion' log="REG-HKCU-Software-WindowsNT-CurrentVersion.xml"/> <CollectReg reg='HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' log="REG-HKCU-Software-MS-WIN-IESettings.xml"/> <CollectReg reg='HKEY_CURRENT_USER\SOFTWARE\Policies' log="REG-HKCU-Software-Policies.xml"/> <CollectReg reg='HKEY_CURRENT_USER\SOFTWARE\Sophos' log="REG-HKCU-Software-Sophos.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components' log="REG-HKLM-Software-Classes-Installer-Components.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies' log="REG-HKLM-Software-Classes-Installer-Dependencies.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features' log="REG-HKLM-Software-Classes-Installer-Features.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Patches' log="REG-HKLM-Software-Classes-Installer-Patches.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products' log="REG-HKLM-Software-Classes-Installer-Products.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes' 
log="REG-HKLM-Software-Classes-Installer-UpgradeCodes.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing' log="REG-HKLM-Software-Microsoft-DriverSigning.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer' log="REG-HKLM-Software-IE.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetworkAccessProtection' log="REG-HKLM-Software-Microsoft-DriverSigning.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc' log="REG-HKLM-Software-Microsoft-RPC.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center' log="REG-HKLM-Software-Microsoft-SecurityCenter.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug' log="REG-HKLM-Software-MS-WinNT-CVer-AeDebug.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards' log="REG-HKLM-Software-MS-WinNT-CVer-NetworkCards.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerHwIdStorage' log="REG-HKLM-Software-MS-WinNT-CVer-PerHwIdStorage.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' log="REG-HKLM-Software-MS-WinNT-CVer-Svchost.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' log="REG-HKLM-Software-MS-WinNT-CVer-SystemRestore.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' log="REG-HKLM-Software-MS-WinNT-CVer-Windows.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' log="REG-HKLM-Software-MS-WinNT-CVer.xml-Winlogon.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers' log="REG-HKLM-Software-MS-Win-CVer-Auth.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 
log="REG-HKLM-Software-MSWin-CurrentVersion-Explorer.xml" /> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy' log="REG-HKLM-Software-MSWin-CurrentVersion-GroupPolicy.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' log="REG-HKLM-Software-MSWin-CurrentVersion-InternetSettings.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup' log="REG-HKLM-Software-MSWin-CurrentVersion-Setup.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' log="REG-HKLM-Software-Uninstall.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' log="REG-HKLM-Software-MSWin-CurrentVersion-WindowsUpdate.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies' log="REG-HKLM-Software-MSWin-CurrentVersion-Policies.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx' log="REG-HKLM-Software-MSWin-CurrentVersion-DIFx.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFxApp' log="REG-HKLM-Software-MSWin-CurrentVersion-DIFxApp.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Policies' log="REG-HKLM-Software-Policies.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SOFTWARE\Sophos' log="REG-HKLM-Software-Sophos.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl' log="REG-HKLM-System-Control-CrashControl.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem' log="REG-HKLM-System-Control-FileSystem.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList' log="REG-HKLM-System-Control-GroupOrderList.xml"/> <CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' log="REG-HKLM-System-Control-LSA.xml"/> <CollectReg 
reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network' log="REG-HKLM-System-Control-Network.xml"/>
<CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot' log="REG-HKLM-System-Control-SecureBoot.xml"/>
<CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager' log="REG-HKLM-System-Control-SessionManager.xml"/>
<CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows' log="REG-HKLM-System-Control-Windows.xml"/>
<CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum' log="REG-HKLM-System-Enum.xml"/>
<CollectReg reg='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services' log="REG-HKLM-System-Services.xml"/>
<!-- Driver store listing taken with checksums, so the files under DRVSTORE can be compared against known-good hashes -->
<ListFiles path='%WINDIR%\System32\DRVSTORE\*' checksums="true" recursive="true" log="SDU-ListFiles-System32-DRVSTORE.xml"/>
<!-- List any dmp files we can find in \Windows or \Windows\minidump -->
<ListFilesGroup log="SDU-ListFiles-Dumps.xml">
  <ListFiles path='%SYSTEMROOT%\*.dmp'/>
  <ListFiles path='%SYSTEMROOT%\minidump\*'/>
</ListFilesGroup>
<!-- Sophos Cloud AD Sync -->
<ListFiles path='%COMMON_APPDATA%\Sophos\Sophos Cloud AD Sync\*' log="SDU-ListFiles-SophosCloudADSync.xml"/>
<!-- NOTE(review): several entries earlier in this section look like copy/paste slips and should be confirmed:
     the "Patch - Third Party" ListFiles uses %ALLUSERPROFILE% (the StartMenu group uses %ALLUSERSPROFILE%)
     and reuses the log name SDU-Mal-StartMenu-Startup.xml; the NetworkAccessProtection CollectReg writes to
     REG-HKLM-Software-Microsoft-DriverSigning.xml, the same log as the Driver Signing key; the Installer\Products
     key under HKEY_CLASSES_ROOT is logged under an HKCU name; the Winlogon log name embeds ".xml" twice; and the
     Svchost, Windows and Winlogon keys are collected twice under different log names. Where two entries share a
     log name, presumably one output overwrites or collides with the other. -->
</Section>
<!-- Deep forensics (enabled via option="forensics"): raw HKLM hives, Windows execution and usage artefacts
     (Amcache, appraiser, Prefetch, event logs, SRUM, crash dumps, WER reports), the Sophos SafeStore, and
     per-user registry hives plus browser data. Much of this is sensitive: NTUSER.DAT, WebCacheV01.dat and the
     Cookies/History databases presumably hold live browser sessions and personal browsing history, so the
     resulting bundle should be handled as credential-equivalent data in transit and at rest. -->
<Section name="Collect Deep Forensics" option="forensics">
  <!-- Whole-hive exports; reg64/reg32 presumably select the 64-bit and 32-bit (WOW64) views of SOFTWARE -->
  <ExportReg reg64="HKEY_LOCAL_MACHINE\SYSTEM" log="HKLM_SYSTEM.hiv"/>
  <ExportReg reg64="HKEY_LOCAL_MACHINE\SOFTWARE" log="HKLM_SOFTWARE_64.hiv"/>
  <ExportReg reg32="HKEY_LOCAL_MACHINE\SOFTWARE" log="HKLM_SOFTWARE_32.hiv"/>
  <!-- Program-execution evidence -->
  <CollectFiles path="%SYSTEMROOT%\appcompat\Programs\amcache.hve"/>
  <CollectFiles path="%SYSTEMROOT%\appcompat\Programs\amcache.hve.LOG1"/>
  <CollectFiles path="%SYSTEMROOT%\appcompat\Programs\Install\*.txt"/>
  <CollectFiles path="%SYSTEMROOT%\appcompat\appraiser\*" recursive="true"/>
  <CollectFiles path="%SYSTEMROOT%\Prefetch\*" recursive='true'/>
  <!-- Every Windows event log channel, not only the Sophos channels collected in the section above -->
  <CollectFiles path="%SYSTEMROOT%\System32\winevt\Logs\*" recursive="true"/>
  <!-- NOTE(review): presumably the SafeStore quarantine; if it holds detected samples the bundle will carry them,
       so confirm they are kept in a neutralised form before this is shipped -->
  <CollectFiles path="%COMMON_APPDATA%\Sophos\SafeStore\*" recursive="true"/>
  <CollectFiles path="%SYSTEMROOT%\System32\sru\SRUDB.DAT"/>
  <!-- NOTE(review): the section above uses %SYSTEMROOT%\minidump (singular); "minidumps" here looks like a typo
       and may collect nothing; confirm -->
  <CollectFiles path="%SYSTEMROOT%\minidumps\*"/>
  <CollectFiles path="%LOCALAPPDATA%\CrashDumps\*"/>
  <CollectFiles path="%PROGRAMDATA%\Microsoft\Windows\WER\*" recursive="true"/>
  <!-- Per-user artefacts; %USER_SID%, %USER_HOME% and %USER_NAME% are presumably substituted once per profile -->
  <ForEachUser>
    <!-- NOTE(review): unlike the HKLM exports above, log here is a full path rather than a bare output name; confirm intended -->
    <ExportReg reg64="HKU\%USER_SID%" path="%USER_HOME%\NTUSER.DAT" log="%USER_HOME%\NTUSER.DAT"/>
    <CollectFiles path="%USER_HOME%\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db"/>
    <CollectFiles path="%USER_HOME%\AppData\Local\ConnectedDevicesPlatform\L.%USER_NAME%\ActivitiesCache.db"/>
    <CollectFiles path="%USER_HOME%\AppData\Roaming\Microsoft\Windows\Recent\*"/>
    <!-- Microsoft Edge v44- (prior to Edge Chromium) -->
    <CollectFiles path="%USER_HOME%\AppData\Local\Packages\Microsoft.MicrosoftEdge_*\AC\MicrosoftEdge\User\Default\Favorites\*" recursive="true" />
    <CollectFiles path="%USER_HOME%\AppData\Local\Packages\Microsoft.MicrosoftEdge_*\AC\MicrosoftEdge\User\Default\Recovery\*" recursive="true" />
    <CollectFiles path="%USER_HOME%\AppData\Local\Packages\Microsoft.MicrosoftEdge_*\AC\MicrosoftEdge\User\Default\DataStore\*" recursive="true" />
    <CollectFiles path="%USER_HOME%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" />
    <!-- Microsoft Edge v79+ (Edge Chromium) -->
    <CollectFiles path="%USER_HOME%\AppData\Local\Microsoft\Edge*\User Data\Default\Bookmarks" />
    <CollectFiles path="%USER_HOME%\AppData\Local\Microsoft\Edge*\User Data\Default\Cookies" />
    <CollectFiles path="%USER_HOME%\AppData\Local\Microsoft\Edge*\User Data\Default\History" />
    <!-- Google Chrome -->
    <CollectFiles path="%USER_HOME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks" />
    <CollectFiles path="%USER_HOME%\AppData\Local\Google\Chrome\User Data\Default\Cookies" />
    <CollectFiles path="%USER_HOME%\AppData\Local\Google\Chrome\User Data\Default\History" />
    <!-- Only the Default profile and "Profile N" folders are covered; other profile directory names are not collected -->
    <CollectFiles path="%USER_HOME%\AppData\Local\Google\Chrome\User Data\Profile *\Bookmarks" />
    <CollectFiles path="%USER_HOME%\AppData\Local\Google\Chrome\User Data\Profile *\Cookies" />
    <CollectFiles path="%USER_HOME%\AppData\Local\Google\Chrome\User Data\Profile *\History" />
  </ForEachUser>
</Section>
</DiagConfig>