This article provides an overview of the processes used by the different 'Discover Computers' methods available in the Sophos Enterprise Console.
Applies to the following Sophos product(s) and version(s)
Sophos Enterprise Console - Discover Computers
The following options are available for selection when choosing the 'Discover computers' option within Sophos Enterprise Console:
The following explains the processes used by each of these options.
Import from Active Directory (recommended)
This option utilizes LDAP to search Active Directory for the computers/containers specified within the wizard. LDAP operations run which search, list and retrieve the domains, containers and computers found. The logged on credentials are used to bind to AD and perform these operations.
Further detailed information
- An LDAP_SCOPE_BASE (Search the base entry only) operation is performed (this is part of the ldap_search_init_page Function)
- This gets the domain name values
- A further LDAP_SCOPE_BASE operation is performed but this time against the domain
- The LDAP port (389) is initialized and a set of LDAP_OPT functions (set options) are applied
- An AD bind is then performed with the logged on credentials
- A further LDAP_SCOPE_BASE operation is performed using these credentials
- An LDAP_SCOPE_ONELEVEL (Search all entries in the first level below the base entry, excluding the base entry) operation is then performed
- This gets the container values until there are no more entries. It then abandons the search
The above is all actioned by the EnterpriseConsole.exe process
Discover with Active Directory
This options utilises LDAP to search Active Directory for computers. LDAP operations run which search and return any computers found. This is done using the machine$ account.
Further detailed information
The wizard gives the option of supplying credentials or skipping. However, either option will still use the machine$ account to perform the operation.
- A bind to the global catalogue is performed using the ADSOpenObject Function:
- An LDAP search is then performed which returns the domains list. (This appears as part of the wizard where a domain can be selected)
- A connection is then made to the domain on port 389
- An LDAP query is then performed against the domain using the ExecuteSearch function:
This performs the following:
LDAP_SCOPE_BASE (Search the base entry only)
LDAP_SCOPE_SUBTREE (Search the base entry and all entries in the tree below the base)
This returns all machines with their attributes
- If this fails a GC query will be performed in the same way.
- Once no more results are returned it abandons the search and SEC will show the found machines
The above is all actioned by the MgntSvc.exe process
Discover on the network Basic information
A Microsoft API is used to interrogate the available domains using the credentials specified Further detailed information
- If credentials are supplied the 'Discover' will be performed using these credentials. If no credentials are specified a NULL set of credentials are used
- A WNet function is then used to determine a list of available domains seen on the network:
- After choosing the Domain a further WNet function is used to determine machines within that domain. At this point no credentials are used to retrieve this information
Discover by IP range
For further information on discovering computers by IP range see article 16436