This discussion has been locked.

Sophos Central AV - Scan Exceptions

As I implemented Sophos Central Antivirus, several customers missed the feature to allow users to exclude their own processes / files or folders.

In an admin environment, this missing feature results in high time consumption on the Sophos Central admin side.

Also, you do not see what is already excluded on the local client side...

That is really a problem for some of our customers, and results in non-acceptance of this product!

regards

Matthias



This thread was automatically locked due to age.
  • Hello Matthias,

    as Central more or less obviously implies it's a centrally managed product. Furthermore it's best practice that endpoint users can't make and implement their own decisions about what must be excluded, when to disable protection, and generally what settings should be made.
    Central is perhaps not the right product for environments where users have to make such (hopefully informed) decisions.

    "you do not see, what is already excluded on local client side"
    collecting changes would defeat the purpose of central management - even if you argue that it is for subsequent approval or inclusion in a central policy. If local exclusions are never contested - what's the purpose of central management? If OTOH certain local exclusions could be considered unacceptable - how would you enforce this?

    Christian 

  • Dear Christian

    Some customers have used Endpoint Protection on-premises before, where the feature was implemented as described, and it was also a centrally managed Sophos product!

    So it was / is possible to set their own settings, if required!

    And additional settings should not be overwritten by an actual policy set, only if you enforce the policy again from the console.

    My proposal is the following:

    1. You can define policies that would always be enforced and overrule any other manual settings.

    2. You can set settings as a base for a user / device group, with the possibility to change some settings on the local side - like for admin users, who should know what they do.

    3. For all other users, the base settings are enforced.

    The suggestion to see what is set locally on the client side would improve admin troubleshooting in large environments when strange things go on.

    And, unfortunately, the Intercept X module is only implemented on the Central AV; that's the reason why some customers are switching to this product right now.

    regards

    Matthias

  • Hello Matthias,

    "it was / is possible [with SESC]"
    correct, but Central isn't simply SEC in the cloud, it's a seemingly slightly but actually significantly different approach. MCS isn't RMS, policy compliance is automatically enforced, a per-user concept exists, (enhanced) Tamper Protection is enabled, and so on.

    "admin users they should know what they do"
    when it comes to AV the knowledge is often pathetic

    "improve the admin troubleshooting"
    the only troubles an exception/exclusion can make is that the endpoint gets infected
    :)

    "Intercept X Module is only implemented on the Central AV"
    Exploit Prevention is available for SESC, no Heartbeat and no Root Cause Analysis though (the former is anyway of very limited use if users can make their own settings)

    (By the way, typically Austrian: absolute protection, but everyone should be able to do what they think is right, and afterwards it's someone else's fault :D).

    Of course, the customer is always right. Dunno if it is really part of Sophos' strategy, but IMO Central is also a means to convey (and mildly enforce) good practice. In some aspects Sophos (reluctantly) gave in, added some long-sought features like System Variables in exclusions or provided an interface to existing ones (process exclusions). In return they make their point more or less subtly by withholding other features.

    Just my 2 cents
    Christian