Server Policy Override Problem

Has anyone else had the 'Override Sophos Central Policy for up to 4 hours to troubleshoot' not work on a server OS (in our case it is 2012 R2)? We disabled Real Time Scanning while performing a large data move, but found out that the scanner re-enabled itself after 10 minutes. I am concerned that this is a serious bug in the software and will hamper our ability to migrate this data.



This thread was automatically locked due to age.
  • Jak,

    It appears that the timestamps in the file(s) are not local time - do you know if it is GMT?

    Thank you,

    Keith

  • They are UTC.

    At least the Z at the end typically denotes this.

    Regards,

    Jak

  • If a policy (e.g. SAV) is sent down from Central, in:


    C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs\McsClient.log

    You would see the line:

    2017-08-22T15:04:25.608Z [ 5048] INFO  SAV policy queued -> 20170822150425-0003-policy-SAV.xml

    The local cached policy file would also be updated, i.e. the date modified timestamp here should also match up:

    C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig

    Regards,

    Jak

  • I see this in the logs:

    INFO  SWC policy queued -> 20170822141132-0008-policy-SWC.xml

    A few minutes ago I also received this (it matched the server in question):

    Sophos Central Event Details for <companyname>

    What happened: A computer does not comply with the Sophos Central policy you applied to it.

    Where it happened: <servername>

    User associated with device: n/a

    How severe it is: Medium

    What Sophos has done so far: We tried to reapply the policy.

    What you need to do: Go to the computer to check that it is turned on and connected to the internet. If it is and the problem persists, re-protect the computer.

    It seems OK now, but I don't like that the override was initially overridden.

  • SWC = Sophos Web Control.  So a policy was sent for this component.  

    If you have a scheduled web c policy, this wouldn't require a policy to be sent as the policy has the times within it.

    An update to the global website management options under:

    https://cloud.sophos.com/manage/server/config/settings/websites-tagged

    ...would cause a policy to be sent.  

    For an endpoint rather than server, if a different user logs in, and that user has a different policy assigned, that would cause a policy to be sent as the user logs in.  I don't think this user model applies to servers.

    Regards,

    Jak
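
The log check described in the replies above, as an added example that is not part of the original thread and not Sophos code: it pulls the "policy queued" lines out of McsClient.log text, treats the `Z` timestamps as UTC, and lists which policies arrived inside a 4-hour override window given in local time. The override start time, the UTC-5 offset, the filler log line, and the fallback to the 14-digit filename prefix are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the two "policy queued" lines quoted in the thread
# (the second was posted without its timestamp prefix) plus one filler line.
SAMPLE_LOG = """\
2017-08-22T15:04:25.608Z [ 5048] INFO  SAV policy queued -> 20170822150425-0003-policy-SAV.xml
INFO  SWC policy queued -> 20170822141132-0008-policy-SWC.xml
2017-08-22T15:10:00.000Z [ 5048] INFO  constructed line with no policy event
"""

LINE_RE = re.compile(
    r"(?:(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?)Z\s+\[\s*\d+\]\s+)?"
    r"INFO\s+(?P<comp>\w+) policy queued -> "
    r"(?P<file>(?P<stamp>\d{14})-\d+-policy-\w+\.xml)"
)


def parse_policy_events(text):
    """Return (utc_time, component, policy_file) for each 'policy queued' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m.group("ts"):
            when = datetime.fromisoformat(m.group("ts"))
        else:
            # Assumption: the 14-digit filename prefix is the same UTC time,
            # as it is in the one fully timestamped line in the thread.
            when = datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S")
        events.append((when.replace(tzinfo=timezone.utc), m.group("comp"), m.group("file")))
    return sorted(events)


def queued_during_override(events, start_local, hours=4):
    """Policies that arrived inside the override window; start_local is tz-aware."""
    end = start_local + timedelta(hours=hours)
    return [(t.astimezone(start_local.tzinfo), comp, name)
            for t, comp, name in events if start_local <= t <= end]


if __name__ == "__main__":
    # Constructed: override switched on at 09:00 local on a server at UTC-5.
    local = timezone(timedelta(hours=-5))
    start = datetime(2017, 8, 22, 9, 0, tzinfo=local)
    for t, comp, name in queued_during_override(parse_policy_events(SAMPLE_LOG), start):
        print(f"{t:%Y-%m-%d %H:%M:%S} local  +{t - start}  {comp:4} {name}")
```

To run it against a real log, pass the contents of McsClient.log to `parse_policy_events` in place of `SAMPLE_LOG` and set the start time and offset to match the server.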