
Sophos Synchronization and correct identification of clients without Sophos

What checks does 'Sophos Synchronization' go through in determining that a client does not have Sophos installed before pushing out the installation? The reason I ask is: We have some systems that do not have any EXEs or DLLs associated with Sophos, but have Sophos directories. Not sure how they got into that state in the first place.

Those systems have the Sophos Agent service in 'Running' state, and the 'Sophos Anti-Virus' and 'Sophos Status Report' services in stopped state. Trying to start the latter two services errors out (as expected) with the following message:

"Could not start the Sophos Anti-Virus service on Local Computer. Error 2: The system cannot find the file specified"

Because these systems do not have a complete and working installation of Sophos, these should be correctly identified by the Synchronization or whatever process that checks the installation status. Because of the lack of accurate information resulting from these limitations, we are incorrectly interpreting systems that have Sophos services disabled due to users' action. 

Can someone shed some light into this? Thanks. 



This thread was automatically locked due to age.
  • Hello milank,

    do you mean Synchronize with AD and automatic protection?

    There's no magic and no sophisticated technology involved. If a client "appears" in a sync'ed OU and was previously unknown to SEC, one (and only one) attempt is made to install the software. Unknown means that the client has never reported to SEC and no attempt has been made to protect it. That is, if you move a client to a sync'ed OU and installation fails and you then remove it, delete it from SEC and then move it back into the OU, protection will not be re-attempted (as it is already in the database but with the deleted flag, so you just didn't see it). What is on the client isn't checked though and does not matter. Thus installation will be attempted on a client with the standalone version or a managed version from a different management server running.

    HTH

    Christian

  • OK. It helped to know that Synchronization does not attempt to push the installation more than once.

    In that case, what is Sophos' recommended method to identify and deal with systems that have a corrupted or non-functioning installation? Is there a detection mechanism that distinguishes which systems have Sophos installed and operational vs which don't, other than the 'policy compliance' and 'Update details' that are specific to signature update and policy compliance progress status? Thanks.

  • There is no single indication of "problem clients" (yet) but it's not too hard to identify them:

    First, if a client doesn't appear as managed (i.e. it is greyed out) and there is no protection error indicator, then likely it was "known" in the past, wasn't managed at this time and automatic protection hasn't been attempted (again). In this case attempt to manually Protect computers.

    Managed computers should appear as connected (i.e. without the red X) when they are turned on. SEC has no way to check whether a computer is turned on or not. In addition it doesn't indicate whether a client's RMS has attempted to communicate but has failed to log on, or just hasn't contacted the server at all. As sometimes a client can appear as connected but no longer "talks" to the server, it's a good idea to check the Last message received column (can be sorted) in the Computer Details tab.

    Additionally SEC offers several filters to list clients with potential problems.

    HTH for a start. Feel free to ask if something is not clear.

    Christian

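The SEC-side filters Christian describes work from what the client reports; they cannot see the state the original post describes, where the services are still registered but their executables are gone (the "Error 2" case). A client-side check fills that gap. The script below is an added example, not code from this thread or from Sophos: it queries Win32_Service for every service whose display name starts with "Sophos", resolves the executable from the service's command line, and reports which ones have no binary on disk versus which are merely stopped. The function names (Get-ServiceBinaryPath, Test-SophosServiceHealth) and the "Sophos" display-name prefix are assumptions for this example.

```powershell
# Added example (not from the thread or from Sophos). Assumes Windows PowerShell 3+ with
# rights to query services locally. Display names are matched on the prefix 'Sophos'
# (assumption: this covers 'Sophos Agent', 'Sophos Anti-Virus' and 'Sophos Status Report').

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName is the service command line, in one of two shapes:
    #   "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe"   (quoted, may have args)
    #   C:\Windows\system32\svchost.exe -k netsvcs                    (unquoted, with args)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: take the shortest leading prefix that ends in .exe, so paths with spaces survive
    $m = [regex]::Match($p, '(?i)^(.+?\.exe)(\s|$)')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Test-SophosServiceHealth {
    param([string]$DisplayNamePrefix = 'Sophos')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like "$DisplayNamePrefix*" } |
        ForEach-Object {
            $exe = Get-ServiceBinaryPath -PathName $_.PathName
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Service      = $_.Name
                DisplayName  = $_.DisplayName
                State        = $_.State
                StartMode    = $_.StartMode
                BinaryPath   = $exe
                BinaryExists = if ($exe) { Test-Path -LiteralPath $exe -PathType Leaf } else { $false }
            }
        }
}

$report = Test-SophosServiceHealth

# Registered but with no executable on disk: the incomplete installation from the original post
$broken  = $report | Where-Object { -not $_.BinaryExists }
# Binary present but the service is not running: more likely a stop/disable than a broken install
$stopped = $report | Where-Object { $_.BinaryExists -and $_.State -ne 'Running' }

$report | Format-Table -AutoSize
if ($broken)  { Write-Warning "Incomplete Sophos installation, binaries missing for: $($broken.Service -join ', ')" }
if ($stopped) { Write-Warning "Sophos services present but not running: $($stopped.Service -join ', ')" }
```

Running Test-SophosServiceHealth through Invoke-Command against a list of hosts returns one row per service with the ComputerName field filled in, so the two categories can be sorted out across the estate: hosts with BinaryExists false need a reinstall, while hosts that are only stopped are the user-action case the original post wanted to keep separate.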