
Need help with Sophos Endpoint Protection 10

Dear developers, please tell me how to implement the means Sophos, a moment ...

On a PC locally installed Sophos Endpoint Protection 10, and a user who works on this PC has administrator privileges, they can not be lower ... he is an administrator on the PC, how to realize that it can not change, delete files from the folder c:\Program Files\Sophos\, as well as he could formally updated with the website?

  • Hello iStalk,

    I hope I understood you correctly (can't suggest you pose your question in Russian). You can't protect a machine from a local administrator unless in a domain environment. This begs the question why both of these are necessary - the user being an administrator and the need to secure the Sophos installation. Am I right that this is in addition an unmanaged installation?

    Christian

  • Hello, QC

    Yes it is, we're talking about installing an unmanaged, and we need to protect a folder on the Sophos local administrator, as a dedicated laptop is not included in the domain with a set Sophos Endpoint 10.

    By the way why the defense only protects against changes Sophos Anti-Virus, but not the firewall ...

  • Hello iStalk,

    As said, outside a domain there is no higher authority than a local administrator. That's not a Sophos problem. One way to overcome this is giving a (Power) User the additional needed rights (you did not say why the user needs to be an administrator, i.e. what actions s/he must be able to perform which are by default not available to a non-admin) without ceding full control - which might be tricky.

    By the way why the defense only protects against changes Sophos Anti-Virus

    If you're talking about Tamper Protection - keep in mind that TP can be enabled/disabled locally. Thus if a (local) administrator enables TP and sets the SCF working mode to Interactive a user would be unable to undo changes to the configuration in response to an interactive prompt. Keeping the machine usable takes precedence over guarding against manipulation (you might have noticed that Configure\A-V\Authorization ... is still available even when TP is enabled). Extending TP (do not forget that it applies only to Administrators and usually the average user doesn't belong to this group) requires careful evaluation of the pros and cons and possible side-effects.

    Christian

  • What's the difference what requires administrator rights ... We need it ...

    TP protects against removal and all that, but having an administrator, I can safely get to the Sophos folder and delete files changed, as I did with the localization of its own product. Why Sophos can not make the protection of that folder?

  • Why Sophos can not make the protection of that folder?

    As I said, this is not Sophos' shortcoming. And TP is neither the magic wand nor does Sophos say so. To quote from the help: 


    Note: Tamper protection is not designed to protect against users with extensive technical knowledge. It will not protect against malware which has been specifically designed to subvert the operation of the operating system to avoid detection.


    Whatever mechanism you use there has to be a way to get into the machine in case of a malfunction (unless you design it in a way that tampering leads to self-destruct - similar to smart cards - but that's clearly not desirable). An administrator can always invoke Windows' recovery functions. Booting from an external medium is another way to manipulate an installation (you could thwart these attempts with encryption). No matter how you look at it - it boils down to either implementing self-destruct (which you wouldn't want to risk in case the machine could contain important data) or kernel modification (which is, apart from legal implications, not a simple thing and beyond the task of a product like Sophos).

    Christian

  • I understand you, sorry sorry - but you have your own way of development and in the Russian market because you are not present. and he is huge and now it is just (market) is very interesting information protection, and it just two of a monopolist - Kaspersky and DrWeb, well, still trying to catch up with Symantec ...

  • Just to make sure there is no misunderstanding - I am not Sophos, not affiliated and no shareholder. :-)
    The technical details are nevertheless valid - discussion of monopolies (duopolies to be exact) belongs to another board in this forum.

    Christian
  • and on this forum are developed, or an affiliated entity?
