
Best Practices for Sophos AV

Dear All

Thought I might be able to get a thread going here whereby we post our Sophos AV setup and configurations. This way we might be able to see why others have implemented Sophos in a certain way and maybe understand better which policies need tweaking etc. I am about to harmonise our 4 offices' installations of Sophos, so before I do that hopefully someone will notice something possibly wrong with my setup or offer advice on why it should be changed etc.

So here goes...

  • Sophos 9 running on a complete Windows environment synchronised with Active Directory.
  • Each Sophos server controls its own policies.  If I could configure one server for policies and push these policies out to the other sites that would be ideal, but I don't know if it's possible and whether my branch office PCs would update correctly?
  • Workstations check for updates every 60 minutes
  • On Access scanning enabled on all workstations, behaviour = On Read
  • Remote scanning of files disabled
  • Auto cleanup of infected files, move to default location
  • Web scanning is 'As on access'
  • All Servers On Access scanning disabled, scheduled scans run each night at 9PM
  • HIPS enabled for notifications only.  Too many false positives for software updates IMO

We also use the Application Control and Device Control which (when working) helps us to nail down rogue apps!

If anyone has any recommendations for me to change I am all ears!

Cheers

  • One domain or multiple domains? How are the offices connected - over WAN?

    Let me first try to understand your setup: each of the (four) servers synchronises a certain container in your AD or one of your domains (and it is not possible for whatever reasons that one server manages all the computers)? Guess it's either full synchronisation features or central policies but not both.

    • Checking for updates every 10 minutes (no reason to set it higher and maybe I'll try 5)
    • On access read and write (since Conficker as I've already said, no complaints and no observable loss in performance)
    • remote files are scanned
    • auto cleanup and either block or delete (had some issues with rootkit items when move is selected)
    • (some of the) servers have also On Access enabled (some are running "alternate scanners", such things happen during an interregnum :smileywink:)
    • HIPS alert only. I know, the guys responsible for software updates could and should check in advance so it'd be possible to authorize the necessary programs before deployment but ...  (BTW: what is the difference between the checkbox [On-Access scanning ...]->Scanning->Scanning Options/Scan for suspicious files (HIPS) and [HIPS runtime behavior ...]?)

    Christian

  • Christian

    Thanks for the reply.

    We only have one domain, each of the 4 sites has its own Sophos server running enterprise console.  They synchronise containers local to them so that computers at site A are not updating to site B as we have slow WAN links :-(

    The problem with this setup is that when I change something to maybe lock down a new app I need to do it at 4 sites.  What would be ideal is if Sophos could centrally update policies but push out AV updates locally?  Am I making sense!?

    We are running pretty old kit here (5 year old P4 computers) so I'm wary of enabling read/write scanning and taking a performance hit.  Perhaps when we finish our desktop refresh...

    I'm surprised about the remote scanning of files, but I don't fully understand it.  If I have 100 users running a program on the network then the 100 users would be scanning the same files on the network?  That just seems bonkers to me, but like I said, I don't understand it so maybe I'm wrong here?

    I quarantine items as I want to try and send samples to Sophos, maybe I should change to block?

    HIPS is something I feel will take a lot of effort to get working without impacting on the users, much like the Sophos Firewall.  I imagine at the first sign of trouble I would just disable any blocks and run it in read only mode.

    I don't know the difference between the HIPS options you mentioned either, maybe a sophos techie can help?

    Security and speed are always a trade-off: users want speed and we want security!

    Thanks

    Stuart

  • I'd suggest that you run one central management server and only SUMs on the other sites (you can have them update from your central server or/and from Sophos - if the latter you have to make sure you have the correct mrinit.conf and cac.pem in the CID). The SUM servers could also be configured as message relays (in this case each site has to have its own mrinit.conf).

    5 year old P4s? Must've been a sell-out :smileyhappy:

    100 users would be scanning the same files on the network? - as you said it's a trade-off. You can exclude remote drives (assuming a fixed letter is used) but (for the time being) not UNC paths. If your users can only connect to the servers and you know the servers to be "safe" then turning off remote scanning would not increase the risk. Otherwise it is still one more possible path.

    Samples and how to obtain/send them have recently been

    Christian

  • I have on-access scanning set on my file servers with exclusions. Will scanning occur only when a locally logged-on user reads a file, or do files get scanned if someone accesses them remotely via a share?

    If so, am I wasting time by having a workstation and a file server policy with on-access scanning set?

  • Hello Warren,

    a file is scanned regardless of the user context (BTW: depending on the settings write and rename can also cause it to be scanned).

    If so am I wasting time

    In a strictly controlled environment (users can't change the settings on the workstation and all workstations are protected) you could exclude the shared locations from scanning by the server. Or if workstations can only access the server's share you could exclude remote files in their policy (this might even save some cycles in total as a file is not rescanned if it hasn't changed). If the share is not writable then a detection on a workstation cannot clean it up. Thus there are several points to consider, not just wasted time.

    Christian

  • Hi Christian,

    Thanks for the response.

    We have a strictly controlled environment in that Tamper Protection is enabled. We have excluded the users' data folder from on-access scanning, mainly due to performance concerns and concerns over the length of time backups would take.

    Have we introduced a security risk by configuring the workstation policy with the "exclude remote files" box ticked, as the only process checking the users' data is a weekly scheduled scan?

    Warren.

  • Hello Warren,

    you should at least perform on-access scans on "one end" (i.e. workstation or server). Thus if you exclude remote files I'd strongly recommend that the host (server) has on-access on for these locations. V.v. if you exclude them on the server leave the exclude remote files unchecked. Roaming profiles are another matter as the files are indeed copied from the share but the actual access is usually local.

    We have no exclusions on the workstations.

    Christian
