Dear All Thought I might be able to get a thread going here whereby we post our Sophos AV setup and configurations. This way we might be able to see why others have implemented Sophos in a certain way and maybe understand better which policies need tweaking etc. I am about to harmonise our 4 offices installations of Sophos so before I do that hopefully someone will notice something possibly wrong with my setup or offer advice on why it should be changed etc. So here goes... Sophos 9 running on a complete Windows environment synchronised with Active Directory. Each Sophos server controls its own policies. If I could configure one server for policies and push these policies out to the other sites that would be ideal, but I don't know if its possible and whether my branch office pc's would update correctly? Workstations check for updates every 60 minutes On Access scanning enabled on all workstations, behaviour = On Read Remote scanning of files disabled Auto cleanup of infected files, move to default location Web scanning is 'As on access' All Servers On Access scanning disabled, scheduled scans run each night at 9PM HIPS enabled for notifications only. Too many false positives for software updates IMO We also use the Application Control and Device Control which (when working) helps us to nail down rogue apps! If anyone has any recommendations for me to change I am all ears! Cheers :850

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Best Practices for Sophos AV

Dear All

Thought I might be able to get a thread going here whereby we post our Sophos AV setup and configurations. This way we might be able to see why others have implemented Sophos in a certain way and maybe understand better which policies need tweaking etc. I am about to harmonise our 4 offices installations of Sophos so before I do that hopefully someone will notice something possibly wrong with my setup or offer advice on why it should be changed etc.

So here goes...

Sophos 9 running on a complete Windows environment synchronised with Active Directory.
Each Sophos server controls its own policies. If I could configure one server for policies and push these policies out to the other sites that would be ideal, but I don't know if its possible and whether my branch office pc's would update correctly?
Workstations check for updates every 60 minutes
On Access scanning enabled on all workstations, behaviour = On Read
Remote scanning of files disabled
Auto cleanup of infected files, move to default location
Web scanning is 'As on access'
All Servers On Access scanning disabled, scheduled scans run each night at 9PM
HIPS enabled for notifications only. Too many false positives for software updates IMO

We also use the Application Control and Device Control which (when working) helps us to nail down rogue apps!

If anyone has any recommendations for me to change I am all ears!

Cheers

This thread was automatically locked due to age.

Parents

0 notesguru99 over 15 years ago

Christian
Thanks for the reply.
We only have one domain, each of the 4 sites has its own Sophos server running enterprise console. They synchronise containers local to them so that computers at site A are not updating to site B as we have slow WAN links :-(
The problem with this setup is that when I change something to maybe lock down a new app I need to do it at 4 sites. What would be ideal is if Sophos could centrally update policies but push out AV updates locally? Am I making sense!?
We are running pretty old kit here (5 year old P4 computers) so I'm wary of enabling read/write scanning and taking a performance hit. Perhaps when we finish our desktop refresh...
I'm suprised about the remote scanning of files, but I don't fully understand it. If I have 100 users running a program on the network then the 100 users would be scanning the same files on the network? That just seems bonkers to me, but like I said, I don't understand it so maybe I'm wrong here?
I quarantine items as I want to try and send samples to Sophos, maybe I should change to block?
HIPS is something I feel will take a lot of effort to get working without impacting on the users, much like the Sophos Firewall. I imagine at the first sign of trouble I would just disable any blocks and run it in read only mode.
I don't know the difference between the HIPS options you mentioned either, maybe a sophos techie can help?
Security and speed is always a trade off, users want speed and we want security!
Thanks
Stuart
:927
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 notesguru99 over 15 years ago

Christian
Thanks for the reply.
We only have one domain, each of the 4 sites has its own Sophos server running enterprise console. They synchronise containers local to them so that computers at site A are not updating to site B as we have slow WAN links :-(
The problem with this setup is that when I change something to maybe lock down a new app I need to do it at 4 sites. What would be ideal is if Sophos could centrally update policies but push out AV updates locally? Am I making sense!?
We are running pretty old kit here (5 year old P4 computers) so I'm wary of enabling read/write scanning and taking a performance hit. Perhaps when we finish our desktop refresh...
I'm suprised about the remote scanning of files, but I don't fully understand it. If I have 100 users running a program on the network then the 100 users would be scanning the same files on the network? That just seems bonkers to me, but like I said, I don't understand it so maybe I'm wrong here?
I quarantine items as I want to try and send samples to Sophos, maybe I should change to block?
HIPS is something I feel will take a lot of effort to get working without impacting on the users, much like the Sophos Firewall. I imagine at the first sign of trouble I would just disable any blocks and run it in read only mode.
I don't know the difference between the HIPS options you mentioned either, maybe a sophos techie can help?
Security and speed is always a trade off, users want speed and we want security!
Thanks
Stuart
:927
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data