
Automated reaction to "Differs from policy" possible?

Hi all,

As the administrator, you receive a message and see in the SEC that one or more computers differ from the group policy, e.g. they have deactivated the On Access Scan.

Is there a way to automatically react to this situation, i.e. to make the server execute the "Comply with"-action by itself?

Thanks

Regards,

Michael

  • Hi,

    There is no way within the product to automate the server to push a policy down.  

    You can make the client re-request a policy as mentioned here:

    /search?q= 22831

    You may wish to contact Support - as Pro-Services probably have a tool to interface with the Sophos Management Service to poke it into action.  Sadly it's not something you can initiate from the database layer.

    To stop users changing settings locally you can enable Tamper Protection but if they are local admins they can stop the SAVService anyway.

    Regards,

    Jak

  • Hi Jak,

    Thanks for your reply. I'll look into the "scripted push".

    I have Tamper Protection already enabled, but our users are all local admins.

    Thanks anyway

    Regards,

    Michael

  • Hi,

    In terms of SAV, there are reg values under the following key:

    HKLM\Software\[wow6432node]\Sophos\SAVService\Status\

    that could be assessed to determine if the local adapter storage could be removed and the agent service restarted.

    E.g. as a system startup script (AD based), a script could check the above registry key(s); if the machine does not comply, it deletes the relevant adapter storage file and restarts the agent service. Within 20-25 seconds the client should get a policy.

    Cheers,

    Jak

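The startup-script approach Jak sketches above, written out as an added PowerShell example (this is not code from the thread or from Sophos). It assumes a registry value name under the Status key and the paths of the adapter storage file and the agent service, none of which the thread gives; those are placeholders that an administrator would fill in from a known-compliant client. The script reports non-compliance by exit code and only touches the file and service when explicitly run with `-Remediate`, so it can first be deployed in check-only mode to see how many machines actually differ.

```powershell
<#
  Added example, not from the thread. Assumptions (placeholders):
    - the value name in $ExpectedValues under SAVService\Status
    - $AdapterStorePath (the "adapter storage file" Jak refers to)
    - $AgentServiceName (the agent service Jak refers to)
  Fill these in from a client that is known to comply with policy.
#>
param(
    [string]$AdapterStorePath = 'C:\PLACEHOLDER\adapter-storage-file',   # assumption
    [string]$AgentServiceName = 'PLACEHOLDER-AgentService',              # assumption
    [switch]$Remediate
)

# Both locations Jak mentions: 32-bit product on 64-bit Windows, and native.
$statusKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\SAVService\Status',
    'HKLM:\SOFTWARE\Sophos\SAVService\Status'
)

# Value name -> expected data. The name is a PLACEHOLDER: read the real one
# off a compliant client with Get-ItemProperty before deploying this.
$ExpectedValues = @{
    'PLACEHOLDER_OnAccessValueName' = 1
}

function Get-SavStatus {
    foreach ($k in $statusKeys) {
        if (Test-Path $k) { return Get-ItemProperty -Path $k }
    }
    return $null
}

function Test-SavCompliance {
    param($Status)
    # Christian's point: a stopped SAVService is a different (worse) state than
    # on-access merely being switched off, so check the service first.
    $svc = Get-Service -Name 'SAVService' -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        Write-Warning 'SAVService is not running'
        return $false
    }
    if ($null -eq $Status) {
        Write-Warning 'No SAVService\Status key found'
        return $false
    }
    foreach ($name in $ExpectedValues.Keys) {
        $actual = $Status.PSObject.Properties[$name]
        if ($null -eq $actual -or $actual.Value -ne $ExpectedValues[$name]) {
            Write-Warning "Value '$name' is '$($actual.Value)', expected '$($ExpectedValues[$name])'"
            return $false
        }
    }
    return $true
}

$status = Get-SavStatus
if (Test-SavCompliance -Status $status) {
    Write-Output 'SAV status matches expected policy values.'
    exit 0
}

Write-Output 'SAV status differs from policy.'
if (-not $Remediate) { exit 1 }   # check-only mode: report and stop

# Remediation as described in the thread: remove the adapter storage file and
# restart the agent service so the client re-requests its policy from the console.
if (Test-Path $AdapterStorePath) { Remove-Item -Path $AdapterStorePath -Force }
Restart-Service -Name $AgentServiceName -Force
exit 1
```

Run as a computer startup script via Group Policy so it executes as SYSTEM; a non-zero exit code can be collected by whatever logging the startup script infrastructure already has, giving a simple inventory of which clients drift before any automatic remediation is switched on.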
  • Hello Michael,

    It looks like this is not so much a technical problem.

    TP should prevent admins from turning off on-access scanning - but as Jak said they can still stop the service (or otherwise fiddle with the product and cripple it). If the service is stopped SEC will show no Anti-Virus version and IDEs for this computer (as opposed to simply on-access being turned off). Thus if they are in fact stopping the service (can't see how they could otherwise turn off on-access scanning with TP enabled) just pushing the policy won't help. And you still have the triggering problem.

    Generally it's not a good idea to engage in a fight. Again - TP should take care of all but the dedicated "local admins" and those will likely find a way to work around whatever you come up with. If you have to give your users local admin rights then, apart from disciplining transgressions, education is the only way to go. This is not the responsibility of IT alone though. Sadly, management sometimes tends to ignore the human aspect of security and expects technology to be the magic wand (and IT the ones to build and wield it).

    Nevertheless there are some things you could do right now. For a start, try to find out why (some of) your users are turning off scanning. It might be simply for "performance". Or it might be that Sophos blocks software downloads and installs. Of course I don't know your particular situation so I can't say whether this is feasible. And consider explaining what Sophos does, what central management means and why the settings (including TP) are how they are.

    Just my two cents

    Christian

  • Hello Christian,

    thank you for your "two cents" :-)

    I'll talk to my colleagues about that.

    Regards,

    Michael
