
Automated reaction to "Differs from policy" possible?

Hi all,

As the administrator, you receive a message and you see in the SEC that one or more computers differ from group policy, e.g. they have deactivated the On Access Scan.

Is there a way to automatically react to this situation, i.e. to make the server execute the "Comply with"-action by itself?

Thanks

Regards,

Michael

:29087


This thread was automatically locked due to age.
  • Hello Michael,

    Looks like this is not so much a technical problem.

    TP should prevent admins from turning off on-access scanning - but as Jak said they can still stop the service (or otherwise fiddle with the product and cripple it). If the service is stopped SEC will show no Anti-Virus version and IDEs for this computer (as opposed to simply on-access being turned off). Thus if they are in fact stopping the service (can't see how they could otherwise turn off on-access scanning with TP enabled) just pushing the policy won't help. And you still have the triggering problem.

    Generally it's not a good idea to engage in a fight. Again - TP should take care of all but the dedicated "local admins" and those will likely find a way to work around whatever you come up with. If you have to give your users local admin rights then, apart from disciplining transgressions, education is the only way to go. This is not the responsibility of IT alone though. Sadly, management sometimes tends to ignore the human aspect of security and expects technology to be the magic wand (and IT the ones to build and wield it).

    Nevertheless there are some things you could do right now. For a start, try to find out why (some of) your users are turning off scanning. It might be simply for "performance". Or it might be that Sophos blocks software downloads and installs. Of course I don't know your particular situation so I can't say whether this is feasible. And consider explaining what Sophos does, what central management means and why the settings (including TP) are how they are.

    Just my two cents

    Christian     

    :29105