
Opinions on Dead Client Reporting

Hi All,

This is my first SophosTalk Post, so go easy on me :-)

I am currently reviewing how we manage clients which appear in Sophos as not having reported back for a while, and the best practice to manage them.

I have been reading this thread:

/search?q= 23331

Which contains some useful steps about how to remove old clients from the SEC, but here's what bothers me:

As far as I can tell, through the SEC, seeing that a client hasn't reported back isn't proof that the client is an old PC which is now off the network and can be removed from the console; it could be a PC that's got some virus preventing that PC from reporting back to the Sophos server, so removing it from SEC not only means you don't have a true licence count, but also means you may have a PC on your network that is infected.

I inherited our AV service about a year ago, and my predecessor had created some clever scripts that compared the last time a client had reported back to when the client was last seen on the network. If both were over a set amount of time, we could safely remove them from the console, but if a client was on the network recently but not reporting back to Sophos, we knew we had a problem!

These scripts don't work any more because they relied on a browsing function on our domain which has now been deactivated, so I'm trying to figure out what others do.

Are we going way over the top here?!

Regards,

Ben



This thread was automatically locked due to age.
  • Hi,

    One thing to note which may help explain a few things: as of SEC 4.7 onwards, when the Sophos Management Service performs its daily maintenance task (which it runs every 24 hours after starting), along with other things the following Stored Procedure (SP) is executed:

    PurgeTaskWithThreasholdAndLimit

    Within the SQL of that SP you can see that for any computer that has a LastMessageTime older than 24 hours, the computer will be marked as disconnected.

    So if you wanted to, you could replace 24 with another value and let the system manage the connected state for you as you would want it.   If your reporting is based on your "new" connected state condition, maybe that is ok?

    Note: you would need to perform this modification after every upgrade, as each new version comes with a new "core" database.

    That all being said, as you say, this relies on RMS working, so to distinguish between communication failing and the client still being alive you would need some other marker to correlate with this LastMessageTime.  

    Updating may prove more reliable than RMS communication? IIS logs could provide some data if you're using HTTP updating. Querying AD objects, I assume you'd go for computer objects rather than user for the lastLogonTimestamp. This might also offer something central to report on without implementing a custom solution of creating markers or parsing event logs:

    http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

    http://www.techrepublic.com/blog/datacenter/identify-stale-active-directory-computer-accounts-with-dsquery/4148

    So the above could provide you with an input list of stale computers that you could parse and cross-reference with an output of disconnected clients with a last message time greater than the same threshold as the AD query, etc.

    Maybe you have some other managed agent software that reports a last seen time of the client; you could use the messaging system of that as a watchdog for Sophos RMS and vice versa?

    The other question is what "remove" means to you in the sense of removing a computer, as when you "delete" a computer in SEC via the console you just set the deleted flag to 1 in the ComputersAndDeletedComputers table, so it's not really deleted. Is this sufficient, i.e. to get it out of the computer list view in the console?

    Regards,

    Jak

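One way to do the cross-reference Jak describes, as an added example that is not code from the thread, from Sophos or from Microsoft: it takes two constructed exports (an SEC computer list with LastMessageTime and an AD computer list with lastLogonTimestamp, both assumed to have been converted to ISO timestamps upstream, e.g. by dsquery or PowerShell) and sorts each stale SEC client into "investigate" (seen by AD recently but silent to RMS), "safe_to_remove" (stale in both) or "no_ad_account". The column names and thresholds are assumptions.

```python
"""Cross-reference SEC LastMessageTime with AD lastLogonTimestamp.

Constructed sample data; column names are assumptions, not Sophos's
or AD's export format.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed SEC export: computer name and last RMS message time.
SEC_EXPORT = """Name,LastMessageTime
WS-001,2013-05-01T09:12:00
WS-002,2013-03-02T17:40:00
WS-003,2013-02-10T08:00:00
WS-004,2013-04-10T12:00:00
"""

# Constructed AD export (lastLogonTimestamp already converted to ISO).
AD_EXPORT = """Name,lastLogonTimestamp
WS-001,2013-05-01T08:55:00
WS-002,2013-04-30T07:10:00
WS-003,2013-01-20T10:00:00
"""

# Fixed "now" so the sample classifies the same way every run.
NOW = datetime(2013, 5, 2, 0, 0, 0)


def _load(text, col):
    """Parse a CSV export into {computer name: timestamp}."""
    return {r["Name"]: datetime.fromisoformat(r[col])
            for r in csv.DictReader(io.StringIO(text))}


def classify(sec_text, ad_text, now=NOW, sec_days=7, ad_days=30):
    """Classify every SEC computer by combining both 'last seen' markers.

    ad_days should exceed 14: AD only rewrites lastLogonTimestamp when
    the stored value is more than about 9-14 days old, so a smaller
    window would flag live machines as stale.
    """
    sec = _load(sec_text, "LastMessageTime")
    ad = _load(ad_text, "lastLogonTimestamp")
    sec_cutoff = now - timedelta(days=sec_days)
    ad_cutoff = now - timedelta(days=ad_days)
    result = {}
    for name, last_msg in sec.items():
        if last_msg >= sec_cutoff:
            result[name] = "reporting"          # RMS is fine
        elif name not in ad:
            result[name] = "no_ad_account"      # nothing to correlate with
        elif ad[name] >= ad_cutoff:
            result[name] = "investigate"        # on the network, silent to SEC
        else:
            result[name] = "safe_to_remove"     # stale by both markers
    return result
```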