This discussion has been locked.

Opinions on Dead Client Reporting

Hi All,

This is my first SophosTalk Post, so go easy on me :-)

I am currently reviewing how we manage clients which appear in Sophos as not having reported back for a while, and the best practice to manage them.

I have been reading this thread:

/search?q= 23331

Which contains some useful steps about how to remove old clients from the SEC, but here's what bothers me;

As far as I can tell, through the SEC, seeing that a client hasn't reported back isn't proof that the client is an old PC which is now off the network and can be removed from the console. It could be a PC that's got some virus preventing that PC from reporting back to the Sophos server - so removing it from SEC not only means you don't have a true licence count, but also means you may have a PC on your network that is infected.

I inherited our AV service about a year ago, and my predecessor had created some clever scripts that compared the last time a client had reported back to when the client was last seen on the network. If both were over a set amount of time, we could safely remove them from the console, but if a client was on the network recently but not reporting back to Sophos, we knew we had a problem!

These scripts don't work any more because they relied on a browsing function on our domain which has now been deactivated - so I'm trying to figure out what others do....

Are we going way over the top here?!

Regards,

Ben

  • Hello Ben,

    Welcome, and no fear, we're used to going easy :-)

    Sounds like you don't have a real asset management. The true licence count is probably the least of your worries (as this scenario results in underlicensing it's Sophos' problem ;-)).

    Joking aside - are you saying you have no idea when and which clients come and go and there is no policy which requires protection? Or is this perhaps a university or similar? Is "our domain" an AD environment? If I understand correctly then AV service is more or less disconnected from other IT management. Please correct me if I'm wrong.

    "some virus preventing that PC from reporting back to the Sophos server" - possible, but in my experience crippled installations are a more likely cause.

    "last seen on the network" - as the scripts seem to rely on browsing you don't have (access to) network management data (i.e. data from network components like switches or access points), do you?

    As said, the licence count is not your (primary) problem (you could argue that protection is not working and therefore the installation shouldn't be counted). If you don't have a reliable asset management and/or network monitoring there's no way to tell whether a client has issues or is simply gone for good. There's more than one way to skin the cat but all involve some appropriate means (whether probing tools, monitoring or asset data) to ascertain a client's existence.

    Meanwhile, Jak has already covered the technical aspects.

    Christian

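The comparison Ben describes (last report to the console versus last sighting on the network) combined with Christian's point that a second data source is needed, as an added example that is not part of the original thread. The CSV column names, the 30-day threshold and the network source (for instance DHCP, switch or AD data) are assumptions, and all sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data; column names are assumptions, not a real export format.
CONSOLE_CSV = """hostname,last_report
PC-001,2013-05-28T09:15:00
PC-002,2013-03-02T17:40:00
PC-003,2013-02-11T08:05:00
pc-004,2013-04-01T12:00:00
"""
NETWORK_CSV = """hostname,last_seen
pc-001,2013-05-28T09:20:00
PC-002,2013-05-27T16:55:00
PC-003,2013-02-12T10:30:00
PC-005,2013-05-28T08:00:00
"""

def load(text, time_col):
    """Map upper-cased hostname -> newest timestamp found for that host."""
    newest = {}
    for row in csv.DictReader(io.StringIO(text)):
        host = row["hostname"].strip().upper()
        ts = datetime.fromisoformat(row[time_col])
        newest[host] = max(ts, newest.get(host, ts))
    return newest

def classify(console, network, now, max_age=timedelta(days=30)):
    """Return {hostname: verdict} for every host present in either source."""
    verdicts = {}
    for host in sorted(set(console) | set(network)):
        reported, seen = console.get(host), network.get(host)
        on_network = seen is not None and now - seen <= max_age
        if reported is None:
            verdicts[host] = "unmanaged"    # known to the network source only
        elif now - reported <= max_age:
            verdicts[host] = "healthy"
        elif on_network:
            verdicts[host] = "investigate"  # alive but silent towards the console
        elif seen is None:
            verdicts[host] = "unverified"   # no network data: do not delete blindly
        else:
            verdicts[host] = "retire"       # stale in both sources
    return verdicts

def run_sample(now=datetime(2013, 5, 29)):
    return classify(load(CONSOLE_CSV, "last_report"), load(NETWORK_CSV, "last_seen"), now)

if __name__ == "__main__":
    print(run_sample())
```

Only hosts that are stale in both sources land in "retire"; a host the network source has never seen stays "unverified" rather than being treated as gone.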