Sophos On-Access Scanner gets "disabled" by Juniper Networks Host-Checker

I have a VPN connection to a customer of mine. They use the Juniper Networks VPN software. I use Sophos Endpoint v10. When I connect to their network, the Juniper software launches the "Host Checker" app. It successfully detects v10 of Sophos AV as a valid product, so it is clearly updated. However, it then deletes the savonaccesscontrol.sys and savonaccessfilter.sys driver files located in C:\Windows\System32\Drivers. This means that the next time I boot my PC the on-access scanner doesn't load, leaving me under-protected, and the next time I try to connect to the Juniper VPN it won't validate me because my Sophos AV product doesn't have on-access scanning enabled. The only fix I have found is to restore the two files and then make them read-only so that the Host Checker cannot delete them.

I have contacted my customer and requested that they reach out to Juniper to find out why this is happening. HOWEVER, I would like to know how it is that the Juniper client was ABLE to delete these files, since I have Tamper Protection turned on! Shouldn't these files be protected?!? This strikes me as a MAJOR flaw in your software, if a malicious app can just disable my on-access AV software!

Thoughts?

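A check for the two driver files named in the post, as an added example that is not from the original post, from Sophos or from Juniper; it assumes the file names and path given above, and that the loaded Sophos on-access drivers have image paths containing "savonaccess" (an assumption).

```powershell
# Added check script; not from the original post, Sophos or Juniper.
# Assumes the Sophos v10 driver file names and location exactly as named in the thread.
# Run from an elevated PowerShell prompt (System32\Drivers is a protected location).
param([switch]$Enforce)   # -Enforce applies the thread's read-only workaround

$driverDir = Join-Path $env:SystemRoot 'System32\Drivers'
$drivers   = @('savonaccesscontrol.sys', 'savonaccessfilter.sys')

foreach ($name in $drivers) {
    $path = Join-Path $driverDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$name is missing from $driverDir; on-access scanning will not load at next boot"
        continue
    }
    $file = Get-Item -LiteralPath $path
    if ($file.IsReadOnly) {
        Write-Output "$name present, read-only ($($file.Length) bytes)"
    } elseif ($Enforce) {
        # The read-only attribute makes a plain delete fail unless the caller clears it first.
        $file.IsReadOnly = $true
        Write-Output "$name present; read-only attribute set"
    } else {
        Write-Warning "$name present but writable; re-run with -Enforce to set read-only"
    }
}

# Confirm the on-access drivers are actually loaded now, not only present on disk.
# The '*savonaccess*' image-path match is an assumption about the driver naming.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like '*savonaccess*' } |
    Select-Object Name, State, Started, PathName |
    Format-Table -AutoSize
```

A missing file or a driver that is present but not in the Running state is the condition the post describes, so this is the check to run after any Host Checker session and after each reboot.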


  • Hi,

    That's most odd behaviour by any application to start deleting drivers; sounds like something malware would do.  I'm not even sure what the thinking behind it is.

    Tamper protection extends to preventing uninstallation and tampering with settings in the GUI.

    Any process running with enough privileges can do anything to a computer. I assume it's running a service as local system or a process is running as an Administrative user.

    Regards,

    Jak
