
not fully tamper protected

Evaluating the latest endpoint protection deployed from the console (ver 5.2.1 R2). I have enabled tamper protection, but some parts of the user AV are still not greyed out.

How can we prevent users from changing AV settings, and even prevent them from uninstalling it?



  • One day has passed, and even with tamper protection enabled, that "Configure" option is still not greyed out.

    We don't want users to be able to interrupt the AV. Everything has to be centrally controlled.

    Appreciate any help.

  • Hello,

    Tamper protection will prevent users uninstalling the Sophos components even if they are an administrator.

    Much of the security is handled through the local Sophos groups:

    * SophosAdministrator
    * SophosPowerUser
    * SophosUser

    You could set up "Restricted Groups" on these through Group Policy - http://support.microsoft.com/kb/279301 - to define who is a member of them. By default, local admins will be added to SophosAdministrator, local power users to SophosPowerUser, and local users to SophosUser.

    I suppose you could also set up a software restriction policy to prevent SAVMain.exe being launched.

    Regards,

    Jak

  • Aahh... but why use Group Policy to do the simple task of preventing users from misconfiguring the AV client? Really, it can't be done from the management console like in Kaspersky?

    The product is very good so far, but this unavailable feature of protecting the AV client from misconfiguration could be a show stopper.

  • Hello rino19ny,

    TP applies to (Sophos)Administrators only (you can find a few threads here where this has been discussed). It also doesn't claim to prevent any fiddling with the product (or the OS, for that matter - please see the Note: in How do I: Understanding Tamper Protection); "protection" against manipulation by dedicated users with administrative rights is not a simple task. TP is intended for situations (especially with notebooks) where it is (seemingly) unfeasible to allow the use of certain hardware and software features without giving the user administrative rights.

    Which kind of misconfiguration are you worried about? Please note that the On-Access ("real time") settings are unavailable - thus scanning can't be "turned off".

    Christian

  • A user with local admin rights can stop the Sophos Anti-Virus service either through the "Services" menu or by killing the Sophos process via CTRL+ALT+DEL, which stops on-access scanning.

    Is it possible to lock down stopping the Sophos services and/or killing the Sophos process by a local admin? I'm in the same situation where my clients need local admin rights, but I don't want them to have any ability to bypass their anti-virus product.

  • Actually it is a simple task... either allow or disallow (grey out) all features. Kaspersky already has it, and we used it.

    The use of (additional) software offsite is a matter of our policy, not the AV vendor's. We have managed to live with the extreme setup (allow all or disallow all) of Kaspersky, and if you could only see the numerous ways users can manipulate the settings, you'd agree with me.

    Hence we're quite dismayed that with your product, even with TP enabled, there are certain features that are not greyed out (configure AV and HIPS).

    So the outcome of our POC is that this matter of protecting the AV client from the user is stopping us from going for Sophos.

  • Just to raise a point, some security products do prevent even local admins from stopping the service. This could be a feature request.

  • Hello rino19ny,

    "your product"

    To avoid misconceptions, I'm not Sophos :) and I'm not trying to talk you into choosing one vendor over another.

    "certain features that are not greyed"

    It's mainly a question of general principles, design decisions and the resulting (economically justifiable) implementation. In the extreme a vendor could offer granular central control over the settings available for a user (and, while we're at it, user-based policies/settings) and/or the option to completely suppress the UI. Sophos' motto is Security made simple, thus you can't expect this kind of complexity.

    The actual design is naturally a tradeoff. TP has only been added later, apparently by enough request. For now, Sophos still refrains from gearing into the OS beyond the inevitable - while it would make (unauthorized) fiddling with the settings harder but not impossible, it gives rise to other issues.

    Specifically to the available settings: One group is for On-demand and Right-click scans. These scans are requested solely by the user - thus it's quite coherent that the settings are available to the user. Less obvious is Authorization - it is admittedly not innocuous. OTOH, not giving the user (who is administrator) the ability to authorize certain files/activity might preclude the very actions which, in order to execute them, the user has got the administrative rights for.

    To add my two cents (also to IAMU's post): Personally I don't like the IT vs. users scenario. Technical "solutions" are at best the second-best. Instead users should be educated that bypassing the AV on their computer is like disabling the airbag in their car.  Furthermore it should be made evident that extended rights (if they are actually necessary) come along with responsibilities. 

    Christian

  • Hi,

    I truly get your point and, believe me, I'm with you on the design principle... but in certain countries/cultures it simply is impossible to pass on responsibility or expect users to be responsible, as for them I.T. is solely responsible for all things IT-related. Period. Hence we, meaning us in our company, have to take everything into our own hands, and one of those things is preventing users from misconfiguring the AV client. A lockdown, if you will.

    Sadly, I was ready for Sophos, but this lack of a "lockdown" feature stopped it.

  • rino19ny,

    Did a little testing in the last couple of days. Removing the user accounts from Sophos Administrators and moving them to Sophos Power Users removes most control from the user. Right-click scan and Authorize are still available, but as mentioned are probably best left open. If a user adds an authorization, you'll know about it: the central console will give you a notification that the client isn't complying with policy. You can then override that user's authorization if you wish by forcing their client back into compliance. It will also alert you to software that might be false-flagged and is giving your users issues.

    The Power User group at least stops your casual user that knows how to open a GUI and stop an A/V from running.  It still doesn't stop the "closet techs" that know to stop services and kill processes, but it's better than leaving everyone as Sophos Administrators.

    I agree that the more perfect solution is education (and good acceptable use policies that are strongly enforced), and it shouldn't be IT vs everyone else.  The reality of any corporate environment though, is you will always have those users that either think they know how to run their system better or want to subvert the policy enforcement to surf their NSFW content.  The more tools available to rein in those rogue users the better.

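The membership change that Jak suggests (Restricted Groups on the three local Sophos groups) and that the last post carried out by hand (moving users out of Sophos Administrators into Sophos Power Users) can be audited and applied with PowerShell on a single endpoint. The script below is an added example, not code from the thread, from any of the posters, or from Sophos. It assumes PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts cmdlets), an endpoint where the Sophos installer has created the SophosAdministrator, SophosPowerUser and SophosUser local groups as described above, and an elevated prompt; the account names in the allow list are placeholders you would replace with your own IT staff accounts.

```powershell
# Added example, not code from the thread or from Sophos.
# Assumes: PowerShell 5.1+ (Get-/Add-/Remove-LocalGroupMember), an elevated prompt,
# and the three Sophos local groups created by the Sophos Endpoint installer.
# Run with -WhatIf first to see what would change without touching anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Leaf names (domain/computer prefix ignored) allowed to stay in SophosAdministrator.
    # Placeholder values; replace with your own IT accounts and groups.
    [string[]] $AllowedAdmins = @('Administrator', 'Domain Admins', 'IT-Desktop-Team'),
    # Everyone else found in SophosAdministrator is moved to this group instead.
    [string]   $FallbackGroup = 'SophosPowerUser'
)

$SophosGroups = 'SophosAdministrator', 'SophosPowerUser', 'SophosUser'

# Audit: list who is currently in each Sophos group. By default the local
# Administrators group sits in SophosAdministrator, so every local admin inherits
# full control of the client until that membership is changed.
function Get-SophosGroupReport {
    foreach ($g in $SophosGroups) {
        if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
            Write-Warning "Local group '$g' not found - is Sophos Endpoint installed?"
            continue
        }
        Get-LocalGroupMember -Group $g | ForEach-Object {
            [pscustomobject]@{
                Group  = $g
                Member = $_.Name
                Type   = $_.ObjectClass
                Source = $_.PrincipalSource
            }
        }
    }
}

# Enforce: any principal in SophosAdministrator that is not on the allow list is
# removed from it and added to the fallback group (SophosPowerUser by default).
function Set-SophosGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($m in Get-LocalGroupMember -Group 'SophosAdministrator') {
        $leaf = $m.Name.Split('\')[-1]
        if ($AllowedAdmins -contains $leaf) { continue }

        if ($PSCmdlet.ShouldProcess($m.Name, "Move from SophosAdministrator to $FallbackGroup")) {
            Remove-LocalGroupMember -Group 'SophosAdministrator' -Member $m
            # Add-LocalGroupMember errors if the principal is already a member; that is harmless here.
            Add-LocalGroupMember -Group $FallbackGroup -Member $m -ErrorAction SilentlyContinue
        }
    }
}

'== Before =='
Get-SophosGroupReport | Format-Table -AutoSize
Set-SophosGroupMembership
'== After =='
Get-SophosGroupReport | Format-Table -AutoSize
```

Two caveats that follow from the thread itself. A user who is still a member of the local Administrators group can add themselves back to SophosAdministrator, which is why Jak points at Restricted Groups through Group Policy rather than a one-off script: the GPO re-applies the membership at every policy refresh, while this script only does so when it is run. And, as the last post notes, none of this stops a local admin from stopping the service or killing the process; it only removes the GUI route for the casual user.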