If I have a scheduled scan using 9.x for a certain time, and that system is turned off during that time, will it run the scheduled scan when its powered on next?
This thread was automatically locked due to age.
Same question, using Sophos Endpoint Security & Control 10.3 controlled by policy from Sophos Enterprise Console 5.2
How does Sophos handle system scan on machines that missed the scheduled time due to being powered off or in sleep mode? Are there options to configure this behavior either telling the clients to do the scan at bootup, or force them to wait until the next scheduled time depending on how policy is applied?
Thanks
Hello deployed,
Sophos uses the Windows task scheduler, there is no extra monitoring whether a scan has been run or missed. Therefore it is not possible to specify a conditional execution (apart from the fact that it is not as simple as it seems - consider a policy with two scans which both have been missed, which scan should be run a boot?).
force them to wait
You mean to lock the machine until the scan has been run (either at boot or on the next schedule) - or am I misinterpreting you? Considering the number of requests to delay updates at boot I don't think that scan-on-boot will enjoy great popularity :smileyhappy:. May I ask why you think this is necessary?
Christian
QC wrote:...
Sophos uses the Windows task scheduler, there is no extra monitoring whether a scan has been run or missed.
...
May I ask why you think this is necessary?
=-=-=-=
I have two comments:
1) Some companies have a Security policy that mandates all end user systems have a weekly (or monthly) full AV scan. Because Sophos is missing the feature to reschedule missed scans, this means that I cannot schedule a full scan to happen on the weekend or after hours where it will have the least overall effect. Instead I have to schedule this scan *during the workday*, affecting everyone.
2) The Windows Task Scheduler (at least on modern versions of Windows) most definately has the ability to run a task that has been missed. Sophos just doesn't take advantage of the feature. (Hint to programmers, look for the "Run task as soon as possible after a scheduled start is missed" checkbox)
Hello Scissor,
I have to schedule this scan *during the workday*, affecting everyone
I read this as - excuse my disparaging wording, I do not insinuate you'd put it this way - affecting everyone instead of only those blockheads who shut down the computer. I infer though that you can't (or don't want to) wake up the machines - this would IMO be the better method.
Sophos just doesn't take advantage of the feature
Perhaps because the advantage is small especially when compared to the potential problems. Guess most installations would not want to run a scan just after boot. One problem is that when the client has missed the schedule you likely can't prevent the scan from running if you change your mind. Another one, already mentioned, is that the client might have missed more than one scan (of course it'd be likely a per-scan option so if you are careful in setting it this shouldn't happen).
Anyway, if a policy mandates that a scan is performed this likely means that the scan should run to completion (and also that its results are checked). That the task finished successfully doesn't mean that the scan did (e.g. if the computer is shut down shortly after).
Christian
Wow QC ... Are there any feature requests for Sophos AV that you won't rationize away as somehow being a fault of the customer?
It is really offputting to have someone with a tag of "Executive VIP" telling me that I am "just doing things wrong".
I don't know what magical fairyland you work in where end users never power off their laptops, where Wake on Lan actually works reliably with laptop users, or where end users do not complain when a scheduled scan "slows down" their computer during their work day. Wherever it is I know that I don't work there.
=-=-=
While we are on the subject of Scheduled Scans, another feature that Sophos is missing is staggered scan starts. This would be where I can schedule a scan to start at 10 AM, plus or minus a random XX minute offset. This feature would be invaluable for large virtualized environments where I don't want 200 VMs all scanning themselves at once and overwhelming the backend SAN storage.
Scan on boot being a problem with too much disk access? Sophos could add logic to the scanner software to only start scanning after xx minutes of uptime has passed. I know that Symantec AV has a 10 minute delay for pattern updates at boot just for this reason. (at least it did 5 years ago).
=-=-=
By the way, every single feature request in this thread is *already* offered by competitors. For example, McAfee VirusScan does them all. If only VirusScan didn't suck so much in other ways...
Anyway, sorry about my rant. I haven't had my coffee today. I think I will go grab a cup now.
Hello Scissor,
Executive VIP
:smileylol: is just a forum rank (you could question the automated ranking system which assigns such a rank not only to serious advisors like Jak but also to motormouths - or motorfingers - like me).
rationalize away as somehow being a fault of the customer
not at all. It is also not meant to discourage anyone from submitting feature requests. What I'm trying to do is to explain the rationale (as far as I understand it, I'm not Sophos and I don't have access to inside information) behind some "strategic and implementation decisions", their consequences and how to better live with them (if you excuse the presumptuous wording). Do not forget that even if your request is accepted it will often take considerable time until it is implemented. So, sorry if I've put you off - this was not my intention.
[the] magical fairyland
called university - with the lack of policies (or if there are, the lack of empowerment to enforce them) as its most exciting (or most frustrating, depending on your POV) charm. :smileyhappy:
One more stab at scans:
For a workstation a (scheduled) scan is supplement to on-access scanning (no more, no less) and not essential. Its main purposes are
As the timing of the scan is arbitrary (especially if it is weekly or even monthly) a missed scan doesn't actually make much difference in terms of protection or security. If you do think it does, then you shouldn't let the user log in before the scan has finished - otherwise ...
Leaves the compliance. I assume though there aren't many requests for scan on/after boot or run ASAP if missed. Sophos "believing" in simplicity is reluctant to add too many features unless there is sufficient demand (Audit has been added recently but IMnshO it reeks of audit as defined by auditors and not audit as defined by administrators :smileywink:). As said, serious auditing/monitoring also requires to assure that the scan has completed, check the results and perform additional actions if necessary. In such an environment you likely have the means to wake up the machines as well. And then - patching is at least as important as regular scanning.
staggered scan starts
Sophos has at least made an attempt with the Virtualization Scan Controller. If it falls short in your environment please do tell them so. I'm not using it so I can't say if it is any good.
*already* offered by competitors
Philosophy - it's as simple (forgive the pun) as that. It is part of what makes Sophos Sophos. Strategy and economic reasons also define how a product is developed and placed. This is not to defend Sophos. There's only so much you can get for a certain amount you (and me too) are willing or can afford to pay. Whichever vendor, you have to adjust, you have to make the most of the product you bought. That's why I'm trying to get to the bottom of it (but obviously overshoot) and also to depict alternatives.
So, sorry about my rant - had too much coffee today :smileyhappy:
Christian
