
Default policy being used when it isn't supposed to be.

I have a couple machines where the 'Default' policy is being used when it isn't supposed to be.  How do I fix this, and how can I identify other machines doing this?  The console says 'same as policy' in the Policy compliance column, which I guess means it is using a valid policy ... just not the right one!

Using Sophos Antivirus 9.0.5 and Enterprise Console 4.0.0.2362.



This thread was automatically locked due to age.
  • Hello Neal,

    thought about it and played a little bit.

    Policies are applied to groups but mapping is done on a per-computer basis although it includes the "state" ("Same as ...", "Awaiting ...").  From what you say I surmise some inconsistencies in your database. Assuming the Default AV policy has ID=2 I used the following: 

    sqlcmd -E -S .\SOPHOS -d SOPHOS4 -Y 20 -Q

    SELECT c.Name,c.Deleted,
           cps.State,
           g.Name
       FROM  ComputerPolicyStates AS cps,
             Groups AS g
               INNER JOIN ComputerGroupMapping AS cgm ON g.ID = cgm.GroupID
               INNER JOIN
               (SELECT Name, ID, Deleted FROM ComputersAndDeletedComputers)
                 AS c ON cgm.ComputerID = c.ID,
             ComputerPolicyMapping AS cpm  
       WHERE (cpm.PolicyID=2 AND cpm.ComputerID=c.ID AND (cps.ComputerID=c.ID AND cps.Type=2))

    It displays the computer name, the deleted flag (I was curious, when 1 the computer isn't shown in SEC), the (I assume) policy compliance state  (1=Same, 2=Differs, 3=Awaiting transfer, ...) and the group (only the "bottom" but that was sufficient for me). Use at your own risk though (and it's all guesswork BTW).

    I think you could do one of the following to correct the problem:

    1) Modify the policy which should be in effect (just delete some names from the "known" pane in the Authorization window) - this should transfer it to the clients

    2) Create a copy of the AV policy, assign it to the group

    Christian
