All users have the base policy applied - what does the policy non-compliance warning mean - the users cannot change anything as this has only occurred within an hour of putting the sophos onto their machine and they are not logged in.
the policy non-compliance warning should only appear if you e.g. set up a policy which enables realtime(on-access) scanning / blocks a device etc. and one of these settings is changed on the endpoint somehow. So far I did only get non-compliance events if the endpoints were actually non compliant (just tested it again).
Could you log in to the clients were you deployed the endpoint and check the endpoint settings if on-access scanning is really non compliant to your policy?
If is not compliant and the users didn't do anything manually, you can click "View anti-virus and HIPS Log" on the endpoint. There you can see which user deactivated on-access scanning. If it was disabled via policy it shows NT AUTHORITY\SYSTEM. Please also make sure there is no additional antivirus software / personal firewall etc. installed that conflicts with our endpoint.
If the endpoint is compliant to the policy (realtime/on-access scanning enabled in the policy and on the endpoint) and the non-compliance event is displayed regardlessly, we have another problem. Please tell me your Windows Version (including Service Pack), so I can try to reproduce the issue.
Have logged in to this user - the only policy non-compliance I could find is that on the application control - the enable on-access scanning was unticked.
I'm not sure how this could have happened as other than the initial install of Sophos last night - the user would not have been able to change anything as this was done out of hours.
I've refreshed the dashboard and have got another policy non-compliance, so not really sure what's happening here really.
Have logged in to this user - the only policy non-compliance I could find is that on the application control - the enable on-access scanning was unticked.
I'm not sure how this could have happened as other than the initial install of Sophos last night - the user would not have been able to change anything as this was done out of hours.
I've refreshed the dashboard and have got another policy non-compliance, so not really sure what's happening here really.
