
Dealing with False Positives in general

Hi,

We were also affected by the false positive last week. At last it has been fixed. But I was wondering whether Sophos would consider improving the remote control abilities for the clients out of the SEC.

Things like the following came to my mind:

  1. disable Sophos entirely on the endpoints (stopping and starting the Sophos services),
  2. just copy the necessary program files, like the VBS script provided by Sophos does,
  3. improving the deploy/redeploy process, i.e. if anything went wrong with the installation process on the endpoint, Sophos just stops deploying. What about a force uninstall (see the Fixit tool from MS for resolving uninstall issues; I had to use it several times to forcibly uninstall Sophos in order to redeploy it), regardless of a broken installation?
  4. Maybe a check whether the necessary services (Remote Registry, Task Scheduler, ...) are running, and if not, try to start them remotely from the SEC.

Just thoughts.

Regards

Marcus Deubel



  • Hi Christian,

    thanks for your reply. Concerning:

    1. disable entire Sophos on the endpoints

    This should not be a real problem. I am sure Sophos could use the same mechanism as Windows would use for disabling/stopping services remotely. Regarding the credentials, we have a setup with synced AD groups and automatic deployment of Sophos, so we have to supply an AD account with local admin rights anyway. Problem solved so far.

    2. just copy the necessary program files like the vbs script

    3. improving the deploy-/redeploy process

    Basically I don't want to hijack anything, and I don't want to touch an endpoint locally. You are right about the Fixit tool/Msicuu2.exe: they don't remove the services. This should not be a problem. Just call, or build in, the functionality of the sc command, so one would be able to delete services after calling the Fixit tool, msicuu2.exe or whatever else.

    4. Maybe a check if the necessary services are running, if not try to start them
    At least the service check and starting if one is not running would be a benefit.

    I suggested all of the above in connection with the false positive event that happened. We have an installation of around 6000 client computers, so touching a client locally without using the SEC must be an exception for us.

    Regards,

    Marcus Deubel

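The service check from point 4, as an added example that is not part of the thread and not Sophos' or Microsoft's code: it asks each endpoint's Service Control Manager over WMI/RPC whether the Remote Registry and Task Scheduler services are running and starts them if not. The endpoint names are constructed sample values; it assumes Windows PowerShell 5.1 on the console host and, as the post says, an account with local admin rights on the endpoints.

```powershell
# Added example (not from the post or from Sophos): check that the services a
# management console depends on are running on each endpoint and start them
# remotely when they are not. Talks to the Service Control Manager via WMI over
# DCOM/RPC (Get-WmiObject -ComputerName, Windows PowerShell 5.1), so it needs an
# account with local admin rights on the targets, as assumed in the post.

# Services named in the post; 'Schedule' is the Task Scheduler service name.
$RequiredServices = @('RemoteRegistry', 'Schedule')

# Constructed sample endpoint names; replace with an export from the console.
$Endpoints = @('WS-0001', 'WS-0002')

function Repair-EndpointServices {
    param([string[]]$ComputerName, [string[]]$ServiceName)
    foreach ($computer in $ComputerName) {
        foreach ($svc in $ServiceName) {
            $row = [pscustomobject]@{ Computer = $computer; Service = $svc
                                      State = 'Unknown';   Action = 'None' }
            try {
                $w = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                         -Filter "Name='$svc'" -ErrorAction Stop
                if ($null -eq $w) { $row.State = 'NotInstalled'; $row; continue }
                $row.State = $w.State
                if ($w.State -ne 'Running') {
                    # RemoteRegistry is often set to Disabled; switch it to
                    # Manual first, otherwise the SCM refuses StartService().
                    if ($w.StartMode -eq 'Disabled') {
                        $rc = $w.ChangeStartMode('Manual').ReturnValue
                        if ($rc -ne 0) { throw "ChangeStartMode returned $rc" }
                    }
                    $rc = $w.StartService().ReturnValue    # 0 = request accepted
                    if ($rc -ne 0) { throw "StartService returned $rc" }
                    Start-Sleep -Seconds 3                  # let 'Start Pending' settle
                    $w = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                             -Filter "Name='$svc'" -ErrorAction Stop
                    $row.State  = $w.State
                    $row.Action = 'Started'
                }
            } catch {
                # RPC unreachable, access denied, firewall: record it and move on.
                $row.State  = 'Error'
                $row.Action = $_.Exception.Message
            }
            $row
        }
    }
}

Repair-EndpointServices -ComputerName $Endpoints -ServiceName $RequiredServices |
    Format-Table -AutoSize
```

Endpoints that report 'Error' are the ones that would need a local visit anyway, so the table doubles as the exception list the post talks about.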