Dealing with False Positives in general

Hello Marcus,

1. disable entire Sophos on the endpoints

the devil's in the details - you are correct about the saved credentials in conjunction with AD sync. Recently there have been inquiries about an audit trail in connection with policy changes and I think that the same concerns would apply here - you'd probably want to know who has stopped the services and for what reason. If just a restart would be implemented the it'd be perhaps less of a problem. Then consider that SEC should as far as possible correctly display the status of the client - so it'd have to keep track of the commands issued and their outcome. As more than one administrator might use the console at the same time the display would have to be consistent to avoid confusion - if you stop, say, the Anti-Virus service then the client is not only non-compliant with respect to the AV policy but also the update status changes to unknown. Admittedly this is the same whether you do it from inside SEC or by an external command, but it's good practice to indicate that it has been done by SEC. 

Controlling the Sophos services from SEC might be handy if e.g. you want to restart the Agent. If the Installer encounters a problem which you want to resolve this way you'd probably need to do more than just stop a service though. In addition SEC would ideally have to be aware of the services and their semantics (and thus to have a way to "understand" uplevel SAV versions - something which is not implemented at the moment)

2./3. install(er) issues

If my observations are correct the install sequence has lately been revised to better handle existing installations. Previously Protect Computers (i.e. the sequence run by setup.exe) was rather reckless and while - if employed correctly - it could overcome issues like the ones of late it had also the potential of messing things up. Can't say what exactly spurred this revision but I assume it hasn't been done just for the fun of it.

I'm sure Sophos is looking into addressing the issues encountered - and of course I'd welcome any changes which make central management easier. I'm just trying to illustrate that it might not be as simple as it looks on the surface. If it were that simple (and innocuous) then the MS Installer would have an option ignore all product's data and perform an unconditional initial install, wouldn't it?

Christian

Hello Marcus,

1. disable entire Sophos on the endpoints

the devil's in the details - you are correct about the saved credentials in conjunction with AD sync. Recently there have been inquiries about an audit trail in connection with policy changes and I think that the same concerns would apply here - you'd probably want to know who has stopped the services and for what reason. If just a restart would be implemented the it'd be perhaps less of a problem. Then consider that SEC should as far as possible correctly display the status of the client - so it'd have to keep track of the commands issued and their outcome. As more than one administrator might use the console at the same time the display would have to be consistent to avoid confusion - if you stop, say, the Anti-Virus service then the client is not only non-compliant with respect to the AV policy but also the update status changes to unknown. Admittedly this is the same whether you do it from inside SEC or by an external command, but it's good practice to indicate that it has been done by SEC. 

Controlling the Sophos services from SEC might be handy if e.g. you want to restart the Agent. If the Installer encounters a problem which you want to resolve this way you'd probably need to do more than just stop a service though. In addition SEC would ideally have to be aware of the services and their semantics (and thus to have a way to "understand" uplevel SAV versions - something which is not implemented at the moment)

2./3. install(er) issues

If my observations are correct the install sequence has lately been revised to better handle existing installations. Previously Protect Computers (i.e. the sequence run by setup.exe) was rather reckless and while - if employed correctly - it could overcome issues like the ones of late it had also the potential of messing things up. Can't say what exactly spurred this revision but I assume it hasn't been done just for the fun of it.

I'm sure Sophos is looking into addressing the issues encountered - and of course I'd welcome any changes which make central management easier. I'm just trying to illustrate that it might not be as simple as it looks on the surface. If it were that simple (and innocuous) then the MS Installer would have an option ignore all product's data and perform an unconditional initial install, wouldn't it?

Christian