
Possible improvements from my point of view

Hi,

we use the Sophos Dataprotection Suite (just did the upgrade today from 5.0 -> 5.1 :)) in a large scale deployment (roughly 6000 clients). As the person in charge of the Sophos administration I came across some concerns:

I would like to have in the Enterprise Console

1. Exclusions/Inclusions in the policy settings, like "include this and exclude everything else" besides "exclude this, include everything else",

2. per computer/per user policies,

3. more detailed view per computer especially which policy settings are deployed (keyword "differs from policy"),

4. per schedule settings, especially exclusions/inclusions,

5. some sort of progress view when initiating a full scan from the EC,

Just forgot a concern with the Data Control: It would be great if one could deny the download/creation of certain files with Data Control.

The order is not specific.

Well that might be a challenge:).

Regards

Marcus



  • Hello Marcus,

    there's always room for improvement - and you correctly called your suggestions a challenge. TANSTAAFL though, are you willing to fork over the quid or bucks for a major redesign ;-)? If you prefer economically priced evolution you should prioritize your list (and possibly explain the value for your business).

    In the hope of stirring up some discussion allow me a few remarks:

    some sort of progress view when initiating a full scan from the EC

    Has already been wished (there's the Last scan completed but nothing more). While it seems simple at first it's more than just sending a tick at regular intervals. Do you want this just for the Full System Scan (to make sure it has been started and progresses)? What would be your next action if it doesn't?

    more detailed view per computer especially which policy settings are deployed (keyword "differs from policy")

    Making the client send back the policy XML and storing it in the database shouldn't be too hard. More of a challenge is making it readable in SEC - you probably want to have the differences flagged. It would likely inflate the console as it would have to be able to deal with different client versions (what about "uplevel" clients?) or the clients would have to be "console version aware". If you simply want the clients to comply just force compliance - to determine the underlying cause for the difference the policy values in effect might be insufficient though. Or what else do you think you would gain?

    per schedule settings, especially exclusions/inclusions

    I'm not sure where this would be necessary. Are you thinking of backup? In this case a per (validated) process exclusion would probably be better.

    "include this and exclude everything else"

    You're not talking about on-access, are you? Do you think of "partial" scans from SEC, i.e. a scheduled or immediate scan of only parts of the file system (similar to a scan initiated locally)?

    per computer/per user policies

    This is a different paradigm than that currently implemented in SEC. This too has come up when this forum was still young. While a per computer assignment is thinkable (but wouldn't you want to be able to group the 6000 of them in one or the other way - and think about the clarity of AD) additional per user would further complicate things. But please see "Device Control - By User?".

    download/creation of certain files

    Creation would necessitate "constant scanning" - you probably wouldn't like the performance penalty. I think that DC could be extended to downloads though (although it might be better to scan them already on the gateway).

    Personally I'd like to see some other features, for example (not all of it my original ideas):

    The ability to safely collect samples (this is not the same as the move cleanup option) upon request from SEC (maybe with direct submission to the Labs)

    Access to the logs via SEC, or perhaps better: an option to run SDU on the client and have the logs stored in a central location (or perhaps sent by mail)

    Christian

  • Hello Christian,

    I will explain my suggestions more fully in this post. At least one thing: Because we have a large scale installation of Sophos we have to do as many Sophos jobs remotely as possible. It is not always possible to log on to the clients and see what's going on with the Sophos client.

    some sort of progress view when initiating a full scan from the EC:

    Just for the Full System Scan. It would be nice to see in the EC that it progresses. Right now I can just assume the System Scan is running.

    more detailed view per computer especially which policy settings are deployed (keyword "differs from policy")

    You just got me. What you have written is exactly what I want. At least it would help to see the differences in the client gui. We have clients with "differs from policy" but I don't see what is different when checking the client locally. But I must admit that I did not check any logfiles on the client side.

    per schedule settings, especially exclusions/inclusions

    Ok. I should have provided an example:

    I have set up Sophos on our File Service Cluster node and wanted to schedule two scans. One scan should only be for the system drive c:. The other scan should only be for the SAN volumes. The scan for the system drive should include Root Kit Scan and the SAN scan should not.

    Unfortunately the exclusions apply to all schedules.

    "include this and exclude everything else"

    Again an example would be useful :-). We had one case where one department requested the scanning of one directory on a cluster volume and all other directories should be excluded. I managed to implement the policy by using the common way. But hey, it was quite a number of directories to exclude :). Oh yes, I am talking about on-access scanning.

    per computer/per user policies

    A per user policy is nice to have but not necessary. A per computer policy would be better. Just to explain why it would be best for our needs.

    We have set up an AD and synchronize the OUs with our Sophos installation. Every department has its own OU with their computers in it, well, the user OUs and the computer OUs are separate. Because we deploy group policies for particular computer OUs it is almost impossible to move computers to a "Sophos OU" to deploy a different policy than other computers in this department OU. While writing these words it comes to my mind that maybe we should break with the synchronisation between AD and Sophos... But we use this to automatically deploy the Sophos client on new machines.

    download/creation of certain files

    I have to discuss this with our network team. In my mind is a policy of such kind "block the downloading of keygen.exe" for example.

    Your suggestions are also very good! I would like to see them realized.

    Regards
    Marcus

    PS: Had to look up what "TANSTAAFL" meant. Wikipedia is your friend :-)

  • Great. Just checked in late Friday and might add some comments next week.
    One thing - on access with "gently paranoid" settings will block quite a number of key generators. I see this all the time ;-)

    Christian
  • Well Christian,

    unfortunately we do have a slight problem with people downloading cracks and key generators. I prefer having people complaining about not being able to download this and that rather than having people being able to download cracked software.

    Regards

    Marcus

  • Hello Marcus,

    keyword "differs from policy"

    the logfiles on the client only help if you also turn on agent tracing - please see Differs from policy (one of the first threads) which also explains why it is done on the client. As an aside - I once had a cryptic case where even with the help of the logs I couldn't immediately spot the difference. Turned out that SEC had a suspicious file (which subsequently had been authorized) recorded with a trailing blank. When the client saved the policy XML this blank was removed (although it was present in the "working" data). Thus the client complied after applying the policy from the console only to report "differs" after the next start as the saved policy differed from the one in the adapter storage.

    per schedule settings

    I see - I'd rather call it per scan settings - you mean the ability to configure scheduled scans as detailed as local ones, i.e. selecting only parts of the file system (and down to specific folders and exclusions - note that this is currently not available, not even using the local GUI). I agree that being able to scan only parts of the file system would be an improvement. Individual exceptions would be a major change though.

    on-access scanning of one directory only

    I can imagine that one would want to scan only directories which are writable (and shared) by the clients but I can't see why in case of only readable ones some should be scanned but not all.

    AD vs. SEC groups

    Using sync (with automatic install) is only one way to manage and protect computers. You might indeed be better off by not syncing but use an (AD) scripted approach to install Sophos (and using the -G switch can take care of the correct initial group assignment). AD groups can be set up in different ways and only some of the possible structures are useful for management by SEC.

    key generators and cracks

    Sounds like an educational institution (most of the software for which key generators and cracks are sought after requires admin rights to install anyway). Sophos has quite a number of malware (Mal/, CXMal/, Troj/, Sus/, ... sometimes just "Mal/Generic") as well as PUA detections for keygens and cracks (naturally I can't determine the detection ratio but I see regular alerts). If you have samples which go totally undetected you can always send them in. Sophos is about protection of your business and this includes "misbehaviour".

    Christian

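The trailing-blank case Christian describes above (console policy and saved client policy agree in substance but not byte for byte) can be illustrated with a small comparison script. This is an added example, not Sophos code, and the XML layout, file name and element names are constructed for illustration only; the real SEC policy format is not shown on this page.

```python
"""Added example (not Sophos code): compare two policy XML documents strictly
and with leading/trailing whitespace ignored, to show how a stray blank in
one value produces a "differs" result that a normalized comparison would not.
The XML structure below is constructed and not the real SEC policy format."""
import xml.etree.ElementTree as ET

# Constructed sample: policy as recorded by the console, with a trailing
# blank on the authorized file name (the cause described in the thread).
CONSOLE_POLICY = """<policy>
  <onAccess enabled="true"/>
  <authorized>
    <file>C:\\Tools\\report.exe </file>
  </authorized>
</policy>"""

# Constructed sample: the same policy as the client saved it, blank dropped.
CLIENT_POLICY = """<policy>
  <onAccess enabled="true"/>
  <authorized>
    <file>C:\\Tools\\report.exe</file>
  </authorized>
</policy>"""


def flatten(xml_text):
    """Map every attribute and leaf element to its value, keyed by an indexed
    path, so two policies can be compared entry by entry."""
    entries = {}

    def walk(elem, path):
        for name, value in elem.attrib.items():
            entries[f"{path}@{name}"] = value
        children = list(elem)
        if not children:
            entries[path] = elem.text or ""
        for i, child in enumerate(children):
            walk(child, f"{path}/{child.tag}[{i}]")

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return entries


def policy_differences(a, b, normalize=False):
    """Return [(path, value_in_a, value_in_b)] for entries that differ.
    normalize=True strips leading/trailing blanks before comparing."""
    fa, fb = flatten(a), flatten(b)
    diffs = []
    for key in sorted(set(fa) | set(fb)):
        va, vb = fa.get(key), fb.get(key)
        if normalize:
            va = va.strip() if va is not None else None
            vb = vb.strip() if vb is not None else None
        if va != vb:
            diffs.append((key, va, vb))
    return diffs
```

A strict comparison flags the `file` entry, while the normalized comparison reports the two policies as identical.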
  • Hi

    sorry that I reply so late. I was very busy. I came across an additional improvement that would be really great.

    How about a comment field of some kind to track what changes and additions have been made to policies, for example.

    Regards

    Marcus
