
Possible improvements from my point of view

Hi,

we use the Sophos Dataprotection Suite (just did the upgrade today from 5.0 -> 5.1:)) in a large scale deployment (6000 clients roughly). As the person in charge of the Sophos administration I came across some concerns:

I would like to have in the Enterprise Console

1. Exclusions/Inclusions in the policy settings, like "include this and exclude everything else" beside "exclude this, include everything else",

2. per computer/per user policies,

3. more detailed view per computer especially which policy settings are deployed (keyword "differs from policy"),

4. per schedule settings, especially exclusions/inclusions,

5. some sort of progress view when initiating a full scan from the EC,

Just forgot a concern with the Data Control: it would be great if one could deny the download/creation of certain files with Data Control.

The order is not specific.

Well that might be a challenge:).

Regards

Marcus



  • Hello Marcus,

    keyword "differs from policy"

    the log files on the client only help if you also turn on agent tracing - please see Differs from policy (one of the first threads) which also explains why it is done on the client. As an aside - I once had a cryptic case where even with the help of the logs I couldn't immediately spot the difference. Turned out that SEC had a suspicious file (which subsequently had been authorized) recorded with a trailing blank. When the client saved the policy XML this blank was removed (although it was present in the "working" data). Thus the client complied after applying the policy from the console only to report "differs" after the next start, as the saved policy differed from the one in the adapter storage.

    per schedule settings

    I see - I'd rather call it per scan settings - you mean the ability to configure scheduled scans as detailed as local ones, i.e. selecting only parts of the file system (and down to specific folders and exclusions - note that this is currently not available, not even using the local GUI). I agree that being able to scan only parts of the file system would be an improvement. Individual exceptions would be a major change though.

    on-access scanning of one directory only

    I can imagine that one would want to scan only directories which are writable (and shared) by the clients, but I can't see why in the case of only readable ones some should be scanned but not all.

    AD vs. SEC groups

    Using sync (with automatic install) is only one way to manage and protect computers. You might indeed be better off by not syncing but use an (AD) scripted approach to install Sophos (and using the -G switch can take care of the correct initial group assignment). AD groups can be set up in different ways and only some of the possible structures are useful for management by SEC.

    key generators and cracks

    Sounds like an educational institution (most of the software for which key generators and cracks are sought requires admin rights to install anyway). Sophos has quite a number of malware (Mal/, CXMal/, Troj/, Sus/, ... sometimes just "Mal/Generic") as well as PUA detections for keygens and cracks (naturally I can't determine the detection ratio but I see regular alerts). If you have samples which go totally undetected you can always send them in. Sophos is about protection of your business and this includes "misbehaviour".

    Christian

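The trailing-blank case Christian describes above is a good illustration of why a raw comparison of a saved policy against the console's "working" data can report "differs from policy" even though nothing meaningful changed. The following script is an added example, not Sophos code and not the real SEC policy format: the policy XML layout, element names and file path are constructed for illustration. It flattens two policy documents into leaf paths and values and reports the differing leaves, once as a byte-for-byte comparison and once with surrounding whitespace stripped, so an administrator can tell a cosmetic whitespace difference apart from a real configuration drift.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real SEC policy): the policy as the console
# recorded it, with a trailing blank after the authorized item ...
CONSOLE_POLICY = r"""<policy>
  <authorized>
    <item>C:\Tools\keyfinder.exe </item>
  </authorized>
  <onaccess enabled="true"/>
</policy>"""

# ... and the same policy as the client saved it, with the blank removed.
CLIENT_POLICY = r"""<policy>
  <authorized>
    <item>C:\Tools\keyfinder.exe</item>
  </authorized>
  <onaccess enabled="true"/>
</policy>"""


def flatten(xml_text, normalize=False):
    """Map every leaf element to its text, keyed by an indexed path.

    Sibling index and attributes are part of the key so repeated elements
    (several <item>s) do not collide and attribute changes are visible.
    With normalize=True, leading/trailing whitespace in leaf text is
    stripped, which is exactly what makes a trailing blank stop counting.
    """
    root = ET.fromstring(xml_text)
    entries = {}

    def walk(elem, path):
        if len(elem) == 0:  # leaf: record its text
            text = elem.text or ""
            entries[path] = text.strip() if normalize else text
        for idx, child in enumerate(elem):
            key = f"{path}/{child.tag}[{idx}]"
            if child.attrib:
                attrs = ",".join(f"{k}={v}" for k, v in sorted(child.attrib.items()))
                key += "{" + attrs + "}"
            walk(child, key)

    walk(root, "/" + root.tag)
    return entries


def policy_diff(a_xml, b_xml, normalize=False):
    """Return a sorted list of (path, value_in_a, value_in_b) for each
    leaf whose value differs (or exists on one side only)."""
    a = flatten(a_xml, normalize)
    b = flatten(b_xml, normalize)
    return [
        (key, a.get(key), b.get(key))
        for key in sorted(set(a) | set(b))
        if a.get(key) != b.get(key)
    ]


def classify(a_xml, b_xml):
    """'identical', 'whitespace-only' or 'real-difference', so the
    whitespace case can be triaged separately from genuine drift."""
    if not policy_diff(a_xml, b_xml):
        return "identical"
    if not policy_diff(a_xml, b_xml, normalize=True):
        return "whitespace-only"
    return "real-difference"


if __name__ == "__main__":
    for path, console_val, client_val in policy_diff(CONSOLE_POLICY, CLIENT_POLICY):
        print(f"{path}: console={console_val!r} client={client_val!r}")
    print("verdict:", classify(CONSOLE_POLICY, CLIENT_POLICY))
```

Run stand-alone, the raw comparison flags the `item` leaf (the only difference is the trailing space in the console's copy) and the verdict is `whitespace-only`; a change to `enabled` or to the path itself would instead be reported as `real-difference`.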