
Option to prevent tampering with Sophos services and settings

Hello Folks -

We just recently implemented Sophos S&C 9.0 for our end-users. The product works great but we are looking for some sort of mechanism to prevent our limited number of users who are also local administrators on their laptops from stopping the Sophos services. I know with other vendors' products that regardless of whether the user is an admin or not they still provided some sort of setting(s) that would prevent the users from doing so.

I do realize (and I saw this on other posts in this forum) that it doesn't go along with "safe computing practices" but in some companies (i.e. telecoms) it is often at times cumbersome to lock down certain departments (RF engineers, field crews, etc) especially when these departments are in direct contact with vendors, etc. I can restrict with a Group Policy the "Install with Elevated Privileges" settings but many applications are hard coded to require an administrator installing the software.

I saw that Sophos Professional Services can assist with this type of configuration but in my honest opinion this is something that should be included in an enterprise class endpoint solution.  I also may be searching on the wrong keywords so if there is an article / suggestion on how to accomplish this please steer me in the correct direction.

Thanks!



  • My previous post was in haste apparently as I just reviewed the new features included in S&C 9.5 and it does include tamper proof settings.

  • What's in the works right now might not be what you need. You said "some sort of mechanism to prevent our [...] local administrators [...] from stopping the Sophos services". Are you talking about using the GUI to disable certain functions or about stopping or disabling a service? Preventing the latter is not part of the Tamper Protection AFAIK.

    In addition to Tamper Protection you can deny local administrators the right to stop a service and thus make it harder for them to turn off scanning. And you'd also have to restrict access to the registry. A kernel mode filter driver also would make it harder but not impossible to turn off scanning (as MS has articles on it).

    The question is always: Why do they want to turn off scanning (or other components)?

    Christian

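Christian's suggestion above, denying local administrators the right to stop the service, lives in the service's security descriptor. The PowerShell script below is an added example and is not code from this thread or from Sophos: it reads the descriptor with sc.exe sdshow, reports whether Builtin\Administrators currently hold the SERVICE_STOP right, and with -Apply writes a descriptor with that right removed. The service name is a placeholder, and the script assumes the standard Windows service SDDL grammar (WP = stop, DT = pause/continue, BA = Builtin\Administrators, SY = LocalSystem).

```powershell
# Added example, not code from the thread or from Sophos. Audits (and optionally hardens)
# the security descriptor of one service so that Builtin\Administrators no longer hold
# the SERVICE_STOP right. Run from an elevated prompt; -Apply rewrites the descriptor.
# $ServiceName is a placeholder: substitute the real service name for your environment.
param(
    [string]$ServiceName = 'PLACEHOLDER_SERVICE',
    [switch]$Apply
)

# Service-specific SDDL rights: RP = start, WP = stop, DT = pause/continue.
# Trustees: SY = LocalSystem, BA = Builtin\Administrators, IU = interactive users.
$rightsToRemove = 'WP', 'DT'

$raw = & sc.exe sdshow $ServiceName
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed for '$ServiceName': $($raw -join ' ')" }
$sddl = ($raw | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1).Trim()

# Split the descriptor into ACEs; each looks like (ace_type;flags;rights;;;trustee).
$aces  = [regex]::Matches($sddl, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value }
$baAce = $aces | Where-Object { $_ -match ';BA$' } | Select-Object -First 1

$adminsCanStop = $false
$hardened = $sddl
if ($baAce) {
    $fields = $baAce -split ';'
    # Rights are two-letter tokens; drop the ones that allow stopping or pausing.
    $rights = [regex]::Matches($fields[2], '..') | ForEach-Object { $_.Value }
    $adminsCanStop = [bool]($rights | Where-Object { $_ -in $rightsToRemove })
    $fields[2] = -join ($rights | Where-Object { $_ -notin $rightsToRemove })
    $hardened = $sddl.Replace("($baAce)", '(' + ($fields -join ';') + ')')
}

if ($Apply -and $adminsCanStop) {
    & sc.exe sdset $ServiceName $hardened
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed for '$ServiceName'" }
}

# Summary object: what Administrators can do now and the descriptor that would change it.
[pscustomobject]@{
    Service       = $ServiceName
    AdminsCanStop = $adminsCanStop
    CurrentSddl   = $sddl
    HardenedSddl  = $hardened
    Applied       = [bool]($Apply -and $adminsCanStop)
}
```

This is the "harder, not impossible" layer Christian describes: the hardened descriptor still leaves Administrators with WD/WO (write DAC and owner), so an administrator can grant the right back, and the service's Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name> can still be set to disabled, which is why he pairs the service ACL with restricting registry access. LocalSystem keeps WP so the Service Control Manager can still stop the service at shutdown.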
  • I spoke to our account manager at Sophos and he said that he believes the new tamper proof settings that will be included in S&C 9.5 will only prevent Sophos from being uninstalled.  I guess I will take a closer look at restricting the services, access to scanner settings, ability to enable/disable device control, etc via the GPO options I've seen discussed here in the forums. 

    The users we have who are local admins typically only disable the device control mechanism but yes, you are correct when asking, why would someone want to disable something that is protecting your system? - guess that is an age old question. Unfortunately some of our road warriors and tower crews need the ability to install software from hardware vendors in the wee hours of the morning when they are troubleshooting issues - hence the reason they have local admin rights. Now granted all of the local admin users don't fall under that category.

  • Hi,

    This is my problem too. I must give administrative rights to some users on their mobile computers. In this case they can disable Sophos services and they are able to shut down Sophos-specific processes via Task Manager. It is a big problem for me. I hoped the tamper protection would prevent the Sophos client, services and processes from being shut down (like in Avast for example) but NOT. I think it is useless until it is possible to protect the whole client from the bad guys.

    question for developers:

    Is it possible to reach this protection level of sophos client in the future?

    Thanks

  • I'm repeating myself ...

    All the so-called tamper protection (whether from Sophos, another vendor or MS) is basically putting the cart before the horse. Not that it is absolutely useless.

    It can offer significant protection from must-be-admin users with limited technical knowledge - until some sympathetic programmer writes the next indispensable tool for the unjustly confined (turn off this, bypass that, access hidden items and so on). Works like your standard security lock which is easy to pick if you know how - most of us just don't bother to learn it.

    You can add a second layer of protection by entwining the various components so that a tamper attempt renders the device all but useless and in effect you add another layer to the OS where the user is no longer administrator - and if you haven't got it perfectly right you'll soon face the same problem (must give administrative rights for some users) again.

    Now you can argue that certain software (malware) offers the very "functionality" you are looking for: processes, files and registry keys are hidden even from administrators, it's hard to remove and so on. Then why not use the same technology to protect legitimate applications? Well, apart from "moral qualms" it's quite an effort to get it right. Malware doesn't need to work perfectly on all encountered computers ...

    Your users - irritating as they may be - should not be your enemies (and you not theirs). And bad guys should not be in your organization at all. No one expects a company's trucks to be equipped with some nifty device which would prevent drivers from using the trucks for "private business". Or that a copier can't be used for private copies.

    If a computer gets infected because the user has turned off scanning - who should be held responsible?

    Christian

  • I realize this is an old post but I came across it in my searches for understanding how Sophos can possibly be compliant with PCI when the process can easily be killed by any local administrator.

    PCI DSS 3.0 regulation 5.3 states that all anti-virus mechanisms must be actively running and unable to be disabled or altered by users. Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.

    I don't see how Sophos's tamper protection feature meets this requirement at all when anyone who is a local admin is able to do this.

    Can someone from Sophos please comment on this?

  • Hello froggy,

    "anyone who is a local admin"

    these anyones are able to do a lot more than just alter AV protection and if anyone could qualify as local admin you have a lot of other requirements to worry about, not just AV.

    Incidentally - and quite interesting - the standard is rather vague or even incomplete w/r to other aspects. It requires that the anti-virus software is actively running but otherwise enumerates only that [t]he anti-virus software and definitions are current and [p]eriodic scans are performed as specific requirements. Something like real-time or on-access isn't mentioned (or hinted at) at all. In this context I don't think that "by users" encompasses local admins ...

    Christian

  • I realize that local admins have the rights to do other things than disable A/V. But when we trialed other endpoint security solutions prior to purchasing Sophos they have had the option to prevent users from killing the process or disabling the services, including local admins. I think this is a very useful feature and truly makes a solution tamperproof.

    If someone is able to compromise a computer with admin permissions it would seem pretty easy for them to end the process and load all the malware they wish.

    Is there even any way of properly detecting that someone did this via the management console?

  • Hello froggy,

    "[this feature] truly makes a solution tamperproof"

    said who? :smileyhappy: Give any ordinary pen-tester local admin rights and watch how long the solution holds out. Some malware uses an equivalent "self-protection" scheme - if it were bullet-proof we'd see it being used more widely.

    "detecting [...] via the management console"

    Regardless of the product this requires an uncompromised communication channel - otherwise you can't trust the information from the endpoint. "Simple" tampering will show the endpoint as non-compliant with the AV policy but there's no frequent heartbeat which would enable you to detect a deactivated communication.

    Christian

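On froggy's question about detecting a killed process or disabled service, and Christian's point that the console cannot be trusted without a heartbeat, the PowerShell script below is an added example of host-side detection that can be forwarded to a SIEM from the endpoint itself; it is not code from this thread or from Sophos. It pulls Service Control Manager events for stops (7036) and start-type changes (7040) of one service from the System log and reports the service's current state alongside them. The service name and display name are placeholders.

```powershell
# Added example, not code from the thread or from Sophos. Local detection of service
# tampering from the System event log, intended to be collected by a SIEM or a scheduled
# task since the management console has no frequent heartbeat.
# $ServiceName and $DisplayName are placeholders for the protected service.
param(
    [string]$ServiceName  = 'PLACEHOLDER_SERVICE',
    [string]$DisplayName  = 'PLACEHOLDER DISPLAY NAME',
    [int]$LookbackHours   = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Service Control Manager events: 7036 = "entered the running/stopped state",
# 7040 = start type changed (e.g. auto start -> disabled).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7040
    StartTime    = $since
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # SCM messages name the service by its display name.
    if ($e.Message -notmatch [regex]::Escape($DisplayName)) { continue }
    # For 7036 only the transition to "stopped" is a tamper indicator.
    if ($e.Id -eq 7036 -and $e.Message -notmatch 'stopped state') { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Detail  = ($e.Message -replace '\s+', ' ').Trim()
    }
}

# Current state is reported alongside the history so a stopped or disabled service is
# still flagged if the log was cleared (clearing is itself System event 104 / Security 1102).
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$state = if ($svc) { "$($svc.Status) (StartType=$($svc.StartType))" } else { 'NOT INSTALLED' }

[pscustomobject]@{
    Service      = $ServiceName
    CurrentState = $state
    Compliant    = [bool]($svc -and $svc.Status -eq 'Running' -and
                          $svc.StartType -ne 'Disabled' -and -not $findings)
    TamperEvents = @($findings)
}
```

This only addresses the visibility half of froggy's question: a local administrator can clear or stop the event log as well, so the events are only trustworthy once they have been forwarded off the host, which is the same uncompromised-channel requirement Christian raises for the console.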
  • Doesn't really seem like you are interested in hearing constructive criticism about your product but I think that both of these areas are gaps in the Sophos endpoint security solution.

    Sure I shouldn't have used the phrase "truly" tamper proof there but preventing admins from killing the process does make it MORE tamper proof and having the ability to detect a heartbeat or at least validate and alert for non-complying endpoints would help with visibility into scenarios where the service has been disabled or process has been killed.

    Of course you can feel free to blame the possibility of this happening onto the customer's policies and the possibility of having local admin privileges, but security is all about layers and your approach seems to be ignoring that. Almost no security implementation of anything is bulletproof, so pointing out the holes in these aspects as your reason for not implementing a more secure implementation isn't a solid argument in my opinion.

    Do you also not lock your door because locks can be easily picked?
