Sophos Endpoint causing 1000s of Audit Failures in Event Viewer

Question

I've seen some reports, so I decided to take a look myself. 
 I noticed having lots of Audit Failures in Event Viewer. Some troubleshooting later, I found out following is happening: 
 Default state of the Audit Policy "Filtering Platform Packet Drop" is No Auditing. After installation of Sophos Server Protection (Core Agent, A/V, Intercept X), I saw it change to "Failure", and logs starts to appear. Setting back to No Auditing, solves the "problem". 
 While I do get what this Policy does, I wonder why Sophos is changing the auditing of default windows firewall? 
 Thanks

DianneY · Accepted Answer

Hello Kosta88 
 To report connection firewall-blocked applications, Sophos uses the local profile configuration set on the computer. 
 When installing the Endpoint Firewall component, Sophos attempts to set the audit policy to enable Windows Firewall application block events. This means when the Windows Firewall blocks an application because it violates one of the Firewall rules, an entry is added to the Windows Security log. If the audit policy is already being managed by Windows Group Policy and is disabled, blocked application events will not be sent to Sophos Central. 
 The configuration change made is equivalent to: 
 auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable 
 On uninstall of the Sophos endpoint software, this setting is left in place, thus leaving the auditing turned on. It can be disabled by an admin locally or via Windows Group Policy if required at a later time. 
 If the audit setting is overridden by an admin whilst the Endpoint Firewall component is enabled, this will prevent blocked-applications raising entries in the Windows Security log and application blocked messages will not be sent to Sophos Central. 
 For further information from Microsoft on using this configuration, see Enabling Audit Events for Windows Firewall with Advanced Security .