
Want to disable task view in Windows 10 via Sophos Central

We have critical issues with Sophos endpoint software on 65 computers which have the Windows 10 operating system only. We have installed Sophos endpoint on client computers running Windows 10 64-bit and 32-bit. They are able to disable Sophos software from Task Manager startup, and none of the policies which we have applied from Sophos Central work. I hope you will give this matter serious consideration and encourage new ideas to tackle the problem as its impact on this,



  • There must be an issue that needs resolving as Tamper Protection should prevent the killing of Sophos processes from Task Manager. 

    The fact none of the policies are working also suggests something is not right, maybe components failed to install?

    If you run Endpoint Self Help as a starting point, does it suggest any issues?

    "C:\Program Files\Sophos\Endpoint Self Help\SophosESH.exe"

  • I agree, this sounds like Tamper Protect. This is by design. What exactly are you trying to do via Task Manager and what policies are you trying to push?

  • In the Windows Task Manager there is a tab for services that start when the computer is booted.  What I think he's trying to say is that the users can go to that tab and turn off the Sophos services so they don't run when the computer is booted... and he wants to prevent the user from doing that.  It's a Windows issue.

  • I'm not aware of the functionality you mention.

    In Task Manager I see the following options for a service:

    So there is an option to Stop the service, which is different from the Services MMC snap-in, which shows it as disabled when Tamper Protection is enabled.

    So this is just a presentation difference. 

    If you interact with the Service Control Manager (SCM) via SC.exe though you can see the service is not stoppable:

    From Task Manager, if you do try and stop it you will get just that:

    You can't change the config of the service from Task Manager, e.g. to Disabled so it doesn't start at boot.  I don't think you mean services; I suspect you mean startup processes.

    Maybe this tab and setting is the one:

    to:

    This is the process responsible for the notification tray icon and runs as the logged on user as launched from: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    "Sophos UI.exe" = '"C:\Program Files\Sophos\Sophos UI\Sophos UI.exe" /hidden'

    To "disable/enable" this, TaskManager.exe changes the Reg Binary value "Sophos UI.exe" under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

    Without the Sophos UI.exe process, protection remains the same, it's just you will not get desktop messages.

    This process is part of the Sophos UI component, so if the config was to go anywhere to protect it with Tamper, it would be in the file: "C:\Program Files\Sophos\Sophos UI\integrity.dat".  For example, there are ProtectRegKey entries but these are preventing keys being changed not values.
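
A read-only check for the startup state described in the reply above, added here as an example; it is not part of the thread and not Sophos or Microsoft code. The key paths and value name come from the reply, while the byte layout of the StartupApproved value (even first byte enabled, odd first byte disabled, FILETIME in bytes 4-11) is an assumption based on commonly observed behaviour, and `Get-StartupApprovedState` is a hypothetical helper name.

```powershell
# Added example, not Sophos or Microsoft code.
# Assumption (observed behaviour, not documented by Microsoft): a StartupApproved
# value is 12 bytes; an even first byte (0x02, 0x06) means enabled, an odd one
# (0x03, 0x07) means disabled, and bytes 4-11 hold the FILETIME of the change.
function Get-StartupApprovedState {
    param([byte[]] $Data)
    if ($null -eq $Data) {
        # No value: the entry was never toggled, so it still starts (assumption).
        return [pscustomobject]@{ State = 'Enabled'; DisabledAt = $null }
    }
    if ($Data.Length -lt 12) {
        return [pscustomobject]@{ State = 'Unknown'; DisabledAt = $null }
    }
    $disabled = ($Data[0] -band 1) -eq 1
    $when = $null
    if ($disabled) {
        $ticks = [BitConverter]::ToInt64($Data, 4)
        try { if ($ticks -gt 0) { $when = [DateTime]::FromFileTimeUtc($ticks) } } catch { }
    }
    $state = if ($disabled) { 'Disabled' } else { 'Enabled' }
    [pscustomobject]@{ State = $state; DisabledAt = $when }
}

# Constructed sample: a value shaped like one written when an entry is disabled.
$stamp = [DateTime]::new(2020, 1, 1, 0, 0, 0, 'Utc').ToFileTimeUtc()
[byte[]] $sample = @(3, 0, 0, 0) + [BitConverter]::GetBytes($stamp)
Write-Host "Sample decode: $((Get-StartupApprovedState -Data $sample).State)"

# Key paths and value name as given in the thread.
$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
$name        = 'Sophos UI.exe'

# Read both values without modifying anything; missing values come back as $null.
$command = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
$raw     = (Get-ItemProperty -Path $approvedKey -Name $name -ErrorAction SilentlyContinue).$name
$result  = Get-StartupApprovedState -Data $raw

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    RunCommand = $command
    State      = if ($null -eq $command) { 'NoRunEntry' } else { $result.State }
    DisabledAt = $result.DisabledAt
}
```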
