This discussion has been locked.

A computer does not comply with the Sophos Central policy you applied to it.

We currently have a single policy (the default one).

Any ideas why a client would suddenly flag this?

When I look, the Network Threat Protection service is stopped and the Central console shows:

    Update succeeded Nov 23, 2016 4:46 PM
    Update succeeded Nov 23, 2016 2:48 PM
    Policy non-compliance: Network Threat Protection Nov 23, 2016 2:45 PM
    Policy in compliance: Device Control Nov 23, 2016 2:43 PM
    Policy non-compliance: Device Control Nov 23, 2016 2:42 PM
    Download of WindowsCloudNextGen failed from server http://dci.sophosupd.com/update. Nov 23, 2016 1:51 PM

Is there a definitive guide on what logs there are and which to look in to try to sort out what seems like a lot of "false positive" type alerts?
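One way to triage a console timeline like the one quoted above, as an added example that is not part of the original post and not a Sophos tool: parse the event lines, keep the latest compliance verdict per component, and flag any component whose non-compliance predates the last successful update (so updating did not clear it). The sample events are constructed from the lines quoted in the post, and the "free text followed by a timestamp" layout is assumed from them.

```python
import re
from datetime import datetime

# Constructed sample: the console events quoted in the post, newest first.
SAMPLE_EVENTS = """\
Update succeeded Nov 23, 2016 4:46 PM
Update succeeded Nov 23, 2016 2:48 PM
Policy non-compliance: Network Threat Protection Nov 23, 2016 2:45 PM
Policy in compliance: Device Control Nov 23, 2016 2:43 PM
Policy non-compliance: Device Control Nov 23, 2016 2:42 PM
Download of WindowsCloudNextGen failed from server http://dci.sophosupd.com/update. Nov 23, 2016 1:51 PM
"""

# Assumed layout: free text followed by a "Mon DD, YYYY H:MM AM/PM" timestamp.
EVENT_RE = re.compile(
    r"^(?P<text>.+?)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2} [AP]M)$"
)
COMPLIANCE_RE = re.compile(
    r"^Policy (?P<state>non-compliance|in compliance): (?P<component>.+)$"
)
TS_FORMAT = "%b %d, %Y %I:%M %p"


def parse_events(text):
    """Return [(timestamp, event_text)] sorted oldest first; rejects unparsable lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised event line: {line!r}")
        events.append((datetime.strptime(m.group("ts"), TS_FORMAT), m.group("text")))
    return sorted(events)


def latest_compliance(events):
    """Map each component to its most recent (state, timestamp) compliance verdict."""
    latest = {}
    for ts, text in events:  # oldest first, so later verdicts overwrite earlier ones
        m = COMPLIANCE_RE.match(text)
        if m:
            latest[m.group("component")] = (m.group("state"), ts)
    return latest


def triage(text):
    """Summarise what still needs attention on the endpoint."""
    events = parse_events(text)
    latest = latest_compliance(events)
    last_update_ok = max((ts for ts, t in events if t == "Update succeeded"), default=None)
    still_bad = sorted(c for c, (state, _) in latest.items() if state == "non-compliance")
    return {
        "still_non_compliant": still_bad,
        # Non-compliance older than the last good update: updating did not clear it.
        "persistent": sorted(
            c for c in still_bad
            if last_update_ok is not None and latest[c][1] < last_update_ok
        ),
        "self_resolved": sorted(
            c for c, (state, _) in latest.items() if state == "in compliance"
        ),
        "failed_downloads": [
            t for _, t in events if t.startswith("Download of") and " failed " in t
        ],
        "last_successful_update": last_update_ok,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the quoted timeline this separates the two alerts: Device Control flipped back to compliant a minute later (a transient flap), while Network Threat Protection went non-compliant at 2:45 PM and neither of the later successful updates produced an "in compliance" event for it, which matches the stopped service seen on the machine.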

  • Hi,

    The policies are fetched from the regional cloud infrastructure by the Sophos MCS Client service and locally handed off to the Sophos MCS Agent service.  See the Persist directory (Program Data for MCS) as the middle man here for inter-process communication.

    The MCS Agent is able to communicate with the managed components, e.g. SAV, AutoUpdate, Network Threat Protection, etc., as each managed component provides an adapter DLL which is loaded into the Agent process.  These adapters essentially 'set' and 'get' policy from the managed component in order to compare if the policy matches the running config.  All policy compliance is performed at the client side and reported back in the status messages to the cloud infrastructure.

    You can increase the level of logging on the Sophos MCS Client and MCS Agent service following this article: https://community.sophos.com/kb/en-us/119607.  For policy compliance, the Sophos Agent is the one to consider.

    As the Sophos Agent makes the comparison, if it has problems getting the running config from the component, e.g. its service is stopped, to compare it with the cached policy, it will call it non-compliant as it can't say it complies.  There is some tolerance around if it's in the middle of an update, but I think it's fair to say the Sophos Agent expects to be able to get running config and will throw an error if this is not the case.

    Regards,

    Jak
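The comparison described in the reply above, as an added model that is not Sophos's code: the agent holds a cached policy, asks the component's adapter for its running config, and reports in compliance only when it gets that config back and every policy setting matches. An adapter that cannot reach the component (service stopped) raises, and that path is reported as non-compliance rather than as unknown; an in-progress update defers the verdict. The component, its settings and the adapter stand-in are constructed for illustration.

```python
class ComponentUnavailable(Exception):
    """Raised by an adapter when the managed component cannot return its running config."""


def make_adapter(service_running, running_config):
    """Constructed stand-in for a component adapter's 'get': fails when the
    component's service is stopped, otherwise returns a copy of the running config."""
    def get_running_config():
        if not service_running:
            raise ComponentUnavailable("service is stopped")
        return dict(running_config)
    return get_running_config


def evaluate_compliance(cached_policy, get_running_config, updating=False):
    """Return (state, detail) for one managed component.

    'in compliance' requires both a readable running config and a full match;
    a read failure is reported as 'non-compliance', not as unknown.
    """
    if updating:  # the tolerance the reply mentions for a component mid-update
        return "deferred", "update in progress; verdict postponed"
    try:
        running = get_running_config()
    except ComponentUnavailable as exc:
        return "non-compliance", f"could not read running config: {exc}"
    mismatches = {
        key: (expected, running.get(key))
        for key, expected in cached_policy.items()
        if running.get(key) != expected
    }
    if mismatches:
        return "non-compliance", f"settings differ from policy: {mismatches}"
    return "in compliance", "running config matches cached policy"


# Hypothetical policy settings for Network Threat Protection (names are made up).
NTP_POLICY = {"enabled": True, "block_malicious_sites": True}


def sample_run():
    """Exercise the four paths: service stopped, matching, drifted, mid-update."""
    drifted = {"enabled": True, "block_malicious_sites": False}
    return {
        "ntp_stopped": evaluate_compliance(NTP_POLICY, make_adapter(False, {}))[0],
        "ntp_running_match": evaluate_compliance(NTP_POLICY, make_adapter(True, NTP_POLICY))[0],
        "ntp_running_drift": evaluate_compliance(NTP_POLICY, make_adapter(True, drifted))[0],
        "ntp_mid_update": evaluate_compliance(NTP_POLICY, make_adapter(False, {}), updating=True)[0],
    }


if __name__ == "__main__":
    for name, state in sample_run().items():
        print(f"{name}: {state}")
```

The asymmetry is the point: a stopped service and a genuinely wrong setting both land on "non-compliance", so the console alert alone does not say which one you have; the service state on the endpoint (and the MCS Agent log at raised verbosity) is what distinguishes them.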