One or more clients report their status to the Sophos Enterprise Console as "differs from policy", shown in the "Anti-Virus and HIPS policy" column of the "Anti-Virus Details" tab.
First seen in Enterprise Console 3.0
There are various reasons why a client's local Anti-Virus and HIPS policy can differ from the centrally controlled version. This article will help you identify which component is causing the warning.
First, confirm that the client has sent a message to the Sophos management server recently. If the client has not reported to the console recently, the warning may be stale and not reflect the client's current state.
If the server has received a recent message from the client, force the client to comply with the policy (the "Comply with" action in the console). This undoes any local changes an administrator may have made to the client's configuration.
Warning: Forcing a comply for disconnected clients will generate message build-up in the management server's envelopes folder as these messages cannot be sent to offline endpoints. It is recommended you only force a comply for a small number of online endpoints first and see if the alert disappears and does not come back (see below).
Important: You may initially see the warning disappear from computers that you force to comply, only to see it return after a short while. This happens while the policy is being sent to the endpoint and the endpoint is attempting to implement it. If there is an underlying problem, forcing a comply will not resolve the issue, and you should work through the rest of this article to identify it. Forcing policy compliance at this stage is still an important step, because it rules out the two simplest causes: the policy only needed re-sending to the endpoint, or a local administrator has been (or is) altering the policy from what is configured centrally.
Occasionally the endpoint computer cannot comply with the current configuration until it has been rebooted. This is especially true if the client has just been upgraded. If you have not already done so, reboot a client and wait for it to report (see "Confirm the client has recently reported to the console" above).
If your Anti-Virus and HIPS policy does not contain a scheduled scan of the client, you can dismiss this section as a cause of the "differs from policy" issue. If you have configured a scan from the console, note the name of the scan.
If your Anti-Virus and HIPS policy does contain a scheduled scan (e.g., a full on-demand scan once a week), the client may not be able to implement this part of the configuration because of security restrictions on the Task Scheduler. To check whether the scheduled task has been created on the client:
If you are unsure whether you have restrictions on the task scheduler please test by creating a scheduled task to open a small application like notepad.exe or the calculator program:
schtasks /create /s 127.0.0.1 /ru <yourDomainName>\administrator /rp <administratorPassword> /sc once /st 11:59:59 /tn "Sophos Test Task" /tr "%windir%\System32\calc.exe"
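The following PowerShell script is an added example, not part of the Sophos article. It performs the two checks described above in one pass: it looks for a scheduled task matching the scan name noted from the console, and it probes the Task Scheduler by registering, querying and then removing a harmless test task. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks cmdlets), that it is run from an elevated prompt, and that the test task runs as the current user rather than a domain administrator as in the schtasks command above. The default value of $ScanName is a placeholder; substitute the scan name from your policy.

```powershell
# Added example (not from the Sophos article). Requires an elevated prompt.
# $ScanName is an assumed placeholder: replace it with the scan name noted from
# the Anti-Virus and HIPS policy in the Enterprise Console.
param(
    [string]$ScanName     = 'Weekly Full Scan',   # placeholder, assumed
    [string]$TestTaskName = 'Sophos Test Task'
)

# 1. Has the endpoint created a task for the console-defined scan?
$scanTasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like "*$ScanName*" }

if ($scanTasks) {
    foreach ($task in $scanTasks) {
        $info = $task | Get-ScheduledTaskInfo
        # LastTaskResult is a Win32 result code; 0 means the last run succeeded.
        '{0}: state={1}, last run={2}, last result=0x{3:X}' -f `
            $task.TaskName, $task.State, $info.LastRunTime, $info.LastTaskResult
    }
} else {
    "No scheduled task matching '$ScanName' found: the client has not implemented " +
    "the scheduled scan. Check for Task Scheduler restrictions with the probe below."
}

# 2. Can tasks be created on this machine at all? Register a one-off test task,
#    confirm it is visible, then remove it regardless of the outcome.
$action  = New-ScheduledTaskAction -Execute "$env:windir\System32\calc.exe"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5)
try {
    Register-ScheduledTask -TaskName $TestTaskName -Action $action `
        -Trigger $trigger -ErrorAction Stop | Out-Null
    $created = Get-ScheduledTask -TaskName $TestTaskName -ErrorAction Stop
    "Task Scheduler accepted '$TestTaskName' (state: $($created.State))."
} catch {
    # A failure here points at scheduler restrictions (policy, permissions or
    # the credential cache issue covered later in this article).
    "Task Scheduler rejected the test task: $($_.Exception.Message)"
} finally {
    Unregister-ScheduledTask -TaskName $TestTaskName -Confirm:$false `
        -ErrorAction SilentlyContinue
}
```

If the probe in step 2 succeeds but step 1 finds no task, the scheduler itself is working and the problem lies in how the endpoint applies the policy; if the probe fails, resolve the scheduler restriction first and then force a comply again.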
*If you receive an error when editing the properties of the scheduled task then follow these additional steps:
Warning: The deletion of the crypto keys will remove the cached credentials for each scheduled task on the machine. Thus prior to deleting the files it would be worth noting that any existing scheduled task will still remain but credentials for each task may need to be re-entered. The impact of this will depend on the existing software/scheduled tasks on the machine.
Warning: The steps below should only be applied to a test policy on one group containing test computers. Following these steps will block all unauthorised suspicious behaviour and may stop some applications from functioning normally.
If you have previously customized any of the console policies, this can occasionally cause endpoints to differ from policy (e.g., if the customization was not done correctly). Customization of policies in CIDs (Central Installation Directories) is done using the tools ExportConfig and ConfigCID. Check where the endpoint is updating from and then see whether there are any XML files in that folder. If there are extra files and they are not required, they can be deleted (or cut and pasted out of the folder if you are unsure). For example XML file names, see the bottom of article 13111.
If the above steps fail to resolve the "differs from policy" issue, please follow the steps below:
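As an added example (not from the Sophos article), the PowerShell below inspects an endpoint's update location for stray XML configuration files and moves them into a holding folder rather than deleting them, matching the "cut and paste out if unsure" advice. The CID path is an assumed placeholder; take the real one from the endpoint's updating policy, and compare the listed names against article 13111 before deciding which files are legitimate.

```powershell
# Added example (not from the Sophos article).
# $CidPath is an assumed placeholder: use the share the endpoint updates from.
param(
    [string]$CidPath = '\\SERVER\SophosUpdate\CIDs\PLACEHOLDER',   # assumed
    [string]$HoldingFolder = (Join-Path $env:TEMP 'cid-xml-holding')
)

if (-not (Test-Path $CidPath)) {
    throw "Update location '$CidPath' is not reachable from this machine."
}

# List every XML file at the top level of the CID, oldest first, so that files
# added by a later customization attempt stand out at the bottom of the list.
$xmlFiles = Get-ChildItem -Path $CidPath -Filter '*.xml' -File |
    Sort-Object LastWriteTime

if (-not $xmlFiles) {
    "No XML files found in '$CidPath'; policy customization in the CID is not the cause."
    return
}

$xmlFiles | Format-Table Name, Length, LastWriteTime -AutoSize

# Move (do not delete) the files so they can be restored if a scan name or
# setting turns out to depend on them. The endpoint picks up the change at its
# next update; then force a comply and watch whether the warning returns.
New-Item -ItemType Directory -Path $HoldingFolder -Force | Out-Null
foreach ($file in $xmlFiles) {
    Move-Item -Path $file.FullName -Destination $HoldingFolder -Force
    "Moved $($file.Name) to $HoldingFolder"
}
```

Run the script once with the listing only (comment out the final loop) if you want to review the file names against article 13111 before moving anything.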