This article explains how to create an Active Directory group policy to prevent administrators from stopping the Sophos Anti-Virus service.
By default all users who are a member of the administrators group can stop services on a client computer. This means that they can stop the Sophos Anti-Virus service and remove Sophos endpoint security software with these rights.
Applies to the following Sophos products and versions: Sophos Endpoint Security and Control
The instructions below are for a Windows 2008 server. On the Windows 2008 Domain Controller:
You can now apply the group policy to required containers in the normal way and allow the policy to be applied to the client computers.
You can test the functionality by enabling the GPO and logging onto a client computer as an administrator, or as a member of any other group whose permissions you have restricted. Attempting to stop the service will display the following message:
Could not stop the service on Local Computer. Error 5: Access is denied.
OR the option to stop the service is grayed out and unavailable.
Either of these shows that the GPO was configured and applied to the client successfully.
If you do not see the error message and you are still able to stop a restricted service, check that the GPO was configured correctly and that there are no conflicting GPOs.
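As an added example (not part of the Sophos article), the following PowerShell check reads the effective security descriptor of the service on a client and reports whether the restricted group still holds the SERVICE_STOP right, which gives a scriptable version of the manual test above. It assumes the service display name is "Sophos Anti-Virus" and that the restricted group is BUILTIN\Administrators; adjust both to match your GPO.

```powershell
# Added example, not code from the Sophos article. Reads the service DACL via
# "sc.exe sdshow" and checks the rights granted to one group. Display name
# and group are assumptions.
$SERVICE_STOP = 0x00000020   # SDDL "WP" on a service object = SERVICE_STOP
$WRITE_DAC    = 0x00040000   # SDDL "WD": holder can rewrite the DACL itself

function Test-ServiceStopRestriction {
    param(
        [string]$DisplayName = 'Sophos Anti-Virus',      # assumed display name
        [string]$Group       = 'BUILTIN\Administrators'  # group the GPO restricts
    )
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop

    # sc.exe sdshow prints the descriptor in SDDL form after a blank line,
    # so join all output lines and trim before parsing.
    $sddl = ((sc.exe sdshow $svc.Name) -join '').Trim()
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    $account  = New-Object System.Security.Principal.NTAccount($Group)
    $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $allowedStop = $false; $deniedStop = $false; $allowedWriteDac = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $groupSid) { continue }
        $hasStop = ($ace.AccessMask -band $SERVICE_STOP) -ne 0
        $hasWd   = ($ace.AccessMask -band $WRITE_DAC) -ne 0
        if ($ace.AceType -eq 'AccessAllowed') {
            if ($hasStop) { $allowedStop = $true }
            if ($hasWd)   { $allowedWriteDac = $true }
        } elseif ($ace.AceType -eq 'AccessDenied') {
            if ($hasStop) { $deniedStop = $true }
        }
    }
    $canStop = $allowedStop -and -not $deniedStop
    [pscustomobject]@{
        Service      = $svc.Name
        Group        = $Group
        Sddl         = $sddl
        CanStop      = $canStop              # $true means the GPO is not effective
        CanChangeAcl = $allowedWriteDac      # if $true the group can undo the restriction
        GpoEffective = -not $canStop
    }
}

Test-ServiceStopRestriction | Format-List
```

If CanChangeAcl is true, the group still holds WRITE_DAC and can re-grant itself the stop right until the next GPO refresh, so consider removing that right in the same policy.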