One or more of the following Alerts are displayed in Sophos Central Admin:
Policy non-compliance: [Component]
Policy non-compliance: Malware Protection
Policy non-compliance: Device Control
Policy non-compliance: Tamper Protection
Policy non-compliance: Web Control
Real time protection disabled / Real time protection re-enabled
In addition to the Action Center alert, an email with the same event information is sent to each Sophos Central administrator.
One or more of the above alerts may be genuine, caused by a change a local administrator made on the client. For example, if an end user changes a scanning option, a 'Malware Protection' policy non-compliance event is generated. This is an event the Sophos Central administrator should know about.
Besides that legitimate scenario, these events can also be produced by unfortunate timing on the endpoint. As a Windows computer shuts down, there is a chance that the 'Sophos Anti-Virus' service terminates before the 'Sophos MCS Client' and 'Sophos MCS Agent' services stop. In that case there may be enough time before shutdown completes for the 'Sophos MCS Agent' service to generate (and the 'Sophos MCS Client' service to send) a status message reporting that the computer differs from one or more policies.
Evidence for the second scenario rather than the first is seeing the three component events ('Malware Protection', 'Device Control' and 'Tamper Protection') in short succession together with a 'Real time protection disabled' event, as shown in the Events report. In the shutdown scenario, once the 'Sophos Anti-Virus' service has stopped, the 'Sophos MCS Agent' service cannot obtain the running configuration of Sophos Anti-Virus, Tamper Protection or Device Control, which can give rise to all four events.
You may also see events stating that Real time protection has been disabled and then re-enabled within a short period. These occur when the Sophos MCS Agent service sends a status report on the Sophos Anti-Virus service while an update is in progress; it should subsequently report that Real time protection has been re-enabled. If the re-enabled event arrives only after a long delay, or does not arrive at all, that indicates a problem and we advise you to raise a case with Sophos Technical Support.
Applies to the following Sophos products and versions: Sophos Central Admin
If a local administrator has made a change such that the running configuration of the endpoint really does differ from the policy, Sophos Central sends the policy back to the endpoint 2 hours after the endpoint sends the 'differs' message.
If the event was caused by the second scenario, which you can confirm by checking the order in which the services stopped in the Windows System event log (Service Control Manager entries), you can safely ignore the message in the Action Center.
In addition to checking the Windows event log, you can enable a trail of the messages sent by the Sophos Management Communication System (MCS) to Sophos Central. These client-side XML files can then be checked for the exact time the 'differs' status message was sent, which helps determine which scenario led to the message being reported. For more information on enabling message trails see article 119608.
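The following PowerShell is an added example for performing that event-log check; it is not part of the Sophos article. It reads Service Control Manager event 7036 ("service entered the stopped state") from the System log for the three service display names the article mentions and reports whether 'Sophos Anti-Virus' stopped before the MCS services at the most recent shutdown. The 48-hour look-back window is an arbitrary assumption; run it elevated on the affected endpoint.

```powershell
# Added example, not Sophos code. Lists the most recent 'stopped' transitions
# for the Sophos services and compares their order.
# Assumptions: service display names as in the article; 48-hour window.
$services = 'Sophos Anti-Virus', 'Sophos MCS Agent', 'Sophos MCS Client'
$since    = (Get-Date).AddHours(-48)

# Event 7036 is logged by the Service Control Manager on every service state change.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036
    StartTime    = $since
} -ErrorAction SilentlyContinue

# For 7036, Properties[0] is the service display name and Properties[1] the new state.
$stops = foreach ($e in $events) {
    $svc   = [string]$e.Properties[0].Value
    $state = [string]$e.Properties[1].Value
    if ($services -contains $svc -and $state -eq 'stopped') {
        [pscustomobject]@{ Time = $e.TimeCreated; Service = $svc; State = $state }
    }
}

# Show the stop order so it can be compared with the time of the 'differs' alert.
$stops | Sort-Object Time | Format-Table -AutoSize

$av  = $stops | Where-Object { $_.Service -eq 'Sophos Anti-Virus' } |
       Sort-Object Time | Select-Object -Last 1
$mcs = $stops | Where-Object { $_.Service -in 'Sophos MCS Agent', 'Sophos MCS Client' } |
       Sort-Object Time | Select-Object -Last 1

if ($av -and $mcs -and $av.Time -lt $mcs.Time) {
    "Sophos Anti-Virus stopped at $($av.Time), before $($mcs.Service) at $($mcs.Time): shutdown-timing scenario likely."
} elseif ($av -and $mcs) {
    "Sophos Anti-Virus stopped after the MCS services; the alert is more likely a genuine configuration change."
} else {
    "No matching stop events found in the last 48 hours; widen the window or check the message trail."
}
```

Compare the printed stop times with the timestamp of the policy non-compliance alert in Sophos Central: if the alert was raised between the 'Sophos Anti-Virus' stop and the MCS service stops, it is the timing scenario described above.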