This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Updates changing UAC and ACL in Windows?

A customer of ours has about 300 endpoints. 50 of these have some very specific UAC and ACL configurations in Windows. When we initally rolled out Sophos, these settings were reversed even though we have GPO setting this stuff up. Well, GPO never set it back up and we had to manually resolve. After this recent update, 10.8.1, it seems to have reverted again!

Has anyone else encountered things like this before? Our customer is ready to say Uninstall Sophos. These are critical machines that Sophos is breaking. I need to come up with another solution instead of Uninstall.

I have opened a ticket but have yet to even receive the automated email confirmation. May have to open it again.

This thread was automatically locked due to age.

Parents

0 QC over 6 years ago

Hello Keith Morris,

first of all, which product (SESC, Central, ...)?
Off the top of my head - certain Windows Security Options are reset during remediation (cleanup in response to a detection). I'm not aware that updating would modify global settings, but certain product related settings are set to their intended values. Actually install or update fails if settings aren't as expected (e.g. permissions on HKLM\Software).
Can you disclose which settings these are?

Christian
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 QC over 6 years ago

Hello Keith Morris,

first of all, which product (SESC, Central, ...)?
Off the top of my head - certain Windows Security Options are reset during remediation (cleanup in response to a detection). I'm not aware that updating would modify global settings, but certain product related settings are set to their intended values. Actually install or update fails if settings aren't as expected (e.g. permissions on HKLM\Software).
Can you disclose which settings these are?

Christian
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Holger over 6 years ago in reply to QC

See here:

https://community.sophos.com/kb/en-us/118583

https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/90238/window-security-options-being-reset-during-remediation

Regards,

Holger
Cancel
Vote Up 0 Vote Down

Cancel
0 Keith Morris over 6 years ago in reply to Holger

Sadly, I would consider this software Legacy as the UAC breaks this software. Additionally, the users have to run this software as Admin with special command line parameters. the Windows ACL that I mentioned is due to the user also needing write access to a few folders inside of Program Files.

Horrible programming on their part, I know. But our customer is quite invested in this software and not using it is not an option. We would have to ditch Sophos before they ditched this software.

I am going to look into the Application Compatibility Toolkit to see what it can do for us... But I am fearing we will have to remove Sophos on these PCs, at least until a fix is found...
Cancel
Vote Up 0 Vote Down

Cancel
0 Holger over 6 years ago in reply to Keith Morris

Why don't you apply the registry value that is listed here ?

https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/90238/window-security-options-being-reset-during-remediation

It is the fix that you are looking for.
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 6 years ago in reply to Keith Morris

Hello Keith Morris,

the user also needing write access to a few folders inside of Program Files
don't have (convenient) access to a Windows endpoint right now but I'll check. Off the top of my head I couldn't say which rights this would be.

the users have to run this software as Admin with special command line parameters
You've lost me here. Interaction with this software is, if at all, via the GUI. But maybe I miss which part you are referring to.

There seems to be some misunderstanding (it could as well be on my part).

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 6 years ago in reply to Keith Morris

Hello Keith Morris,

after checking I still don't see what the UAC breaks or that it is modified - could you give details?

the user also needing write access to a few folders inside of Program Files
re-reading this part I'm sure I've misunderstood you - you mean that upgrading Sophos resets the ACLs on non-Sophos folders under Program Files (Program Files or Program Files (x86) - under the latter I have folders where users have write access and their ACLs haven't been modified)?

Christian
Cancel
Vote Up 0 Vote Down

Cancel