
The behaviour of Policies

I'm curious about the behaviour of the default policies in the Enterprise Console.

This curiosity started with the following case.

In the middle of the night a colleague of mine was called out of his bed because of a problem on our network.

Investigation showed my colleague a suspicious file which had been blocked by Sophos.

My colleague, who is not a regular Sophos admin, solved the problem by authorising the blocked file on the local client.

The next morning I saw a notification in the SEC that the policy of the client differed from the default.

I took action by informing myself about and verifying the action of my colleague. When I agreed with him, I authorised the blocked file in the central policy so that every other client in the group of the changed client is up to date with this change.

After this case I heard that the default behaviour of SEC is that if a policy is changed locally, like my colleague did in the case above, and no action is taken in the SEC, the default policy will be pushed to the changed client at the next Sophos update.

In the case above I didn't see this behaviour, but if this is the default behaviour I don't like it.

If Sophos had been updated in the time between the action of my colleague and the moment I saw the notification, I would never have seen the notification and the client would have been set back to the policy as it was before the action of my colleague.

The first time I would become aware of the issue would be when my colleague briefs me or when the file is blocked again by Sophos.

In the past we had a lot of strange situations due to the behaviour of the management tool of McAfee (our previous virus scanner, which has been replaced by Sophos).

I had a discussion with our reseller, who is of the opinion that this is the most likely behaviour, since otherwise you wouldn't need central management.

I don't agree with my reseller. I would like SEC to notify me of the difference in policy in the console and through any other possible notification, but not have SEC correct it by itself (to the wrong setting).

My questions are as follows:

Is the default behaviour as described, i.e. the central policy overrules the local policy at the time Sophos is updated?

If so, is there a possibility to change the default behaviour to the way I would like SEC to behave?

If this is not possible, is there a possibility to turn this matter into a feature request?

With best regards

Peter



  • Hi,

    Are you saying that you would like the management server to send the central policy on update if the machine doesn't comply with a given policy?

    With tamper protection, and having to be a member of the local SophosAdministrator group on the client, the number of users who are authorised to make changes to the endpoint should really be limited to Sophos administrators.

    Currently the only times a policy will be sent to a client are:

    1. If an action in SEC is performed, e.g. comply with policy or a machine moves groups.

    2. If the client doesn't have a local cached copy of the policy in the directory:

    C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\

    when the Sophos Agent service starts up.

    I would suggest contacting support to raise the feature request.

    Regards,

    Jak

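As an added example (not from the thread, not Sophos's own tooling), the following PowerShell check shows how an administrator could verify on an endpoint whether the locally cached policy Jak mentions is present, which files in it were changed recently (e.g. after an overnight local authorisation), and whether the next start of the Sophos Agent service would therefore cause the client to re-request the central policy. Only the AdapterStorage directory path comes from the thread; the Windows service name `Sophos Agent`, the 12-hour look-back window and the function name `Get-SophosPolicyCacheStatus` are assumptions made for this example.

```powershell
# Added example, not code from the thread or from Sophos.
# Reports the state of the RMS adapter policy cache that Jak's reply refers to.
# Assumption: the service is registered as 'Sophos Agent' (the thread only names it in prose).

# Path taken from Jak's reply in the thread.
$CacheDir = 'C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage'

function Get-SophosPolicyCacheStatus {
    param(
        [string]   $Path  = $CacheDir,
        # Look-back window for "recently changed" cache files; 12 hours is an arbitrary choice.
        [datetime] $Since = (Get-Date).AddHours(-12)
    )

    $status = [ordered]@{
        CacheDirectory           = $Path
        CacheDirectoryExists     = Test-Path -LiteralPath $Path
        CachedFileCount          = 0
        ChangedSince             = @()
        # Per Jak: a missing/empty cache means the agent requests the central policy on start-up.
        WillRequestPolicyOnStart = $true
        AgentServiceStatus       = 'not found'
    }

    if ($status.CacheDirectoryExists) {
        $files = @(Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue)
        $status.CachedFileCount          = $files.Count
        $status.WillRequestPolicyOnStart = ($files.Count -eq 0)
        # Files touched inside the window are candidates for a local change that SEC has
        # not yet been told about (a local authorisation, as in Peter's case).
        $status.ChangedSince = @($files |
            Where-Object { $_.LastWriteTime -gt $Since } |
            Sort-Object LastWriteTime -Descending |
            Select-Object FullName, LastWriteTime, Length)
    }

    # Service name is an assumption; adjust if it differs on your build.
    $svc = Get-Service -Name 'Sophos Agent' -ErrorAction SilentlyContinue
    if ($null -ne $svc) { $status.AgentServiceStatus = $svc.Status.ToString() }

    return [pscustomobject]$status
}

# Usage: run in an elevated PowerShell on the endpoint.
$result = Get-SophosPolicyCacheStatus
$result | Select-Object CacheDirectory, CacheDirectoryExists, CachedFileCount,
                        WillRequestPolicyOnStart, AgentServiceStatus | Format-List

if ($result.WillRequestPolicyOnStart) {
    Write-Warning 'No cached policy found: the next Sophos Agent start will pull the central policy and any local change will be lost.'
}
if ($result.ChangedSince.Count -gt 0) {
    Write-Host "Cache files changed since $((Get-Date).AddHours(-12)):"
    $result.ChangedSince | Format-Table -AutoSize
}
```

The script only reads the directory and the service state; it does not modify the cache, and it cannot tell you *what* was changed locally, only that a cache file was written inside the window, which is the cue to compare the client against its SEC policy before the agent next restarts.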
  • Hello Peter,

    It'd be interesting to know what raised suspicion (and why in the middle of the night). But I won't discuss this now. Only: do you have Scan for suspicious files and/or HIPS turned on?

    SEC is about central management. The basic idea is not that local administrators make configuration changes as they deem necessary (and letting central management figure out what has been changed and why). In fact Sophos has (as have other vendors) added Tamper Protection which prevents even local admins from making changes.

    Now policy compliance is not enforced immediately (although I think that this has also been requested). If you change a policy in SEC or assign the client a different policy it is transferred to the clients. Also a major update will cause the client to request the current policy from the console.

    Of course, if central administration works only 9 to 5 but users need to work at other hours, problems like the one you described will pop up. It's a common situation, but it makes no sense to want tight security in principle with the option that it can be bypassed at any time because the staff to support it is available less than a third of the time (given a week has 168 hours).

    The 9 to 5 vs. 24*7 challenge is a major reason why things like tamper protection have been requested. You don't want users to make exemptions because things otherwise won't work and there's no one to call, and when you come back on Monday you'll find some nasty piece of malware has crept in virtually everywhere.

    Christian

    "I would suggest contacting support to raise the feature request"

    Jak, I think it is about not sending the central policy in any case (at least not "automatically").

    Christian
