
Differs from policy - Anti-Virus and HIPS policy

I have a handful (2%) of machines that will not comply with the Anti-Virus and HIPS policy. I followed all aspects of Article ID: 113070 without resolution. I've enabled verbose logging; however, I'm not entirely sure what I'm looking for. I noticed that a few machines do not have the Sophos scheduled scan task in the C:\Windows\Tasks directory. I have also removed the SAUPolicy file and contacted support, which keeps referring me to the aforementioned article and the forum post "Differs from policy" dated 2009.

Aside from running the Sophos Diagnostic Utility (SDU) and submitting it to support (again), does anyone on the forums have any suggestions? Would posting the latest RMS log file help diagnose the problem?



  • keystroke13 wrote:

    a few machines do not have the Sophos scheduled scan task in the C:\Windows\Tasks directory



    So is it true to say that you have a scheduled scan set up in the policy and that hasn't been set up on the endpoint?

    If so remove the scheduled scan from the central policy and comply it again to a test computer.  Does the policy comply now?

    A good tip is to create a new (blank) policy and comply that.  If it doesn't differ add just a scheduled scan and test if that is the cause.


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Ruckus, that is correct; we have daily and weekly scans set up for our workstation and/or server environment.

    On the existing policy I made a scheduled scan change and forced a comply with Anti-Virus and HIPS policy on the problematic servers. The policy compliance went from awaiting policy transfer > Differs from policy.

    I then removed the scheduled scan and forced a comply with Anti-Virus and HIPS policy. The policy applied correctly to the problematic servers. I re-added the scheduled scans and re-forced the comply with Anti-Virus and HIPS policy and they came back with differs from policy.

    Lastly I created a blank policy w/o a scheduled scan and the policy applied correctly to the problematic servers.

    The policy difference is based around creating the scheduled task. Services are running and I'm able to create a test task using the same account that is used during the installation. Ironically, both physical servers are identical. One is currently in production and the other in our offsite colocation.

    This is a stretch, but both machines have dual NICs on separate subnets (10.x and 172.x) and VLANs (Data and Voice). If there was a communication issue I would expect further problems. To test, I disabled the voice NIC at our colocation, re-ran the installation wizard, and restarted the server, isolating the network. Still have the same results.

    Any other thoughts?

  • So it's definitely the scheduled task.

    Therefore it's back to article 113070 and the section titled 'Check if the schedule task has been created on the client'.  The two servers must be different in some way or other - even only slightly.  As the section suggests maybe a GPO or system restriction - it doesn't take very much.

    Also see the follow-on section titled 'Delete the crypto keys from the local client' if you haven't already done so - but read the warning.


  • Thinking I may have missed something, I followed that KB twice. I ran the scheduled task command and the "Sophos Test Task" was created, and I removed the crypto keys with the same results. Support alluded to our WAN connection blocking the RMS ports, but this is also happening on the LAN side as well. I will dig further tomorrow and see what I can come up with.

    Thank you 

  • Doubt it's RMS - it's correctly ("successfully") reporting that it is indeed differing.

    If I was doing it myself (not the best test because several things are all changing at once)...

    1. Ensure the user SYSTEM and group 'administrators' have full control of:
      • C:\Windows\Tasks\
      • C:\Windows\System32\Tasks\
    2. Delete the Crypto keys (again).
    3. Reboot immediately afterwards - important.
    4. Force a comply of the policy to the server when it's up again (with a scheduled scan configured).

    If the policy still differs (and based on a quick scan of case history where the problem was found to be related to scheduled scans) you should remove/disable all group policies that are applied and force comply again.  If that works it's something in the GPO and the next steps then are to switch the GPOs back on one by one and see what affects it.

    Hope it helps.

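    The numbered steps above start with a permissions check on the two Tasks folders. The script below is an added example, not code from this thread or from Sophos: it is a read-only check that reports whether SYSTEM and BUILTIN\Administrators hold full control of both folders (Ruckus's step 1), whether the Task Scheduler service is running, and whether a task file with "Sophos" in its name exists, which is the observation that opened the thread. It assumes an elevated PowerShell on the affected endpoint, and the "Sophos" name pattern is a hypothetical filter to adjust to the task name the console actually creates.

```powershell
# Added example (not from the thread or from Sophos). Read-only: changes nothing.
# Assumptions: elevated PowerShell on the affected endpoint; the scan task file
# has "Sophos" in its name (hypothetical pattern, adjust as needed).

$taskDirs    = @("$env:windir\Tasks", "$env:windir\System32\Tasks")
$required    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$genericAll  = 0x10000000   # GENERIC_ALL: how some inherited rules express full control
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-FullControlRule {
    # True if this ACE is an Allow rule for $Identity that grants full control on
    # the folder itself (an InheritOnly rule applies to children only, so it does
    # not count here).
    param($Rule, [string]$Identity)
    $rights = [int]$Rule.FileSystemRights
    return ($Rule.AccessControlType -eq 'Allow') -and
           ($Rule.IdentityReference.Value -eq $Identity) -and
           (([int]$Rule.PropagationFlags -band $inheritOnly) -eq 0) -and
           ((($rights -band $fullControl) -eq $fullControl) -or (($rights -band $genericAll) -ne 0))
}

function Get-TaskPrereqReport {
    $lines = @()
    foreach ($dir in $taskDirs) {
        if (-not (Test-Path -Path $dir)) { $lines += "MISSING DIR  $dir"; continue }

        # Step 1 of the post: both identities need full control of each folder.
        $acl = Get-Acl -Path $dir
        foreach ($id in $required) {
            $hit   = $acl.Access | Where-Object { Test-FullControlRule -Rule $_ -Identity $id }
            $state = if ($hit) { 'OK      ' } else { 'NOT FULL' }
            $lines += "$state  $id  on  $dir"
        }

        # The symptom from the first post: is the Sophos task file there at all?
        $taskFiles = Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
                     Where-Object { -not $_.PSIsContainer -and $_.Name -match 'Sophos' }
        if ($taskFiles) {
            foreach ($f in $taskFiles) { $lines += "task file present: $($f.FullName)" }
        } else {
            $lines += "no task file matching 'Sophos' under $dir"
        }
    }

    # The service that has to create the task when the policy is complied.
    $svc = Get-Service -Name Schedule
    $lines += "Task Scheduler service: $($svc.Status)"
    return $lines
}

Get-TaskPrereqReport
```

    A "NOT FULL" line for either identity on either folder is the condition step 1 asks you to correct before deleting the crypto keys and rebooting; an "OK" on everything while the policy still differs points at the GPO elimination test described in the last paragraph of the post.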

  • Dear all,

    recently I found this (I don't remember where) and it could be helpful for you if you have an issue with Differs from policy on AV and HIPS; in any case it resolved my issues:

    Please try the following on a single system.


    1) On the clients that are showing as differs you will need to delete the contents of the following path: C:\Documents and settings\all users\application data\microsoft\crypto\RSA\s-*-**-**\
    2) Then delete any scheduled tasks completely
    3) Stop and restart the task scheduler service
    4) Re-apply the policy from the console and verify that the machine got the policy.
    5) Then wait about 3 min and it should remove the error.

    A possible script would be:

    rem Stop the Task Scheduler service so no task or key file is in use (step 3)
    net stop "task scheduler"
    rem Delete the LocalSystem (S-1-5-18) RSA key container files (step 1);
    rem /AS selects files carrying the System attribute, /Q suppresses the prompt
    del "%allusersprofile%\Application Data\Microsoft\Crypto\rsa\S-1-5-18\*.*" /AS /Q
    rem Remove all AT jobs without confirmation (step 2)
    at /delete /yes
    rem Restart the service so the console can recreate the task (step 3)
    net start "task scheduler"

    Regards

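    The S-1-5-18 key container files that step 1 deletes are the LocalSystem machine keys, which other software on the host may also depend on (the earlier reply in this thread says to read the KB warning before deleting them). The script below is an added example, not code from this thread or from Sophos: it carries out Rselec's steps 1 to 3 in PowerShell but copies every key file and task file to a timestamped backup folder first, so the step can be reversed, and it removes scheduled tasks by name instead of clearing every AT job. It assumes an elevated PowerShell 2.0 or later, a Windows version on which the Task Scheduler service can be stopped (the "net stop" in the original script has the same requirement), and that the relevant tasks have "Sophos" in their name; the backup path and the name pattern are hypothetical parameters.

```powershell
# Added example (not from the thread or from Sophos): Rselec's steps 1-3 with a
# backup taken before anything is deleted. Run on a single test system first.
# Assumptions: elevated PowerShell 2.0+; the Schedule service can be stopped on
# this Windows version (if it cannot, the script halts before deleting anything);
# $TaskNamePattern and $BackupRoot are hypothetical values to adjust.
param(
    [string]$BackupRoot      = "$env:SystemDrive\PolicyFixBackup",
    [string]$TaskNamePattern = 'Sophos'
)

# Windows XP/2003 keep the machine key folder under "All Users\Application Data";
# Vista and later keep it under ProgramData. S-1-5-18 is the LocalSystem SID.
$KeyDir = if ($env:ProgramData) {
    Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\S-1-5-18'
} else {
    Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\S-1-5-18'
}

$backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path "$backup\keys"  -Force | Out-Null
New-Item -ItemType Directory -Path "$backup\tasks" -Force | Out-Null

# Step 3, first half: stop the Task Scheduler service before touching anything.
Stop-Service -Name Schedule -Force -ErrorAction Stop

# Step 1: back up, then delete, the LocalSystem RSA key container files.
# They carry the System attribute, so -Force is needed to list and remove them.
Get-ChildItem -Path $KeyDir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    Copy-Item   -Path $_.FullName -Destination "$backup\keys" -Force
    Remove-Item -Path $_.FullName -Force
    "deleted key file: $($_.Name)"
}

# Step 2: back up the task files (this covers AT jobs, At*.job, as well), then
# delete only the scheduled tasks whose name matches the pattern. Rselec's
# script clears every AT job with "at /delete /yes"; on a server with other
# scheduled work, removing by name is the safer form of the same step.
Copy-Item -Path "$env:windir\Tasks\*.job" -Destination "$backup\tasks" -Force -ErrorAction SilentlyContinue
$tasks = schtasks /query /fo CSV | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -match $TaskNamePattern) {
        schtasks /delete /tn $t.TaskName /f | Out-Null
        "deleted task: $($t.TaskName)"
    }
}

# Step 3, second half: restart the service so the console can recreate the task.
Start-Service -Name Schedule

"Backup written to $backup"
"Steps 4 and 5 are manual: force a comply of the Anti-Virus and HIPS policy"
"from the console, then wait about three minutes and re-check compliance."
```

    If the endpoint reports a problem with some other application afterwards, the key files under the backup folder can be copied back into the S-1-5-18 directory with the service stopped; that reversal is the reason for taking the copy before step 1 rather than deleting directly.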
  • Rselec, this worked like a charm. Thank you for taking the time to post a solution and I hope other forum members find this information valuable.

  • Thanks for your post, Rselec

    recently I found that (don't remember where)

    Could it be Differs from policy - Anti-Virus and HIPS policy?

    Christian

  • I have a problem with the Anti-Virus and HIPS policy: when I set up a new scheduled scan, all my computers reply Differs from policy (just a couple of PCs work OK; the others, ~1200 PCs, are replying with the error).

    I have tried almost everything, including the solution in this article, but it does not work for me. I have also tried this troubleshooting: community.sophos.com/.../113070.

    When I tried to troubleshoot this problem, I got stuck on this step with an ACCESS Denied error:

    schtasks /create /s 127.0.0.1 /ru <yourDomainName>\administrator /rp <administratorPassword> /sc once /st 11:59:59 /tn "Sophos Test Task" /tr "%windir%\System32\calc.exe"

    If I remove /s 127.0.0.1, the command above works.

    Any suggestions?