
Tamper Protection greyed out

Hi All,

We are in the process of rolling out Sophos Antivirus in our company.

One of our users is complaining he can no longer connect USB devices like iPhones and Cameras.

We've just installed Sophos on his PC and Device Control is not enabled.

To confirm it was Sophos I wanted to disable it.  However the Authenticate User option is disabled!

How do I disable Sophos on an end-user's PC?

Many thanks

  • Hello AMS_User,

    if you haven't set a Device Control policy it should be disabled. Normally at least "something" is logged when Sophos (deliberately) interferes - either locally or in SEC.
    Authenticate User is only available if Tamper Protection is enabled and active for this user. If all TP links are greyed (and other configuration options as well) then the user running the GUI does not belong to the SophosAdministrator group and thus has only limited rights.

    Christian
  • Thanks for the quick reply.  I raised another post for the USB issue.  This one is mainly for disabling Sophos.

    We are not running device control, so I don't think it can be that (see attached).

    I am running the same policy as the PC I want to disable tamper control on and I can access it.  So I guess the end user needs to be in the SophosAdministrators group to access it.  Is this what Sophos recommend?

    I guess my question is - how do admins disable Sophos on users' PCs for debugging etc.?

  • Hello AMS_User,

    maybe your users act very responsible and therefore you see no problem allowing them to control all aspects of Sophos (and the rest). Normally it's better to not let users turn off this and that (for better performance or just because I think this PDF is really important).
    The SophosAdministrator group is populated with the members (which might be groups) of the Administrators group at install time.

    Christian
  • If you are local admin on the client you can simply stop the Sophos services whilst you troubleshoot, afterwards enable them again.

  • I'm not looking to allow users to disable Sophos; from what I gather you need the password to disable tamper protection.

    I want to have the option to disable Sophos when I'm on their PC.

    Also, once I have the option to authenticate, how do I disable the software?  In Kaspersky there was an option to disable for 15 minutes.

  • From my understanding, the Tamper Protection is there to prevent local administrators from changing settings in Sophos. So, for instance, if you want to uninstall it manually from the PC, you first need to put in the Tamper Protection password before you can uninstall it.

    You don't need the Tamper Protection for anything more, if you are managing Sophos via the Enterprise Console.

    Temporarily de-activating Sophos is not as easy as in Avast or Kaspersky, where you can simply de-activate it for some time. I know of only two ways of doing it:

    • You have local administrator permissions on the PC and you stop the Sophos Services (easiest and quickest way)
    • You create a Sophos Policy that disables the AV and you move the machine in the Sophos Enterprise Console into that group. However this takes more time, as policies need to be downloaded and applied. Once you want to turn the AV back on, you have to move the computer back again.
  • Hello AMS_User,

    for a managed endpoint TP is, like the other components, controlled with the corresponding policy. You can always force the endpoints to comply (well, as long as there is a working connection).

    There are two cases (if the endpoint complies with the policy):

    1. you have enabled TP from SEC. To do so you also had to set a password (this is the password to use for Authenticate User). In the client GUI when logged in as a SophosAdministrator Authenticate User is active (as is View TP log), whereas Configure is greyed
    2. you have not enabled TP. Then Authenticate is greyed, Configure is active (again provided you are SophosAdministrator)

    For completeness - if you have not enabled TP, but the endpoint does not comply and shows TP as active then a local admin has enabled TP locally (in which case you likely do not know the password). You should be able to force (from SEC) compliance though.

    How do I disable the software

    Well, in a certain sense you can't really (and neither with other vendors) as low-level components are involved which remain present. Timed disabling has IMO limited use - you are debugging, aren't you? Unlikely you can tell in advance how long it will take and if there is significant time remaining when you are finished you'd have to re-enable it manually anyway.

    You can disable each component individually; as you don't have Device Control, On-Access should be the only one which comes into play here (if at all).

    Christian

  • Thanks for the info.

    I've stopped the services and unticked the run device and data control.  But the USB device still doesn't work, which suggests Sophos is still running.

    Note, they are MTP devices and Sophos is designed to stop them:

    http://downloads.sophos.com/readmes/historic/103/sesc_1032_09_2013_rneng.html

  • After lots of messing around it looks like the issue I was experiencing was a registry key left behind by Kaspersky.

    Deleting the following fixed the issue.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{EEC5AD98-8080-425F-922A-DABF3DE3F69A}\UpperFilters

    Thanks for your help.

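The registry value the poster deleted sits on the Windows Portable Devices class (the GUID quoted above), which is why MTP phones and cameras were the devices that broke. Before removing such a value outright, an admin would normally want to see which filter drivers it lists and whether each one still has a driver service registered on the machine. The script below does that check; it is an added example, not something posted in the thread, and the orphan-detection logic and `Get-OrphanedClassFilters` name are mine. The only change it makes is a preview (`-WhatIf`) of the removal.

```powershell
# Added example, not from the thread. Inspect the UpperFilters value on the
# device class named in the post and flag entries whose driver is gone.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{EEC5AD98-8080-425F-922A-DABF3DE3F69A}'

function Get-OrphanedClassFilters {
    param([string]$Path, [string]$ValueName = 'UpperFilters')

    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.PSObject.Properties[$ValueName]) {
        return @()   # no filter value on this class: nothing to report
    }

    # REG_MULTI_SZ is returned as string[]; wrap in @() in case it is a lone string
    foreach ($f in @($props.$ValueName)) {
        if ([string]::IsNullOrWhiteSpace($f)) { continue }
        # A class filter can only load if a service key of the same name exists;
        # kernel drivers do not appear in Get-Service, so check the key and Win32_SystemDriver.
        $svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$f"
        $driver  = Get-CimInstance Win32_SystemDriver -Filter "Name='$f'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Filter     = $f
            ServiceKey = Test-Path $svcKey
            DriverSeen = [bool]$driver
            ImagePath  = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        }
    }
}

$report = @(Get-OrphanedClassFilters -Path $classKey)
$report | Format-Table -AutoSize

$orphans = $report | Where-Object { -not $_.ServiceKey }
if ($orphans) {
    Write-Warning "Stale UpperFilters entries (no driver service present): $($orphans.Filter -join ', ')"

    # Export the class key first so the change can be reverted, then preview the
    # removal. Drop -WhatIf only once you are sure no live driver is listed.
    $regPath = $classKey -replace '^HKLM:\\', 'HKLM\'
    reg.exe export $regPath "$env:TEMP\wpd-class-backup.reg" /y | Out-Null
    Remove-ItemProperty -Path $classKey -Name UpperFilters -WhatIf
}
```

If the value lists a filter whose service key is still present (for example one belonging to a product that is still installed), removing the whole value would disable that product's filter too; in that case edit the multi-string to drop only the stale entry rather than deleting the value.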
  • Hello AMS_User,

    MTP devices and Sophos is designed to stop them

    only if you have requested this with a Device Control policy. The screenshot you've posted suggests you haven't and as Device Control isn't shown at all I assume you have not touched the Default policy and the corresponding service wasn't started. But anyway, I see you've found the reason. Thanks for sharing it.

    Christian
