Default policy being used when it isn't supposed to be.

I have a couple machines where the 'Default' policy is being used when it isn't supposed to be.  How do I fix this, and how can I identify other machines doing this?  The console says 'same as policy' in the Policy compliance column, which I guess means it is using a valid policy ... just not the right one!

Using Sophos Antivirus 9.0.5, and Enterprise console 4.0.0.2362

  • Hello nealbscott,

    which Default policy and how did you find out?  Computers are in groups and to the groups certain policies are assigned (which could also be the Default policies). So - which type of policy (updating, AV, ...) isn't correct? Same as policy means that the client reported the policy it's using is identical to the one received from SEC.

    Christian

  • The antivirus 'default' policy is the one I speak of.  We started getting false positives on an app that we were scratching our heads on since we knew we had approved it.  Then we noticed one person was getting email alerts about the false virus that wasn't supposed to.  Turns out the default policy did not list the 'approved' exe, and default also included the email address that was not in the other policy we created.   To confirm our theory, we added my email address to the default policy and reapplied.  Near as we can tell we have *nothing* using the default policy.  So if I start getting antivirus alerts in my email today, it will confirm what is going on.  Will know more in a few days.  Maybe making a change to the default policy is enough to cause everything to synch up again.  Cross fingers!

    This false positive, which not everybody has, is really the only clue about the use of the wrong policy, which is why I can't tell what other machines are using.

  • Yup, I can now confirm that the system used 'default' policy.  I know this because I got a virus notice email over the weekend, and we added my email to the default policy Friday to see what would happen.

    When I right click on the default policy and choose 'View Groups using policy', I get 'This policy is not assigned to any groups'.  I should not be getting that notification email!

  • Hello Neal,

    thought about it and played a little bit.

    Policies are applied to groups but mapping is done on a per-computer basis although it includes the "state" ("Same as ...", "Awaiting ...").  From what you say I surmise some inconsistencies in your database. Assuming the Default AV policy has ID=2 I used the following: 

    sqlcmd -E -S .\SOPHOS -d SOPHOS4 -Y 20 -Q

    SELECT c.Name,c.Deleted,
           cps.State,
           g.Name
       FROM  ComputerPolicyStates AS cps,
             Groups AS g
               INNER JOIN ComputerGroupMapping AS cgm ON g.ID = cgm.GroupID
               INNER JOIN
               (SELECT Name, ID, Deleted FROM ComputersAndDeletedComputers)
                 AS c ON cgm.ComputerID = c.ID,
             ComputerPolicyMapping AS cpm  
       WHERE (cpm.PolicyID=2 AND cpm.ComputerID=c.ID AND (cps.ComputerID=c.ID AND cps.Type=2))

    It displays the computer name, the deleted flag (I was curious, when 1 the computer isn't shown in SEC), the (I assume) policy compliance state  (1=Same, 2=Differs, 3=Awaiting transfer, ...) and the group (only the "bottom" but that was sufficient for me). Use at your own risk though (and it's all guesswork BTW).

    I think you could do one of the following to correct the problem:

    1) Modify the policy which should be in effect (just delete some names from the "known" pane in the Authorization window) - this should transfer it to the clients

    2) Create a copy of the AV policy, assign it to the group

    Christian
