Rebooting VDI causes 'Differs from policy'

Hello Bernhard,

which policies differ? Do the machines subsequently automatically comply or do you have to force compliance? Of course provided that the masterimage was in compliance - any chance that the policy has changed since preparation of the masterimage?
Changes of this cloned image
which changes/areas? The relevant policy and configuration data is kept under %ProgramData%\Sophos\.

Christian

Hello Christian

Firewall, Data Control and Device Control are differing. We waited hours and the client didn't get compliant. We have to force it after every reboot or every change in master image.
Ye, of course the client in master image is compliant. The master image and the cloned VDIs have also the same policies (except for the update policy but this policy is still compliant).

Here is a KBA about this personal vDisk thing if you're interested: support.citrix.com/.../CTX131553.
Long story short: Every VDI's hdd has just a link to a current snapshot of the master image. Changes of this snapshot are written into a "personal vDisk", a second VMDK of this VDI. If you change the master image, these changes appear on all VDI's without losing data which a user has created.

I took a look into %ProgramData%\Sophos\ and it's subfolders. But for an example in Device Controls subfolder I only have a subfolder called logs. No config folder or something like that. Were are these policies stored?

Regards

Hello Bernhard,

Data and Device Control have their settings in the Anti-Virus config. The Agent service compares the settings and actual state (e.g. Device Control enabled but the required service not started) with the cached policies (in %ProgramData%\Sophos\Remote Management System\3\Agent\AdapterStorage\) at startup. It then reports the compliance status (same, differs, or awaiting from console if the cache is empty) together with a revision ID (so that SEC can detect that when an endpoint considers itself compliant but uses an outdated policy - please note that a policy's ID is updated when you save it even if you didn't make any changes to it).
The Agent logs (in ...\3\Agent\Logs\) the results in informational messages starting with SAV (or: SCF) state observer received a status, Res="xxxx" is the compliance, RevID="{GUID}" names the ID which corresponds to column CorrelationID in table Policies in the database (the SAV message lists most policies so you'll see several Res=/RevID= items). 

Christian 

Hello Christian

Thanks for your reply. Great news, I'm one step further.
If I cleanup the AdapterStorage-Folder and clone my machines I can avoid the policy differ. The clone is booting up and after a couples of seconds the machine in console turns from "awaiting policy transfer" to "same as policy".
I will add this cleanup-step to my anonymizing script which i have to run before cloning.

But a little problem persists. After a reboot the Application Control policy is non-compliant again. And I don't see any errors in the agent log.
Any advice?

Regards, Berhard

Hello Bernhard,

cleanup the AdapterStorage
would have been my next suggestion. Application Control policy is non-compliant again - the Agent log says Res="Diff" or Res="Same"? Other policies are immediately compliant (which would suggest that changes to %ProgramData% are preserved) or Awaiting ...? I don't see any errors - Res="Diff" is not considered an error as far as the comparison is concerned, but verbose logging will list the differences.    

Christian

Hi

I just wanted you to know that I'm very busy at the moment. I tried cleaning the policy folder in our master image. Now the cloned machines are pulling fresh policies from our SGN Server. Everything's fine.
But if I restart one of these clones I still see "Differs from policy" in the console. I will let you know if I found something.

Regards

Hi Christian

I tried to investigate this error on my own but I get nowhere. I will open a call at Sophos.

Thanks for your help
Regards