Comparison failure in AV and HIPS

W7 or XP?

For XP: check if SYSTEM belongs to SophosAdministrator group. If it's missing, add it, else lots of Sophos actions will just plainly fail due to missing rights.

Thanks for the reply

Sorry forgot All clients are Windows XP Service Pack 3.

Just checked and System is a member of SohposAdministrator group.

All other policies are updating fine I just changed a room to have access to real-player application this morning to allow a music studio program to work. it is only the AV and HIPS policy. :(

This is typically caused by the default Microsoft permissions being changed on the boot partition (C:\). The local Everyone group should be listed with Travers Folder, List Folder, Read Attributes, Read Extended, and Read permissions. If this group and these rights are missing, the above mentioned issue will result. The permission change should only be applied to "This folder only". Please note that changing permisssions on the folder structure could damage the computer.

If the system is critical, make sure you have a backup of the data. Microsoft's "FixIt" tool can be used in worst case scenarios. This tool can be found at http://support.microsoft.com/kb/313222.

Before following these steps, be sure that the symptoms mentioned fit what you are seeing and that the permissions on the C:\ are missing the Everyone group.

1. Open My Computer, right click the C:\ drive, select Sharing and Security.
2. Click the Security tab. Confirm that "Everyone" is not listed.
3. Click Advanced
4. Click Add
5. Change the Location to the local computer
6. Type Everyone in the name field, then click OK.
7. In the Permission Entry dialogue, select "This folder only" for the 'Apply onto:' drop down.
8. Tick the Allow checkbox for Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, and Read Permissions. (see screen shot)
9. Click OK 3 times to commit the change.
10. Restart the Sophos Anti-Virus Service and confirm the issue is resolved.

For further assistance, please contact Sophos Technical Support via http://www.sophos.com/support/queries/, advising that KB 109831 has been followed.

Permissions in the root folder were not the issue they were set correctly.

I have determined that the fault lies with the scheduled scan. I have removed it from the AV and HIPS policy completely and removed the scheduled task from the clients they are now showing "same as policy" (phew!)

I think this will have been caused by the fact that these machines were sysprep'd for imaging and deployment. They must have had Sophos on before they were imaged which created a scheduled scan. So when the security identifiers were reset this scheduled task was orphaned and stopped Sophos from adding the new one when they were deployed.

I will be attempting to re-introduce the scheduled scan next week after I have removed all the scheduled scans from the system.

I will let this forum know what happens.

Thanks :)

After mentioning the Scheduled Tasks, I now remember that I had a problem on one machine which got infected by malware which autostarted itself by using the Task Scheduler. The malware must have modified permissions for the Task Scheduler in the registry or something. So when i moved the machine from my default SEC policy (with no Scheduled Scans enabled) into the "Infected/Quarantine" container (with Scheduled Scans enabled) the result was a comparisons mismatch which basically meant that there is a problem adding my Sophos Scheduled Scan to the Taks Scheduler. I tried 5 or 6 times to force down the policy but had no success. I remoted in and after some digging I found the malware in the Task Scheduler and 5 or 6 Sophos Scheduled Scans which never had started.