
Comparison failure in AV and HIPS

I have gone through the forums and found a few similar threads.

90% of my machines have a comparison failure with the Anti-virus and HIPS policy.

I have tried force comply with all group policies, and with the AV and HIPS one separately.

I have tried re-protecting.

I have tried removing scheduled scans as in Knowledge Base article 28060; this works for some machines (only a few).

The majority are still not complying with the policy.

I have one of the agent logs here and it looks like access denied. I use an admin account with full access to the machine for Sophos.

Any suggestions? Other than manually removing the software from all my machines and doing a fresh install (again!).

15.04.2010 09:54:00 0F14 I SAUAdapter - SAU AdapterImpl: Notifying agent of configuration change
15.04.2010 09:54:00 0F14 I ALC state observer received a configuration
15.04.2010 09:54:00 0F14 I SAUAdapter - SAU AdapterImpl: Notifying agent of status change: <?xml version="1.0" encoding="utf-8" ?><status xmlns="http://www.sophos.com/EE/EESauStatus"><CompRes xmlns="com.sophos\msys\csc" Res="Same" RevID="{ECB95FD7-6425-47DE-B4BC-62A2A1591CA6}" /></status>
15.04.2010 09:54:00 0F14 I ALC state observer notified that ALC is running
15.04.2010 09:54:00 0F14 I ALC state observer received a status: <?xml version="1.0" encoding="utf-8" ?><status xmlns="http://www.sophos.com/EE/EESauStatus"><CompRes xmlns="com.sophos\msys\csc" Res="Same" RevID="{ECB95FD7-6425-47DE-B4BC-62A2A1591CA6}" /></status>
15.04.2010 09:54:04 0B3C E SAVXP Adapter: COM exception caught in SAVConfig::CRTInspectionLoaderSaver::WriteConfigToService and re-thrown. Error Code 0x80070005: Access is denied.
15.04.2010 09:54:04 0B3C E SAVXP Adapter: COM exception caught in SAVConfig::CSAVConfigDataSaver::WriteConfigToService. Error Code 0x80070005: Access is denied.

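A triage sketch for the log excerpt above, added as an example and not part of the original post or any Sophos tooling: it parses agent log lines in the layout shown and lists which hosts report which COM error code in which method. The host names and the second host's log are constructed, and the regexes assume the line layout seen in the excerpt.

```python
import re

# Assumed layout, taken from the excerpt: date time thread-id level message
LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) ([0-9A-F]{4}) ([A-Z]) (.*)$")
# "COM exception caught in <method>[ and re-thrown]. Error Code 0x...: <text>"
COM_RE = re.compile(r"COM exception caught in ([\w:]+)(?: and re-thrown)?\. "
                    r"Error Code (0x[0-9A-Fa-f]{8}): (.*)$")

def com_failures(log_text):
    """Return one dict per E-level line that reports a COM exception."""
    found = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line or line.group(3) != "E":
            continue
        com = COM_RE.search(line.group(4))
        if com:
            found.append({"when": line.group(1), "thread": line.group(2),
                          "method": com.group(1),
                          "hresult": com.group(2).lower(), "text": com.group(3)})
    return found

def hosts_by_error(per_host_logs):
    """Map (hresult, method) -> sorted hosts, to see how widespread each failure is."""
    seen = {}
    for host, text in per_host_logs.items():
        for f in com_failures(text):
            seen.setdefault((f["hresult"], f["method"]), set()).add(host)
    return {key: sorted(hosts) for key, hosts in seen.items()}

# Constructed input: host names are made up; PC-01 reuses lines from the excerpt,
# PC-02 is a host whose log has no errors.
SAMPLE = {
    "PC-01": """\
15.04.2010 09:54:00 0F14 I ALC state observer received a configuration
15.04.2010 09:54:04 0B3C E SAVXP Adapter: COM exception caught in SAVConfig::CRTInspectionLoaderSaver::WriteConfigToService and re-thrown. Error Code 0x80070005: Access is denied.
15.04.2010 09:54:04 0B3C E SAVXP Adapter: COM exception caught in SAVConfig::CSAVConfigDataSaver::WriteConfigToService. Error Code 0x80070005: Access is denied.
""",
    "PC-02": "15.04.2010 09:54:00 0F14 I ALC state observer notified that ALC is running\n",
}

if __name__ == "__main__":
    for (code, method), hosts in hosts_by_error(SAMPLE).items():
        print(code, method, hosts)
```
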


  • After mentioning the Scheduled Tasks, I now remember that I had a problem on one machine which got infected by malware which autostarted itself by using the Task Scheduler. The malware must have modified permissions for the Task Scheduler in the registry or something. So when I moved the machine from my default SEC policy (with no Scheduled Scans enabled) into the "Infected/Quarantine" container (with Scheduled Scans enabled), the result was a comparison mismatch, which basically meant that there was a problem adding my Sophos Scheduled Scan to the Task Scheduler. I tried 5 or 6 times to force down the policy but had no success. I remoted in and after some digging I found the malware in the Task Scheduler and 5 or 6 Sophos Scheduled Scans which never had started.
