We are not very fond of Sophos resetting UAC, IE Security Zone settings etc. during remediation.
I'm aware of https://community.sophos.com/kb/en-us/118583
I found the following additional information online that reportedly fixes this issue:
From Sophos support, here are the steps to disable and enable threat remediation:
Open Regedit and navigate to the following location:
32-bit: HKLM\Software\Sophos\SAVService\Application
64-bit: HKLM\Software\WOW6432Node\Sophos\SAVService\Application
Create a Key at this location called: CCOverride
Threat remediation is now disabled.
We are using the Sophos Console 5.5 and Sophos Endpoint Security 10.7.
Does the CCOverride setting apply to these products?
Does CCOverride setting only affect the resetting of Windows options or does it also disable other threat remediations?
Why doesn't the product have an option in the AV policy to control this? 'enforce resetting of Windows security settings' or 'not to enforce resetting of Windows security settings'
That key should work in all Windows Endpoint versions and it only controls the resetting of Windows security settings, not other parts of the cleanup routine.
I guess most of the security options reverted in the cleanup are the system defaults. UAC is an obvious one people may notice as you typically get a balloon notification if I recall when it changes - maybe asking to reboot? Most people have UAC enabled these days as apps that don't work with it should be few and far between. Plus there are tools like the Application Compatibility Toolkit which can resolve such issues with installable shims without disabling UAC globally.