We have been checking the status and success of Sophos installation across about 1000 devices in order to determine is any have failed to install correctly. Although a minor few were identified as missing the delivery and in need of installation, the vast majority of the estate was confirmed as having Sophos protection (as one might hope/expect!). However.. In performing this exercise a worrying anomaly has been identified. The services installed seem to vary across the machines. It is appreciated that there may be variation between Windows versions and architecture but; ‘Sophos Device Control Service’ seems to be universally applicable and yet missing from ~20% of assets. This does not seem to have any bearing on OS as we can see from the other 80% that it is reported across all types. The service is not present almost randomly and we are unable to trend any correlation that may explain this. The install is performed in the same way in all case and the problem seems to be happening even on later installations. We have subsequently installed on several new machines and found that again, around 1 in 5 fail to end up with this service at all. Just to confirm that post installation and update the service remains missing, not present and stopped or otherwise not running. Can anybody explain this or provide an explanation? Perhaps this is seen elsewhere with setup failing in this regard to a similar degree?
Is this SEC managed? I'm pretty sure the DevC service only gets created when the EP recieves a Device Control polocy? Do all computer have the same Device Control policy?Regards,Jak
Yes, the policy in this regard is the same across all devices, Furthermore the devices are spread so randomly and yet almost evenly across different OS types, Architectures, AD locations, Geographic locations and hardware; that there is no way this can be explained by policy. All of the devices should be identical in terms of Sophos delivery and all are connecting back to a singular back end. Testing yesterday has shown that this element fails to appear on new installation in limited but seemingly random number of cases. Now it could be that the DevC service will be created later when policy ‘catches up’, but in most cases this is completed at the time of initial setup. We will now take a sub-set of failed devices and re-scan to see if the service has now been created, and equally will take a section of previously successful devices to re-test in case it is now lost!? Assuming the situation is, as assumed, static and the same returns are seen; how can we ‘update’ devices without the service to bring them into line with the majority (even if by some manual means)??
All advice / help appreciated.