
Auto comply with policies

Hi,

I have been using the Sophos Data Protection Suite for approximately 5 years, and am presently on console 5.2.1 and endpoint 10.3.

I've requested this as a development enhancement through tech support several times, which seems to go into a black hole.

Basically we apply tamper protection to prevent staff from disabling/altering any of the product's settings. However, IT staff do need to turn off the firewall, etc. to do various tests. The problem is that they forget to turn the protection back on and comply with the policies.

What I want on the endpoint is a pop-up box when removing tamper protection and subsequently disabling features (in other words, not complying with the policies). The pop-up should ask the user how long before it re-complies with policies (such as a dropdown offering 1 hour, 4 hours, or upon next reboot). A bit like the snooze option for Windows updates.

This has been around in other vendors' products for years, and I'm gobsmacked Sophos are missing this trick! It also leaves open a big security risk.

Does anyone know if this is on the roadmap? Or can you point me to a Sophos employee who can escalate my request, rather than putting it in the bin? First line support seem to read off a script and not action my requests.

I look forward to anyone's response.

Thanks,

Jon

  • Hello,

    Maybe not quite what you're after but Sophos Cloud will auto-comply the policy after 2 hours.

    The only other way to get SEC to send down a policy is:

    1. The client to send back a "no-ref" in the status message for the policy in question.

    2. The computer to change group in SEC.

    The first option is how the client gets its initial policy following install. Essentially RMS keeps a cache of the SEC policy under the adapter storage directory, e.g. C:\Programdata\sophos\remote management system\3\agent\adapterstorage\[component]\[subcomponent]. This is compared against the component's actual config to determine if the endpoint is in compliance for the given component. So you can delete any of these cached policies and restart the Sophos Agent service to trigger a status message. If a file is missing, it will get "no-ref" for the policy and will ask for one.

    So in theory, you could have a logoff or shutdown/startup script to delete the file and restart the agent. This would at least guarantee you were never too far away from the client getting the correct policy again. Maybe something to work with.

    Regards,

    Jak

  • Hello Jon,

    As Jak has said, there's a poor man's implementation of this feature in the Cloud product - dunno the details though (e.g. whether it reverts to the cached policy or re-requests it - in either case it's not bullet-proof).

    I can imagine reasons why Sophos could be reluctant to implement it. Complexity is one - in addition to the pop-up you'd probably want a reminder when the time is up (so that the auto-comply doesn't kick in at an inappropriate moment), but would you want to wait "forever" if the reminder is not acknowledged? Should until reboot really be an option, or only for those who want it - then it should be configurable from SEC, into which policy should it go? Another one is the big security risk. Returning the equipment to its correct state after maintenance/troubleshooting is an integral part of the work, not some afterthought one might or might not have. If you argue that it's convenient and saves time - shouldn't the state and working of the device be checked for correctness as final step before it's returned? Isn't a SOP which does not include this step much more of a security risk than the absence of this kind of failsafe function?

    Once there was a feature request template, and the requests eventually became SUGgestions; their status is (like with DEFects) not externally available (at least to us Gold :smileytongue: - i.e. Basic - Support customers). UTM/Astaro has a feature board with status tags and a voting/commenting system. The Cloud Preview had a similar board. Something like this has been requested (and more or less promised) for SophosTalk but is still not available for whatever reason.

    Christian

  • Hi Jak & Christian,

    Sorry for the late reply, and thanks for taking the time to reply.

    Jak... It seems strange that Sophos would add it (well, sort of) to the Cloud product and not to SEC! Are they not bothering to develop the on-premise solution any longer? Also, your workaround isn't ideal, but I may have no option if I don't get any further with Sophos themselves.

    Christian... I don't think it is overly complex. It could be implemented into SEC under each policy with tick boxes against each timeframe, say 1 hour, 2 hours, 4 hours, next reboot. We could then choose which ones to present to the client. It would only be presented to the client if tamper protection was disabled. How the communication would work between SEC and the client could be via RMS, or via another service that is purely for this function. Once the timeframe is up, the client issues a request to SEC to comply with all policies, and SEC forces that compliance.

    Also I wouldn't want it to wait forever (not sure I said that), but until next reboot is a viable option, as some complex troubleshooting could take all day.

    Furthermore, I don't really know what SOP means, but I do think it's a security risk. All antivirus suites that we have at home offer a timeframe that you may want to disable it for. Why? Because it's human nature to forget to turn it back on, and the vendors don't want to put you at any unnecessary risk. I don't see why there should be any difference here, especially where data within a corporate environment is far more important than that at home.

    Finally, it's ridiculous that Sophos don't offer an obvious way to put suggestions for developing their product into a more robust solution.

    Anyway, thanks again for your replies, though it looks as though I have hit another dead end. I will try with my Account Manager AGAIN!!! Or drive up to Sophos HQ and staple my suggestion to the CEO's forehead.

  • Hello Jon,

    what SOP means

    Standard Operating Procedure :smileyhappy:

    [not] overly complex

    :smileytongue: I probably don't want to know what something you'd call complex could be :smileywink:. Seriously, the devil's in the details (the Message Router - or the other service - could be stopped, which process should run the timer, and so on). I don't say it can't be implemented, but it won't be perfect. One example that just crossed my mind: one or more reboots might be required for troubleshooting - which timeframe should be chosen?

    Cloud product [vs.] SEC

    I don't think the on-premise solution is being neglected. The products target different, albeit partially overlapping, audiences. The current implementation of the policy reset might not go down too well (as being either insufficient or dispensable) with many existing SEC customers.

    any unnecessary risk

    As said, a device should be returned to normal operation and tested before it's "given back" to the user. I can see that "turning AV and firewall back on" might be the only special actions and autocomply would be convenient. But then - how often do you forget to lock up your office when leaving? Knowing that it will be locked automatically after some time, wouldn't you adapt to constantly "forgetting" to lock up? As the timeframe for autocomply is more or less arbitrary, wouldn't that lead to more exposure than an exceptional "forget" (which admittedly will happen - I remember a case where back then - the computers were heavy mainframes, the operators priests, and the system programmers demigods - someone forgot to reset the debug switch on the console panel and the system suddenly came to a complete halt at a very inappropriate moment ... )?

    We all want a product that's top-notch, reliable, fully-featured, highly configurable, simple to use, easily expandable, and all but free. So far I know of some which satisfy all these requirements except 5 and 7 ... :smileywink:

    Enough of this blabber. Don't expect autocomply any time soon (but, hey, I'm not good at fortune-telling and it might come all of a sudden). Jak's suggestion is definitely worth considering.

    Christian

  • Had the same problem on Citrix. After reading multiple articles I have found a solution.

    Computer GPO > scheduled task

    .bat script

    @echo off
    REM Remove the cached SAV policy so RMS reports "no-ref" and SEC sends the policy again.
    REM /d also switches drive; abort if the directory is missing so "del *" never runs
    REM in whatever directory the scheduled task happened to start in.
    cd /d "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\" || exit /b 1
    del * /q
    REM Restart the agent so it sends a fresh status message and requests the policy.
    net stop "Sophos Agent"
    net start "Sophos Agent"
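The same reset described in Jak's post and in the batch script above, written as a PowerShell startup task, as an added example that is not code from anyone in this thread or from Sophos. It takes the AdapterStorage path and the "Sophos Agent" service name from the thread; the component list beyond SAV, the task name, and the script location are assumptions you would adjust for your own estate. Unlike the batch version it refuses to delete anything outside the AdapterStorage tree, reports what it removed, and checks that the service actually came back.

```powershell
<#
Added example (not from this thread's posters or from Sophos).
Clears the RMS cached policy for the given components so the endpoint
reports "no-ref" and SEC resends the policy, then restarts the agent.
Run elevated; as a startup task it runs as SYSTEM.
#>

function Reset-SophosPolicyCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Component folders under AdapterStorage. 'SAV' is the one used in the
        # thread; any other name you pass is an assumption to confirm locally.
        [string[]]$Component = @('SAV'),
        # Path as given in the thread.
        [string]$AdapterStorage = 'C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage',
        # Service as named in the thread (net stop accepts name or display name, so both are matched).
        [string]$ServiceName = 'Sophos Agent'
    )

    $removed = @()
    foreach ($c in $Component) {
        $dir = Join-Path $AdapterStorage $c
        # Only ever touch files under AdapterStorage\<component>; never run a
        # wildcard delete in whatever the current directory happens to be.
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            Write-Warning "No cached policy directory for '$c' at '$dir'; skipping."
            continue
        }
        # -Recurse covers both layouts mentioned in the thread:
        # files directly under the component, or under component\subcomponent.
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Recurse) {
            if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete cached policy')) {
                Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
                $removed += $f.FullName
            }
        }
    }

    if ($removed.Count -eq 0) {
        Write-Warning 'Nothing removed; the agent will not request a new policy.'
        return $removed
    }

    $svc = Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } |
           Select-Object -First 1
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    # Restart so the agent sends a status message with "no-ref" for the missing policy.
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Restart service')) {
        Restart-Service -Name $svc.Name -Force -ErrorAction Stop
        $svc.Refresh()
        if ($svc.Status -ne 'Running') {
            throw "Service '$($svc.Name)' is $($svc.Status) after restart."
        }
    }
    return $removed
}

function Register-PolicyResetStartupTask {
    param(
        # Where you saved this script; assumed location.
        [string]$ScriptPath = 'C:\Scripts\Reset-SophosPolicyCache.ps1',
        # Task name is an assumption, choose your own.
        [string]$TaskName = 'Sophos Policy Cache Reset'
    )
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

# When run directly: reset SAV only. Use -WhatIf first to see what would be deleted.
if ($MyInvocation.InvocationName -ne '.') {
    Reset-SophosPolicyCache -Component 'SAV' | ForEach-Object { "Removed: $_" }
}
```

Run `Reset-SophosPolicyCache -WhatIf` once on a test machine to confirm only the expected cache files under the component folder are listed, then register it with `Register-PolicyResetStartupTask` (or deploy via the Computer GPO scheduled task, as the post above does). Deleting the cache only makes the agent ask SEC for the policy again; it does not by itself re-enable tamper protection or a disabled component, so verify the endpoint's compliance state in SEC afterwards.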