Deploying Endpoint Protection

Question

Hi Guys, 
 
 Just want to ask on how would the Sophos Management Console see the Windows endpoint to have the same policy (reflect it to management console) after I installed endpoint protection to the Monitored host? 
 
 Thanks!

Yashraj S · Accepted Answer

Hi Floki, 
 I am not sure if I understand your question completely. As per my understanding, you want to know if the policy which is applied is working properly or not on the endpoint machine. 
 If the policy is not working properly, Sophos Enterprise Console will show a warning such as "Differs from policy" if the policy is violated. 
 This article will help you in scenarios where you get such warnings.

QC · Answer

Hello Floki, 
 I'm not sure how this relates to Deployment Packager - maybe you should edit this thread's subject. 
 A managed computer communicates with the management server via the RMS component. The endpoint's RMS has two elements, the Agent and the Router. The latter routes the messages (status, alerts, and events) from the Agent to the management server and v.v. (policies, commands), the former collects them from and distributes them to the other components. The Agents stores the policies in its AdapterStorage. Whenever it receives a policy or a notification (status, settings change) from a local component it compares the cached policy to the settings in effect, reporting the result ( Same as , Differs , or Comparison failure ) to SEC. Initially the cache is empty and the Agent requests the policies from SEC ( Awaiting policy from console ). There's one more state, Awaiting policy transfer , when a policy has been changed (or a different policy assigned) and not yet acknowledged. As messages from SEC have a TTL it is possible that the Awaiting states persist for an endpoint that was disconnected when the message was enqueued and remained disconnected for longer than TTL. 
 Christian

QC · Answer

Hello Floki, 
 for communication the process is RouterNT.exe. Scope Local 127.0.0.1 would not permit connections from/to remote hosts though, would it? And monitored hosts need 8192 outbound (from RouterNT.exe ) as well. 
 For updating the process is ALUpdate.exe , it uses either SMB/NetBIOS (445/137-139) or HTTP (80) to download. 
 Please note that certain features (Live Protection, MTD, ...) require additional connectivity . If not permitted nothing will break but the functionality won't be available. 
 Christian