Differs from policy - Updating policy

Hello,

I have had some communication issues between the Sophos Enterprise Console management server and the majority of my Sophos endpoint clients. These clients were not reporting to the server; they were all unmanaged. Once we allowed the RMS ports to our server VLAN, all the unmanaged clients started reporting and became managed clients.

However, 95 clients are not compliant with the Updating Policy. All other policies (Anti-Virus and HIPS, etc.) are stating “same as policy”. I have also confirmed that on both compliant and non-compliant machines the “Last message received from computer” is a recent date/time.

During troubleshooting, I have noticed that on non-compliant endpoints the modified date of the iconn.cfg file is from November 2018. I have compared this file with the one on some compliant endpoints; the modified date of those iconn.cfg files is much more recent, early March 2020. I did not spot any differences in the content of the two iconn.cfg files.

Could you please help me to get these 95 non-compliant endpoints in a compliant state? Any help would be much appreciated.

- I performed a re-installation of all Sophos Endpoint Security and Control components (Anti-Virus, AutoUpdate, Defence, etc.).
- I restarted the Sophos Agent service and triggered “comply with all group policies”. This results in endpoints reporting “same as policy”; after some time they go back to the “differs from policy” state.

Regards,

RB

  • Hello RB,

    Are the endpoints Windows or macOS? Never seen this with Windows as far as I can remember.

    Christian

  • In reply to QC:

    Hi Christian,

    Yes, all clients are Windows 10.

     

    RB

  • In reply to QC:

    Christian,

    Maybe you could point me to which log files I need to check, or is there a specific error status/code I might look for?

    Thank you in advance,

    RB

  • In reply to R B2:

    Hello RB,

    as said, I haven't seen this with Windows endpoints and I have no idea why the iconn.cfg should revert to an older version - unless some external power, a GPO or similar, replaces the file with an old "known good" one.

    As for the differs, verbose logging for the Agent might tell what it thinks is different.

    Christian

  • In reply to QC:

    Hi Christian,

    This one has been resolved.

    The correct iconn.cfg file was indeed being replaced by GPO. Once the old iconn.cfg file had been replaced by the latest iconn.cfg file, the majority of the connected/active Sophos clients became compliant again.

    RB

  • In reply to R B2:

    Hello RB,

    replaced indeed by GPO
    thought as much. Modifying configuration/policies via "alternate channels" is, err, not recommended - as it likely leads to situations as yours.

    Christian
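As an added illustration, not part of the thread and not Sophos' own tooling, the following PowerShell script applies the diagnostic used above to a whole fleet: it compares the last-write time and SHA-256 hash of iconn.cfg on each endpoint against a known-good reference copy and flags files that differ from the reference or carry an unexpectedly old timestamp, which is the signature of an old file being pushed back by GPO or a similar mechanism. The endpoint names are constructed placeholders, and the file location under ProgramData is an assumption to be adjusted to the local deployment; it reads the files over the administrative share, so it needs admin rights on the targets.

```powershell
# Added example: audit iconn.cfg across endpoints for drift from a known-good copy.
# Endpoint names and the file path below are assumptions, not values from the thread.
param(
    [string[]]$ComputerName = @('ENDPOINT01', 'ENDPOINT02'),          # constructed placeholders
    [string]$RelativePath = 'ProgramData\Sophos\AutoUpdate\Config\iconn.cfg', # assumed location
    [Parameter(Mandatory = $true)]
    [string]$ReferenceFile,                                             # known-good iconn.cfg copy
    [int]$MaxAgeDays = 30                                               # older than this is "stale"
)

# Hash of the reference file; any endpoint whose file hashes differently has drifted.
$refHash = (Get-FileHash -LiteralPath $ReferenceFile -Algorithm SHA256).Hash
$cutoff  = (Get-Date).AddDays(-$MaxAgeDays)

$results = foreach ($c in $ComputerName) {
    $path = "\\$c\C`$\$RelativePath"   # read via the admin share (C$)

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Computer = $c; Status = 'Missing'; LastWrite = $null; HashMatch = $null }
        continue
    }

    $item = Get-Item -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    # Classify: content mismatch first, then a timestamp far older than expected.
    $status = if ($hash -ne $refHash)          { 'Drifted' }
              elseif ($item.LastWriteTime -lt $cutoff) { 'Stale' }
              else                              { 'OK' }

    [pscustomobject]@{
        Computer  = $c
        Status    = $status
        LastWrite = $item.LastWriteTime
        HashMatch = ($hash -eq $refHash)
    }
}

# Non-OK rows are the endpoints to check for an external process rewriting the file.
$results | Sort-Object Status, Computer | Format-Table -AutoSize
```

A file that hashes identically to the reference but is still reported as Stale points at the same situation as in this thread: something outside the endpoint (a GPO file preference, a login script, an imaging baseline) is writing an old copy back, so the next step is to look at what delivers that file rather than at the Sophos agent itself.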