
[Sophos Notification] Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

Hi Everyone,

After installing the following Microsoft Windows updates Sophos has received reports of computers failing to boot:

The issue is currently being investigated. For more updates and a workaround, please follow the KBA below.

Following the Microsoft Windows 09th April update computers fail/hang on boot



This thread was automatically locked due to age.
  • Hi Community,

    [UPDATE] We have released an update for our Enterprise Console users that will automatically add Windows exclusions to all Anti-virus and HIPS policies in your Enterprise Console.

    Please read the article for full details: https://community.sophos.com/kb/en-us/133945 

    Best,

    Karlos
    Community Support Engineer | Sophos Technical Support

  • Hi Karlos,

    SEC 5.5.1 installed and confirmed updating is OK but I'm not seeing these Windows exclusions appearing in any of my AV/HIPS policies. I've tried asking Rob in his comments on the Spiceworks thread about this issue but he's not hearing me.

    Can you please advise?

    Cheers,

    David.

  • Hello David,

    When correctly done it looks like this:

    The changes should have been performed on the 12th by a special run of the Policy Evaluation Tool (PET). PET writes its output and logs to %ProgramData%\Sophos\Policy Evaluation Tool\Logs\. I've noticed though that it processed only 22 of 34 AV policies. The Default policy has been ignored - that might be expected. But why the rest? At first I could find a pattern. Decided to poke around in the database and it was almost immediately obvious: PET processed only those policies where the GUID in the CorrelationID column is NOT enclosed in curly brackets {}.
    I neither know why some of the GUIDs have brackets nor why PET skips those.

    [Edit]
    On second thoughts: If indeed the Default policy is unconditionally skipped customers using mainly Default as AV policy might be more severely affected.
    [/Edit]

    [Edit 24 May 2019]
    Turned out that I jumped to conclusions. PET disregards (and consequently doesn't amend) policies that aren't assigned to any computer (and in my case it seemed to correlate with the CorrelationID). The Policy Evaluation Tool article has been updated with this information. This only has an effect when a policy that was unassigned when PET ran is later assigned to. Can't be ruled out as cause for missing exclusions on the endpoints but very unlikely.
    [/Edit] 

    Christian

  • Hi Christian,

    Thanks for your response. Points/questions on this:

    1. I thought PET was only for reporting on your AV/HIPS compliance, allowing one to then make changes, manually, according to the output of the reports.

    2. The article clearly states that "For Enterprise Console customers we are performing an update that will automatically add the following Windows exclusions to all Anti-virus and HIPS policies in your Enterprise Console". There is no mention of anything to do with PET.

    3. Why are Sophos being so reluctant to clarify or post adequately unambiguous information about this "automatic" update of SEC, that doesn't appear to be happening?

    I guess I'm going to have to open a tech support case with them, to get some sensible answers.

    Cheers,

    David.
