Endpoint Tamper Protection Hardening
Can endpoint tamper protection be hardened in a way that the user (even an administrator) does not have the ability to disable Sophos services, rename the Sophos directory structure, or even delete Sophos registry keys?
All this will add optimal protection against tampering by not allowing anyone to uninstall Sophos, even with administrative privileges.
Very useful option! I have a lot of developers in my company who need to work with local administrator rights. They can easily disable the endpoint AV suite by disabling all the services, etc.
Clint Harris commented
I 100% agree and I can't believe, 2 years later, that this isn't the way the product works yet. Other AV vendors work in exactly this way. Using the argument "if you don't trust administrators, don't give them that access" is asinine. Why have tamper protection prevent an uninstall then? I'm sure every virus writer out there knows that all they need to do is stop the Sophos service to evade detection.
It should be more difficult to evade the endpoint protection - regardless of who you are. If an administrator needs to work on the agent, then they can use the password.
If I had the option (and if we do) I'd choose a different vendor based on this alone.
My guess is that voting in here is futile.
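The comments above describe the gap concretely: a local administrator (or malware running as one) stops the Sophos services or sets them to Disabled, and the agent is out of the picture. The script below is an added example, not part of this thread and not Sophos code, showing the detective check a practitioner would run until the product enforces this: it lists the current state and start mode of every service whose display name matches an assumed pattern ('Sophos*', adjust to the installed agent), and it searches the Service Control Manager log for the stop (7036) and start-type-change (7040) events such tampering leaves behind. The three-hour lookback window is also an assumption. Run it from an elevated Windows PowerShell 5+ session.

```powershell
# Added example (not Sophos code): report Sophos services that have been stopped
# or disabled on this endpoint, and pull the SCM events recording who did it.
# Assumptions: service display names match 'Sophos*'; lookback window is 3 hours.

$DisplayNamePattern = 'Sophos*'   # assumed pattern; adjust to the installed agent
$LookbackHours      = 3           # assumed window; widen if you poll less often

function Get-ProtectedServiceState {
    param([string]$Pattern)
    # Win32_Service exposes State (Running/Stopped) and StartMode (Auto/Manual/Disabled)
    Get-CimInstance Win32_Service |
        Where-Object { $_.DisplayName -like $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Service   = $_.DisplayName
                State     = $_.State
                StartMode = $_.StartMode
                Tampered  = ($_.State -ne 'Running' -or $_.StartMode -eq 'Disabled')
            }
        }
}

function Get-ServiceTamperEvents {
    param([string]$Pattern, [int]$Hours)
    # Service Control Manager events:
    #   7036 - "<service> entered the stopped state" (also logs other transitions)
    #   7040 - "The start type of the <service> service was changed from ... to ..."
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7040
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -like "*$($Pattern.TrimEnd('*'))*" -and
            ($_.Id -eq 7040 -or $_.Message -like '*stopped*')
        } |
        Select-Object TimeCreated, Id, Message
}

$state = Get-ProtectedServiceState -Pattern $DisplayNamePattern
if (-not $state) {
    # No matching service at all: the agent may have been uninstalled or its
    # services renamed, which is exactly the scenario the feature request targets.
    Write-Warning "No services matching '$DisplayNamePattern' were found."
}
$state | Format-Table -AutoSize

$tampered = @($state | Where-Object Tampered)
if ($tampered.Count -gt 0) {
    Write-Warning ("{0} protected service(s) are not running or are disabled." -f $tampered.Count)
}

Get-ServiceTamperEvents -Pattern $DisplayNamePattern -Hours $LookbackHours |
    Format-Table -AutoSize -Wrap
```

This only detects; it cannot prevent what the request asks for, and a local administrator can also clear the System log, so the check is worth something only when the events are forwarded to a collector the endpoint admin does not control (Windows Event Forwarding or a SIEM agent) and the script itself runs from that side rather than on the box being watched.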
Manuel Mitteregger commented
This will not be a secure solution, as the GPO can be turned around for 180 minutes by the local admin.
Jeff Moreau commented
Please see this KB: