In Sophos Central, you can block all peripherals by default - and then have an allow list

You can't do it the opposite way round, where you allow all devices and just have a block list.

When trying to create a Peripheral Exemption to Block a device, with the default being Allow, it says that "Exemptions cannot be stricter than global settings."

This mean that for a particular customer, we have to Allow around 300 USB devices just to block a singular device which a user brought in with malicious content on.

It would be good to just block a singular device, whilst allowing all devices by default

It seems that the higher up the ladder that the user is, the harder it is to get them to reboot. The disruption that closing their many, many, multi-tasking windows left open as project or task placards, makes it extremely difficult for them to pick up where they left off.

Then a week after I had convinced all of my users to reboot for an update, I had another warning in the console to reboot all of the clients again.

And now two weeks later, I have a new warning to reboot the endpoint users for Hitman.

If we keep requiring the users to reboot, they loose their urgency, and could compromise the security of the network.

Could we find a way to update the client without a reqired reboot, as many competitors have?

We have several site all around the world but Sophos is centraly managed which means that we cannot always physically go to client computers or remotely connect to them (because of time zone, bad internet connectivity, etc...).

So when an alert for files like those is raised in the console:
Manual malware cleanup required: 'Mal/VMProtBad-A' at 'G:\PortableApps\Sid Meier's Civilization V + DLC\CivilizationV_DX11.exe'
Manual malware cleanup required: 'Mal/Sality-D' at 'E:\hasna .scr'
Manual malware cleanup required: 'Mal/VB-OL' at 'E:\Data Dell.exe'

I would like to be able to select "Delete" and not just wait that something happen. Currently the only option is "Marked as resolved" which is useless if cannot directly access the concerned computer.

Such Alerts are lasting for weeks now, so it would be nice to be able to clean the dashboard.

Thanks!

Hi,

Somethimes, managing 1000+ or even 5000+ machine its difficult, even more if we don't have built-in features in the console to remediate/uninstall corrupt/broken installations.

But, the main problem is not that. The problem is that we CANNOT disable Tamper Protection remotely to reinstall/remove Sophos AV, in the following cases:

1) Console was erased/failed and there's no cert/db/registry backup (all Endpoint with Tamper enabled)
2) Broken installations dont apply Tamper Policies (to disable it)
3) Migrated console (don't have the old one).

All this would be solved by having the chance to disable Tamper through Command Line. Example

Case A: Failure in console and no backup.

Solution: Create GPO Policy that disables Tamper with script:

@echo off
c:\program files\Sophos\Sophos Antivirus\DisableTamper.exe /password:TamperPassword
c:\installer\SophosReInit.vbs (to use with migration utility)

Case B: Broken instalation:

Solution: Create SCCM colection that does the following

@echo off
c:\program files\Sophos\Sophos Antivirus\DisableTamper.exe /password:TamperPassword

:: uninstall sophos
MSIEXEC /X{blablabla} /NORESTART
MSIEXEC /X{blablabla} /NORESTART
MSIEXEC /X{blablabla} /NORESTART
....

c:\instaler\SophosEndpoint_Newinstaller.exe

I mean, you get the idea. If I get the chance to disable Tamper through command line, it helps me to do more thing remotely without bothering the final user and the admin people.

Not asking to disable all without any proof that I manage the system, but if I do know the password, I should be able to put it, either GUI or CLI, specially the CLI, to help automatize.

Thanks,

Antonio.

We use Citrix PVS (Provisioning Services) to dynamically create XenApp servers from one gold image.
I followed Article 120560. All good.
Where I have a problem is the Group Assignment in Sophos Central.
My base Gold Image servers are assigned to a group called "Master".
Now I boot one production server using the new Image.
It appears in the Unassigned list. I have to manually assign it to the "Production" group and Policies.

I would like to be able to either specify the Group in a configuration file or registry key that survives the procedure I follow in Article 120560.
I recognize that all my servers will be in the same group. The Masters and the Production servers.
The command line options show a --devicegroup option. Where is this stored and can I change it after the installation is done?

The other option is to allow group assignments to be done using server name wildcards.
All my servers are xa1..., xa2...,
A simple wildcard assignment would work well for me.

Another option is simple to allow admins to pre-create server names in the console.
I don't create new names all the time. If I could create the names of all my servers and assignment them to the group that solves my problem.

Thanks

In Sophos central, for some policy categories it is possible to set a user-created policy to enforced, but "disable" it from its settings.

For example, suppose that in the Web Control section there is the base policy at the bottom and the user-created one above it. If the user-created policy is opened for editing, the very first setting is:
Web Control: Enforce/Ignore the settings in this section of the policy

This setting is different from the Enforce/Ignore policy on the far right tab. Hence, it may be the case that there is an "ignored" policy, which retains "enforced" status, thus creating misconception as to what the actual result is. The exact reason for having the enforce/ignore setting is not documented. Nevertheless, having two settings at different levels is error prone.

The policy enforced setting cannot be changed in the base policy, which is understandable (perhaps the "Web Control" setting needs to be removed from user-created policies).

Finally, the aforementioned issue seems to also occur in the following categories:
- Data Loss Prevention (Use rules for data transfers)
- Application Control (Detection Options: Detect controlled application when users access them)
- Peripheral Control (Manage Peripherals: Disable peripheral control)