In Sophos Central, you can block all peripherals by default - and then have an allow list

You can't do it the opposite way round, where you allow all devices and just have a block list.

When trying to create a Peripheral Exemption to Block a device, with the default being Allow, it says that "Exemptions cannot be stricter than global settings."

This mean that for a particular customer, we have to Allow around 300 USB devices just to block a singular device which a user brought in with malicious content on.

It would be good to just block a singular device, whilst allowing all devices by default

We have several site all around the world but Sophos is centraly managed which means that we cannot always physically go to client computers or remotely connect to them (because of time zone, bad internet connectivity, etc...).

So when an alert for files like those is raised in the console:
Manual malware cleanup required: 'Mal/VMProtBad-A' at 'G:\PortableApps\Sid Meier's Civilization V + DLC\CivilizationV_DX11.exe'
Manual malware cleanup required: 'Mal/Sality-D' at 'E:\hasna .scr'
Manual malware cleanup required: 'Mal/VB-OL' at 'E:\Data Dell.exe'

I would like to be able to select "Delete" and not just wait that something happen. Currently the only option is "Marked as resolved" which is useless if cannot directly access the concerned computer.

Such Alerts are lasting for weeks now, so it would be nice to be able to clean the dashboard.

Thanks!

I've certain sites "old style" that need to download a windows executable in the browser cache, basically without user intervention. To be clearer, I mean in a "hidden" way. I would like to let user to download THIS executable from THIS site without showing any warning from antivirus. The problem is that user can't see the sophos warning that "organization discourage executable download" because the download is hidden, and so the app fail. It's a feature that is in some way similar to that already existing in sophos that let execution of executable if located in a specifical folder. See case #8322103. Thanks

Currently there is no alert / status change for an endpoint who's definition files are out of date, meaning, let's say you have a fully protected client, but, sophos update (not engine as that alerts if it fails) but rather JUST the definitions fail to update.

we would like the ability to be able to either configure a threshold for alerting, or be able to simply enable/disabled alerting for definitions not updated.

we have many endpoints that will fail to update for days, and the result is a system that while there are no alerts, is potentially not protected.

my thought would be, an alert that we could choose:

enable Definition alerts older than XX Days, such that if an endpoints definition has not updated in XX Days we would get an alert.

Hi,

Somethimes, managing 1000+ or even 5000+ machine its difficult, even more if we don't have built-in features in the console to remediate/uninstall corrupt/broken installations.

But, the main problem is not that. The problem is that we CANNOT disable Tamper Protection remotely to reinstall/remove Sophos AV, in the following cases:

1) Console was erased/failed and there's no cert/db/registry backup (all Endpoint with Tamper enabled)
2) Broken installations dont apply Tamper Policies (to disable it)
3) Migrated console (don't have the old one).

All this would be solved by having the chance to disable Tamper through Command Line. Example

Case A: Failure in console and no backup.

Solution: Create GPO Policy that disables Tamper with script:

@echo off
c:\program files\Sophos\Sophos Antivirus\DisableTamper.exe /password:TamperPassword
c:\installer\SophosReInit.vbs (to use with migration utility)

Case B: Broken instalation:

Solution: Create SCCM colection that does the following

@echo off
c:\program files\Sophos\Sophos Antivirus\DisableTamper.exe /password:TamperPassword

:: uninstall sophos
MSIEXEC /X{blablabla} /NORESTART
MSIEXEC /X{blablabla} /NORESTART
MSIEXEC /X{blablabla} /NORESTART
....

c:\instaler\SophosEndpoint_Newinstaller.exe

I mean, you get the idea. If I get the chance to disable Tamper through command line, it helps me to do more thing remotely without bothering the final user and the admin people.

Not asking to disable all without any proof that I manage the system, but if I do know the password, I should be able to put it, either GUI or CLI, specially the CLI, to help automatize.

Thanks,

Antonio.