We get a lot of alerts that state "One or more Sophos services are missing or not running" or "realtime protection has been disabled." We then have to go into Central and look up those machines, only to find that 9 out of 10 times the alert has cleared itself. There is an Event Log entry that states "all services are running" or "realtime protection has been enabled." It would be nice to have an alert that is triggered from those resolved entries. That, or be able to create an alert from events contained in the Event Log.
Gerry Morley commented
I agree. Also, what would be even better is if the alerts on the dashboard would auto-acknowledge / auto-resolve themselves. So when a machine that requires a reboot is rebooted, the alert disappears without having to be manually acknowledged. Same with when the API token expires and is renewed: the system should then auto-clear the alert. It's painstaking going through all our clients to acknowledge alerts that should be closed out automatically. A simple scan once a day or once an hour by Sophos could easily clear these alerts.
I agree with this, and would like to add to the suggestion. It would be much more meaningful if no alerts were sent when the disabled protection is known to be caused by an update to the product, or mention in the email that the alert is due to an update process, as the current alerts prevent people from taking Sophos alerts seriously when they might actually require intervention.
The existing behavior (too many false positives) is very bad for security. So it is not just an operational issue (too many Help Desk resources wasted) but especially a security issue (the Help Desk will fail to report/escalate a real security threat/attack due to the tiredness caused by false positives).
Therefore it should be a high priority for a security product such as Sophos to reduce false positives and report only high-risk security events (for example, do not report an event when the agent goes through an update/upgrade process and changes the agent status to RED, resulting in an alert).
Adrian Schweizer commented
Agreed. We receive a lot of false positives. Most of the time the "Real-time protection is disabled" alert lasts for less than a minute and clears up. It would be great if there was a threshold like: if it's been 15 minutes and the alert hasn't cleared, for it to then alert.
Like any repetitive false-positive alerts, you start to become desensitized. Which is dangerous, because if there was a real issue, it would be ignored.
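As an added illustration of what this thread is asking for (a hold-down threshold before notifying, as in the 15-minute suggestion above; auto-clearing on the matching "enabled" / "all services are running" entry, as in the original request; and flagging conditions that began during an agent update), here is a small alert correlator in Python. It is example code written for this page, not Sophos code: the event names, the threshold value, the update-start/finish markers and the sample event stream are all constructed assumptions and do not reflect the Sophos Central API or Event Log schema.

```python
"""Debounced alert correlator over a constructed endpoint event stream.

Example code for this page, not Sophos code. Event names, thresholds and
the sample stream are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed event names: a problem event -> the event that resolves it.
CLEARS = {
    "realtime_protection_disabled": "realtime_protection_enabled",
    "services_missing": "all_services_running",
}
CLEARED_BY = {fix: problem for problem, fix in CLEARS.items()}
UPDATE_START, UPDATE_END = "update_started", "update_finished"  # assumed markers


@dataclass
class Notification:
    host: str
    condition: str
    kind: str            # "raised" or "cleared"
    at: datetime
    during_update: bool  # the problem began while the agent was updating


@dataclass
class Correlator:
    threshold: timedelta = timedelta(minutes=15)
    # (host, condition) -> (first_seen, began_during_update)
    pending: dict = field(default_factory=dict)
    raised: set = field(default_factory=set)
    updating: set = field(default_factory=set)
    out: list = field(default_factory=list)

    def feed(self, ts: datetime, host: str, event: str) -> None:
        if event == UPDATE_START:
            self.updating.add(host)
        elif event == UPDATE_END:
            self.updating.discard(host)
        elif event in CLEARS:
            # First sighting starts the clock; repeated sightings do not reset it.
            self.pending.setdefault((host, event), (ts, host in self.updating))
        elif event in CLEARED_BY:
            key = (host, CLEARED_BY[event])
            entry = self.pending.pop(key, None)
            if key in self.raised:
                # Only conditions we actually alerted on get a "cleared" notice,
                # so the resolution can auto-acknowledge the open alert.
                self.raised.discard(key)
                self.out.append(Notification(host, key[1], "cleared", ts,
                                             entry[1] if entry else False))
        self.tick(ts)

    def tick(self, now: datetime) -> None:
        """Raise anything that has stayed unresolved past the threshold.

        Call this from a timer as well, because a genuinely stuck agent may
        never send another event to trigger the check.
        """
        for key, (first_seen, during_update) in self.pending.items():
            if key not in self.raised and now - first_seen >= self.threshold:
                self.raised.add(key)
                self.out.append(Notification(key[0], key[1], "raised", now, during_update))


def run_sample() -> list:
    """Run the correlator over a constructed stream (not real Sophos data)."""
    t0 = datetime(2024, 1, 1, 9, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    c = Correlator()
    stream = [
        # hostA flaps for 40 seconds: never alerts
        (t0, "hostA", "realtime_protection_disabled"),
        (t0 + timedelta(seconds=40), "hostA", "realtime_protection_enabled"),
        # hostB goes red during an update and recovers: never alerts
        (m(1), "hostB", UPDATE_START),
        (m(2), "hostB", "realtime_protection_disabled"),
        (m(5), "hostB", "realtime_protection_enabled"),
        (m(6), "hostB", UPDATE_END),
        # hostC stays broken: raised at the 30-minute timer tick, cleared later
        (m(10), "hostC", "services_missing"),
        # hostD breaks mid-update and stays broken: raised, flagged update-related
        (m(12), "hostD", UPDATE_START),
        (m(13), "hostD", "realtime_protection_disabled"),
    ]
    for ts, host, ev in stream:
        c.feed(ts, host, ev)
    c.tick(m(30))  # periodic timer firing with no new events
    c.feed(m(31), "hostD", UPDATE_END)
    c.feed(m(35), "hostC", "all_services_running")
    c.feed(m(36), "hostD", "realtime_protection_enabled")
    return c.out


if __name__ == "__main__":
    for n in run_sample():
        print(n.at.time(), n.host, n.condition, n.kind,
              "(began during update)" if n.during_update else "")
```

The sample produces four notifications: hostC and hostD raised at the 09:30 tick (hostD flagged as update-related), then hostC cleared at 09:35 and hostD cleared at 09:36; hostA's 40-second flap and hostB's mid-update blip produce nothing. The "cleared" notices are only emitted for conditions that were actually raised, which is the piece that lets a dashboard auto-acknowledge an alert instead of leaving it for someone to close by hand.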