Endpoint Protection
Suggest, discuss, and vote on new ideas for Sophos Endpoint Protection. Comprehensive security for users and data
Send an alert whenever an endpoint fails to register with Sophos Central.
We have a number of AWS instances which are cloned to bring up new servers and we ran into a problem with duplicate endpoint IDs in the MCS configuration. When the servers tried to register with Sophos Central they would receive a 401 error back. I've found how to set up the images for the servers to avoid this (KB article 133268) but I think it would be helpful to get an alert when an event like this or any other issue that prevents the server from registering. Obviously if some network issue prevents the server from connecting to the…
2 votes
Configure sav-rms.service to start after sav-protect.service.
We've been seeing some false alarms with real time protection on some servers when they boot up. It seems to be a timing issue with the sav-rms and sav-protect systemd service files. If sav-rms.service starts before sav-protect.service, it will report that real time protection is disabled for a few minutes. I changed the After= line for sav-rms.service to include sav-protect.service and I don't see the false alarms any more.
1 vote
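The ordering change described in this post, written up as an added example (not Sophos's units or the poster's own edit): instead of editing the vendor unit, it installs a systemd drop-in for sav-rms.service that adds After=sav-protect.service, then checks the merged After= list. SYSTEMD_DIR defaults to a scratch directory so it can be tried without root; on a real host set it to /etc/systemd/system and run systemctl daemon-reload afterwards.

```shell
#!/bin/sh
# Added example: order sav-rms.service after sav-protect.service with a
# drop-in, and verify the effective After= list. SYSTEMD_DIR is assumed;
# it defaults to a temp dir so nothing under /etc is touched when testing.
set -eu

SYSTEMD_DIR="${SYSTEMD_DIR:-$(mktemp -d)}"

# Write a drop-in rather than editing the vendor unit in place, so the
# ordering survives package upgrades that replace the Sophos unit files.
write_ordering_dropin() {
    unit="$1"; dep="$2"
    dir="$SYSTEMD_DIR/$unit.d"
    mkdir -p "$dir"
    printf '[Unit]\nAfter=%s\n' "$dep" > "$dir/10-order-after-sav-protect.conf"
    echo "$dir/10-order-after-sav-protect.conf"
}

# Print the merged After= values from the unit file plus its drop-ins,
# one per line (systemd concatenates After= across all fragments).
effective_after() {
    unit="$1"
    cat "$SYSTEMD_DIR/$unit" "$SYSTEMD_DIR/$unit.d"/*.conf 2>/dev/null \
        | sed -n 's/^After=//p' | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 when $1 is ordered after $2, 1 otherwise.
is_ordered_after() {
    effective_after "$1" | grep -qx "$2"
}
```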
File Integrity Monitoring on Linux Server Protection
Enterprises need File Integrity Monitoring on their Linux system files. This is a requirement for all systems requiring Continuous Monitoring (NIST 800-137), which are all defense contractors, Government contractors, government agencies, and soon, all HIPAA covered entities.
9 votes
Looking at FIM as part of a new Linux Proposition. Please keep an eye out for announcements and subscribe to the community forum https://community.sophos.com/products/server-protection-integration/f/linux-server-protection
Website/IP exclusions for Linux
Allow us to add exclusions, especially to MTD, for websites/IP addresses in Linux. We have VMs in a cloud environment that are constantly talking to a monitoring host. Without those exclusions CPU usage is really high.
1 vote
Make Real time scanning - Local files and network shares applicable on Linux
Apparently the policy setting:
"Real-time scanning - Local files and network shares" that can be configured for:
on read
on write
only applies to Windows clients and not to Linux clients. On Linux you have to manually change the preference using e.g.:
/opt/sophos-av/bin/savconfig set TalpaOperations -- -open
to disable "on read"
But obviously:
1. This is not scalable
2. This makes the Linux Sophos AV impaired in terms of feature comparison to Windows
3. It's very problematic on e.g. NFS servers where on open NEEDS to be disabled due to high CPU usage that Sophos processes may spark.
7 votes
linux move infected to quarantine
Instead of locking access to infected file, an option to move to quarantine would be beneficial for real-time scanning of some 3rd party product queue directories
2 votes
Exclusion rules should allow folder wildcards
ClamAV on a Linux Server uses /var/tmp/.tmp/.tmp to store email contents while scanning them, and the number of alerts from dubious contents can be high. As the .tmp names are randomly generated, but start with ClamAV-, it would be nice to exclude them and let ClamAV do its work, then check the contents of the emails when they land in their final destination instead.
7 votes
Make mkinstpkg support HTTPS locations
When preparing a Linux installation package on SAV for Linux 9.12.3, attempting to specify an update URL in the form "https://server.example.com/sophos" results in the message "The update source address must be a website or an absolute directory path." Keeping the same URL but removing the S, i.e. "http://server.example.com/sophos" works as expected.
Please enhance the tool to allow HTTPS locations so authentication passwords aren't sent in the clear.
2 votes
scheduled scan: control priority / niceness of jobs
scheduled scans are still quite limited, as we can see here: https://www.sophos.com/en-us/support/knowledgebase/117346.aspx
One of the options we would like to see is being able to give the scheduled scan a reduced system priority, i.e. niceness, to limit the performance impact of scans: scheduled scans normally need not run at high priorities.
13 votes
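Until the scheduled-scan feature can set a priority itself, an on-demand scan can be started from cron under nice/ionice. The wrapper below is an added example (not part of the post or of the Sophos scheduler); SAVSCAN, SCAN_NICE and SCAN_IONICE_CLASS are assumed values, and the script path in the cron comment is hypothetical.

```shell
#!/bin/sh
# Added example: run an on-demand scan at the lowest CPU and I/O priority.
# SAVSCAN, SCAN_NICE and SCAN_IONICE_CLASS are assumptions; adjust to taste.
set -eu

SAVSCAN="${SAVSCAN:-/opt/sophos-av/bin/savscan}"   # assumed scanner path
SCAN_NICE="${SCAN_NICE:-19}"                       # 19 = lowest CPU priority
SCAN_IONICE_CLASS="${SCAN_IONICE_CLASS:-3}"        # 3 = idle I/O class

# Build the priority-lowering prefix. ionice comes from util-linux and may
# be missing, so fall back to nice alone instead of failing the cron job.
priority_prefix() {
    prefix="nice -n $SCAN_NICE"
    if command -v ionice >/dev/null 2>&1; then
        prefix="$prefix ionice -c $SCAN_IONICE_CLASS"
    fi
    printf '%s\n' "$prefix"
}

# Run any command under that prefix (word-splitting the prefix is intended).
run_low_priority() {
    $(priority_prefix) "$@"
}

# Report the niceness a child started via run_low_priority actually gets,
# read from /proc on Linux or from ps elsewhere; used to verify the wrapper.
observed_niceness() {
    run_low_priority sh -c '
        if [ -r /proc/$$/stat ]; then
            sed "s/.*) //" /proc/$$/stat | cut -d " " -f17
        else
            ps -o nice= -p $$
        fi'
}

# Cron usage (hypothetical path):  0 2 * * 0  /usr/local/sbin/scan-low-prio.sh run /
main() {
    run_low_priority "$SAVSCAN" "$@"
}

if [ "${1:-}" = run ]; then
    shift
    main "$@"
fi
```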
scheduled scan: option to abort a running scheduled scan
scheduled scans are still quite limited, as we can see here: https://www.sophos.com/en-us/support/knowledgebase/117346.aspx
One of the options we would like to see is being able to abort a running scheduled scan.
9 votes
scheduled scan: implement quoting in exclusion definitions
One of the options we would like to see is that the exclusions specified with the exclude keyword can include quotes like "\ " to specify a space in a path / file specification. Currently, we have to workaround by putting asterisks at those character positions.
1 vote
scheduled scan: implement controlling Default extensions
scheduled scans are still quite limited, as we can see here: https://www.sophos.com/en-us/support/knowledgebase/117346.aspx
One of the options we would like to see is that we would like to control the list of Default extensions that is implicitly active: there is only a parameter called "excludeExtension"
1 vote
SAVDI reload on sav update
Please notify a running savdi about the performed pattern update by the savupdate process.
This is more a bug than a feature request and should be implemented very easily, because the savdi daemon writes a pid-file and has already implemented a signal for this (kill -HUP <savdi pid>).
The implementation could be done in a few lines of code...
2 votes
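A post-update hook along the lines the post suggests, as an added example (not Sophos code and not the poster's): it reads savdi's pid-file, refuses anything that is not a live, well-formed pid so a stale or corrupted file never becomes a signal to some unrelated process, and then sends SIGHUP. The pid-file location is assumed; set SAVDI_PIDFILE to the real path.

```shell
#!/bin/sh
# Added example: reload a running savdi after a pattern update by sending
# SIGHUP to the pid from its pid-file. The pid-file path is an assumption.
set -eu

SAVDI_PIDFILE="${SAVDI_PIDFILE:-/var/run/savdi.pid}"   # assumed path

# Print the pid from the pid-file, or fail: the file must be readable, hold
# a plain positive integer, and name a process that is still running.
savdi_pid() {
    pidfile="${1:-$SAVDI_PIDFILE}"
    [ -r "$pidfile" ] || { echo "no readable pid-file: $pidfile" >&2; return 1; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*|0*) echo "malformed pid in $pidfile" >&2; return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "pid $pid is not running" >&2; return 1; }
    printf '%s\n' "$pid"
}

# Deliver the reload signal; the exit status tells the caller (e.g. a step
# run right after savupdate) whether the HUP was actually sent.
reload_savdi() {
    pid=$(savdi_pid "${1:-$SAVDI_PIDFILE}") || return 1
    kill -HUP "$pid"
}
```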
HIPS for Linux
We would like to see HIPS functionality added to the Sophos AntiVirus Linux client.
8 votes