I would like some functionality added to Sophos Central to accommodate for the need to exempt a specific application on a single server without creating the need for an endless and complicated web of policies as additional application exemption needs are identified.

An example:

The company has all servers "enrolled" in the Default Application Control policy. Server A requires all of the same rules as the Default policy but needs PuTTY allowed. No other servers can have PuTTY installed per a strict security policy. To accommodate this need, we, at present, must create Default Application Controls policy clone (w/PuTTY allowed).

After that first application exemption need was identified and accommodated, we now have two policies that are nearly identical, the Default policy and the Default policy clone w/PuTTY exemption.

A new application is identified as requiring exemption on all servers. To accommodate this, we need to modify the Default policy AND the Default policy clone w/Putty exemption. Fine, so we modify the two policies and move on.

A new application, Ruby Installer, for instance, is identified that is required to be exempted on Server B, but not on Server A where PuTTY is exempted, so a third policy must now be created.

Now, for our policies, we have: 1) Default policy, 2) Default policy clone w/PuTTY exemption, and 3) Default policy clone w/Ruby Installer exemption.

Another application is identified that all servers need allowed, so we have to update all three policies.

Over time, this list is expected to grow in complexity that appears exponential.

Perhaps I am missing something somewhere, but it appears as though there is no nice accommodation for one-off exemptions like this in the Application Control policy. If possible, I would like to suggest the addition of the ability to add an exemption that is assigned to a machine that overrides the Application Control policy to which it subscribes in Sophos Central.

There needs to be a way to deal with old Alerts and Warnings which have gone past the displayable events logs. If any event is causing an endpoint to stay consistently in Red Alert or Yellow Warning state, then the event should stay persistent and never go away until addressed. There's no way to deal with these issues currently other than to uninstall/reinstall Sophos completely or follow the below instructions from Sophos. This will only clear the events log to stop the alerts from showing, but doesn't actually address the original alerts.

1. Disable tamper Protection


2. Stop Sophos Health service


3. Navigate to folder C:\ProgramData\Sophos\Health\Event Store\Database


4. Rename events.db to eventsold.db


5. Restart Sophos Health service


6. Kill the Sophos UI from Task Manager


7. Re-launch Sophos UI.exe from C:\Program Files\Sophos\Sophos UI

Currently (7/1/20) in Sophos Central endpoints of ours with certain VPN software also installed will show events that a firewall has blocked application (fill in the blank). There's a couple of things I'd like to see improved. In our case this is normal for our VPN software to do this. These events along with other AV events can make it seem like something worse is happening at the endpoint, and can be misleading.

-What was the firewall or application that was seen blocking another application? Can the event also contain this information?
-Ability to ignore or make an exception for these alerts.
-These alerts are also not seen at the client side. It seems right to me that the client events and the server events match each other, however in this instance they do not.

Allow for deployment of the Sophos Endpoint Control in a monitor only mode. This mode should enable all features of Sophos Endpoint Control but only log and not block anything. This would be extremely helpful when protecting endpoints with custom configurations and hardware. The current method of "try and change" where you deploy then constantly tweak and change settings to get the device/software to work is far too time consuming. Having a monitor only mode would allow the device to work while reporting issues/non-compliance which then we can create policies and apply, while still in monitor mode, to determine if items will be blocked/reported.

My understanding from the FAQs is that malicious traffic detection just checks HTTP traffic for connections to known bad infrastructure. So that means a domain/IP must be known to be bad for Sophos MTD to detect it.
If it's not already being done, I'd like to request the HTTP request be analysed to find suspicious indicators, for example a connection to URI's like /fre.php or /gate.php could be indicative of evil, but if the domain is not in your list then it would be missed.

Also, does malicious traffic detection decrypt and analyse HTTPS traffic? Is DNS traffic monitored for call outs to known bad infrastructure as well? If not these would be good to incorporate as well.

You could also look to detect domains with high entropy, newly registered domains, etc