Thanks for making it possible to receive email alerts from multiple sub-estates! Now can you add the sub-estate name to the alert?

Please include the sub-estate name in the email alert subject line of the messages sent to addresses in the "Email Alerts settings" of individual sub-estates. This can be done since the upgrade on 7/14/18 now includes the sub-estate name for email alerts sent to administrators of a sub-estate.

Now that my email address is in the "Email Alerts Settings" and I'm receiving email alerts from different sub-estates, I can tell there is a problem, I just don't know in which sub-estate the endpoint is located.

The Sophos Central API should be greatly explained so that one could easily obtain the entire status of any and all devices. This will allow daily merging with data from other systems to create worklists and reports for the day. The key is to get all the devices and their status (and any linked Alerts and Events).

This should also include removal of the 24 hour limit in the Alert and Event API calls, and also the status of those items (in case they were corrected since being posted).

All of this data needs to be relatable, i.e id values that correspond to tables for devices, statuses, severity and other items and all of those table should be readable via the API.

SUBJECT: Tamper Protection application by organizational policy (rather than globally)

Currently, tamper protection can only be enabled or disabled at the global level. But what happens if I want to uninstall Sophos from a subset of computers? And what happens if I want to do this efficiently, by using our Remote Patch Management software to push the uinstaller and script?

With the current Sophos setup, you'd have to go to each computer individually, enter a unique TP code, and uninstall. Or you would need to disable tamper protection for the *entire* organization -opening up a gaping security hole-, wait for the change to push, complete the uninstallation from the targeted subset using our Remote Patch Management tools, then re-enable tamper protection.

I would like for Sophos to either:
1) move Tamper Protection from a global setting to an org-policy level setting, or
2) allow creation of a single Tamper Protection code that can be deployed across the entire organization, so that we can bake it into our uninstaller scripts that are pushed through our Remote Patch Management solution.

Raffi Patatian
President, Smart Sourced IT
+1 (415) 483-1700

We need better options in order to deal with the high amount of generated alerts within Sophos Central.

1. Quarantine - cleanup of files often fails, in these cases we need to have options which don't involve visiting the machine as it may not be local to the admin. We need to be able to message the end user, or enforce reboot and cleanup, or option to do a more destructive cleanup, or a lockdown option, and mostly when a cleanup fails we need the option to try again (say, after asking user remotely to close an application).

2. Quarantine again - I've found old alerts that are no longer recorded in central but still have the yellow marker, in these cases I've had to go to the machine, stop the health service, delete the health database and start it up again. This could be implemented or fixed in central.

3. Reboot needed- I've seen the comments from senior engineers saying reboots are not needed. So either stop alerting on them, or provide us with a way to message users, or a way to remote reboot.

4. A policy option to clean out alerts which are no longer relevant (such as things that have been fixed).

The main points here would address a need to improve administration of larger estates as currently it is difficult to see where our real issues are.