  1. #1
    FatBoy

    Sophos EC and best practice

    Dear all,

    We have Sophos Enterprise Console 3.0.0.2321 installed, up and running, but I'm afraid it has been somewhat neglected for some time...

    We have loads of machines with suspicious behaviour:
    My question is this: is there a place to centrally manage this (OK certain exes etc.)? Basically, any way of doing this on multiple PCs and not doing it one by one!

    A few with a virus on:
    Do you have to go around each machine removing the virus manually and then OK and clean the alerts on the server, or is there a better way?

    And basically any tips and tricks anyone has so I can clean up our Sophos EM console without having to go round loads of machines!
    Thanks

  2. #2


    Re: Sophos EC and best practice

    Enterprise Console:
    C:\Program Files\Sophos\Enterprise Console\EnterpriseConsole.exe

    Package updater:
    C:\Program Files\Sophos\Enterprise Console\EMConsole\Console\Bin\Sophos Enterprise Manager.msc

    Is it up to date? Mine is set to update automatically and it deals with all issues on its own, thankfully. Perhaps a forced update would help?
    Update the server and packages and then do an update on all the clients from the Enterprise Console, and even schedule a full virus scan as part of the anti-virus policy to clear off anything nasty on the systems? You can always take it off the policy after.
    I don't use it much, it deals with itself; I just check it every so often here, so can't be much more help.

  3. #3
    KarlGoddard

    Re: Sophos EC and best practice

    You can right click on an infected PC and do a Full System Scan in v3 of the console. So that would be my first choice.

    Do you have HIPS enabled? When I had this enabled it was throwing up alert after alert all of which were 'false alarms'.

    If you're using HIPS take some time to set up your exclusion list right.

    The way I approached the general setup was to create a few policies - Desktops, Servers, DCs, Exchange etc. - and set the exclusions accordingly for each kind of box.

    Do a search on the MS site as this will give you a list of files / folders to exclude for stuff like Exchange servers and your DCs etc., otherwise Sophos may harm system performance.

  4. #4
    FatBoy

    Re: Sophos EC and best practice

    Thanks for your input master, but I can't see how it can completely look after itself! The suspicious behaviour is exactly that: behaviour that the console doesn't know whether to take action against or not, as it's not a virus. From what I can gather you have to tell the console what is OK and what is a problem. I shall look into HIPS, kgcs, and see whether this is the cause of a lot of my problems.

    One other issue I have found (as I'm new to this network) is that there are lots of computer accounts on the domain that don't actually exist anymore, and Sophos is importing all these accounts into the enterprise manager and making the task 10 times harder...

    Does anyone know of a way to scan the network and detect computer accounts that aren't used any more? I know it will never be exact due to computers being turned off etc., but even a rough idea would help me!

  5. #5

    localzuk

    Re: Sophos EC and best practice

    Regarding viruses - you can run a scan, yes, but you will more than likely need to reboot those individual machines into safe mode to run a scan - as a normal mode one probably won't be able to remove some of the viruses.

  6. #6
    FatBoy

    Re: Sophos EC and best practice

    Thanks for all the help, people. Your info has helped and will speed things up a bit for me. If anyone has anything else to add, please do.

  7. #7

    m25man

    Re: Sophos EC and best practice

    I recently found an interesting caveat with EM.

    At one site I visited, the console was in a terrible state, with machines mis-reporting and updates not working; the Sophos was pretty much a waste of space.

    One of the tests I carried out was a reverse lookup: ping by name, then a ping -a xxx.xxx.xxx.xxx

    Lo and behold, the ping -a did not resolve the PC name!

    Upon examining the DNS zone I realised that the client had recently extended their DHCP scope but omitted to add the new IP blocks into the reverse DNS zone.

    Within minutes the clients began to populate the reverse zone, we could ping them -a and the hostname was resolved, and bingo! All of the Sophos policies updated, installations worked and everything was back under control. Sophos was back and working as it should have been!

    Moral: never ever underestimate the importance of DNS on your networks. DNS DNS DNS... get it right.
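
Added example, not part of the original thread: the root cause described in the post above (a DHCP scope extended without matching reverse lookup zones) can be checked by comparing scope ranges against the list of reverse zones. The function names, the `StartRange`/`EndRange` property names and every address and zone name here are assumptions constructed for illustration.

```powershell
# Added example. All addresses and zone names below are constructed sample data.

# Number of the /24 block an IPv4 address falls in (first three octets as one integer).
function Get-Block24 {
    param([string]$Address)
    $o = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([int]$o[0] * 65536) + ([int]$o[1] * 256) + [int]$o[2]
}

# Emit one object per /24 block inside a DHCP scope that no reverse zone covers.
function Find-UncoveredReverseBlock {
    param(
        [object[]]$Scope,        # objects with StartRange and EndRange (assumed names)
        [string[]]$ReverseZone   # names of the reverse lookup zones on the DNS server
    )
    $zones = @($ReverseZone | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() })
    foreach ($s in $Scope) {
        $first = Get-Block24 $s.StartRange
        $last  = Get-Block24 $s.EndRange
        for ($n = $first; $n -le $last; $n++) {
            $a = $n -shr 16
            $b = ($n -shr 8) -band 255
            $c = $n -band 255
            $name = '{0}.{1}.{2}.in-addr.arpa' -f $c, $b, $a
            # Covered when a zone is this exact name or a parent of it,
            # e.g. 20.10.in-addr.arpa covers 3.20.10.in-addr.arpa.
            $covered = @($zones | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") })
            if ($covered.Count -eq 0) {
                [pscustomobject]@{
                    Scope       = '{0}-{1}' -f $s.StartRange, $s.EndRange
                    Block       = '{0}.{1}.{2}.0/24' -f $a, $b, $c
                    MissingZone = $name
                }
            }
        }
    }
}

# Constructed sample: a scope extended from one /24 to four, reverse zones for only two.
$sampleScopes = @([pscustomobject]@{ StartRange = '10.20.0.10'; EndRange = '10.20.3.250' })
$sampleZones  = @('0.20.10.in-addr.arpa', '1.20.10.in-addr.arpa')

Find-UncoveredReverseBlock -Scope $sampleScopes -ReverseZone $sampleZones |
    Format-Table -AutoSize
```

On Windows Server 2012 or later the two inputs can be taken from `Get-DhcpServerv4Scope` and from the reverse zones returned by `Get-DnsServerZone` instead of the sample arrays.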

  8. #8

    mattx

    Re: Sophos EC and best practice

    Anyone has anything else to add please do
    I do, as soon as your licence is up - dump Sophos and use an AV product that does the job properly.

  9. #9

    m25man

    Re: Sophos EC and best practice

    Quote Originally Posted by mattx
    I do, as soon as your licence is up - dump Sophos and use an AV product that does the job properly.
    Ouch! That's a bit strong.

    I realise that Sophos has become a bit like a Citroen Saxo that has spent too long in a Halfords store, but if set up correctly it does still get you from A to B!
