Windows Thread, Sophos EC and best practice in Technical
14th November 2007, 02:12 PM #1 Sophos EC and best practice
Dear all,
We have Sophos Enterprise Console 3.0.0.2321 installed, up and running, but I'm afraid it has been somewhat neglected for some time...
We have loads of machines with suspicious behaviour:
My question is this: is there a place to centrally manage this (OK certain exe etc.)? Basically, any way of doing this on multiple PCs and not doing it one by one!
A few with viruses on:
Do you have to go around each machine removing the virus manually and then ok and clean the alerts on the server or is there a better way?
And basically any tips and tricks anyone has so I can clean up our Sophos EM console without having to go round loads of machines!
Thanks
-
-
14th November 2007, 02:27 PM #2
Re: Sophos EC and best practice
Enterprise Console:
C:\Program Files\Sophos\Enterprise Console\EnterpriseConsole.exe
Package updater:
C:\Program Files\Sophos\Enterprise Console\EMConsole\Console\Bin\Sophos Enterprise Manager.msc
Is it up to date? Mine is set to update automatically and it deals with all issues on its own, thankfully. Perhaps a forced update would help?
Update the server and packages and then do an update on all the clients from the Enterprise Console, and even schedule a full virus scan as part of the anti-virus policy to clear off anything nasty on the systems? You can always take it off the policy after.
Don't use it much, it deals with itself. I just check it every so often here, so can't be much more help.
-
-
14th November 2007, 02:41 PM #3 Re: Sophos EC and best practice
You can right click on an infected PC and do a Full System Scan in v3 of the console. So that would be my first choice.
Do you have HIPS enabled? When I had this enabled it was throwing up alert after alert all of which were 'false alarms'.
If you're using HIPS take some time to set up your exclusion list right.
The way I approached the general setup was to create a few policies - Desktops, Servers, DCs, Exchange etc. - and set the exclusions accordingly for each kind of box.
Do a search on the MS site, as this will give you a list of files / folders to exclude for stuff like Exchange servers and your DCs etc., otherwise Sophos may harm system performance.
-
-
14th November 2007, 02:45 PM #4 Re: Sophos EC and best practice
Thanks for your input master but I can't see how it can completely look after itself! The suspicious behaviour is exactly that, behaviour that the console doesn't know whether to take action against or not as it's not a virus. From what I can gather you have to tell the console what is OK and what is a problem. I shall look into HIPS kgcs and see whether this is the cause of a lot of my problems.
One other issue I have found (as I'm new to this network) is that there are lots of computer accounts on the domain that don't actually exist anymore, and Sophos is importing all these accounts into the enterprise manager and making the task 10 times harder...
Does anyone know of a way to scan the network and detect computer accounts that aren't used any more? I know it will never be exact due to computers being turned off etc. but even a rough idea would help me!
-
-
14th November 2007, 03:28 PM #5 Re: Sophos EC and best practice
Regarding viruses - you can run a scan, yes, but you will more than likely need to reboot those individual machines into safe mode to run a scan - as a normal mode one probably won't be able to remove some of the viruses.
-
-
14th November 2007, 03:59 PM #6 Re: Sophos EC and best practice
Thanks for all the help, people.
Your info has helped and will speed things up a bit for me. Anyone has anything else to add please do
-
-
16th November 2007, 08:11 PM #7 Re: Sophos EC and best practice
I recently found an interesting caveat with EM.
At one site I visited, the console was in a terrible state with machines mis-reporting, updates not working, the Sophos was pretty much a waste of space.
One of the tests I carried out was a reverse lookup, ping by name then a ping -a xxx.xxx.xxx.xxx
Lo and behold, the ping -a did not resolve the PC name!
Upon examining the DNS zone I realised that the client had recently extended their DHCP scope but omitted to add the new IP blocks into the reverse DNS zone.
Within minutes the clients began to populate the reverse zone, we could ping them -a and the hostname was resolved, and bingo! All of the Sophos policies updated, installations worked and everything was back under control. Sophos was back and working as it should have been!
Moral: never ever underestimate the importance of DNS on your networks. DNS DNS DNS... get it right
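
The failure described in the post above (a DHCP scope extended without a matching reverse DNS zone) can be checked for offline. This is an added example, not part of the original thread: it compares DHCP ranges against the reverse zones that exist and lists the /24 blocks with no zone. The scope ranges and zone names are constructed sample values, the function names are hypothetical, and only reverse zones on octet boundaries (/8, /16, /24) are handled.

```python
import ipaddress

SUFFIX = ".in-addr.arpa"

def zone_to_network(zone):
    """Map an IPv4 reverse zone name (e.g. '1.168.192.in-addr.arpa') to its network."""
    name = zone.lower().rstrip(".")
    if not name.endswith(SUFFIX):
        raise ValueError(f"not an IPv4 reverse zone: {zone}")
    octets = name[:-len(SUFFIX)].split(".")[::-1]  # zone labels are in reverse order
    if not 1 <= len(octets) <= 3:
        raise ValueError(f"unsupported reverse zone: {zone}")
    address = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{address}/{8 * len(octets)}")

def reverse_zone_name(block):
    """Name of the reverse zone that would cover a /24 block."""
    a, b, c, _ = str(block.network_address).split(".")
    return f"{c}.{b}.{a}{SUFFIX}"

def uncovered_blocks(scopes, zones):
    """Return the /24 blocks touched by DHCP ranges that no reverse zone covers."""
    zone_nets = [zone_to_network(z) for z in zones]
    missing = set()
    for start, end in scopes:
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        for net in ipaddress.summarize_address_range(first, last):
            # Split anything larger than a /24 so each piece fits one zone.
            pieces = net.subnets(new_prefix=24) if net.prefixlen < 24 else [net]
            for piece in pieces:
                if any(piece.subnet_of(z) for z in zone_nets):
                    continue
                if piece.prefixlen > 24:
                    piece = piece.supernet(new_prefix=24)
                missing.add(piece)
    return sorted(missing)

# Constructed sample data: the second range is a newly added DHCP scope.
DHCP_SCOPES = [("192.168.1.10", "192.168.1.250"), ("192.168.2.10", "192.168.3.250")]
REVERSE_ZONES = ["1.168.192.in-addr.arpa"]

if __name__ == "__main__":
    for block in uncovered_blocks(DHCP_SCOPES, REVERSE_ZONES):
        print(f"{block}: no reverse zone, expected {reverse_zone_name(block)}")
```

Clients in any block it reports cannot register PTR records, so a reverse lookup of their address will not return the hostname.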
-
-
17th November 2007, 08:45 AM #8 Re: Sophos EC and best practice
Anyone has anything else to add please do
I do, as soon as your licence is up - dump Sophos and use an AV product that does the job properly.
-
-
17th November 2007, 09:37 AM #9 Re: Sophos EC and best practice

Originally Posted by mattx
I do, as soon as your licence is up - dump Sophos and use an AV product that does the job properly.
Ouch! That's a bit strong.
I realise that Sophos has become a bit like a Citroen Saxo that has spent too long in a Halfords store, but if set up correctly it does still get you from A to B!
-