Managing an enterprise organization antivirus with Sophos Endpoint Security and Control, one thing that I have found weird about Sophos is the way that it handles policies. You can use group policies to control a setting on the client. However, if the client changes its configuration away from the settings, for example, removing a scheduled scan or changing any setting without tamper protection enabled, the client will show in the Sophos Enterprise Console as ‘Differs from policy’.
Once the client shows up as ‘Differs from policy’ there are two ways to get the client re-aligned with your preferred settings:
- Right-click on the computer in the Sophos console and choose ‘Comply with’ and click ‘all policies’ or one of the other corresponding options that will work for you.
- Make a change to the assigned policy, at which point the console will push out the new policy to any clients receiving it.
Beyond that, the console nor the clients automatically enforce compliance with the policies. By enabling tamper protection, you are able to avoid most scenarios with traditional clients.
In one particular scenario, I was working with non-traditional clients of non-persistent VDI clients. These behaved like DeepFreeze computers and refreshed every reboot. This meant that they lost their policies as well. They would update the console and list their status as ‘Differs from policy’.
In order to trigger compliance with the policies, I needed the antivirus client to forget the policies that it had captured in the application layer of the VDI. In order to do that, I was able to use a startup script assigned through Group Policy to accomplish the rough suggestion I got through an old Sophos support thread. Essentially, we needed to stop the Sophos service, empty a folder with the local copies of the policies, and start the service again. Running as a startup script is required because we need this to run as Administrator level. The service to stop is called “Sophos Agent”.
Once the service starts up and realizes that it has no policies, it checks into the console with the status “Awaiting policy from console”. Less than two minutes later for my test system, it checked in again with the status “Same as policy”.
The simple four-line PowerShell script is embedded below.
https://gist.github.com/jhamilton09/58fda5b893daea3dce5570603887054c