Sophos

With the continued rise of ‘Next Generation’ Anti-Virus products like Sophos Intercept X and Palo Alto Traps, the question from many SysAdmins might well be: how do I deploy these?

If you are looking at Intercept X and you are already running Sophos Central (with Endpoint Protection), the simple answer is to press a few buttons in the Admin Console.

In short, log in to Sophos Central (https://cloud.sophos.com/manage/login), go to Endpoint Protection > Computers > Manage Endpoint Software > Intercept X, add your computers from the displayed list, then click Save.

For a more in-depth walkthrough take a look at the screenshots below. One quick note – due to the changing nature of Sophos Central (previously Sophos Cloud) it's quite possible that the look and feel of the Admin Console will have changed between the time I published this article and the time you read it.

Once you have deployed Intercept X to your existing machines, be sure to update the installers you use when deploying new computers, otherwise new machines will be protected by Endpoint Protection only until you add them to Intercept X by hand. You can download the updated installers from the ‘Protect Devices’ button on the Admin Console Dashboard.

Recently I have been doing a lot of movement of server roles; one of those moves was changing our DCs to newer servers that will be pure best-practice builds (nothing on them other than AD/DNS/File Storage). One of the old servers, however, had the Sophos Enterprise Console (v4.7 for anyone who is keeping count) on it, and after removing AD DS from that server I was getting the following error when trying to open the Sophos Enterprise Console:

Cannot open Sophos Enterprise Console

The user “DOMAIN\Administrator” is not assigned to any sub-estates. You must be a member of at least one sub-estate to run this console.

Contact your Administrator to resolve this issue.

Upon inspection (in Server Manager > Configuration > Local Users and Groups) it appeared that the local user group Sophos Full Administrators no longer existed. This makes sense: the console installer creates that group on the machine, and when the server was a domain controller it was a domain group; demoting the DC removed the local copy of the group along with the membership that the console checks at startup.

The simple solution is to create a new local group (called Sophos Full Administrators) and assign your administrative account to it. The screenshots below show this in a little more detail.
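The same fix from the command line, as an added example that is not part of the original post. It assumes you are running it as a local administrator on the server that hosts the Enterprise Console, and that the account which needs console access is DOMAIN\Administrator (the account named in the error above); substitute your own domain and account. The LocalAccounts cmdlets need PowerShell 5.1 or later, so the older net localgroup commands are included as well for the Server 2008-era hosts that a v4.7 console typically lives on.

```powershell
# Recreate the local group the Sophos Enterprise Console checks at startup
# and put the console administrator in it. Group name is the one the console
# expects; the member account is an assumption - change it to suit.
$GroupName = 'Sophos Full Administrators'
$Member    = 'DOMAIN\Administrator'   # assumption: the account from the error message

if (Get-Command New-LocalGroup -ErrorAction SilentlyContinue) {
    # PowerShell 5.1+ (Server 2016 and later)
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description 'Sophos Enterprise Console full administrators'
    }
    # Add-LocalGroupMember errors if the member is already present, so check first
    $existing = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq $Member }
    if (-not $existing) {
        Add-LocalGroupMember -Group $GroupName -Member $Member
    }
    # Verify: the console will only open if the account appears here
    Get-LocalGroupMember -Group $GroupName
}
else {
    # Older Windows without the LocalAccounts module: same steps via net.exe.
    # net localgroup returns a non-zero exit code if the group already exists,
    # which is harmless here.
    net localgroup "$GroupName" /add
    net localgroup "$GroupName" "$Member" /add
    net localgroup "$GroupName"
}
```

Group membership is read into the logon token at sign-in, so after adding the account log off and back on before retrying the console; if it still reports no sub-estates, the account is not actually in the group (check for a typo in the domain prefix), not a problem with the console itself.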

While setting up our new backup server (System Center Data Protection Manager 2012) one of the issues we came across was that it was failing the data synchronizations with an error message like this one:

Type:     Synchronization
Status:  Failed
Description:        Changes for Volume C:\ on <servername><domainname> cannot be applied to \\?\Volume{4fac41a1-0f58-11dc-8993-806d6172696f}\ProgramData\Sophos\AutoUpdate\Cache\savxp\. (ID 112 Details: Cannot create a file when that file already exists (0x800700B7))
More information

End time:             11/06/2012 14:29:16
Start time:           11/06/2012 14:28:14
Time elapsed:    00:01:01
Data transferred:             0 MB
Cluster node      –
Source details:  C:\
Protection group:            <servername>

The simple solution here is to exclude the Sophos AutoUpdate folder (C:\ProgramData\Sophos\AutoUpdate\Cache on the protected server) from the DPM protection group for that volume. The cache is only a staging area for update downloads, so nothing of value is lost by not backing it up. It's quite a pain if you have to do it for a whole lot of servers, but there is not much else that can be done!

The screenshots below go into a little more detail.