Having enabled verbose agent logging (as described in the articles linked from article 113069) to capture why a computer is reporting a 'differs from policy' you want to interpret the logs and see if the cause of the differing can be found without contacting us.
Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+
What To Do
Note: This article picks up from and explains how to perform log analysis for a differs from policy issue. If you have not already read the article above please do so to confirm if the reason for differing can be resolved without log analysis.
Correct procedure for gathering verbose Sophos Agent logs:
- First you must ensure the loglevel parameter for the Sophos Agent as been increased as described in article 30496.
- Now force a comply to the client from the console and await for the client to report back (i.e. either check the last message time value in the Computer Details window and confirm it is current or wait for the client to revert back to differing. This step is important to allow the client's Agent logs to record enough verbose information and log the exact sub-component of Sophos Anti-Virus that is differing. NOTE: Leaving the Agent logs at the verbose level for too long is not normally a problem - the number of logs is fixed at four and the size of each log at 1MB. Therefore it is better to delay logging gathering until you are sure the comply message has reached the client.
- When the client has reported back/ shows differing again run the Sophos Diagnostic Utility (SDU) on the client only.
Confirm the information has been gathered correctly:
When the sdulogs.sdu has been received confirm that relevant information has been captured in the Agent logs. You are looking for two sections of logging the line that being with the lines...
11.03.2012 09:35:54 0440 D SAVXP Adapter: --==Policy==--:
11.03.2012 09:35:54 0440 D SAVXP Adapter: --==Config==--:
The Policy section contains all of the settings as set centrally in the console. The Config(uration) section is what is currently set on the local client. Normally one or more sections of the config are different from what the system administrator chose to apply to the client in the policy. With verbose logging enabled the full policy and local configuration will be listed after their respective titles
If the above information is missing from the Agent logs confirm from the SDU that the loglevel value has been added to the registry correctly. Then confirm with the customer the Sophos Agent service was restarted and a comply was done to the client. The next most likely cause is that the logs were gathered prematurely.
Breaking down the problem:
Beneath the major titles of Policy and Config are the sub-components that make up Sophos Anti-Virus. Some of currently available sub-components of Sophos Anti-Virus are listed below. Note: Only components enabled in the policy will show. For example: if application control is not switched on in the policy is will not show in the logs. If it is enabled and the client fails to enable this component it will be shown.
- OnAccess - lists all settings related to the on-access scanner. This includes all components available to the on-access scanner. Example: exclusions, settings like on-read/ on-write/ on-rename.
- OnDemand - lists all settings related to the on-demand scanner. This includes all components available to on-demand scans. Example: exclusions, scan schedules, days of the week, times.
- ExclusionList set - lists exclusions.
- EffectiveExtensionList - lists what will be scanned.
- Scans set - lists on-demand scans - number, days to run, time, actions to take, etc.
- Authorised - lists all settings related to the Potential Unwanted Applications (PUA) scanner.
Approved set - lists all the PUAs that have been approved.
- Alerts - lists settings related to alerting - desktop, email, SNMP.
- RTInspect - Buffer Overflow protection (BOPs)
- SIPSApproved - Host Intrusion Prevention (HIPs)
- APPCConfig - application control
The above list is not meant to be exhaustive but highlights the main components that are listed.
How that you have located the part of the configuration that is differing be sure to make a note of it (in the case) for quick reference by all - what you've just done above should only be done once.
If only one component is differing search the following areas for further advice...
- Sophos knowledge base
- Contact Support
If a lot of components are differing create a new blank policy and group and move the client to that container. Apply the basic policy and confirm it holds the policy. Gradually add complexity to the policy until you can recreate the differing. Then confirm if this portion of the policy on its own is enough to cause the differing. Now seek mentoring from an engineer, post to the forum or escalate to Global Escalation support for further advice.
This article is just to write down some thoughts on how to troubleshoot a client that is showing as differing from policy for sub-component of Sophos Anti-Virus using log analysis.