Differs from policy - Anti-Virus and HIPS policy

  • Article ID: 113070
  • Updated: 05 Sep 2014

Issue

One or more clients report their status to the Sophos Enterprise Console as "differs from policy", under the "Anti-Virus Details" tab | "Anti-Virus and HIPS policy" column.

First seen in

Enterprise Console 3.0

Cause

There are various reasons for the client's local Anti-Virus and HIPS policy to differ from the centrally controlled version.  This article will help you identify which component is causing the warning message.

What To Do

Confirm the client has recently reported to the console

Initially it is important to confirm the client has sent a message to the Sophos management server recently.  If the client has not reported to the console recently then the warning message may not be accurate.

  1. Right-click the computer in the console.
  2. Select "View Computer Details".
  3. In the computer details windows locate the line "Last message received from computer".
  4. If the client is switched on and connected to the network, ensure the date and time is within the last 30 minutes.  If the date and/or time is outside this period, first troubleshoot why the client is not reporting to the console; the "differs from policy" status cannot be trusted until it does.

Force the client to comply

If the server has received a recent message from the client, you can attempt to force a comply to the client.  This will undo any local changes an administrator may have made to the client's configuration.

  1. Ensure that the client(s) are shown as connected in the console.  To do this, select "Connected computers" from the "View:" drop-down box.
  2. Right-click the client and select "Comply with" | "Group Anti-Virus and HIPS Policy".

Warning:  Forcing a comply for disconnected clients will generate message build-up in the management server's envelopes folder as these messages cannot be sent to offline clients.

Reboot the client

Occasionally the client may have trouble complying with the current configuration until it has been rebooted.  This is especially true if the client has just been upgraded.  If you have not already done so, reboot a client and wait for it to report (see "Confirm the client has recently reported to the console" above).

Check if the scheduled task has been created on the client

If your Anti-Virus and HIPS policy does not contain a scheduled scan of the client, you can dismiss this section as a cause of the differs from policy issue.  If you have configured a scan from the console, note the name of the scan.

If your Anti-Virus and HIPS policy does contain a scheduled scan (e.g. a full on-demand scan once a week, or similar), the client may not be able to implement this part of the configuration because of local restrictions on the Task Scheduler: the Task Scheduler service being disabled, group policy blocking scheduled tasks, or hardened permissions on the tasks folder.  To check if the scheduled task has been created on the client:

  • Windows 2000/XP/2003:
    • Browse to C:\Windows\Tasks\ - there should be an icon with the name of the scheduled task listed.
    • If there is no task listed for the scheduled scan:
      • Ensure the Task Scheduler service can be started (Start | Run | Type: services.msc | Press return).  Scroll down to the "Task Scheduler" service and confirm it is not disabled.
      • Ensure there are no group policy restrictions stopping a scheduled task from running.
      • Ensure permissions on the C:\Windows\Tasks\ folder allow the SYSTEM account and administrators group full control.
        Note: These permissions may have been altered due to Microsoft advice on mitigation steps for a Conficker malware infection.
    • If there is a task listed:
      • Right-click the task and select "Properties".  Check the "Schedule" tab to ensure the desired settings are enabled.
        Note:  If you receive an error when opening the scheduled task's properties please see below*.
  • Windows Vista/2008/7:
    • Select Start | Run | Type: taskschd.msc | Press return
    • Select "Task Scheduler Library" on the left-hand tree.  In the middle panel the active task are listed.
    • Scroll down the list and check if the name of the scan appears in the list.
    • If there is no task listed for the scheduled scan:
      • Ensure the Task Scheduler service can be started (Start | Run | Type: services.msc | Press return).  Scroll down to the "Task Scheduler" service and confirm it is not disabled.
      • Ensure there are no group policy restrictions stopping a scheduled task from running.
    • If there is a task listed:
      • Double-click the scheduled task's name.  Then select "Properties" from the right-hand panel.
      • Select the "Triggers" tab | "Edit" button.  Ensure the desired settings are enabled.

If you are unsure whether you have restrictions on the task scheduler please test by creating a scheduled task to open a small application like notepad.exe or the calculator program:

  1. Open a command prompt (Start | Run | cmd.exe | Press return).
  2. Paste in the following command and replace the "<yourDomainName>" and "<administratorPassword>" values as required.
    schtasks /create /s 127.0.0.1 /ru <yourDomainName>\administrator /rp <administratorPassword> /sc once /st 11:59:59 /tn "Sophos Test Task" /tr "%windir%\System32\calc.exe"
  3. Refresh the task scheduler window.
  4. Check if a new scheduler task called "Sophos Test Task" has been created.
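The following PowerShell script is an added example, not part of the Sophos article, that performs the same checks in one pass: it reads the state and start mode of the Task Scheduler service, confirms that SYSTEM and Administrators hold Full Control on %windir%\Tasks, looks for a task whose name contains the scan name you configured in the console, and can optionally create the "Sophos Test Task" from the command above.  The parameter names (-ScanName, -CreateTestTask, -RunAsUser, -RunAsPassword) are this example's own assumptions; run it from an elevated PowerShell prompt, because schtasks /create requires administrator rights.

```powershell
# Added example, not from the Sophos article. Assumptions: the scan name configured in
# the console is passed as -ScanName; the optional test task runs as SYSTEM unless
# -RunAsUser/-RunAsPassword (e.g. DOMAIN\administrator) are supplied.
param(
    [Parameter(Mandatory = $true)][string]$ScanName,  # name of the scheduled scan in the console
    [switch]$CreateTestTask,                           # also create the article's "Sophos Test Task"
    [string]$RunAsUser,                                # e.g. DOMAIN\administrator (omit to use SYSTEM)
    [string]$RunAsPassword
)

$results = @{}

# 1. Task Scheduler service: service name is "Schedule", display name "Task Scheduler".
$svc = Get-Service -Name Schedule -ErrorAction SilentlyContinue
$results['ServiceStatus'] = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='Schedule'"
$results['ServiceStartMode'] = if ($wmi) { $wmi.StartMode } else { 'Unknown' }

# 2. %windir%\Tasks must grant SYSTEM and Administrators Full Control
#    (Conficker-era hardening advice removed these rights on some machines).
$tasksDir = Join-Path $env:windir 'Tasks'
$acl = Get-Acl -Path $tasksDir
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $ok = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $principal -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $full) -eq $full)
    }
    $results["FullControl($principal)"] = [bool]$ok
}

# 3. Look for the scan by name. schtasks /query exists from XP onwards; on Vista and
#    later the TaskName column carries the folder path, so match with a wildcard.
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
$hit = @($tasks | Where-Object { $_.TaskName -like "*$ScanName*" })
$results['ScanTaskFound'] = ($hit.Count -gt 0)
if ($hit.Count -gt 0) {
    $results['ScanTaskStatus']  = $hit[0].Status
    $results['ScanNextRunTime'] = $hit[0].'Next Run Time'
}

# 4. Optionally create the article's test task. /st takes HH:mm on Vista and later but
#    HH:mm:ss on XP/2003 (as in the article's command), so pick the format by OS version.
if ($CreateTestTask) {
    $startTime = if ([Environment]::OSVersion.Version.Major -ge 6) { '23:59' } else { '23:59:59' }
    $schArgs = @('/create', '/sc', 'once', '/st', $startTime,
                 '/tn', 'Sophos Test Task', '/tr', "$env:windir\System32\calc.exe")
    if ($RunAsUser) { $schArgs += @('/ru', $RunAsUser, '/rp', $RunAsPassword) }
    else            { $schArgs += @('/ru', 'SYSTEM') }
    $null = & schtasks.exe @schArgs
    $results['TestTaskCreated'] = ($LASTEXITCODE -eq 0)
}

$results.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Usage: .\Test-SophosScheduledScan.ps1 -ScanName "Weekly full scan" -CreateTestTask -RunAsUser DOMAIN\administrator -RunAsPassword '...'.  A result of ScanTaskFound = False together with FullControl(...) = False or ServiceStartMode = Disabled points at the local Task Scheduler rather than at the Sophos policy; TestTaskCreated = False with an account supplied usually means the credential could not be stored, which is the case covered by the crypto keys section below.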

*If you receive an error when editing the properties of the scheduled task then follow these additional steps:

Delete the crypto keys from the local client

WARNING: Deleting the crypto keys removes the cached credentials for every scheduled task on the machine.  Existing scheduled tasks will remain, but the credentials for each task may need to be re-entered.  The impact depends on the other software and scheduled tasks present on the machine, so note them before deleting the files.

  1. Delete the crypto keys from the following folder (the RSA key container of the SYSTEM account, S-1-5-18):
    • Windows 2000/XP/2003: %allusersprofile%\Application Data\Microsoft\Crypto\RSA\S-1-5-18\
    • Windows Vista+: %allusersprofile%\Microsoft\Crypto\RSA\S-1-5-18\ (%allusersprofile% resolves to C:\ProgramData on these versions)
  2. Force a comply for the Anti-Virus and HIPS policy from the console.
  3. Allow the client to report/ differ from policy.

Alter the Host Intrusion Prevention System (HIPS) policy setting

WARNING:  The steps below should only be applied to a test policy on one group containing test computers.  Following these steps will block all unauthorised suspicious behaviour and may stop some applications from functioning normally.

  1. From the console edit the Anti-Virus and HIPS policy (Right-click the policy name | Select "View/Edit policy...").
  2. Select "Suspicious Behavior (HIPS)".
  3. Uncheck the "Alert Only" option.
  4. Force a comply for the Anti-Virus and HIPS policy from the console.
  5. Allow the client to report/ differ from policy.
  6. Record if the client holds its policy while HIPS is set to block ("Alert Only" option is unchecked).
  7. Edit the policy again and check the "Alert Only" option.
  8. Record if the client now holds its policy.

Further logging

If the above steps fail to resolve the differs from policy issue, please follow the steps below:

  1. Enable verbose agent logging on the client:
    1. Stop the 'Sophos Agent' service.
    2. Open the Registry Editor (regedit.exe).
    3. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Remote Management System\ManagementAgent (on 64-bit Windows the key is under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent).
    4. Create a new DWORD value named 'LogLevel'.
    5. Change its value to 2.
    6. Re-start the 'Sophos Agent' service.
  2. From the console force a comply for the Anti-Virus and HIPS policy to the client.
  3. Allow the client to report/ differ from policy.
  4. Run the Sophos Diagnostic Utility (SDU) on the client and forward the output file.  For more information on the SDU program please see: Sophos Diagnostic Utility (SDU): how to download and install
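The following PowerShell script is an added example, not part of the Sophos article, that carries out step 1 above (stop the agent, write LogLevel as a DWORD, restart the agent) and can revert it once the SDU output has been collected.  It picks the 32-bit or Wow6432Node registry path by testing which one exists, and it locates the service by the display name 'Sophos Agent' shown in services.msc rather than assuming an internal service name.  The parameter names (-LogLevel, -Revert) are this example's own; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the Sophos article. Assumptions: the agent service is the one
# whose display name is 'Sophos Agent'; the registry key is one of the two paths below.
param(
    [ValidateRange(0, 2)][int]$LogLevel = 2,   # 2 = verbose, as the article specifies
    [switch]$Revert                             # remove LogLevel again after collecting the SDU
)

$candidates = @(
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent',  # 64-bit Windows
    'HKLM:\SOFTWARE\Sophos\Remote Management System\ManagementAgent'               # 32-bit Windows
)
$keyPath = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $keyPath) { throw 'Sophos ManagementAgent registry key not found; is the RMS agent installed?' }

$svc = Get-Service -DisplayName 'Sophos Agent' -ErrorAction Stop

# Stop the agent so that it re-reads LogLevel when it starts again.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(1))
}

if ($Revert) {
    Remove-ItemProperty -Path $keyPath -Name LogLevel -ErrorAction SilentlyContinue
} else {
    # -PropertyType DWord makes the value type explicit (the article asks for a DWORD)
    # instead of relying on inference; -Force overwrites an existing value rather than failing.
    New-ItemProperty -Path $keyPath -Name LogLevel -Value $LogLevel -PropertyType DWord -Force | Out-Null
}

Start-Service -InputObject $svc
$svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(1))

# Echo the effective setting: the value, or nothing if it has been reverted.
(Get-ItemProperty -Path $keyPath).LogLevel
```

Usage: run .\Set-SophosAgentLogLevel.ps1 before forcing the comply in step 2, collect the SDU output in step 4, then run .\Set-SophosAgentLogLevel.ps1 -Revert so the client does not keep writing verbose logs indefinitely.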

If you need more information or guidance, then please contact technical support.
