Differs from policy - Application Control policy

  • Article ID: 113072
  • Updated: 15 Apr 2011

Issue
One or more clients report to the Enterprise Console that they "differ from policy". This is displayed under the "Application Control" tab | "Application control policy" column.

Known to apply to the following Sophos product(s) and version(s)

Enterprise Console

Cause
There are one or more items in the local quarantine manager. These items are preventing the application control policy from being applied.

What to do

Confirm the client has recently reported to the console

Initially it is important to confirm the client has sent a message to the Sophos management server recently.  If the client has not reported to the console recently then the warning message may not be accurate.

  1. Right-click the computer in the console.
  2. Select "View Computer Details".
  3. In the computer details window locate the line "Last message received from computer".
  4. If the client is switched on and connected to the network, ensure the date and time is within the last 30 minutes. If the date and/or time is outside of this period you should look to troubleshoot why the client is not reporting to the console.

Force the client to comply

If the server has received a recent message from the client, you can attempt to force the client to comply. This will undo any local changes an administrator may have made to the client's configuration.

  1. Ensure that the client(s) are shown as connected in the console.   To do this: From the "View:" drop down box select "Connected computers".
  2. Right-click the client and select "Comply with" > "Group Application Control Policy".

WARNING:  Forcing a comply for disconnected clients will generate message build-up in the management server's envelopes folder as these messages cannot be sent to offline clients.

Reboot the client

Occasionally the client may have trouble complying with the current configuration until it has been rebooted. This is especially true if the client has just been upgraded. If you have not already done so, reboot the client and wait for the client to report (see Confirm the client has recently reported to the console above).

Clear the local client's quarantine manager

  1. Stop the Sophos Anti-Virus service (Start | Run | Type: services.msc | Press return).
  2. Delete the quarantine.xml file from: %allusersprofile%\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml.
  3. Start the Sophos Anti-Virus service.
  4. From the console force a comply for the Application control policy to the client.
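
Steps 1 to 3 above as a PowerShell script, for running on the client from an elevated prompt. This is an added example, not Sophos code: it assumes the service's display name is 'Sophos Anti-Virus' as named in step 1, and it keeps a copy of Quarantine.xml in a hypothetical backup folder before deleting it, which is an addition to the steps above.

```powershell
# Added example, not Sophos code. Run from an elevated PowerShell prompt on the client.
# Assumption: the service's display name is 'Sophos Anti-Virus', as step 1 names it.
$ErrorActionPreference = 'Stop'

$serviceDisplayName = 'Sophos Anti-Virus'
$quarantineFile = Join-Path $env:ALLUSERSPROFILE 'Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml'
# Hypothetical location for the copy; use any folder restricted to administrators.
$backupDir = Join-Path $env:SystemDrive 'SophosQuarantineBackup'

# Fails here, before anything is changed, if the service is not found.
$service = Get-Service -DisplayName $serviceDisplayName

try {
    # Step 1: stop the service and wait until it reports Stopped.
    Stop-Service -InputObject $service -Force
    $service.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    if (Test-Path -LiteralPath $quarantineFile) {
        # Keep a timestamped copy so the quarantine entries can still be reviewed later.
        New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Copy-Item -LiteralPath $quarantineFile -Destination (Join-Path $backupDir "Quarantine-$stamp.xml")

        # Step 2: delete the quarantine file.
        Remove-Item -LiteralPath $quarantineFile -Force
        Write-Output "Deleted $quarantineFile"
    }
    else {
        Write-Output "No Quarantine.xml found at $quarantineFile; nothing to delete."
    }
}
finally {
    # Step 3: always start the service again, even if a step above failed,
    # so the client is not left with the anti-virus service stopped.
    Start-Service -InputObject $service
    $service.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Output "Service '$serviceDisplayName' is $($service.Status)."
}
```

Step 4, forcing the comply, is still done from the console once the script reports the service as Running.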

Further logging

If the above steps fail to resolve the differs from policy issue, please follow the steps below:

  1. Enable verbose agent logging on the client:
    1. Stop the 'Sophos Agent' service.
    2. Open the Registry Editor. See Registry Editor for more information.
    3. Browse to HKEY_LOCAL_MACHINE\software\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent.
    4. Create a new DWORD value named 'LogLevel'.
    5. Change its value to 2.
    6. Re-start the 'Sophos Agent' service.
  2. From the console force a comply for the Application control policy to the client.
  3. Allow the client to report/differ from policy.
  4. Run the Sophos Diagnostic Utility (SDU) on the client and forward the output file.  For more information on the SDU program please see: Sophos Diagnostic Utility (SDU): how to download and install

 
If you need more information or guidance, then please contact technical support.
