Best Practice: setting up home users

  • Article ID: 63182
  • Updated: 05 Sep 2014

Sophos believes that, if possible, an organization should seek to extend its security strategy beyond its official infrastructure. Even with the best security in a professional setting, when home users connect USB drives and other devices to the corporate network, all sorts of malware can make its way into the environment, since home computers can visit web sites and download files that a network administrator would never allow on their networks. An excellent way to protect yourself from inadvertent cross-infection is to allow your users to install your anti-virus product on their home computers.

Known to apply to the following Sophos product(s) and version(s)

Sophos Endpoint Security and Control

Sophos is pleased to extend our anti-virus protection to your licensed users’ home computers to help control accidental infection of your network from sites and content that you cannot control.

This best practice article is designed to be the only source you need to set up your home users. Because there are special terms and conditions for this extended use of Sophos security software at home, other knowledgebase articles don’t apply. For more information see the Sophos End-User Licence Agreement.

Note: This licensing extension applies only to users of Endpoint Security and Control. Small Business and Endpoint Security users do not have the right to extend anti-virus protection to users' home computers.

You have two options for installing Sophos security software on your end users’ home computers:

  1. The first way (downloading a standalone installer from Sophos.com) may seem simpler, but it places more of a burden on your users to understand the settings and know how to apply them.
  2. The second way (creating an installation package yourself that includes policies that you set up) may seem like more work at first, but it may help your end users by giving them ‘sensible’ settings for the home environment.

When deciding which approach to take, you should consider the eventual load on your helpdesk, since a condition of this home use is that you will have to support your end users with any issues that may arise from their use of Sophos software at home.

Distributing the standalone installer to your home users

This is the easiest way to distribute the software to your end users at home, but as it is set to the defaults for just about everything, you might spend a lot more time helping your end users configure their home computers than you bargained for!

  1. Download the standalone installer from https://secure2.sophos.com/en-us/mysophos/login.aspx. You will need to enter your MySophos credentials in order to access this page.

  2. Create a new update location in Update Manager that uses the web publishing folder on your web server.
    Under the terms of your licence agreement, any of your end-users who install Sophos software on their home computers must update from your network. The easiest way to do this is to share an update location on a web server. Your web server documentation should explain how to do this.

    Note: If you’re using IIS, you’ll need to add the Sophos extensions to the approved MIME types list. If you use a wildcard, you must also add .conf to the extensions list if you upload Sophos Anti-Virus for Mac OS X update files to the web. See 38238: Configuring Microsoft IIS for Endpoint Updating.

  3. Place the standalone installer in the web folder.
  4. Prepare some documentation for your customers about the product and include details about:
    • who to contact for Support (your helpdesk!);
    • the URL that should be used to download the installation program;
    • how to set the primary update source to the URL that will be used for updating and include the credentials they may need to access it.

Also include a link to the associated Sophos Standalone Startup Guide.

If you think your users will use them, include links to the best practice guides for more information: Anti-Virus and HIPS settings: guide to on-access settings; Anti-Virus and HIPS settings: guide to scheduled scan settings; and Best Practice: Firewall settings.

Creating an installation package for your home users

In this scenario, you define the policies that your end users use at home - this helps them as they won’t need to understand technical jargon to set up HIPS, etc.

Here’s a quick summary of how to create an installation package for your home users:

  1. Open Enterprise Console.

  2. Create a new anti-virus policy, name it something like ‘SAVHomeUse’.

    Edit the policy as described below. Check the Anti-Virus and HIPS settings guide on our Best Practice page to read more information about any of the Anti-Virus and HIPS policy settings.

    Some of the settings we would consider verifying and updating if needed for home use would be:

    On-access scan settings

    Scan inside archive files. Especially when users download files from unknown sources, archives can represent a security threat. You can’t enforce a policy of having users scan archives using the right-click scan feature in Sophos at home, so you may want to consider enabling this scan to protect your home users from malicious files they may pick up from the Internet.

    Scan for Macintosh viruses. This setting should be on if your network contains Macs.

    Scan for adware/PUAs. This setting is off in a regular Anti-Virus and HIPS policy because of the number of alerts that would be generated if all computers on your network started detecting adware and PUAs all at once. But for home use, you may want to alert your employees to adware and PUAs as soon as they’re detected. This is doubly true if you suspect that your end users may not do a full scan of their home computer very often.

    On-access scanning - On write. With the increased risk presented by home computer use, it is recommended that this be enabled.

    On-access scanning - On rename. This is another setting that can help detect malware quickly. We recommend that this option be enabled.

    Automatically clean up items that contain a virus/spyware. Many end users won’t know what to do when malware is found on their computer. They also might not understand that choosing ‘delete’ may delete a file that was very important to them. We think you should switch this setting on to reduce the number of calls you receive from your end users when they encounter malware. Remember that your end users can’t call Sophos for support directly when their home computers are infected, so you will need to help your end users clean up their computers when they have a detection.

    HIPS settings

    Alert only. It’s important to protect your home users from a buffer overflow, but switching off alert only may cause you a few support calls when a user can’t get a program to run because it’s exhibiting suspicious behavior. Perhaps you should tell your end users to leave this setting in alert only mode for the first month or so to get a feel for any possible alerts, create exclusions if they’re needed and then switch off ‘alert only’ to prevent buffer overflows created by malware.

    Scheduled scans

    You can’t create a scheduled scan for your end users’ home computers, so we recommend leaving this unset.

  3. Under the terms of your licence agreement, any of your end-users who install Sophos software on their home computers must update from your network. The easiest way to do this is to share an update location on an external facing web server. Your IIS or Apache server help should explain how to do this.

    Either create a new software distribution location that points to the web publishing folder on your external web server and populate it with the appropriate subscription (113936: How to Create an Additional Distribution Point), or install SUM on the web server and configure it with the appropriate subscription (51068: How to Install An Additional Update Manager).

    Note: If you’re using IIS, you’ll need to add the Sophos extensions to the approved MIME types list. If you use a wildcard, you must also add .conf to the extensions list if you upload Sophos Anti-Virus for Mac OS X update files to the web. See 38238: Configuring Microsoft IIS for Endpoint Updating.

  4. Create a new updating policy for your home users named 'SAUHomeUse'. Set the policy to update from the web location you set up in step 3.

  5. In Enterprise Console, create a new computer group named HomeUse. Apply the SAVHomeUse and SAUHomeUse policies to this group.

  6. Add a template client computer to the HomeUse group to ensure that it complies with the new policies. The template computer should preferably be running XP, Vista or Windows 7. If you'll be supporting Macs or Linux computers, ensure that you've made a template computer for each of these as well. Don't forget to first prepare the computer(s) as per section 11 of the Advanced Startup Guide or the Endpoint Security and Control Startup Guide for Linux, Netware and Unix.

  7. Ensure that you are logged on with admin rights and create a folder on the desktop called C:\HomeUse.

    You will export the updating and anti-virus policies and then package them together in this folder.
  8. In the Enterprise Console, click View->Bootstrap Locations, and locate the share and software you want to deploy to home users. Browse to the directory listed for it (normally in the format \\server\SophosUpdate\CIDs\SXXX\).

  9. Copy the SAVSCFXP folder to the folder you created on the C: drive. (If you do not see SAVSCFXP, but see savxp instead, go up one directory).

  10. Export from Enterprise Console the policies you wish to apply to the endpoint (13111: Using ExportConfig.exe to create XML configuration files):
    1. Open an Administrative-mode command prompt (on Windows 7/2008: search for cmd, right-click and Run As Administrator).
    2. Navigate to the Enterprise Console folder. 32-bit: c:\program files\Sophos\Enterprise Console. 64-bit: c:\program files (x86)\Sophos\Enterprise Console.
    3. Run this command: exportconfig.exe -type SAV -policy SAVHomeUse -output "C:\HomeUse\SAVSCFXP\savxp\savconf.xml"

  11. To integrate this policy, follow the instructions in 13112: Using ConfigCid to Implement XML Configuration File Changes, but use the final command below.

    configcid.exe "C:\HomeUse\SAVSCFXP"

  12. Use the guide 67504: How to Create a Standalone or Custom Installer Package to create the package you want. It is recommended to use the Sophos Deployment Packager. The following settings should be used for a home use package:
    • Source folder is c:\HomeUse\SAVSCFXP
    • Do not include RMS, Firewall or Patch
    • Included selected components: In the Package
    • Installation type: Non-interactive (So the users can see it is installing)
    • Output package: a directory you wish to write the EXE to
    • Updating - Primary Update Location: The HTTP address of your WebCID configured in Step 3 (Including the HTTP://)
    • Updating - Username and Password (If required by your Web Server)
  13. Provide the .EXE to the users for installation, or host on the Web Server and provide the HTTP URL.
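
Steps 7 to 11 can be run as one script that stops before packaging if the policy export did not produce a usable file. The PowerShell below is an added example, not Sophos code: the parameter names are hypothetical, the bootstrap path is the placeholder format from step 8, and configcid.exe is assumed to sit beside exportconfig.exe (article 13112 gives its actual location).

```powershell
# Added example (not Sophos code): steps 7-11, run from an elevated prompt.
param(
    # Placeholder in the page's own format; use the path from View->Bootstrap Locations.
    [string]$BootstrapDir = '\\server\SophosUpdate\CIDs\SXXX',
    [string]$WorkDir      = 'C:\HomeUse',
    [string]$PolicyName   = 'SAVHomeUse'
)
$ErrorActionPreference = 'Stop'

# Step 10.2: Program Files (x86) on 64-bit Windows, Program Files on 32-bit.
$pf = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$consoleDir   = Join-Path $pf 'Sophos\Enterprise Console'
$exportConfig = Join-Path $consoleDir 'exportconfig.exe'
# Assumption: configcid.exe is in the same folder; article 13112 gives its real location.
$configCid    = Join-Path $consoleDir 'configcid.exe'
foreach ($tool in $exportConfig, $configCid) {
    if (-not (Test-Path $tool)) { throw "Not found: $tool" }
}

# Step 9: if the listed directory already contains savxp, it is SAVSCFXP itself.
$src = Join-Path $BootstrapDir 'SAVSCFXP'
if (-not (Test-Path $src)) {
    if (Test-Path (Join-Path $BootstrapDir 'savxp')) { $src = $BootstrapDir }
    else { throw "No SAVSCFXP or savxp folder under $BootstrapDir" }
}

# Steps 7 and 9: copy into a fresh folder so stale files never end up in the package.
$dest = Join-Path $WorkDir 'SAVSCFXP'
if (Test-Path $dest) { throw "$dest already exists; remove it and re-run" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Copy-Item -Path $src -Destination $dest -Recurse

# Step 10.3: export the anti-virus policy with the command given in the article.
$xmlPath = Join-Path $dest 'savxp\savconf.xml'
Push-Location $consoleDir
try { & $exportConfig -type SAV -policy $PolicyName -output $xmlPath }
finally { Pop-Location }

# Check the export before integrating it: the file must exist and be well-formed XML.
if (-not (Test-Path $xmlPath)) { throw "Export failed: $xmlPath was not written" }
(New-Object System.Xml.XmlDocument).Load($xmlPath)   # throws on malformed XML

# Step 11: integrate the exported policy into the copied folder.
& $configCid $dest
Write-Output "Policy '$PolicyName' integrated into $dest"
```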

 
If you need more information or guidance, then please contact technical support.
