How to analyze verbose logging for 'Differs from policy' errors

  • Article ID: 110458
  • Updated: 04 Mar 2015

This article is intended as a follow-on from article Differs from Policy - General and those product-specific articles that link off it.

This article:

  1. Assumes that you have enabled verbose agent logging (as described in the articles mentioned above) to capture detailed logs which can indicate why a computer is reporting 'differs from policy'.
  2. Explains how to check the logs to see if the cause can be found.

Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+

What To Do

1. Gather verbose Sophos Agent logs

  1. Ensure the loglevel parameter for the Sophos Agent has been increased as described in article 30496.
  2. Force a comply to the client from the console and wait for the client to report back. Confirm that it has done so either
    • by checking that the last message time value in the Computer Details window is current, or
    • by waiting for the client to revert to 'differs from policy'.

    This step is important to allow the client's Agent logs to record enough verbose information and log the exact sub-component of Sophos Anti-Virus that is differing.
    Note: Leaving the Agent logs at the verbose level for too long is not normally a problem: the number of logs is fixed at four and the size of each log at 1MB. It is therefore better to delay gathering the logs until you are sure the comply message has reached the client.

  3. When the client has reported back, or shows that it again differs from policy, run the Sophos Diagnostic Utility (SDU) on the client only.

2. Confirm the information has been gathered correctly

When the sdulogs.sdu file has been received, confirm that the relevant information has been captured in the Agent logs. With verbose logging enabled, the full policy and the local configuration are listed after their respective headings. Check that both of the following sections of logging are present:

11.03.2012 09:35:54 0440 D SAVXP Adapter: --==Policy==--:
11.03.2012 09:35:54 0440 D SAVXP Adapter: --==Config==--:

  • The Policy section shows all of the settings as set centrally in the console.
  • The Config(uration) section shows what is currently set on the client. Normally, one or more sections of the config are different from what the system administrator chose to apply to the client in the policy.

If the above information is missing from the Agent logs, check:

  • from the SDU, that the loglevel value has been added to the registry correctly
  • that the Sophos Agent service was restarted and a comply was sent to the client
  • that the logs were not gathered prematurely (see the note in step 2 of the previous section).

3. Identify the problem area

Beneath the main sections of Policy and Config are the sub-components that make up Sophos Anti-Virus. The following list highlights the main sub-components currently available in Sophos Anti-Virus.

Note: Only those components which are enabled in the policy will show. For example, if application control is not switched on in the policy, it will not show in the logs. If it is enabled and the client fails to enable this component, it will be shown.

  • OnAccess - lists all settings related to the on-access scanner. This includes all components available to the on-access scanner. Examples: exclusions, and settings such as on-read, on-write and on-rename.
  • OnDemand - lists all settings related to the on-demand scanner. This includes all components available to on-demand scans. Examples: exclusions, scan schedules, days of the week, times.
  • ExclusionList set - lists exclusions.
  • EffectiveExtensionList - lists what will be scanned.
  • Scans set - lists on-demand scans - number, days to run, time, actions to take, etc.
  • Authorised - lists all settings related to the Potential Unwanted Applications (PUA) scanner.
  • Approved set - lists all the PUAs that have been approved.

  • Alerts - lists settings related to alerting - desktop, email, SNMP.
  • RTInspect - Buffer Overflow protection (BOPs)
  • SIPSApproved - Host Intrusion Prevention (HIPs)
  • APPCConfig - application control
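As an added illustration (not part of this article and not a Sophos tool), the Python script below locates the two section markers quoted in section 2, reports if either is missing, and compares the settings under each sub-component in Policy against Config to show which sub-component differs. The layout of the lines beneath the markers (one "SubComponent: setting=value" per line) and the sample log are constructed assumptions, not the documented log format.

```python
import re
# Section markers exactly as the article quotes them from the Agent log.
POLICY_MARKER = "--==Policy==--:"
CONFIG_MARKER = "--==Config==--:"
# ASSUMED layout beneath each marker: log prefix, then "<SubComponent>: <setting>=<value>".
LINE_RE = re.compile(r"^\S+ \S+ \S+ \S SAVXP Adapter: (?P<comp>\w+): (?P<setting>[^=]+)=(?P<value>.*)$")
SAMPLE_LOG = [  # constructed sample: RTInspect (BOPs) is on in the policy but off on the client
    "11.03.2012 09:35:54 0440 D SAVXP Adapter: --==Policy==--:",
    "11.03.2012 09:35:54 0440 D SAVXP Adapter: OnAccess: OnRead=true",
    "11.03.2012 09:35:54 0440 D SAVXP Adapter: RTInspect: Enabled=true",
    "11.03.2012 09:35:54 0440 D SAVXP Adapter: --==Config==--:",
    "11.03.2012 09:35:54 0440 D SAVXP Adapter: OnAccess: OnRead=true",
    "11.03.2012 09:35:54 0440 D SAVXP Adapter: RTInspect: Enabled=false",
]

def split_sections(lines):
    """Return (policy_lines, config_lines); a section whose marker is absent is None."""
    found = {POLICY_MARKER: None, CONFIG_MARKER: None}
    current = None
    for line in lines:
        marker = next((m for m in found if line.rstrip().endswith(m)), None)
        if marker is not None:  # a marker line starts a new section
            found[marker] = []
            current = marker
        elif current is not None:
            found[current].append(line)
    return found[POLICY_MARKER], found[CONFIG_MARKER]

def parse_settings(section_lines):
    """Map sub-component -> {setting: value} for lines matching the assumed layout."""
    settings = {}
    for line in section_lines:
        m = LINE_RE.match(line.strip())
        if m:
            settings.setdefault(m["comp"], {})[m["setting"].strip()] = m["value"].strip()
    return settings

def differing_components(lines):
    """Return {sub-component: [(setting, policy_value, config_value)]}; a setting missing from Config shows None."""
    policy_lines, config_lines = split_sections(lines)
    if policy_lines is None or config_lines is None:  # the check in section 2 of the article
        raise ValueError("Policy or Config section missing: check loglevel, service restart, comply timing")
    policy, config = parse_settings(policy_lines), parse_settings(config_lines)
    diffs = {}
    for comp, wanted in policy.items():
        applied = config.get(comp, {})
        for setting, value in wanted.items():
            if applied.get(setting) != value:
                diffs.setdefault(comp, []).append((setting, value, applied.get(setting)))
    return diffs
```

Run it over the Agent log extracted from sdulogs.sdu (one line per list element) and the returned dictionary names the sub-component to look up in the list above.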

4. Fixing the problem

Make a note of which part of the configuration is differing; the log analysis above should only need to be done once.

  • If only one component is differing, search the following areas for further advice:
    • Sophos knowledge base
    • SophosTalk
    • Contact Support
  • If a number of components are differing, do the following:
    1. Create a new blank policy and group, and move the client to that container.
    2. Apply the basic policy and confirm that the client holds it.
    3. Gradually add complexity to the policy until you can recreate the differing, then confirm whether this portion of the policy on its own is enough to cause it.
    4. If necessary, seek advice on what to do next from the sources above.


If you need more information or guidance, then please contact technical support.
