Sophos -- Computers That Differ From Their Assigned Policy

In the Sophos Console, there is an area in the right container of the Dashboard that deals with Computers that Differ from policy. Here are some suggestions on how to deal with these systems:

Enterprise Console Approaches to Resolving Assigned Policy Errors
1. Easiest Approach -- <Right Click> on the computer and select Comply with All Group Policies
2. Confirm the Policy Violated Through the Computer Details -- There are 3 areas where the computer can differ from it's policy. There are only 2 policies you have to worry about: Updating and Anti-Virus/HIPS. Chances are the Anti-Virus/HIPS policy is what is being violated. The Updating Policy is pretty straightforward. <Right Click> on a computer that differs from its policy and determine from the View Computer Details area which area is in violation. Once it's determined, <Right Click> on the computer, again, and direct the system to Comply With either All Group Policies, or the specific policy it is violating:
  1. Anti-Virus and HIPS
  2. Updating Policy
  3. Tamper Protection Status and Protection Compliance
3. Is it "Differs From Policy" or Another Compliance Message? -- If the Status of the computer shows Differs From Policy, then try moving the computer to a different policy group (the Compliance Policy Group was set up for this). This will cause the SQL database to change the status of the system. Then, when you move it back, it will "force" compliance.
  1. A policy and policy group, Compliance Policy, has been created with a false Primary Server. Put the client into that policy group and force a "Comply with | Anti-Virus and HIPS policy"
  2. Once it changes to a primary server of Sophos4 (which does not exist), then put it back into its original group and force another "Comply with | Anti-Virus and HIPS policy"
4. Is it "Comparison Failure" or Another Compliance Message? -- Many times, a system may show that it fails in policy compliance with a comparison failure. This is normally a transient error, and will rectify itself within a fairly short time. However, if it does not resolve itself, perform the following steps:
  1. Check the local Sophos Anti-Virus Service -- It may be in a "stopped" state. Just restart it.
  2. Check the local Sophos Shield in the System Tray -- It may be grayed out, indicating a stopping of a Sophos Service. Start all "stopped" Sophos Services.
  3. Force the Client to comply with the Anti-Virus and HIPS policy -- *In the Enterprise Console, <Right Click>* on client and select "Comply with | Anti-Virus and HIPS policy"
Local Computer Approaches to Resolving Assigned Policy Errors
1. Reboot the Local System -- Of course, some problems can be always be resolved by rebooting the system. This may not work, but, hey, it's worth a try.
2. Reinstall the Client Software -- Try reinstalling the client software to the client.
3. Turn Off Process in the Task Manager and Restart Them in the Services Applet
  1. In the Task Manager, end the SavService.exe process
  2. Click Start / Run and type services.msc
  3. <Right Click> "Sophos Anti-Virus" and select "Start" to start the service
  4. If this does not fix the issue, re-protect the client computer
4. The Local Client May Have Scheduled Tasks Problems -- Many times, when it shows Differs from Policy, the problem is with the Scheduled Task being applied to the system. Remote to the local system and determine whether or not the policy shows in the Sophos Endpoint Security and Control client that was installed on the computer. It is located under the Scans option in the Anti-Virus and HIPS container on the Home page of the client. It "should" show the Scheduled Task. If it doesn't, work on that systems Task Scheduler in the Control Panel. There's a problem with it. You can also see Task Scheduler Problems *for additional ideas on resolving issues in the Task Scheduler.*