Sophos Endpoint Security Eval Thoughts
This week I began an evaluation of Sophos Endpoint Security. (Why do I get the feeling that sales guys all over the country just perked up and began repeating "sales lead" to themselves?) Currently we're using Symantec Antivirus 10. I'm looking to consolidate antivirus, antispyware and the personal firewall into one product. We also want more protection than signature-based solutions can provide. For years I've wanted to go with Cisco Security Agent (although now I don't want to add yet another agent), and I've also considered McAfee Total Protection because it has the McAfee HIPS technology.
Sophos recently made big sales to Northrop Grumman and GE. This shatters the notion that they are only a small European AV vendor. Sophos sales tells a pretty good story, and they are nothing if not tenacious.
When I set up their enterprise console, I found that, as they stated, it's a lot simpler to manage than McAfee TPS and Symantec Endpoint Protection. When I got to installing the client, I found a couple of things that really bother me.
1. McAfee and Symantec both provide mechanisms for locking the client configuration. With Sophos, they create local groups: Sophos Administrator, Sophos Power User and Sophos User. The install on the client added every member of local Administrators to the Sophos Administrators group. In our company employees have local admin rights, so this is kind of a problem.
Sophos' answer to this is to use Restricted Groups in Group Policy to restrict membership in the Sophos Administrators group to whatever groups you specify. Additionally, they use Group Policy to place NTFS file permissions on their XML configuration file.
This solution is simply not as granular as that provided by the competitors. With Symantec I can allow specific settings to be modifiable by the user. I can give the user the uninstall password if necessary. The Sophos solution doesn't allow you to lock down settings on computers that are not members of your domain. It creates a dependency on Group Policy acting correctly. Informed local administrators may be able to add themselves to the group long enough to perform their rogue task.
2. Installing Sophos requires supplying a local administrator account for the machine where the installation is occurring. Since we generally deploy software through SMS, this means I'll have to supply a password in the command line script. I believe that is specifically forbidden under NIST 800-53. It's certainly bad practice. It also raises questions about how users outside the domain will install (home users, Windows computers in other domains).
I haven't run across software with this requirement before. Either software runs as the user running the install (if they have admin rights) or you run the install as the SMS install account.
When installing on a non-domain computer, I had a lot of problems getting the install to work and then successfully check in for updates.
3. The Sophos install creates a local administrator account. Now I'm sure it has a very strong password, but I'm just not comfortable with my software creating a local admin account. Symantec didn't do that. McAfee didn't do that.
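Both of the concerns above (an admin quietly adding themselves to the Sophos Administrators group in point 1, and the installer's own local admin account in point 3) are things you can watch for from the endpoint. The audit script below is an added example, not from the post and not a Sophos tool: it compares local group membership against an allow-list and lists enabled local accounts. The group names come from the post; the allow-list entries are constructed placeholders, and the cmdlets assume Windows 10 / Server 2016 or later.

```powershell
# Added example, not from the original post or from Sophos. Audits local
# group membership for drift against an allow-list and lists enabled local
# accounts. Run from an elevated session on the endpoint (or via Invoke-Command).
# Requires the Microsoft.PowerShell.LocalAccounts cmdlets (Win10 / Server 2016+).

# Group names as described in the post; member values are constructed placeholders.
$Expected = @{
    'Sophos Administrator' = @('CORP\Sophos-Console-Admins')
    'Sophos Power User'    = @('CORP\Helpdesk')
    'Administrators'       = @('CORP\Domain Admins', 'CORP\Workstation-Admins')
}

function Get-GroupDrift {
    param([hashtable]$Allowed)
    foreach ($group in $Allowed.Keys) {
        # A missing group is itself worth reporting (e.g. the agent was removed).
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ Group = $group; Member = '<group missing>'; Type = ''; Status = 'MISSING' }
            continue
        }
        foreach ($m in (Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)) {
            # -contains is case-insensitive; names look like DOMAIN\name or HOST\name.
            $status = if ($Allowed[$group] -contains $m.Name) { 'Expected' } else { 'UNEXPECTED' }
            [pscustomobject]@{ Group = $group; Member = $m.Name; Type = $m.ObjectClass; Status = $status }
        }
    }
}

function Get-EnabledLocalAccounts {
    # Enabled local users; an account you did not create is the one to question.
    Get-LocalUser | Where-Object Enabled | Select-Object Name, LastLogon, PasswordLastSet
}

Write-Host "Group membership drift on $env:COMPUTERNAME:"
Get-GroupDrift -Allowed $Expected | Where-Object Status -ne 'Expected' | Format-Table -AutoSize

Write-Host 'Enabled local accounts:'
Get-EnabledLocalAccounts | Format-Table -AutoSize
```

Scheduling this (or collecting its output centrally) gives you a record of when membership changed, which Restricted Groups alone does not provide if someone adds themselves between policy refreshes.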
I've been accused of writing off these endpoint security vendors too quickly. The way I see it, it doesn't matter if the rest of the eval is perfect, if Sophos can't answer to my satisfaction why they are doing things this way and why it isn't a problem, I can't do with this product.
Sophos has already gotten me to change some of my thinking. Their defaults include scanning program files only, scanning on read/execute only, and not scanning compressed files. It's no wonder they claim to be faster than the competition. In those cases, they had a good argument for their recommendations (although a sales engineer did recommend I scan on write too and ignore the manual on that point). These three issues may be too much for me to accept.
My sales engineer is out most of next week. I'm out Monday. I'll post a follow-up when I get some answers back.
Roger,
I am curious about your feedback on Symantec Endpoint Protection 11.0.
I just updated my blog with some information on the latest update to SEP 11.0.
https://forums.symantec.com/blog?blog.id=EndpointSecurity
Regards,
Brian
Hi Brian, nice to hear from you. Sorry for the late posting of your comment and my reply, but for some reason Akismet didn't like your comment. I don't normally have false positives from that filter.
I do read your blog, and subscribe to it in my RSS reader as any Symantec AV admin should.
I think I forgot the cardinal rule with Symantec: always wait for MR2. I was kind of disappointed with MR1. I didn't feel I was seeing the resource savings that were promised, particularly in the area of RAM. I also felt like it was really tough to configure. That led me to doubt all of Symantec's PR. I suspect that I'll be giving MR2 a shot once I'm done with Sophos.