Sophos Endpoint Security Eval Thoughts

This week I began an evaluation of Sophos Endpoint Security (why do I get the feeling that sales guys all over the country just perked up and began repeating “sales lead” to themselves?). Currently we’re using Symantec Antivirus 10. I’m looking to consolidate antivirus, antispyware and the personal firewall into one product. We also want more protection than signature-based solutions can provide. For years I’ve been wanting to go with Cisco Security Agent (although now I don’t want to add yet another agent); I’ve also considered McAfee Total Protection because it has the McAfee HIPS technology.
Sophos recently made big sales to Northrop Grumman and GE. This shatters the notion that they are only a small European AV vendor. Sophos sales tells a pretty good story, and they are nothing if not tenacious.
When I set up their enterprise console, I found that, as they stated, it’s a lot simpler to manage than McAfee TPS and Symantec Endpoint Protection. When I got to installing the client, I found a couple of things that really bother me.
1. McAfee and Symantec both provide mechanisms for locking the client configuration. Sophos instead creates local groups: Sophos Administrator, Sophos Power User and Sophos User. The install on the client added every member of local Administrators to the Sophos Administrators group. In our company employees have local admin rights, so this is kind of a problem.
Sophos’ answer to this is to use Restricted Groups in Group Policy to restrict membership of the Sophos Administrators group to whatever groups you specify. Additionally, they use Group Policy to place NTFS file permissions on their XML configuration file.
This solution is simply not as granular as what the competitors provide. With Symantec I can allow specific settings to be modifiable by the user, and I can give the user the uninstall password if necessary. The Sophos approach doesn’t let you lock down settings on computers that are not members of your domain, and it creates a dependency on Group Policy applying correctly. An informed local administrator may be able to add himself to the group long enough to perform his rogue task.
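A defensive check for point 1, added here as an example and not Sophos’ own tooling: it lists who actually sits in the Sophos local groups named above and who holds write access on the configuration file, so you can verify on a given machine (including one outside the domain) that the Restricted Groups and NTFS lockdown really took effect. The allow-list principals and the config file path are assumptions; the group names are the ones the post reports.

```powershell
# Audit of the Sophos local groups and config ACL (example, not Sophos code).
param(
    # Assumed: principals permitted in the Sophos Administrator group once
    # Restricted Groups has been applied. Adjust to your own group names.
    [string[]]$AllowedAdmins = @('CORP\AV-Admins', "$env:COMPUTERNAME\Administrator"),
    # PLACEHOLDER: the XML configuration file Sophos protects with NTFS permissions.
    [string]$ConfigPath = 'C:\PLACEHOLDER\SophosConfig.xml'
)

$findings = @()

# 1. Membership of the local groups the installer creates. The post reports the
#    installer copying every local Administrator into the Sophos Administrator
#    group, so any member outside the allow-list means the GPO has not taken effect.
foreach ($group in 'Sophos Administrator', 'Sophos Power User', 'Sophos User') {
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) { continue }
    foreach ($m in Get-LocalGroupMember -Group $group) {
        $findings += [pscustomobject]@{
            Check     = 'GroupMember'
            Object    = $group
            Principal = $m.Name
            Allowed   = ($group -ne 'Sophos Administrator') -or ($AllowedAdmins -contains $m.Name)
        }
    }
}

# 2. Who can write the config file. Any Allow ACE carrying write bits for a
#    principal outside the allow-list (or SYSTEM) undermines the NTFS lockdown.
#    Note: generic-rights ACEs (e.g. GENERIC_ALL) are not decoded here.
if (Test-Path $ConfigPath) {
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -Path $ConfigPath).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            $findings += [pscustomobject]@{
                Check     = 'ConfigAcl'
                Object    = $ConfigPath
                Principal = $who
                Allowed   = ($AllowedAdmins -contains $who) -or ($who -eq 'NT AUTHORITY\SYSTEM')
            }
        }
    }
}

$findings | Sort-Object Allowed | Format-Table -AutoSize
# Non-zero exit lets SMS or a scheduled task flag machines where the lockdown failed.
if ($findings | Where-Object { -not $_.Allowed }) { exit 1 }
```

Run it as a local administrator on a domain member and on a workgroup machine; the second case is where the post expects the Group Policy based lockdown to have no effect.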
2. Installing Sophos requires supplying a local administrator account for the machine where the installation is occurring. Since we generally deploy software through SMS, this means I’ll have to supply a password in the command-line script. I believe that is specifically forbidden under NIST 800-53; it’s certainly bad practice. It also raises questions about how users outside the domain will install (home users, Windows computers in other domains).
I haven’t run across software with this requirement before. Either the software runs as the user running the install (if they have admin rights), or you run the install as the SMS install account.
I had a lot of problems getting the install to work, and then successfully check in for updates, when installing on a non-domain computer.
3. The Sophos install creates a local administrator account. Now I’m sure it has a very strong password, but I’m just not comfortable with my software creating a local admin account. Symantec didn’t do that. McAfee didn’t do that.
I’ve been accused of writing off these endpoint security vendors too quickly. The way I see it, it doesn’t matter if the rest of the eval is perfect: if Sophos can’t answer to my satisfaction why they are doing things this way and why it isn’t a problem, I can’t go with this product.
Sophos has already gotten me to change some of my thinking. Their defaults include scanning program files only, scanning on read/execute only, and not scanning compressed files. It’s no wonder they claim to be faster than the competition. In those cases, they had a good argument for their recommendations (although a sales engineer did recommend I scan on write too and ignore the manual on that point). Still, these three issues may be too much for me to accept.
My sales engineer is out most of next week, and I’m out Monday. I’ll post a follow-up when I get some answers back.

3 Comments

  1. Hi Brian, nice to hear from you. Sorry for the late posting of your comment and my reply, but for some reason Akismet didn’t like your comment. I don’t normally have false positives from that filter.
    I do read your blog, and subscribe to it in my RSS reader as any Symantec AV admin should.
    I think I forgot the cardinal rule with Symantec: always wait for MR2. I was kind of disappointed with MR1. I didn’t feel I was seeing the resource savings that were promised, particularly in the area of RAM. I also felt like it was really tough to configure. That led me to doubt all of Symantec’s PR. I suspect that I’ll be giving MR2 a shot once I’m done with Sophos.

  2. Hi,
    not sure what you have done or how, but a few corrections. I’ve been running Sophos in a corporate environment for quite some time. Every two years we evaluate other AV products and decide to continue using Sophos. It is that good.
    To comment on your experience: the Sophos install does create local accounts. However, it does not create an account with local admin rights. It adds Sophos Administrator rights to your local Administrator account, and that is different. Another thing is that in a domain, our Sophos runs under a domain account, and users cannot modify any settings. Not sure how you tried to configure it. Also, I would be more concerned about my users having local admin rights than about Sophos granting local admins rights to manage the AV product. Just my 2p.
    Finally, I would suggest you give the Sophos support guys a call. They are quite good and (from my personal experience) will happily answer any questions.
    And, I do not work for Sophos. But, after years and tons of issues with other AV products, I find Sophos to be the best by far. Just sits there and does what it is supposed to do without any fuss.
    Denis
