Eh70_v6.0.1_engineer' Handout_sophos Central.pdf

  • Uploaded by: Ivo Mayer
  • April 2020
Hello, and welcome to this Sophos Certified Engineer training course for Sophos Central. This is Module 700, Course introduction.

Sophos Certified Engineer Sophos Central
ET700 – Engineer Theory
April 2016
Training version: 6.0.0
Product version: Sophos Central 6.0

© 2016 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Prior to taking this training you should:
• Have completed and passed the Fundamentals – Certified Engineer course
We recommend students have the following knowledge and experience:
• Be able to set up a Windows server, with Windows workstations
• Have knowledge of general Windows networking
• Have familiarity with using Android or iOS mobile devices

2

To complete the Sophos Central course you need to complete and pass the online assessment that is available in the partner portal. The assessment contains questions on both theory and lab content. Remember that to become a Sophos Certified Engineer you need to complete and pass 2 product courses.

3

This course is split into six modules, with practical labs interspersed throughout the course to allow for application of the content discussed in the previous modules.

4

Once you complete this course, you will be able to:
• Describe the main features of Sophos Central and their benefits
• Demonstrate the use of the most commonly used features
• Deploy and manage Sophos Central in a simple environment

5

Please take a few minutes to answer the following questions on what you already know about Sophos Central. Don’t worry if you don’t know all of the answers, as all of the content will be covered in this course.


Please download the course materials from the lesson contents in the training portal:
• EH70 contains all of the module presentations as a single PDF
• EL70 is the lab workbook

9

Feedback on our courses is always welcome – please email us at [email protected] with your comments.

10

Now that you have completed this module, you should proceed to Module 701: Overview.


Hello, and welcome to this Sophos Certified Engineer training course for Sophos Central. This is Module 701, Overview.

Sophos Certified Engineer Sophos Central
ET701 – Engineer Theory
April 2016
Training version: 6.0.0
Product version: Sophos Central 6.0

This course is split into six modules, with practical labs interspersed throughout the course to allow for application of the content discussed in the previous modules. You are now in module one of six.

2

We’ll start this module by looking at an overview of Sophos Central, and then briefly cover the main features, which will be explored in more detail in the rest of the course.

3

Once you complete this module, you will be able to:
• Explain what Sophos Central is
• Describe the benefits of using Sophos Central to manage your device protection

4

Sophos Central is a web-based platform for delivering protection to all of your endpoint devices, no matter where they are located. Administered via a public-facing website, it lets you monitor and manage all of your users’ devices and quickly spot any potential problems or threats. Sophos Central provides management across multiple platforms, covering Windows, Mac, Linux, virtual servers and mobile devices, meaning that all of your devices are fully protected. The Sophos Endpoint agent delivers anti-malware protection and a host of other features to help you easily secure your devices, including:
• Web Control
• Application Control
• Peripheral Control
• Server Lockdown
• Security Heartbeat
Over the coming slides we will take a closer look at each of these features, and how they help to create a package of protection for your devices.

5

The management console for Sophos Central is browser-based so that you can access it from anywhere, and contains all of the tools that you’ll need to monitor and manage your device protection. The dashboard view at login gives you a very clear summary of the protection status of your computers, servers, mobiles and users, and the Alerts section highlights any events you need to be aware of. You can create and edit policies to apply the protection settings that you require, and apply these to your users so that no matter what device they’re using, they get the same level of protection. Servers are protected by machine-based policies, so that they remain protected no matter who is using them. All of the activity on your endpoints can be monitored via a number of reports in the management console, broken down by category or by machine, so that you can keep an eye on the activity in your organization.

6

Sophos Central can manage devices located anywhere, and will protect your devices whether they are located in the office, in a home office, or out on the road.

7

The Sophos Central endpoint agent can be installed on Windows computers and servers, Mac computers, Linux servers and AWS Linux servers, and there is a mobile app for both iOS and Android mobile devices. Sophos Central also includes protection for virtual environments with a security VM that can be used with VMware vShield. We’ll cover deployment to these devices in more detail later in this course.

8

Sophos Central uses the same anti-malware technology that protects over 100 million computers already using Sophos products; the difference is that devices are managed via the cloud-based console, rather than having a dedicated server installation on your network. The HIPS system automatically detects and protects against malicious behavior and it is tuned daily by SophosLabs, based on the latest threat behaviors that we observe. Web protection automatically blocks access to malicious and infected web sites, and prevents web exploits from attacking browser vulnerabilities, while device control gives you protection for removable devices used on your network.

9

Web control adds productivity and data loss controls to the malware protection we discussed in the previous slide, and as it’s managed in the cloud and enforced on the endpoint, the policy is enforced even when users aren’t connected to your network. Using the Cloud Web Gateway you can instantly add gateway features such as HTTPS and multi-protocol scanning and data protection to your endpoints, without the need to manage any dedicated hardware. It works across all of your devices, and manages both inbound and outbound traffic, so you can be confident that your data is protected. For example, if one of your users attempts to upload a file to Dropbox, the Web Gateway provides a number of features to manage and monitor this process. Initially, it can check to see if Dropbox is defined in the user’s policies as an allowed service, and then scan the file for malware. The contents of the file can then be scanned, looking for keywords or confidential information. If any of these checks trigger a warning, a number of things can take place, including simply blocking the upload, or stripping the confidential information out of the file before the upload is allowed. To use Cloud Web Gateway, you need to download and install a small agent onto your Windows or Mac workstations – this manages the communication between the endpoint and the Cloud Web Gateway servers, where the traffic monitoring and filtering takes place. We currently have 10 points of presence globally, with an extremely low latency of ~15ms, so even though the traffic is being monitored in the Cloud, this is almost invisible to your users. And of course, as it’s in the Cloud rather than on local hardware, you get the benefit of scalable performance, no matter where your users are.

10

Application Control enables network administrators to block certain non-malicious applications from running on work computers. Typically Application Control is used to prevent users from running applications that are not a security threat, but that are considered unsuitable for use in the workplace environment, e.g., games or instant messaging programs. It may also be used to control which applications are allowed for compatibility reasons.

11

Device Control restricts access to devices on an endpoint such as USB sticks and wireless network cards. It allows an administrator to manage whether the device type is allowed, read only, or blocked. Supported devices include:
• Removable storage, including thumb drives, USB keys, and external hard disks
• Secure removable storage
• Optical media drives (CD / DVD / Blu-ray)
• Disk drives (floppy drives)
• Network interfaces such as wireless, modems, Bluetooth and Infrared
• Media Transfer Protocol (MTP), including Blackberry, iPhone and various types of Android smart phone
• Picture Transfer Protocol (PTP), commonly used on digital cameras

12

Sophos Central is the only solution that achieves lockdown with a single click, securing your servers in a safe state. When a user clicks lockdown, Sophos Central automatically scans the system and establishes an inventory and whitelists applications. It then locks the connections between applications and associated files such as DLL, data files, and scripts. During the lockdown process, Sophos automatically creates trusted change rules to ensure only trusted sources or processes can update the whitelisted applications. Sophos Server Authority, Sophos Central’s server application intelligence system, dynamically adapts to your server environment and creates trust rules for automatic change management. This makes it easy for your IT admin to apply patches and software updates to servers in lockdown mode.

13

The Sophos Security Heartbeat shares intelligence in real time across a trusted channel between your endpoints and your firewall. This simple step of synchronizing security products that previously operated independently creates more effective protection against advanced malware and targeted attacks. Security Heartbeat automates the important step of isolating compromised endpoints. Devices share their current security status with the Sophos Firewall OS, which instantly applies a customizable policy to restrict or isolate infected systems.

14

On completion of this module, you should now be able to:
• Explain what Sophos Central is
• Describe the benefits of using Sophos Central to manage your device protection

15

Please take a few minutes to answer the following questions on the material covered in this module.



20

Now that you have completed this module, you should proceed to Module 702: Registration and management.


Hello, and welcome to this Sophos Certified Engineer training course for Sophos Central. This is Module 702, Registration and management.

Sophos Certified Engineer Sophos Central
ET702 – Engineer Theory
April 2016
Training version: 6.0.0
Product version: Sophos Central 6.0

This course is split into six modules, with practical labs interspersed throughout the course to allow for application of the content discussed in the previous modules. You are now in module two of six.

2

We’ll start this module by looking at how you get up and running with Sophos Central, and then move onto deploying your PC and mobile devices, and the system requirements for them.

3

Once you complete this module, you will be able to:
• Explain how to create an account for Sophos Central
• Navigate the console
• Create users
• Configure system settings

4

To get started with Sophos Central, you first need to sign up for a trial, via the Sophos website. After entering your name, email address and company details, you’ll receive an email with details of how to activate your trial. Before activation, you will need to choose where you would like your data to be stored; please note that this location cannot be changed after activation, and the website will automatically suggest the best option based on your current location.

5

Once you have activated your account, you can log in to the Sophos Central web interface with your email address and password. If you have purchased a license, you can now enter your Activation Code to convert the trial to a full version. While all of the Sophos Central features are available in the trial, it is time limited to 30 days, so you’ll want to apply your code as soon as possible to license the account. To enter the Activation Code, use the menu in the top-right and select Administration & Licensing, then enter your code in the box shown, above where the license details are displayed. Once this is done, the license status will be updated to show the details that relate to your license, such as the number of allowed users, and the current expiry date.

6

The Sophos Central management console is supported on all major browsers, and we would recommend that you install or upgrade to a supported version from the above list and that you always run an up to date version. We aim to support both the latest and previous versions of Google Chrome, Mozilla Firefox, and Apple Safari; if an unsupported browser is detected you will be redirected to a page that lists the currently supported browsers so that you can upgrade.

7

The dashboard view is the first thing you’ll see when you log in to your Sophos Central account. It gives you an immediate overview of the state of your account and the devices and users connected to it, and is made up of three main sections:
• Alerts
• Usage Summary
• Web Stats
You’ll also notice the navigation bar down the left-hand side of the page – this gives you access to the various parts of the Sophos Central interface, so you can manage your users, devices and servers, and run reports. If you have Web Gateway you will also have a section below these three displaying its own set of stats. We’ll now take a quick look at each of the three main areas of the dashboard.

8

The Alerts section gives a very clear overview of whether there is any action that you need to take, and breaks alerts down into three levels:
• High – immediate action is required; for example if you need to carry out manual clean up
• Medium – action may be needed, but not immediately; for example if a computer is non-compliant with its policy
• Info – for information only; for example if your APNs certificate has been renewed
To remove an alert, you can either address and fix the issue, which will then remove the alert when the device next reports in, or select the checkbox next to the alert to display further options. These options will change based on the type of alert, and will appear as buttons at the top-right of the table. For example, for a Potentially Unwanted Application (PUA) alert, you can choose to clean up or authorize the PUA on the device, or simply ignore the alert. A PUA is an application that is identified as such due to its nature or behaviour – it may be perfectly legitimate, but it’s flagged so that you have the chance to review it first.

9

The Usage Summary panel is tabbed, displaying information on:
• Users
• Computers
• Mobile devices
• Servers
• Web Gateway
It quickly shows you the status of the objects in each of these categories, broken down by their protection status and recent activity. The status changes slightly depending on what type of object is being shown. For example, computers, servers and users are split into those that are active, inactive for over two weeks, inactive for over two months and those that aren’t protected, whereas mobiles are shown in relation to their policy compliance and management status. Each tab has a ‘See Report’ link, which will take you to the respective report that provides more detailed information.

10

Finally, the Web Stats panel gives you summary information on web activity that allows you to monitor the Internet usage and behaviour of your users. This is divided into four categories:
• Web Threats Blocked
• Policy Violations Blocked
• Policy Warnings Issued
• Policy Warnings Proceeded
By clicking on any of these you will be taken to the relevant report where you can find more information.

11

Users can be created in Sophos Central in three ways:
• They are created automatically when you install onto a Windows or Mac computer, based on the user that is logged in
• You can create users manually in the console
• Users can be synchronized from Active Directory
When you create a user, you provide their first and last name, email address, and optionally their login name for Exchange, which can be used to configure email access on mobile devices. The user can be assigned to one or more groups, which can either be created manually in Sophos Central or synchronized from Active Directory. While you are creating a user, you can also select to generate a setup email for them. We will look at these in a bit more detail in a few slides’ time.

12

The third way to add users into your Central account is to set up a synchronization with your Active Directory (AD). This uses a small background service on a computer in your domain to perform a regular, one-way sync from your AD to your Central account, so that you can manage the users that already exist in your domain, and automatically add in any new ones over time. The computer running this service can be your domain controller, but doesn’t have to be if you’d prefer to run it from elsewhere. The AD Sync utility can be downloaded from the Central console in CONFIGURE > System Settings > Active Directory Sync Status. You set it up by providing credentials for an AD account that will be used for the synchronization, and can then configure how often it runs to perform the sync, or set it to manual. We’d recommend that you set it to run daily. The account that you use needs read access to the AD. Once AD Sync has performed its first synchronization from Active Directory you will be able to review the status from the same location you downloaded the tool. If you have multiple domains that you want to sync with, you just need to install the Sync utility on multiple machines, and configure each to synchronize to a different forest. You should also try to schedule the synchronizations at different times of the day, so that they don’t overlap. Please note that other directory services such as OpenLDAP and eDirectory are not currently supported.

13

Clicking on an individual user in the users list will open up the details page for the user, which is divided into four tabs:
• Summary, which contains an overview of the other three tabs
• Devices
• Events
• Policies
The ‘Devices’ tab displays all of the devices associated with the user, and allows you to perform a number of actions on the devices, depending on whether they’re mobiles or computers. The ‘Events’ tab displays all of the events for a user, which can be filtered by time range. The ‘Policies’ tab displays the policies that apply to them, with the policies at the top taking precedence.

14

There are separate device pages for Computers, Mobile Devices and Servers.

On the ‘Computers’ page you will see the security status of each device, indicated by the icon next to it, the user that was last logged in, and when it last reported in to Sophos Central. The ‘Mobiles’ page shows similar information to the ‘Computers’ page. Should you wish to delete a device, this can be done for all types of devices by using the Delete button at the top of the page. This will remove the entry from the Central console and stop the device from synchronizing, but it won’t uninstall the endpoint software on the device. On the ‘Servers’ page, you will see the IP address rather than the last logged in user, and you can also enable and disable Server Lockdown.

15

Policies are used in Sophos Central to define the security measures that will be applied to your users’ devices. They are used to manage malware scanning, peripherals, mobile devices and web control, and can be applied to individual users or user groups. Policies for computers and devices are user-based, meaning that you specify the settings you want to apply to a particular user, rather than for anyone using a particular device or computer. In contrast, server policies are device-based to ensure consistent protection that is not affected by the user that logs in. Sophos Central comes pre-configured with the Base Policy, which contains Sophos’ best practice settings, and is applied to all users. It’s perfectly safe to use only this Base Policy for all of your users and devices. However, if you want to exercise more granular control, you can create additional policies with different settings, and apply these to specific users and groups. You can clone an existing policy to give you a base to work from, or create a brand new policy from scratch. The ‘Policies’ page shows you all of your policies, and the icons in each column indicate which of the settings have been enabled for the selected policy in the list. Policy settings can be inherited, and the order that the policies appear in the list in the Sophos Central console dictates which order their settings are applied in; those at the top of the list have priority and are applied first, but if a particular setting is not defined in a policy, the next policy in the list that does define it will be used for that setting only. In this way, you can manage which policies will be applied to which users. For example, if you wanted to specify certain AV settings for a particular group of users, to override those set for all of your users, you would define the general settings in one policy and then create another policy that overrode the required settings. You then just need to place this policy above the general one in the list, and the settings would be applied in the required order. It’s sensible to have more specific policies at the top of the list, and more general policies further down, and the Base Policy will always be applied last of all.

16

You can edit all of the settings in your own policies, and make limited changes to the Base Policy; if you want to reset the Base Policy settings after making changes, you can do this with the Reset button at the top-right of the ‘Policies’ page. Your individual policies can be enabled or disabled, or set to expire at a certain time, but the Base Policy is always enabled. You can use the buttons at the top of this panel to enable and disable the policy, and edit or clone it.

17

Over the next few slides we will look at some of the global configuration that can be applied in the ‘System Settings’ section. Scanning exclusions can be applied at a policy level, and also at a global level if you want to ensure that a certain website, file or application is exempt from scanning no matter which device or user accesses it. These global exclusions will apply alongside any policy-level exclusions that are set.

18

By default, users are prevented from uninstalling protection or modifying their protection settings via a tamper protection password. This means that certain parts of the client software are read-only, unless the user authenticates themselves with this password. As you can see here, you can enable or disable the feature for all computers and servers. Each device is assigned a unique tamper protection password that can be viewed and regenerated in the device’s details. Tamper Protection can also be disabled per device.

19

Compatible servers can be configured as update caches. With this feature installed, other servers and computers can use the cache as a local update source rather than all going directly to Sophos, which can save office bandwidth. Servers need at least 5GB of disk space, and port 8191 must be available for serving the updates. Details of all of the configured update caches are published to the endpoints, and they will automatically select the nearest cache on the same network they are connected to, based on ping latency.

20

The installers for the Endpoint agent can be downloaded from the ‘Protect Devices’ section of the console. The downloaded installer can be run immediately to protect the device you are on, or transferred to the device you need to protect. The installers you download are unique to your Sophos Central account, and will configure the device to register with your account to be managed. For computers, the user that installs the software will be created in Sophos Central and assigned to the device. Note that the installers you see may depend on the license or licenses you have. For more information about the installers, please see knowledgebase article 119625. https://www.sophos.com/en-us/support/knowledgebase/119265.aspx

21

Alternatively, a setup email can be sent to users. When creating a setup email, you can select which software packages will be included: Endpoint Protection for computers and Android mobile devices, Web Gateway or Mobile Device Management, or any combination of these. The user will receive personalized emails that will allow them to install the client software and automatically link them to your Central account. Note that the only way to deploy to a mobile device is by sending a setup email. The ‘Computers’ option gives personalized links for the installers for both Windows and Mac OS X, and the user would just need to follow the appropriate link and install the software on their computer or server. The installer will automatically detect what type of machine it’s running on, and install the relevant version. When complete, the installation will be configured to link to your Central account as soon as it has completed, and the device will be associated to that user. The ‘Web Gateway’ option provides links for ChromeOS, Mac OS X and Windows. As you can see from the screenshot, the ‘Mobile devices’ email contains instructions as well as a QR code. This code contains a link to download the ‘Sophos Mobile Control’ app from the relevant app store, and also all of the information that the app needs to configure itself to link to your Central account. So the process for the user is very simple; they just need to follow the instructions in the email to install the app and then configure it by either entering the provided details manually, or just by scanning the QR code. There are a number of free apps available to scan QR codes on both iOS and Android. The steps and links in both of these emails can be re-used multiple times by the user for any of their additional computers, servers or devices, but they shouldn’t be shared with other people, as the information is specifically for that user entry in your Sophos Central account.

22

If you need to deploy the Sophos Central client software to a large number of Windows computers, you can download the installer once and then use Active Directory scripts or SCCM to distribute and install it, which will automate and facilitate the process for you. When running the installer from a script or with SCCM you will need to use the ‘-q’ switch to suppress the user interface. You can also use the ‘-tps’ switch to configure how the installer will handle the presence of third-party security software. For more information, please see knowledgebase article 120611. http://www.sophos.com/en-us/support/knowledgebase/120611.aspx

23

We have already looked at how you can activate a license, but there are also a number of other account management tasks that you can perform via the ‘Administration’ page. In addition to license management, you can change your login email address and password for Sophos Central, and also add additional administrator accounts, if you want to give access to other people via a separate login. The final thing you can do from this page is to enable assistance. This has two parts; the first is ‘Remote Assistance’, which gives Sophos Support full troubleshooting access to your Sophos Central session for 72 hours. This may be useful if you are experiencing issues that are best investigated by someone looking at your individual account. The second part is ‘Partner Assistance’, which we will look at over the next few slides.

24

When Partner Assistance is enabled in a Central account, a customer’s associated partner is granted access to their Sophos Central console which allows them to make configuration changes, just as if they were the Cloud account owner. This functionality is really useful for partners who have a number of customers using Sophos Central, as it allows you both to see a list of all of these customers, and manage their accounts from a single place. The login to their account from the Partner Portal is performed via single sign-on, so you don’t even need to have any login details for their account. To access the Sophos Central Dashboard, use the link in the Sophos Partner Portal, or directly via cloud.sophos.com/manage/partner.

25

In the Partner Central Dashboard you will see aggregated information across all of your managed customers, giving you instant visibility into items that need to be actioned. There are three main areas on the Dashboard:
• Alerts – separated into the same high, medium and info categories, with an additional category for PSA sync alerts for the ConnectWise billing integration
• Usage for your customers across all products
• License information for all Sophos Central customers, highlighting customer licenses which require attention

26

Aggregated alerts allow you to see all alerts across the customers that you currently manage, and take some limited resolution actions, with more coming in the future. Alerts can also be filtered on the customer’s name and by severity, and exported to a CSV file.

27

In the ‘Sophos Central Customers’ section you can get a view of who is using which products, and what is being trialled. It provides a single view for your business status, and opportunities such as cross selling and renewals. You can easily see which licenses are near to expiration, have already expired, or are over their usage limit. You can also launch Sophos Central with admin access to their account if you are an MSP, apply an activation key, and view a detailed breakdown of the license usage.

28

In the ‘Sophos Central Licenses’ section you can filter the view by the license state, and convert trial licenses to either a monthly billing or annual term customer.

29

On completion of this module, you should now be able to:
• Explain how to create an account for Sophos Central
• Navigate the console
• Create users
• Configure system settings

30

Please take a few minutes to answer the following questions on the material covered in this module.

31


Feedback on our courses is always welcome – please email us at [email protected] with your comments.

39

Now that you have completed this module, you should complete Lab 1 in the lab workbook and then proceed to Module 703: Endpoint protection for computers.

40


Hello, and welcome to this Sophos Certified Engineer training course for Sophos Central. This is Module 703, Endpoint protection for computers. Sophos Certified Engineer Sophos Central ET703 – Engineer Theory April 2016 Training version: 6.0.0 Product version: Sophos Central 6.0

1


This course is split into four modules, with practical labs interspersed throughout the course to allow for application of the content discussed in the previous modules. You are now in module three of six.

2

In this module we will cover protecting and managing computers.

3

Once you complete this module, you will be able to:
• Protect Windows and Mac computers
• Manage computers
• Configure user policies

4

Now that you have a Central account setup, you can start deploying the protection software to your devices. In this module we will look at protecting your Windows and Mac OS X computers. The physical system requirements for your computers are fairly simple, with all of them only requiring 1GB of memory and free disk space for the endpoint client. In terms of operating systems, as you can see, a wide range are supported, so you should be able to easily protect all of your machines.

5

Let’s start by looking at the installation on a Windows computer.

There are two ways to get the installer for the Windows Endpoint agent, [Click] using the link in the setup email, or downloading it from the ‘Protect Devices’ section of the console. [Click] The installer starts by performing a compatibility check on the computer, assuming everything is okay, you can proceed with the installation. [Click] The Windows computer software includes a tool to remove any previously installed antivirus software, which is important to avoid conflicts with the Sophos protection software. [Click] The installer will then begin by installing the updating tool which will download and install the rest of the Endpoint security software.

6

The Cloud Web Gateway is a separate installer for Windows computers.

[Click] Once the license is accepted, the installer will download and install the Web Gateway software. [Click] At the end of the installation, Web Gateway will be registered with your user in Sophos Central. If you do not have the Endpoint agent installed, you will be prompted to confirm which user the installation should be registered to. [Click] The icon in the system tray will initially be grey, [Click] but once Web Gateway has connected and retrieved a policy it will become blue.

7

The installation on a Mac is very similar to Windows and really straight forward.

The installer can be downloaded using the link in the setup email or from the Sophos Central console. [Click] To install on a Mac, you need to enter the password of an admin user. [Click] The installer will then download and install the software. [Click] Once the installation is complete, [Click] Sophos can be managed using the icon in the menu bar.

8

A final option for deployment is to migrate in endpoints that are already protected by the on-premise Sophos Enterprise Console (SEC), which provides protection for workstations and servers. If you already have a SEC installation, with your computers and servers protected, you can move these to be managed by your Central account. There are some pre-requisites that you must meet, and the two most important of these are that your computers must meet the Sophos Central system requirements, and that all of the policy settings and enabled features for them must be supported by Sophos Central. You can download a tool which will step you through the process from KBA 122264 (http://www.sophos.com/en-us/support/knowledgebase/122264.aspx). This article also has more information on the migration process, and the preparation steps that you need to undertake. The tool will identify whether your machines are ready to be migrated – as you can see in the screenshot here, there are a number of areas that need to be addressed before these particular machines can be moved, such as disabling policy settings. Please also note that the SEC management server itself cannot be migrated.

9

All of your protected computers can be viewed in the Sophos Central console. Next to each computer is an icon that indicates the status of the computer, ranging from green to yellow to red. The computers can be filtered using the drop-down box to show computers with medium or bad status, no user, or a server operating system. There is also a search field that can be used to filter by computer name. If a server has been added as a computer, it can be selected and migrated to the Servers section. This is important to ensure that the right protection is configured. Note that this is a one-way process, and servers cannot be migrated back to computers.

10

On the left-hand side of the computer details page are buttons that allow you to trigger an update or a scan on the computer. The rest of the computer’s details are separated into four tabs:
• Summary
• Events
• Status
• Policies
The Summary tab shows the five most recent events, and details about the computer, including the IP address, operating system, last user and when it last reported in. [Click] At the bottom of this tab are the Tamper Protection controls. If Tamper Protection is enabled globally, here you can disable it for a specific computer, or view and regenerate the password.

11

On the Events tab you can filter the events based on a date range.

12

The Status tab displays more detail about the security status of the computer and any alerts. [Click] Here we can see that this computer has no detections, and that the services are running normally.

13

The final tab shows the policies that apply to the computer, with the policies at the top taking precedence over lower policies. We will now take a look at how to configure a user policy.

14

When you open up a policy to edit it, you are presented with a page that is split into a number of sections, each covering different aspects of the policy. [Click] The first section contains settings for the users and groups that you want the policy to apply to. All of your users and groups will be displayed in the left-hand pane, and you just need to move all of the required accounts to the right-hand pane. [Click] The second section is where you decide whether the policy is enabled or disabled, and if you want to specify an expiry time, after which the policy will be automatically disabled.
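The way these settings combine (targeted users and groups, the enabled flag, the expiry time, and the top-of-list-wins ordering shown on the Policies tab) can be illustrated with a small model. The Python below is an added example for this handout, not Sophos code: the Policy record, its field names, the ISO 8601 timestamps and the fallback to a policy named "Base Policy" for a user matched by nothing else are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Policy:
    """Assumed, simplified model of one user policy (field names are assumptions)."""
    name: str
    users: set = field(default_factory=set)    # user names the policy targets
    groups: set = field(default_factory=set)   # group names the policy targets
    enabled: bool = True
    expires_at: Optional[str] = None           # ISO 8601 UTC timestamp, or None

    def is_active(self, now: datetime) -> bool:
        """A policy is in force only while enabled and not past its expiry time."""
        if not self.enabled:
            return False
        if self.expires_at is not None:
            expiry = datetime.fromisoformat(self.expires_at).replace(tzinfo=timezone.utc)
            if now >= expiry:
                return False
        return True

    def applies_to(self, user: str, user_groups: set) -> bool:
        """The policy targets the user directly or via any group they belong to."""
        return user in self.users or bool(self.groups & user_groups)


def effective_policy(ordered_policies, user, user_groups, now_iso):
    """Return the name of the first active policy, in console order (top wins),
    that targets the user; fall back to the base policy when none does."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    for policy in ordered_policies:
        if policy.is_active(now) and policy.applies_to(user, user_groups):
            return policy.name
    return "Base Policy"   # assumed fallback name


# Constructed policy list, in the order it would appear in the console.
POLICIES = [
    Policy("Finance lockdown", groups={"Finance"}, expires_at="2016-06-30T00:00:00"),
    Policy("Contractors", users={"bob"}, enabled=False),
    Policy("All staff", groups={"Staff"}),
]

if __name__ == "__main__":
    # Before expiry the Finance policy wins; after expiry the next match applies.
    print(effective_policy(POLICIES, "alice", {"Finance", "Staff"}, "2016-05-01T12:00:00"))
    print(effective_policy(POLICIES, "alice", {"Finance", "Staff"}, "2016-07-01T00:00:00"))
```

Note that a disabled policy is skipped entirely, so "bob" above receives "All staff" rather than "Contractors", and a user in no targeted group drops through to the base policy.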

15

The malware policy section allows you to configure how your Windows and Mac devices will be scanned and monitored to provide protection against threats such as viruses, spyware and other PUAs. Scanning is performed on both local files and accessed websites, and our proprietary technology means that you are protected against existing, new, and even unknown threats, so you can be confident that you have the most up to date protection. [Click] Malware scanning can be performed in real-time and set on a schedule; we’d recommend that you leave your policies set to the default of real-time scanning, so that your devices are always protected. If you do want to specify a schedule, this can be configured for a given time on any or all days of the week. [Click] You can specify exclusions for scanning, which might be useful to allow certain files, websites or applications to be used even if they are being detected as malware by the scanning engine. For example, you may wish to use diagnostic tools such as PsExec; this would normally be detected as a PUA and therefore blocked from running, but you can add an exclusion to allow its use on your devices.

16

The policy section for peripherals lets you both monitor and block the use of removable devices and other peripherals on your Windows and Mac computers. [Click] By setting the access policy to allow or block, you can control access to these peripherals on your users’ devices. For storage media, such as USB or optical drives, you can also set them to be read-only, and wireless devices can be prevented from being used in bridged mode. [Click] When set to just monitor, any detected peripherals will be recorded and can then be used in the ‘Exemptions’ section to specify an explicit rule for a particular peripheral. For example, in the screenshot shown, optical drives are blocked in the overall policy settings, but an exemption has been created for a particular optical drive ID detected on a device.

17

Application control in Sophos Central lets you monitor and manage the Windows applications that your users have access to. In the policy, you can define all of the applications that you want to control, and whether you want them to be detected on user access and/or during scans. You can also then choose to allow or block the controlled applications, so this feature can be used to track and restrict your users’ activities. You’ll be notified of any detections in the device’s properties page in the Central console. [Click] To get started, click on the ‘Add/Edit List’ button, and you’ll see a popup containing a comprehensive list of applications, organised into categories. This list is populated and maintained by Sophos, and contains all of the applications that you’re likely to want to control. If you have an application that isn’t in the list, just let us know via the link at the bottom of the policy section, and we’ll add it for you. You can choose a single application within a category, or select everything currently in that set, [Click] and also choose to automatically add any new applications that Sophos adds to the category in the future. So, if you wanted to block all browser toolbars, you’d just select everything currently in the ‘Toolbar’ category, and check the box shown to automatically add any future toolbars that are added.

18

The next policy section relates to web control. As we saw in the malware policy section, malicious websites and web content are already blocked and scanned by default to protect your devices, and the web control policy section gives you even more security and further filtering options for your Windows and Mac computers. [Click] For the additional security options section, you can choose how risky files, advertisements and uncategorized files are dealt with on the device. You can use the Sophos recommended settings or specify yourself how each type of file should be processed, based on the categories shown in the screenshot, such as ActiveX controls and PDF files. [Click] The web usage section allows you to control which websites your users are allowed to visit. There are four pre-set categories; ‘Keep it clean’, ‘Gentle guidance’, ‘Conserve bandwidth’ and ‘Business only’, all of which apply different settings to Allow, Block or Warn for various categories and sub-categories of websites. Alternatively, you can choose to specify your own settings, should you want to have more granular control over certain websites or categories. [Click] The data loss section lets you block or allow websites that are associated with data sharing, and similarly to the last two sections, you can specify your own settings should you want more control. [Click] You can choose to log all attempts to visit blocked sites, along with instances where users proceeded past warnings, or choose only to log attempts to visit infected sites. All logged events will be visible in the reports section, which we’ll cover in the next module. [Click] The custom sites section allows you to specify custom categories and websites, and then define specific actions for them that might override the settings elsewhere in the policy. Before they can be selected here the websites need to be configured in the System Settings, which we will take a look at now.

19

It is possible to change the default behaviour of Web Control for specific websites by either applying tags to them, which can then have an action configured for them in the policy, or by overriding the default category for the website. This can be done for single URLs, domains, TLDs (top-level domains), IP addresses and CIDR ranges (subnets).
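To make the five override kinds concrete, here is a matcher that takes a requested URL and returns the override rule that applies to it. This is an added example written for this handout, not Sophos code; the rule dictionary format, the tag and category field names and the assumption that a more specific rule (single URL, then IP, CIDR, domain, TLD) wins over a less specific one are all made up for the example. Only Python standard-library modules are used.

```python
import ipaddress
from urllib.parse import urlsplit

# Rule kinds from the page, ordered from most to least specific (assumed ordering).
SPECIFICITY = {"url": 0, "ip": 1, "cidr": 2, "domain": 3, "tld": 4}


def _split(url: str):
    """Return (lower-cased host, path without trailing slash) for a URL or bare host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path


def _matches(rule: dict, url: str) -> bool:
    kind, value = rule["kind"], rule["value"].lower()
    host, path = _split(url)
    if kind == "url":
        # Single URL: scheme, query string and fragment are ignored.
        return (host, path) == _split(value)
    if kind == "domain":
        # The domain itself and any subdomain, but not "example.com.evil.zip".
        return host == value or host.endswith("." + value)
    if kind == "tld":
        return host.endswith("." + value.lstrip("."))
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # a hostname can never satisfy an IP or CIDR rule
    if kind == "ip":
        return addr == ipaddress.ip_address(value)
    if kind == "cidr":
        return addr in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unknown rule kind: {kind}")


def lookup_override(url: str, rules: list):
    """Return the most specific override rule matching the URL, or None."""
    matches = [r for r in rules if _matches(r, url)]
    if not matches:
        return None
    return min(matches, key=lambda r: SPECIFICITY[r["kind"]])


# Constructed override rules, one of each kind the page lists.
OVERRIDES = [
    {"kind": "url", "value": "http://intranet.example.com/hr", "tag": "HR portal"},
    {"kind": "domain", "value": "example.com", "category": "Business"},
    {"kind": "tld", "value": ".zip", "tag": "Risky TLD"},
    {"kind": "ip", "value": "10.0.0.5", "tag": "Print server"},
    {"kind": "cidr", "value": "192.168.0.0/16", "category": "Internal"},
]

if __name__ == "__main__":
    for u in ("http://intranet.example.com/hr/", "https://mail.example.com/inbox",
              "http://example.com.evil.zip/", "http://192.168.4.7/admin"):
        print(u, "->", lookup_override(u, OVERRIDES))
```

The domain rule deliberately checks for a leading dot so that a look-alike host such as example.com.evil.zip does not inherit the Business category; it falls through to the TLD rule instead.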

20

Similarly to the Web Control policy section, with Web Gateway you have the ability to prevent downloading of risky files, and define what type of web usage you want to allow. You can tag websites and take a specific action on them, such as to audit or block access to them, and log either all or only specific types of traffic passing through the gateway. When storing the logged information, you can choose to remove URL parameters, which may contain sensitive information.

21

The Web Gateway can scan SSL traffic to ensure that you’re fully protected and aware of what your users are accessing, even when they’re protected by SSL encryption. If you want to trust a destination IP or domain, you can specify this in the policy, and then any traffic to those destinations will route directly, rather than through the Web Gateway. Similarly, if you want traffic from a source IP to be trusted, you can specify this and it will be routed directly via the local agent. This might be relevant when inside a corporate network. The final thing that you can specify in the policy is data filtering – this can examine traffic for specific keywords and regular expressions, and then perform a defined action on a match.
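Two of the Web Gateway settings just described, removing URL parameters from stored logs and matching traffic against keywords and regular expressions in the data filter, can be shown together in one short pipeline. The Python below is an added example for this handout, not Sophos code: the rule structure, the rule names, the "block" over "audit" over "allow" precedence and the sample request are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def strip_url_parameters(url: str) -> str:
    """Drop the query string and fragment before a URL is written to the log,
    so tokens or search terms carried in parameters are not retained."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


# Constructed data-filtering rules: a keyword list and a regular expression,
# each with an action to take on a match (field names are assumptions).
DATA_FILTER_RULES = [
    {"name": "confidential-marking",
     "keywords": ["CONFIDENTIAL", "INTERNAL ONLY"], "action": "block"},
    {"name": "payment-card",
     "pattern": r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b", "action": "audit"},
]

ACTION_RANK = {"allow": 0, "audit": 1, "block": 2}   # strongest action wins


def evaluate_data_filter(payload: str, rules=DATA_FILTER_RULES):
    """Return the names of every rule the payload matches."""
    hits = []
    lowered = payload.lower()
    for rule in rules:
        if "keywords" in rule and any(k.lower() in lowered for k in rule["keywords"]):
            hits.append(rule["name"])
        elif "pattern" in rule and re.search(rule["pattern"], payload):
            hits.append(rule["name"])
    return hits


def gateway_decision(url: str, payload: str, rules=DATA_FILTER_RULES,
                     strip_parameters: bool = True) -> dict:
    """Combine the data filter verdict with the URL as it would be logged."""
    hits = evaluate_data_filter(payload, rules)
    actions = [r["action"] for r in rules if r["name"] in hits]
    action = max(actions, key=ACTION_RANK.get, default="allow")
    return {
        "logged_url": strip_url_parameters(url) if strip_parameters else url,
        "matched_rules": hits,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed sample: an upload whose URL carries a token in its parameters.
    sample_url = "https://share.example.net/upload?token=abc123&file=q4.xlsx#top"
    print(gateway_decision(sample_url, "Board pack - INTERNAL ONLY - card 4111 1111 1111 1111"))
```

With parameter stripping enabled, the token in the sample URL never reaches the log; with it disabled, the log line would contain the full query string, which is exactly the sensitive information the page warns about.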

22

On completion of this module, you should be able to:
• Protect Windows and Mac computers
• Manage computers
• Configure user policies

23

Please take a few minutes to answer the following questions on the material covered in this module.

24


Feedback on our courses is always welcome – please email us at [email protected] with your comments.

28

Now that you have completed this module, you should complete Module 704: Endpoint protection for mobile devices.

29


Hello, and welcome to this Sophos Certified Engineer training course for Sophos Central. This is Module 704, Endpoint protection for mobile devices. Sophos Certified Engineer Sophos Central ET704 – Engineer Theory April 2016 Training version: 6.0.0 Product version: Sophos Central 6.0

1


This course is split into four modules, with practical labs interspersed throughout the course to allow for application of the content discussed in the previous modules. You are now in module four of six.

2

In this module we will cover enrolling devices into Sophos Central and managing the mobile policy settings.

3

Once you complete this module, you will be able to:
• Create and install an APNs certificate
• Enrol a mobile device into Sophos Central
• Manage mobile policy settings

4

Mobile devices are supported for the most current and recent versions, and support will continue to be provided for new iOS and Android versions as they are released. As we covered in the first module, managing mobile devices uses cloud services provided by Apple and Google for iOS and Android respectively. For Android devices, this works automatically; however for Apple devices, you need to install an Apple Push Notification service (APNs) certificate on the management server, Sophos Central in this case, to allow trusted communication between the management server and the mobile device. Creating and installing the APNs certificate is fairly simple, let’s take a look at how to do this.

5

To create the APNs certificate, click the Enable iOS support now link in CONFIGURE > System Settings > iOS Settings for MDM in the Sophos Central console. This will take you to a page that explains the process as shown here, which is as follows:
1. Download Certificate Signing Request – Firstly, download a certificate signing request from your Central account
2. Create APNS Certificate – Next, log into the Apple Push Certificate Portal with an Apple ID, and create and download a certificate. It is recommended that you create a new Apple ID for your Sophos Central account, and you’ll need to remember the login details, as the ID will be needed for all future certificate renewals for the account
3. Upload APNS Certificate – Finally, upload the newly created certificate into your Central account
When this is complete, your APNS Certificate status will be displayed at the top of the page. By default, this certificate will be valid for 1 year, after which time you’ll need to renew it via the same process.

6

We will now look at how to enrol an Android and an iOS device into Sophos Central. The process starts in exactly the same way as for computers, by sending a setup email to the user. The first thing the user will need to do is to install the Sophos Mobile Control app from their device’s app store. The setup email contains a link to the app, or if they are reading the email on a computer and have a QR code scanner installed, they can scan the QR code in the email as it contains a link to the app. When installing the Sophos Mobile Control app, the user will also be prompted to install the Sophos Security & Antivirus Guard app, which protects the Sophos Mobile Control app from being terminated. Once these are installed, the user needs to scan the QR code in the setup email with the Sophos Mobile Control app to configure it with details to connect to your Sophos Central account. If the user is reading the email on the device they want to enrol, a link is provided. The user will be prompted to grant the Sophos Mobile Control app the privileges it needs. In this case the Sophos Mobile Control app needs to have device administration rights activated. On Samsung devices, users may also be prompted to accept Samsung's KNOX terms and conditions. If the Android protection option was selected when sending the setup email, the user will be prompted to install Sophos Mobile Security from the Play Store. Sophos Mobile Security will also prompt the user to activate the permissions it requires, then it will perform a scan on the device and report the results back to Sophos Central.

7

The iOS enrolment process is similar to Android but simpler.

The users will need to install the Sophos Mobile Control app from the App Store, then scan the QR code with the app. The user will then be prompted to install the management profile, and confirm that they trust the source. Once the profile is installed, the device is managed by Sophos Central.

8

Mobile devices are displayed in the console like computers, but show slightly different information that focuses on the device’s compliance state, management state, and whether Mobile Security is installed. The details of mobile devices have the same four tabs for ‘Details’, ‘Events’, ‘Status’ and ‘Policies’, but they have a different set of actions that can be used to manage them. For those Android devices with Mobile Security installed you can initiate a scan from the console, and for all devices you can send a message, lock and unlock the device, locate the device, and wipe the device.

9

We will now take a look at the settings available in the Mobile Device Management and Mobile Security sections of the user policies. The mobile devices policy section gives you a large amount of control over the iOS and Android devices used with Sophos Central, such as defining a password policy, which device features are available, and which OS versions are allowed. All of this means that you can ensure that your users’ devices are protected, and also prevent them from being used to perform malicious or unwanted activity. The password policy settings let you specify whether a password is required for the device, and what form and length it must take. You can also configure extra settings relating to passwords, such as the maximum age, and the maximum auto-lock timeout. Please note that if you use the setting to restrict the number of login attempts, the device will automatically be wiped when this number is exceeded, so use with caution!

10

You can disable or hide certain features on your users’ mobile devices such as the App Store or access to the camera, which will help ensure that devices remain compliant. The full list of supported features is shown in the screenshot, along with which settings are available for both iOS and Android, as certain features aren’t relevant to both platforms.

11

You can use Sophos Central to configure access to an Exchange ActiveSync enabled account. Before you can select the configuration in the policy, you need to configure it in CONFIGURE > System Settings > Exchange Settings. In the configuration you define details for the server, and can either choose to specify the account credentials directly in the configuration, or use the Exchange login from the user account. In the policy you will see the configurations listed for each Exchange server.

12

Similarly to Exchange, Wi-Fi settings need to be configured from CONFIGURE > System Settings before they can be selected in the policy. Including Wi-Fi configuration in the policy is a simple way to give network access to managed mobile devices without having to share the Wi-Fi key, which in turn makes it impossible for unmanaged devices to connect.

13

The final part of the Mobile Device Management settings relates to device compliance. You can set the policy to report the device as non-compliant if it is jailbroken or rooted, if it hasn’t checked in or synced for a certain period of time, or if a certain OS version is or isn’t installed. Depending on your requirements, you can then trigger all Wi-Fi or email settings to be removed from the device. As you can see, there are a lot of settings that can be applied to mobile devices through Sophos Central, all of which mean that you can keep your users’ devices safe, and protect your network.
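The compliance rules above (jailbroken or rooted, not checked in for a period, and an OS version that is or isn’t installed) and the resulting removal of Wi-Fi or email settings can be modelled in a few lines. The Python below is an added example for this handout, not Sophos code: the device and rule dictionaries, their field names, the ISO 8601 timestamps and the sample devices are constructed for the example, and OS versions are compared numerically component by component, which is an assumption.

```python
from datetime import datetime, timedelta


def _version(text: str):
    """'9.2.1' -> (9, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_compliance(device: dict, rules: dict, now_iso: str) -> dict:
    """Evaluate one device against the compliance rules and return the
    violations found plus the settings the policy says to remove."""
    now = datetime.fromisoformat(now_iso)
    violations = []

    if rules.get("block_jailbroken_rooted") and device.get("jailbroken_or_rooted"):
        violations.append("jailbroken/rooted")

    max_days = rules.get("max_days_since_sync")
    if max_days is not None:
        last_sync = datetime.fromisoformat(device["last_sync"])
        if now - last_sync > timedelta(days=max_days):
            violations.append("stale sync")

    min_os = rules.get("min_os_version")
    if min_os and _version(device["os_version"]) < _version(min_os):
        violations.append("os version too old")

    if device["os_version"] in rules.get("denied_os_versions", []):
        violations.append("os version denied")

    compliant = not violations
    return {
        "device": device["name"],
        "compliant": compliant,
        "violations": violations,
        # Settings removed from the device only when it is non-compliant.
        "remove_settings": [] if compliant else list(rules.get("on_violation", [])),
    }


# Constructed compliance rules and sample devices.
RULES = {
    "block_jailbroken_rooted": True,
    "max_days_since_sync": 7,
    "min_os_version": "9.0",
    "denied_os_versions": ["9.2.1"],
    "on_violation": ["wifi", "email"],
}

DEVICES = [
    {"name": "ipad-01", "jailbroken_or_rooted": False,
     "last_sync": "2016-04-20T08:00:00", "os_version": "9.3"},
    {"name": "android-07", "jailbroken_or_rooted": True,
     "last_sync": "2016-04-01T08:00:00", "os_version": "5.1"},
    {"name": "iphone-03", "jailbroken_or_rooted": False,
     "last_sync": "2016-04-21T08:00:00", "os_version": "9.2.1"},
]

if __name__ == "__main__":
    for device in DEVICES:
        print(check_compliance(device, RULES, "2016-04-22T09:00:00"))
```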

14

Sophos Mobile Security scans the mobile device for malware and reports any malicious apps. It automatically scans apps when they are installed. In addition, you can schedule scanning of the entire device, including system apps, SD cards and external USB devices, as well as configure scanning for potentially unwanted apps (PUA) and low reputation apps. In the policy you can define the scanning schedule, whether to scan for PUAs and low reputation apps, and which locations and apps to include in the scan. You can define apps that the users are allowed to use and are not reported as potentially unwanted apps (PUAs) or low reputation apps during a mobile device scan. Like the Exchange and Wi-Fi settings, allowed apps need to be configured in System Settings before they can be added to the policy.

15

On completion of this module, you should now be able to:
• Create and install an APNs certificate
• Enrol a mobile device into Sophos Central
• Manage mobile policy settings

16

Please take a few minutes to answer the following questions on the material covered in this module.

17


Feedback on our courses is always welcome – please email us at [email protected] with your comments.

21

Now that you have completed this module, you should complete labs 2 and 3, and then proceed to Module 705: Server protection.

22


Hello, and welcome to this Sophos Certified Engineer training course for Sophos Central. This is Module 705, Server protection. Sophos Certified Engineer Sophos Central ET705 – Engineer Theory April 2016 Training version: 6.0.0 Product version: Sophos Central 6.0

1


This course is split into four modules, with practical labs interspersed throughout the course to allow for application of the content discussed in the previous modules. You are now in module five of six.

2

In this module we will look at managing servers, server policies and how to use Server Lockdown. We will also briefly cover how Sophos Central can be used to protect virtual environments and AWS Linux servers.

3

Once you complete this module, you will be able to:
• Configure server policies
• Enable Server Lockdown

4

The physical system requirements for your Windows servers are fairly simple, with all supported versions requiring only 1GB of memory and free disk space for the endpoint client. For details of which Linux distributions are supported, please see knowledgebase article 118624 on the Sophos website.

5

Windows and Linux servers appear in the Sophos Central console in a similar way to computers and mobile devices. You access the ‘Servers’ view via the dedicated ‘Servers’ section, where you will see a list of the servers that are linked to your account; these will have been deployed in the same way as computers, as we covered in module 703, and the installer will detect whether it’s running on a workstation or server and report back to Sophos Central accordingly.

6

Clicking on a server in the list will open up its properties page, where you can see details such as the IP, OS and applied policies, as well as a summary of the server’s events. There is a separate ‘Lockdown Events’ tab, which we will look at separately with Server Lockdown later in this module. You’ll also notice the ‘Exclusions’ tab, where you can see any files or applications that are excluded from scanning for threats. The last tab shows the policies that apply to the server, with the policies at the top taking precedence.

7

Policies for servers are configured in the same way as for devices, as we saw earlier; you can just use the existing base policy, or create new policies to be applied to different servers. The main difference to note is that server policies are machine-based, meaning that they apply to the server itself, irrespective of the user logged in. This means that your server will always be protected by the settings you define, and you don’t need to ensure that any of your users have anything specific set in their policies in the event that they log in to the server.

8

In your server policies, you can configure real-time scanning of local and network files, including website downloads, block access to malicious websites, and also use the intelligent Sophos protection technology to detect malicious behaviour by a not-yet-discovered threat. Similarly to device scanning policies, scans can also be scheduled, and you can define exclusions for particular files, websites and applications that you want to be exempt from scanning. A number of applications used on servers, such as Exchange, have files which must be excluded from scanning in order to prevent issues when using them; Sophos Central provides automatic exclusions for these applications, and you can find an up-to-date list of them in KBA 121461 (http://www.sophos.com/en-us/support/knowledgebase/121461.aspx).

9

The Server Lockdown feature in Sophos Central allows you to restrict the applications that can run on your servers, and also which of them can interact with each other. It uses drivers that reside in the operating system kernel and works by creating an initial whitelist of known ‘good’ applications – when you enable Lockdown, all existing applications that are installed on the server are trusted. After this point, new applications won’t be able to run unless explicitly approved by the Sophos Central administrator.

10

To lock down the server, first make sure that it’s in the state that you want to start from by checking the following:
• all applications that are installed are trusted by you
• you’ve installed any required server roles or features and any relevant Windows updates
• you’ve removed any unwanted installers that you may have downloaded.
You should also define the policy that will apply to your server, which allows you to specify any excluded files or folders. This helps to ensure that your whitelist will be created as intended. You should also note that software shouldn’t be installed or updated while the Lockdown process is taking place. To begin the process, simply click the ‘Lock Down’ button on the server’s properties page, or the link on the ‘Servers’ page, and then click ‘Begin Lockdown’ in the dialog that appears. The process will start on the server, and should take around 30 minutes to complete. You can continue to use the server while this is happening, but as mentioned, don’t install or update any software. You’ll see a status message indicating the progress on the left-hand side of the server’s properties page, under ‘Lockdown Status’. When the Lockdown is complete, any new applications will not be able to run or be installed, nor will changes be allowed for any installed applications, including renaming, moving and deleting them. Any user attempting to run an unapproved application will see an ‘Application Blocked’ error message. You’ll also see a new ‘Lockdown Events’ tab on the server’s properties page, showing any triggered warnings or events relating to the Lockdown status of the server. Once the server is in a Lockdown state, if you wish to allow new software to be run or installed, you will have to explicitly specify a file or folder in the server’s policy, in the lockdown preferences section. You can also block currently allowed software here, if you wish to revoke access to an application.

If you want to completely unlock the server, click the ‘Unlock’ button on the server’s properties page; this will allow all applications to run once again without approval. Server Lockdown events can be viewed in the server’s details on the ‘Lockdown Events’ tab. To get the latest alerts, click the ‘Update Report’ button.
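To see what the whitelist approach means in practice, here is an added Python example that is not Sophos code and does not reproduce the Lockdown driver: it hashes every executable-looking file under a directory tree to form a baseline, then reports anything added, modified, renamed or removed afterwards, which are exactly the kinds of change Lockdown refuses once enabled. It also illustrates why the pre-Lockdown checklist matters: a stray installer present at baseline time is trusted like everything else, so the manifest is only as clean as the server was when it was taken. The directory tree, file names and contents are constructed in a temporary directory so that the script runs on any machine, and the set of 'executable' extensions is an assumption.

```python
"""Hash manifest of a server's executables: baseline before Lockdown, diff afterwards.

Added example, not Sophos code and not how the Lockdown driver works internally.
It models the whitelist idea: everything present at baseline time is trusted, and
anything new, modified, renamed or removed afterwards is reported.
"""
import hashlib
import os
import tempfile

# Assumed set of file types worth tracking; a real inventory would be broader.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".msi", ".ps1", ".bat", ".cmd"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (with '/' separators) -> SHA-256 for executables under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest


def diff_manifests(baseline, current):
    """Classify changes relative to the baseline whitelist."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    # A hash that left one path and reappeared at another is a rename or move.
    # (If two baseline files share a hash only one of them is kept here.)
    baseline_by_hash = {h: p for p, h in baseline.items()}
    renamed = []
    for new_path in added:
        old_path = baseline_by_hash.get(current[new_path])
        if old_path in removed:
            renamed.append((old_path, new_path))
    renamed_from = {old for old, _ in renamed}
    renamed_to = {new for _, new in renamed}
    return {
        "added": [p for p in added if p not in renamed_to],
        "removed": [p for p in removed if p not in renamed_from],
        "modified": modified,
        "renamed": renamed,
    }


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: take a baseline, then make each kind of change Lockdown blocks."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "Program Files/App/app.exe", b"MZ app v1")
        write(root, "Program Files/App/helper.dll", b"MZ helper")
        write(root, "Windows/System32/svc.exe", b"MZ service")
        write(root, "Users/admin/notes.txt", b"not executable, ignored")
        baseline = build_manifest(root)

        write(root, "Users/admin/Downloads/installer.msi", b"new installer")   # new file
        write(root, "Program Files/App/app.exe", b"MZ app v2")                  # updated binary
        os.replace(os.path.join(root, "Program Files/App/helper.dll"),
                   os.path.join(root, "Program Files/App/helper_old.dll"))      # rename
        os.remove(os.path.join(root, "Windows/System32/svc.exe"))              # delete
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:9} {items}")
```

Taking such a manifest immediately before clicking ‘Begin Lockdown’ and keeping it with the change record gives you an independent list of what was trusted, which is useful when a later ‘Application Blocked’ event needs to be explained.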


You can use Sophos Central to protect your virtual machines (VMs) in VMware environments with vShield Endpoint. To do this, you must install a Sophos security VM (SSVM) on your host to provide central anti-virus scanning for all the guest VMs on that host. When the SSVM is installed, it appears in Sophos Central in the ‘Servers’ section and is assigned a policy; by default this is the base policy. Guest VMs must have the vShield Endpoint Thin Agent installed for the SSVM to be able to protect them; a guest without the thin agent is not scanned. There is also an optional Sophos guest agent that makes automatic cleanup of threats possible. For more information please see knowledgebase article 122846 (https://www.sophos.com/en-us/support/knowledgebase/122846.aspx).


You can protect AWS Linux servers with Sophos Secure OS. Sophos Secure OS is a pre-built CentOS 6.6 Linux image containing a self-compiled copy of standalone Sophos Anti-Virus for Linux, and is only made available via Amazon Web Services (AWS). Once you have deployed Sophos Secure OS on AWS, you can register it with your Sophos Central account to manage it; the command for enabling management in your Central account can be found in the ‘Protect Devices’ section of the console. As the image is a fixed point release, apply operating system updates after deployment as you would for any other server. For more information please see knowledgebase article 121414 (https://www.sophos.com/en-us/support/knowledgebase/121414.aspx).


On completion of this module, you should now be able to:
• Configure server policies
• Enable Server Lockdown


Please take a few minutes to answer the following questions on the material covered in this module.





Feedback on our courses is always welcome – please email us at [email protected] with your comments.


Now that you have completed this module, you should complete Module 706: Reporting.



Hello, and welcome to this Sophos Certified Engineer training course for Sophos Central. This is Module 706, Reporting. Sophos Certified Engineer Sophos Central ET706 – Engineer Theory April 2016 Training version: 6.0.0 Product version: Sophos Central 6.0




This course is split into four modules, with practical labs interspersed throughout the course to allow for application of the content discussed in the previous modules. You are now in the last module.


In this module we will look at the different reports that are available in Sophos Central.


Once you complete this module, you will be able to:
• Run reports for your Sophos Central account


Sophos Central contains a number of reports, which give you a summary of various aspects of your account, such as your users, computers and servers. All of the reports are accessible via the ‘Logs & Reports’ section in the management console, as shown in the screenshot here. The available reports are split into four categories:
• Endpoint Protection
• Application Control
• Web Control
• Web Gateway
We will start by looking at a couple of the reports from the Endpoint Protection section.


The Events report allows you to see all of the events that have been generated in your Central account by your users and devices. You can filter the date range of the view via the slider at the top of the report, and filter on event type via the panel to the left of the graph. This filter is useful if, for example, you just want to see all policy violations or all malware detections. These filters can be further expanded for each event type so that you can report on the specific actions taken for that event type: for example, malware that has been detected, cleaned up, not cleaned up, or locally cleared. You can export this and other reports in Sophos Central to CSV or PDF via the buttons at the top-right of the report, which helps with offline manipulation or presentation of the data outside of the Central console.
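The same filtering and sub-filtering can be reproduced offline on a CSV export, which is useful when you want to check the report's figures from a script or keep a record outside the console. The following Python is an added example, not Sophos code: it loads a constructed CSV whose column names (When, Event, Type, Device, User) and event wording are assumptions standing in for the real export format, filters by date range and event type, counts malware events by outcome (detected, cleaned up, not cleaned up, locally cleared), and lists devices whose most recent malware event was still unresolved. Adjust the column names to match a real export before using it.

```python
"""Summarise an exported Events report offline.

Added example, not Sophos code. The CSV below is constructed to resemble an
export; its column names and event wording are assumptions, not the exact
Sophos Central 6.0 export format.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export (assumed columns: When, Event, Type, Device, User).
SAMPLE_CSV = """When,Event,Type,Device,User
2016-04-11 09:02:13,Malware detected: Troj/Agent-XYZ in C:\\Users\\alice\\Downloads\\invoice.exe,Malware,WS-ALICE,alice
2016-04-11 09:02:20,Malware cleaned up: Troj/Agent-XYZ,Malware,WS-ALICE,alice
2016-04-11 10:15:44,Malware detected: Mal/Generic-S in D:\\Shares\\tools\\crack.exe,Malware,SRV-FILE01,svc_backup
2016-04-11 10:15:50,Malware not cleaned up: Mal/Generic-S,Malware,SRV-FILE01,svc_backup
2016-04-11 11:30:00,Application blocked: uTorrent,Policy violation,WS-BOB,bob
2016-04-12 08:00:05,Website blocked: example.invalid (category: Proxies),Web control,WS-BOB,bob
2016-04-12 08:45:12,Malware detected: Troj/Ransom-ABC in C:\\Windows\\Temp\\a.exe,Malware,SRV-APP02,SYSTEM
2016-04-12 08:45:13,Malware locally cleared: Troj/Ransom-ABC,Malware,SRV-APP02,SYSTEM
"""

# Outcome words that close a detection on a device (assumed wording).
RESOLVING_ACTIONS = {"Malware cleaned up", "Malware locally cleared"}


def parse_when(s):
    """Accept a full timestamp or a bare date, as the report's day slider does."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(s, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {s!r}")


def load_events(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["When"] = parse_when(r["When"])
    return rows


def action_of(row):
    """'Malware detected: Troj/...' -> 'Malware detected' (the report's sub-filter)."""
    return row["Event"].split(":", 1)[0]


def filter_events(rows, start=None, end=None, event_type=None):
    """Date range is start-inclusive and end-exclusive; event_type matches the Type column."""
    start_dt = parse_when(start) if start else None
    end_dt = parse_when(end) if end else None
    out = []
    for r in rows:
        if start_dt and r["When"] < start_dt:
            continue
        if end_dt and r["When"] >= end_dt:
            continue
        if event_type and r["Type"] != event_type:
            continue
        out.append(r)
    return out


def malware_outcomes(rows):
    """Count malware events by outcome, mirroring the report's expanded filter."""
    return dict(Counter(action_of(r) for r in rows if r["Type"] == "Malware"))


def unresolved_malware(rows):
    """Devices whose latest malware event is a detection with no cleanup after it."""
    state = {}
    for r in sorted(rows, key=lambda r: r["When"]):
        if r["Type"] != "Malware":
            continue
        state[r["Device"]] = "resolved" if action_of(r) in RESOLVING_ACTIONS else "open"
    return sorted(d for d, s in state.items() if s == "open")


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print("malware outcomes:", malware_outcomes(events))
    print("still unresolved:", unresolved_malware(events))
    print("12 April malware events:", len(filter_events(events, start="2016-04-12", event_type="Malware")))
```

The unresolved list is the one to act on: a ‘not cleaned up’ event means the file is still on disk, and on a server it is worth checking before the next scheduled scan runs.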


The reports for Users, Computers, Servers, Mobiles and Peripherals all take a form similar to the screenshot shown here, with a summary view at the top. Clicking on the numbers in the summary view applies a filter to the report for the relevant category. The detailed information varies depending on the particular report, but it will show details like associated devices, the scanning status, the OS and the last active and updated times. You can use all of this information to monitor the objects linked to your account and spot any inconsistencies, or home in on a particular user or device to get more information.


In the Application Control section there are three reports available:
• Blocked
• Allowed
• Policy Violators
Each of these reports can be filtered by date to display the data you want.


The next section of reports covers web usage: Blocked Categories, Warned Sites, Blocked Sites, Policy Violators and Malware Downloaders. These reports can be filtered by date and present a summary of web usage across these five categories, so that you can monitor potentially unwanted web behaviour by your users and on your devices.


The final section of reports is for the Web Gateway. You can see a summary of all of the Web Gateway events as shown here; this is useful both for monitoring gateway activity and for drilling into a particular device or user to see the details of a particular Allow or Block event. The filters at the top of the report let you narrow the view to the date range or type of event that you want to see, and all of the report data can be exported for further manipulation offline. In addition to the gateway activity, you can also see a set of reports that summarise the activity data in terms of categories such as blocks, events and users; you get a bar chart as a visual representation, and again, you can export the data for offline viewing.


On completion of this module, you should now be able to:
• Run reports for your Sophos Central account


Please take a few minutes to answer the following questions on the material covered in this module.



On completion of this course, you should now be able to:
• Describe the main features of Sophos Central and their benefits
• Demonstrate the use of the most commonly used features
• Deploy and manage Sophos Central in a simple environment


Feedback on our courses is always welcome – please email us at [email protected] with your comments.


Now that you have completed this module, you should complete Labs 4 to 6, and then take the Sophos Central Engineer assessment in the Partner Portal.


