Sophos AV - a disaster in waiting

[Tannin]

I have a customer who bought a Sophos Endpoint Protection site licence a little while back. The company which used to do their IT set it up on the various machines in the network such that it was centrally controlled from the dedicated server and workstations got their updates from there. Then the server went faulty and we decommissioned it.

This left the workstation Sophos installs in a locked down state, unable to update, and impossible to uninstall.

So I called Sophos. The phone was answered promptly, by a human, who was helpful, knowledgeable, polite and friendly. I had to set up a Sophos reseller account (at no cost) and then could "simply" uninstall the existing Sophos on each machine and reinstall a stand-alone version which would be under local control, and get its updates direct from Sophos. He provided me with a link to and passwords for the stand-alone installer.

So far so good. Then the fun started. "All" I had to do was uninstall Sophos cleanly enough to allow a reinstall. Believe me, this is a horrorshow. We are talking heavy-duty hard work here with safe mode, Hijackthis, Regedit, services.msc, commands to delete things on reboot, and endless hours on the web looking stuff up which mostly turns out to refer to a slightly different version of Sophos or a different Windows version. Worse, every machine was different! You find a method which works on Workstation A, apply it to Workstation B, and it doesn't work. Every bloody machine requires a different bloody fix.

I did the first one in about two hours.

I did the second and third ones together. I got the third one after almost four hours, but the second one refused to install the update component no matter what. Eventually, I got it to work by manually creating a dedicated user account and then hacking permissions in the registry twice. Why twice? Because there are several sets of instruction about what to do and they are not all the same. Total time wasted on three machines ~ about 1.3 days. And I still have to do the new server, which will mean anything from a couple of hours to a whole damn day on-site, plus however much extra we need to allow for working around their need to have it operating while they work.

And all of this because Sophos does not have an uninstall script. Hell even Norton has had an uninstall script for most of this century, why is Sophos so farnarkling backward and primitive?

Sorry Sophos. I liked the idea of having an actual human to answer the phone, and he was very good ..... but I shouldn't have to ring up your help line to do simple jobs, and I most certainly shouldn't have to waste an entire day on stupidity like your absurd inability to uninstall yourself.

When the Sophos site licence runs out, I will, of course, be getting rid of it and installing Bullguard.

 

[CougTek]

So far so good. Then the fun started. "All" I had to do was uninstall Sophos cleanly enough to allow a reinstall. Believe me, this is a horrorshow. We are talking heavy-duty hard work here with safe mode, Hijackthis, Regedit, services.msc, commands to delete things on reboot, and endless hours on the web looking stuff up which mostly turns out to refer to a slightly different version of Sophos or a different Windows version. Worse, every machine was different! You find a method which works on Workstation A, apply it to Workstation B, and it doesn't work. Every bloody machine requires a different bloody fix.

Ever heard of revo uninstaller? Would have saved you a lot of grief.

 

[mangyDOG]

It is for exactly this reason I have convinced every business client I have to get rid of Sophos.

 

[Tannin]

No, Coug, thanks for the heads up. I'll bear that in mind for another day.

MangyDog, it may interest you to know that this disgraceful rip-off of an IT system was foisted on my customer by a well known local firm. For a cash-strapped small non-profit charity organisation with a full-time-equivalent staff of one, yes that was not a typo, a FTE staff of one, they flogged:

• dedicated IBM server running Windows Server Small Business Edition
• Microsoft Exchange server
• Near top-of-range Hewlett-Packard laptops with docking stations, keyboards, mice and screens.
• A gigantic and very complicated printer costing Lord knows how much
• A sensibly modest desktop computer running a Core 2 Duo, 500GB drive and 2GB of RAM. (I suspect this last one was already there before our friends started selling the rest of this grossly inappropriate kit to honest people who didn't know they were being taken for the mother of all rides.)
• A three year Sophos Endpoint Protection site licence.
• Assorted other software licences.
• A full-on domain network setup with assorted stupid lock-down group policies on the workstations making every small operation difficult - and this in a tiny office where, if you want to access another machine that doesn't belong to you, all you have to do is turn around and use a different screen. The lock-down was, in other words, utterly pointless.

When I was called in, the network was giving lots of trouble, the Internet usage and bill had gone through the roof with no explanation, and our local friends had comprehensively failed to do anything at all to fix the problems, despite making I'm not sure how many very expensive on-site calls.

I was easily able to isolate the gross Internet over-use problem to the server itself. After examining their needs and the equipment available, I simply decommissioned the dedicated IBM server, added 2GB of DDR-2 to the desktop workstation (which runs XP Pro), and made that into the new server. It's only a small machine but on the other hand it hasn't got any workload worth mentioning, just a handful of Word files to store and a few similar things. Email I switched to my own hosting account in Texas. (Arvixe are excellent, highly recommended.)

The organisation has a staff of three: one man does three days a week, mostly outdoor practical tasks but he occasionally comes into the office to check his email or create an invoice. One woman does computer-based admin tasks one day a week, and another woman comes in to do the bookkeeping one afternoon a week. They now have a perfectly capable little desktop machine which doubles as the central file server (I have written batch files to create backups, and insisted that they get extra drives - the incompetents who set the gross overkill system up had just one single external backup drive), plus a laptop each. This is still more than is really necessary for the workload, but the system works well.

Or, to be precise, it will work well when I complete the final task in what has been a very long, tedious process of migration to a more appropriate setup: recommissioning the Sophos anti-virus on the little desktop server. (It would have been a lot quicker and easier to simply reinstall every machine from scratch, but I chose to do it the hard way. I'm not sure why, possibly just to prove that I am old and grey but I have not completely lost my ability to do the hard yards when I put my mind to it.)

I think it would be unethical of me to name the greedy bastards who pulled this outright shocker of a sales stunt, but you are a local lad and will know who I am talking about if quietly whisper that their initials are B & D Technologies.

 

[mubs]

Sheesh. You should outright publish this story on your website, Tannin. Of all the things difficult to understand, hitting the poorest of the poor, the weakest of the weak, the sickest patient - these defy all understanding.

Sick bastards. I don't know how they can sleep at night.

 

[Mercutio]

I encounter stuff like that pretty regularly, at least as far as IT spending by nonprofits goes. It's often because they have grant money they're allowed to spend on technology purchases and can't use for other things. I don't know if that's the case here, and yes the consulting firm did take advantage, but from another perspective it's entirely likely that the organization just had money that would have been left on the table.

On the other hand, I can't say that I've ever seen anyone actually using Sophos. I know it exists, but it's clearly not a common product by any standard.

 

[Chewy509]

On the main topic, we use Syphilis at work... Compared to the other "enterprise" AV solutions I've used, it's well... you read the name I used for it.

We had the main server component stop working for unknown reasons, so we decided to play the uninstall / install game. 2 days on the server side of it to have a what we believe is a working installation... Then, we had to go around and manually redo all the clients as none of the automated push out features worked... (either push to desktop or deploy via GPO). The reasoning we could gather was, it already had the client installed! But the existing clients wouldn't talk to the new server for some unknown reason, despite all settings we could see were the same between the old and new installation... Lucky for use we only have 6 desktops which we had to fix... (most of our infrastructure is non-Windows - we only have 2 Windows servers and 6 desktops/laptops - the rest are either Ubuntu 12.04LTS Server / Desktop or OpenIndiana).

Would I recommend this "product" to anyone - no...

As for the small shop with a huge IT setup - seen this way too many times... but will leave that for another post... (need to go to work).

 

[mangyDOG]

I love Bodgy and Dodgy! Every time I do a quote where a potiential client needs to get a second price, I point them there. Even with my highest levels of markup and hourly install rates I can beat their prices by at 30% or more.