Link2ICT - Service Birmingham
Derek Potter 08/05/2009
BGfL Proxy Servers – Slow Internet
Following a number of calls to the Link2ICT Service desk reporting slow Internet,
investigations were carried out by the BGfL team, who identified that slow Internet
performance may be a result of Policy Central and a higher than normal number of virus
alerts.
In order to reduce the activity on the proxy servers, schools are advised to apply the
configuration changes to Policy Central and Sophos Enterprise.
The BGfL team have also installed additional proxy servers. Once schools have started to
implement the instructions below, we should see a large improvement in Internet
performance.
1. Policy Central Proxy Server by-pass Exception
Schools should add an exception within Internet Options. The most effective method of
applying this exception is via Group Policy, although many schools will already have this in
place.
Group Policy Management tool
If the Domain Controller is running Windows Server 2003, it is strongly advised that the Group
Policy Management tool is installed.
This can be downloaded from the following URL:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
Applying the Proxy Bypass Exception
Click Start > Programs > Administrative Tools > Group Policy Management
Expand the DOMAINS folder and beneath that click ‘+’ to expand the School Domain.
Right Click ‘Default Domain Policy’ then click ‘Edit’, to open the Group Policy Object Editor.
Click ‘+’ next to ‘User Configuration’ then ‘Windows Settings’ then ‘Internet Explorer Maintenance’
Within the Proxy Settings dialogue box there should be settings for the proxy already
populated, i.e. eduproxy.bgfl.org on port 80 – add this if it does not already exist.
Click on the window to the right, beneath the ‘Exceptions’ window
There may already be exceptions within the box, such as ePortal settings – please leave
these settings and add:
10.*
<domain>.bham.sch.uk (replacing the ‘domain’ with the school's Internet domain name)
pceconsole.bham.org.uk
Use a semi-colon between entries, i.e. 10.122.33.*;10.*
To check that the workstation(s) are accepting the settings, open a Command Prompt by
selecting Start > Run, type CMD and press Enter
Type GPUPDATE /FORCE and press Enter - accept an appropriate response of either log
off or reboot.
Note: if you have selected reboot, please ensure that no users are on the network when this
option is selected.
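After the policy refresh, the settings can also be confirmed on a workstation from PowerShell. The script below is an added example, not part of the original instructions: it assumes PowerShell 2.0 or later and that proxy settings are stored per user (the Windows default), and the school domain entry is a placeholder to replace.

```powershell
# Added example: confirm the proxy settings this section configures have reached
# the logged-on user's Internet Options (per-user registry values).
$ProxyHost    = 'eduproxy.bgfl.org:80'
$SchoolDomain = '<domain>.bham.sch.uk'   # placeholder: use the school's own entry
$Required     = @('10.*', $SchoolDomain, 'pceconsole.bham.org.uk')

function Test-ProxyBypass {
    param([string]$ProxyOverride, [string[]]$RequiredEntries)
    # Exceptions are stored as one semi-colon separated string.
    $have = @($ProxyOverride -split ';' |
              ForEach-Object { $_.Trim().ToLower() } |
              Where-Object { $_ -ne '' })
    $want = @($RequiredEntries | ForEach-Object { $_.ToLower() })
    New-Object PSObject -Property @{
        # Required entries that have not arrived on this workstation.
        Missing = @($want | Where-Object { $have -notcontains $_ })
        # Entries beyond the required ones (e.g. ePortal) are left in place,
        # but each one is traffic that skips the proxy, so list them for review.
        Extra   = @($have | Where-Object { $want -notcontains $_ })
    }
}

$key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie     = Get-ItemProperty -Path $key
$result = Test-ProxyBypass -ProxyOverride ([string]$ie.ProxyOverride) -RequiredEntries $Required

"Proxy enabled : {0}" -f ($ie.ProxyEnable -eq 1)
"Proxy server  : {0}" -f $ie.ProxyServer
"Proxy matches : {0}" -f (([string]$ie.ProxyServer).ToLower().Contains($ProxyHost))
"Missing       : {0}" -f ($result.Missing -join '; ')
"For review    : {0}" -f ($result.Extra -join '; ')
```

An empty ‘Missing’ line with ‘Proxy enabled’ and ‘Proxy matches’ both True means the workstation has picked up the policy.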
2. Authorising Policy Central within Sophos Anti-Virus
Overview of problem
The presence of Policy Central (PCE) client software on a computer where Sophos Anti-Virus software is installed will trigger an alert from the HIPS feature of Sophos Anti-Virus that denies PCE client executables the ability to start.
A window similar to this will be displayed on the client desktop
HIPS (Host Intrusion Prevention Program) is specifically designed to examine the behaviour of files and processes running on the computer to identify any potential threats from malware or similar types of programs. The nature of PCE client software is such that it is often identified as this form of software and so is summarily blocked from working.
More details on the HIPS feature of Sophos are available from www.sophos.co.uk.
The solution to this problem is to configure Sophos HIPS to allow the executables that relate to PCE client software to run. Sophos will then ignore these files if they are detected and PCE client can function normally.
Using Sophos Enterprise Console to ‘Authorise’ Policy Central
In establishments where Sophos Anti-Virus is managed by Sophos Enterprise Manager, the Sophos Enterprise Console ‘Anti-Virus and HIPS’ policy can be used to deploy the Authorisation to all Sophos Anti-Virus clients. Both the ‘Default’ and the ‘Servers’ policy will need to be amended.
Right-click the applicable ‘Anti-Virus and HIPS’ policy (e.g. Default)
Choose 'view/edit policy' from the menu.
Click the ‘On-Access Scanning’ button.
Click the ‘Windows Exceptions’ tab.
Click ‘Add’
Enter C:\WINDOWS\System32\PCENT\PCClient.exe
Repeat for the following files:
extrac32.exe
SysServer.exe
SysMonP32.exe (Windows Vista Only)
SSSTool.exe
Click OK
Click the ‘Messaging’ button
Click the ‘Email alerting’ tab
Un-tick ‘Suspicious Behaviour detection’
Un-tick ‘Suspicious File detection’
Click the ‘Authorisation’ button
Click the ‘Suspicious behaviour’ tab
Look for the following files in the ‘Known Applications’ box on the left hand side:
PCClient.exe
extrac32.exe
SysServer.exe
SysMonP32.exe (Windows Vista Only)
SSSTool.exe
If these files are present, click on these files to highlight them and click the ‘Add’ button to move them to the ‘Authorised Applications’ box on the right hand side.
Click OK
Click the ‘Extensions and Exclusions’ button against the ‘Scheduled Scanning’
Click the ‘Exclusions’ tab
Click ‘Add’
Enter ‘C:\WINDOWS\System32\PCENT\PCClient.exe’
Repeat for the following files:
extrac32.exe
SysServer.exe
SysMonP32.exe (Windows Vista Only)
SSSTool.exe
Click OK
Click OK
Repeat for the ‘Servers’ policy
In Sophos Enterprise Console, ensure that all computers on the network are protected, managed and assigned to appropriate groups in Sophos Enterprise Console.
Click on each group in Sophos Enterprise Console and select all computers using Ctrl A
Right click on the selected computers and select Comply With.. and then All Group Policies
Ensure all computers say ‘Same as policy’ under the ‘Anti-Virus and HIPS policy’ and ‘Updating policy’.
Using Authorization Manager on Standalone computers
In an un-managed Sophos environment, this is performed from the 'Authorization Manager' dialog accessed from within the local Sophos Anti-Virus Console.
Open Sophos Anti-Virus by right clicking on the blue Sophos Shield in the Windows Task bar
Select ‘Configure Sophos Anti-Virus’
Click on the ‘Authorisation’ link
Click the ‘Suspicious behaviour’ tab
Look for the following files in the ‘Known Applications’ box on the left hand side:
PCClient.exe
extrac32.exe
SysServer.exe
SysMonP32.exe (Windows Vista Only)
SSSTool.exe
If these files are present, click on these files to highlight them and click the ‘Add’ button to move them to the ‘Authorised Applications’ box on the right hand side.
Click OK
Note: If these files have not already been detected, they can be manually added using the ‘New Entry’ button to navigate to the files and add them.