Advisory: Bleedingbit vulnerabilities do not affect Sophos Access Points

Bluetooth Low Energy (BLE, also marketed as Bluetooth Smart) is a protocol that provides low-power connections to devices such as IoT appliances. Two newly announced zero-day vulnerabilities, collectively known as Bleedingbit, could expose wireless access points (APs) that have BLE enabled to remote code execution attacks.

Applies to the following Sophos product(s) and version(s)

Sophos UTM

Sophos AP

Sophos Firewall

Sophos Central Wireless

No Sophos Access Points are affected by these vulnerabilities. We recommend that all customers check with the vendors of any third-party wireless APs in their estate to confirm whether those devices are affected. Only APs with BLE enabled are exposed, so disabling BLE where it is not needed removes the attack surface until fixed vendor firmware is applied.

This article will be updated when information becomes available.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.


Sophos Anti-Virus for Linux: Suggested on-access exclusions on an Oracle Database server

This article describes the suggested on-access scanning exclusions for Sophos Anti-Virus for Linux on a Linux server running an Oracle Database.

When an Oracle Database is installed and running on a Linux server, a performance impact may be seen that is caused by on-access scanning. During normal operation, many integral database files are constantly being opened or used in processing the data, and some of these files are opened, and therefore scanned, hundreds of times per minute.

On Windows platforms, these files can be excluded by their file extensions. On Linux the extensions are only a naming convention that the operating system does not enforce, and the exclusions that can be set centrally for Linux are path based, so the exclusions should be built from the actual file and directory paths with the help of the local DB Administrator.

The following table describes the Oracle file types that should be considered for exclusion, with the extension they carry on a Windows platform for reference:

File Type   Description                                                                        Example location
Data        Oracle data files; .dbf on Windows                                                 ORACLE_BASE/oradata/
Log         Log files written when database backup copies are created or restored; .log        ORACLE_BASE/inventory/logs/
Redo        Real-time Oracle redo logs; .log (or the older .rdo) on Windows. Online redo
            logs exist in every Oracle database; archived copies accumulate as well when
            the database runs in ARCHIVELOG mode, which is the usual case when backup and
            recovery is configured
Control     Oracle control files; .ctl on Windows                                              ORACLE_BASE/oradata/

The files included in the above file types should be identified by the local Database Administrator so they can be considered for exclusion. The exact paths in use can be listed from the V$DATAFILE, V$LOGFILE and V$CONTROLFILE views rather than guessed from the default locations.

Exclusions can be made on an individual file name basis or as a block using wildcards and common name attributes. When any exclusions are made, it is recommended to review the file and consider whether a scheduled or named scan needs to be created to check the file or directory regularly.

NOTE:

Sophos Enterprise Console only supports path-based exclusions for Linux and UNIX computers. Other types of exclusion (regular expressions, file types and file systems) can be set up directly on the managed computers.

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux 9.15.0

Sophos Linux Security 10.4.0


Using mkinstpkg to create deployment packages for Sophos Anti-Virus for Linux, v 9

In Sophos Anti-Virus for Linux/Unix v9 the deployment package tool, mkinstpkg, has moved to a new location. It is no longer shipped in the CID (Central Installation Directory).

Known to apply to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Linux/Unix 9

Operating systems

Linux

Unix

What To Do

To create a pre-configured deployment package, follow these instructions:

  1. Go to the directory /opt/sophos-av/update/.
  2. Do one of the following:
    • To create a tar format deployment package, called savinstpkg.tgz, type: ./mkinstpkg
    • To create an RPM format deployment package (Linux Only), called savinstpkg-0.0-1.i586.rpm, type:

      ./mkinstpkg -r

      Note: The filename may vary slightly depending on the RPM setup.
  3. Use your own tools to copy this package to the computers where you want to install Sophos Anti-Virus.

Configuration options can be set when creating the package with mkinstpkg, for example making the package default to fanotify instead of Talpa for on-access scanning (see articles 118231 and 118216). The command in that case would be:

./mkinstpkg --extra-options="--preferFanotify"

More information on these configuration options can be found in the appendix “Command Line Options for Mkinstpkg” (section 11) of the Sophos Anti-Virus for Linux startup guide.

For more information on creating and using deployment packages, please see the Enterprise Console guide for managing Linux and Unix computers:

http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx
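The three steps above leave the integrity of the package to "your own tools". The script below is an added example, not part of the Sophos article or its tooling: it wraps the mkinstpkg build so that the build host records a SHA-256 digest of savinstpkg.tgz, and every target host verifies that digest before unpacking and running the installer, so a package swapped on a staging share or damaged in transit is refused rather than installed fleet-wide. The mkinstpkg location, the package name and the --extra-options flag come from the article; the digest file name, the assumption that the package unpacks to sophos-av/install.sh, and the use of sha256sum are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Sophos article. Build savinstpkg.tgz with mkinstpkg,
# record its SHA-256, and refuse to install a copy whose digest does not match.
# Assumptions: digest file name, sha256sum being available, and the package unpacking
# to sophos-av/install.sh like the standard installer tarball. Tar format only; the
# RPM produced by "mkinstpkg -r" has a varying file name and is not handled here.

PKG_DIR=/opt/sophos-av/update
PKG=savinstpkg.tgz
DIGEST_FILE=savinstpkg.tgz.sha256   # assumed name; keep it next to the package

# build_package [mkinstpkg options...]: build the tar-format package on the build
# host and record its digest, e.g. build_package --extra-options="--preferFanotify".
build_package() {
    ( cd "$PKG_DIR" && ./mkinstpkg "$@" && sha256sum "$PKG" > "$DIGEST_FILE" )
}

# verify_digest FILE EXPECTED_HEX: succeed only when FILE is readable and its SHA-256
# equals EXPECTED_HEX (compared case-insensitively, as some tools print uppercase).
verify_digest() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_verified PKG_PATH: on a target host, check the package against the digest
# recorded beside it and refuse to unpack anything that does not match. The digest
# file must be the one written on the build host and delivered over an authenticated
# channel (scp/SSH from the build host, your configuration management); a digest
# regenerated on the target from the package itself would prove nothing.
install_verified() {
    pkg=$1
    expected=$(cut -d' ' -f1 "$pkg.sha256") || return 1
    if ! verify_digest "$pkg" "$expected"; then
        echo "digest mismatch for $pkg; refusing to install" >&2
        return 1
    fi
    workdir=$(mktemp -d) || return 1
    tar -xzf "$pkg" -C "$workdir" && "$workdir/sophos-av/install.sh"
}

# Typical flow (commands shown, not run when this file is sourced):
#   build host:  build_package --extra-options="--preferFanotify"
#                scp /opt/sophos-av/update/savinstpkg.tgz* target:/tmp/
#   target host: install_verified /tmp/savinstpkg.tgz
```

Source the file and call build_package on the build host, then install_verified on each target; the functions return non-zero on any failure so they can be chained in a larger deployment script.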


SAV for Linux – Oracle DB server, suggested exclusions to on-access scanning

This article describes the suggested exclusions from Sophos Anti-Virus for Linux on-access scanning on servers where an Oracle Database is installed.


Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux 9.15.0

Sophos Linux Security 10.4.0

When an Oracle Database is installed and running on a Linux server, there may be a performance impact caused by on-access scanning. During normal operation, many integral database files are constantly being opened and written or used in processing the data, and some of these files are opened, and therefore scanned, many hundreds of times a minute.

On Windows platforms these files can be excluded by their file extensions. On Linux this is not so straightforward, because the extensions are only a naming convention the OS does not enforce and central exclusions for Linux are path based, so the exclusions should be built from the actual paths with the help of the local DB Administrator.

The following table describes the Oracle file types that should be considered for exclusion, with the extension they carry on a Windows platform for reference:

File Type      Description                                                                     Example location
Data files     Oracle data files; “.dbf” on Windows                                            …/oracle/oradata/
Log files      Written when database backup copies are created or restored; “.log”             …/oracle/inventory/logs/
Redo files     Real-time Oracle redo logs; “.log” (or “.rdo”) on Windows. NOTE: online redo
               logs exist in every Oracle database; archived copies accumulate as well when
               the database runs in ARCHIVELOG mode, which is the usual case when backup
               and recovery is configured
Control files  Oracle control files; “.ctl” on Windows                                         …/oracle/oradata/

The files included in the above file types should be identified by the local DBA so they can be considered for exclusion.

Exclusions can be made on an individual file name basis, or as a block using wildcards and common name attributes. When any exclusions are made, it is recommended to review the file and consider whether a scheduled or named scan needs to be created to check the file or directory regularly.

Note:

Enterprise Console only supports path-based Linux and UNIX exclusions. Other types of exclusion (regular expressions, file types and file systems) can be set up directly on the managed computers. For information on how to do this, see the Sophos Anti-Virus for Linux configuration guide or the Sophos Anti-Virus for UNIX configuration guide.

  • Please see the Enterprise Console Help documentation for details of adding exclusions on Linux servers through SEC
  • Please see the Sophos Central Admin help documentation for details of adding exclusions on Linux Servers managed by Central
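Both this article and the earlier one on Oracle exclusions leave the practical step, turning the DBA's file list into exclusions and into the compensating scheduled scan, to the reader. The script below is an added example, not Sophos' own tooling, that does that: it reduces a DBA-supplied list of Oracle file paths to directory exclusions, prints the savconfig commands that add them as on-access exclusions, and prints a cron line for a nightly on-demand scan of the same directories. It assumes the ExcludeFilePaths parameter of /opt/sophos-av/bin/savconfig and the /opt/sophos-av/bin/savscan scanner from Sophos Anti-Virus for Linux 9; the file list embedded in it is constructed for the example, and the V$ queries in the comment are how a DBA would produce a real one.

```shell
#!/bin/sh
# Added example, not Sophos' own tooling: turn a DBA-supplied list of Oracle file
# paths into directory exclusions for Sophos Anti-Virus for Linux on-access scanning,
# emit the savconfig commands that add them, and a cron line for the scheduled scan
# the article recommends in their place.
# Assumptions: savconfig's ExcludeFilePaths parameter and savscan under
# /opt/sophos-av/bin (SAV for Linux 9); the sample list below is constructed.

# Constructed sample of what a DBA might return from
#   SELECT name FROM v$datafile UNION ALL SELECT member FROM v$logfile
#   UNION ALL SELECT name FROM v$controlfile;
# plus two deliberately bad entries (a relative path and a file directly under /)
# and one duplicate.
SAMPLE_ORACLE_FILES='/u01/app/oracle/oradata/ORCL/system01.dbf
/u01/app/oracle/oradata/ORCL/sysaux01.dbf
/u01/app/oracle/oradata/ORCL/undotbs01.dbf
/u01/app/oracle/oradata/ORCL/redo01.log
/u01/app/oracle/oradata/ORCL/redo02.log
/u01/app/oracle/oradata/ORCL/control01.ctl
/u01/app/oracle/fast_recovery_area/ORCL/control02.ctl
oradata/ORCL/users01.dbf
/stray.dbf
/u01/app/oracle/oradata/ORCL/control01.ctl'

# oracle_exclusion_dirs: read file paths on stdin, print the sorted, unique set of
# parent directories with a trailing slash (savconfig's directory-exclusion form).
# Relative paths are skipped because an exclusion not anchored at / would not match
# what the scanner sees; a file directly under / is skipped because the only
# directory exclusion covering it would be / itself, which disables scanning.
oracle_exclusion_dirs() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$path" in
            /*) ;;
            *)  printf 'skipping non-absolute path: %s\n' "$path" >&2; continue ;;
        esac
        dir=${path%/*}
        if [ -z "$dir" ]; then
            printf 'refusing to exclude / for: %s\n' "$path" >&2
            continue
        fi
        printf '%s/\n' "$dir"
    done | sort -u
}

# savconfig_commands: the commands that add each directory as an on-access exclusion.
savconfig_commands() {
    oracle_exclusion_dirs | while IFS= read -r dir; do
        printf '/opt/sophos-av/bin/savconfig add ExcludeFilePaths %s\n' "$dir"
    done
}

# scheduled_scan_cron: because the excluded directories are no longer scanned on
# access, scan them on demand at 02:00 daily (line for root's crontab).
scheduled_scan_cron() {
    dirs=$(oracle_exclusion_dirs | tr '\n' ' ')
    dirs=${dirs% }
    printf '0 2 * * * /opt/sophos-av/bin/savscan %s\n' "$dirs"
}

# Usage with the constructed sample (replace with the DBA's real list):
#   printf '%s\n' "$SAMPLE_ORACLE_FILES" | savconfig_commands
#   printf '%s\n' "$SAMPLE_ORACLE_FILES" | scheduled_scan_cron
```

Review the printed commands before running them as root: excluding a directory excludes everything beneath it, so a data directory that also holds unrelated files widens the gap more than a per-file exclusion would.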


Advisory: Sophos Central Managed Servers consume Intercept X Advanced for Server licenses though features are disabled

[Update 1 – 08/11/18 @ 11:20 GMT]

Changes have been made in Sophos Central to mitigate this issue. Customers should no longer find that disabling Intercept X Advanced on server consumes advanced licenses.

Customers are reporting that Central Managed servers are consuming Intercept X Advanced licenses even though all Intercept X Advanced features are disabled in their Threat Protection Policies.

This is due to a hidden policy option in Central that is not visible to customers and can only be modified by Sophos Support.

Servers assigned to the base policy in Sophos Central will not be affected by this – only servers assigned to customer created policies where Intercept X Advanced for Server is disabled.

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

Central Server Intercept X 2.0.3

Sophos Development are currently investigating this issue.

Affected customers will need to contact Sophos Support to disable the hidden option in their Threat Protection policy for the affected server(s).

Updates will be provided as the Development investigation continues.


Sophos PureMessage for Microsoft Exchange – Support for Windows Server 2016 Datacenter

This article describes the stance from Sophos on the compatibility of Sophos PureMessage for Microsoft Exchange with Windows Server 2016 Datacenter.


Applies to the following Sophos products and versions

PureMessage for Microsoft Exchange 4.0.3

PureMessage for Microsoft Exchange 4.0.4

Sophos has identified compatibility issues between PureMessage for Microsoft Exchange and Windows Server 2016 Datacenter. At this point in time there are no plans to resolve these compatibility issues and Sophos therefore suggests running the product on one of the other certified Server platforms. Sophos has updated the System Requirements documentation to reflect this incompatibility and apologizes for this inconvenience.


RESOLVED Advisory: Sophos Central Email Held for a small number of customer email accounts


An upgrade was applied to Sophos Central over the past weekend, and a small subset of user mailboxes added by customers during that time may not be receiving email. Engineering is actively investigating and working towards a fix as quickly as possible. Email that is not being delivered is being queued and will be delivered once the fix is in place; no email will be lost.

The following regions are affected

EU-WEST

Applies to the following Sophos product(s) and version(s)

Sophos Central Email

Some customer mailboxes will fail to receive email until this is resolved.

Mailboxes have been correctly linked and mail flow has returned to normal.

This article will be updated when more information becomes available.


Sophos Puremessage for Unix fails to update with Permission denied randomly


PPM was not updating the package because a file with the same name as the package existed in the home directory of the pmx6 user. When this happens, PPM treats that file as the package's PPD descriptor and tries to open and parse it; because the file had no read permission, the update failed with Permission denied. As a workaround, check the pmx6 home directory for a file whose name matches the package and rename or remove it.

Applies to the following Sophos product(s) and version(s)

PureMessage for Unix

Customers may see occasional update failures with a permission-denied error.

Affected: PureMessage for Unix 6.4.5 and earlier.

This will be resolved in PureMessage for Unix 6.4.6.

This article will be updated when information becomes available.


MacOS: Secure Kernel Extension Loading troubleshooting

With macOS 10.13 Apple introduced a security mechanism called Secure Kernel Extension Loading (SKEL): kernel extensions from any non-Apple vendor (Sophos uses a kernel extension to intercept file access, among other things) must be approved by a user before they are allowed to load; any local user can grant this approval. The approval is required for Sophos Anti-Virus to function properly. All third-party vendors are affected by this change, and there is no way to work around the requirement.

Note: Due to an Apple security restriction, this cannot be done via a remote desktop connection. There must be a locally logged on user. The Allow button will show, but be grayed out if it is accessed via remote desktop.

After installing Sophos Anti-Virus go to Security & Privacy in the Apple System Preferences window.

Near the bottom of the window, it will list the blocked Kernel Extensions (kexts) by Sophos. Click Allow.

Once authorized, all future Sophos kernel extensions are allowed, even after uninstallation. This step is not needed again on a reinstall.

If the kexts still do not load after this, follow the troubleshooting steps below.


Applies to the following Sophos products and versions

Central Mac Endpoint

Sophos Anti-Virus for Mac OS X

If the kexts do not load after the above steps, or the prompt to allow the kext does not show, here are the steps to authorize the kext manually.

  1. Boot into Recovery mode (Apple Article ht201314)
  2. Open the Terminal (From the menu at the top)
  3. Run the command: /usr/sbin/spctl kext-consent add 2H5GFH3774
  4. Reboot

There are some customers who we have seen run into this issue even after these steps. Apple has acknowledged that there is a bug in 10.13 and 10.14.0 that can cause an issue. It is fixed in 10.14.1 (released October 30, 2018).
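Before sending a user into Recovery mode it helps to know two things from the machine itself: whether any Sophos kernel extension is actually loaded, and whether the Mac is still on a macOS build that has the Apple bug described above. The script below is an added example, not part of the Sophos article: it compares the running version against 10.14.1, lists loaded Sophos kexts, and prints the next step. The team identifier 2H5GFH3774 and the 10.14.1 fix are the article's; the kext bundle identifier in the constructed kextstat sample, and the use of kextstat and sw_vers to collect live data, are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the Sophos article: check whether Sophos kexts are
# loaded and whether this Mac still has the Apple SKEL bug fixed in macOS 10.14.1.
# The team identifier and fix version come from the article; the bundle identifier
# in SAMPLE_KEXTSTAT and the kextstat/sw_vers collection are assumptions.

FIXED_VERSION=10.14.1
SOPHOS_TEAM_ID=2H5GFH3774

# Constructed sample of `kextstat` output (abridged), used when not running on a Mac.
# The Sophos bundle identifier shown is assumed, not taken from the article.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1   90 0xffffff7f80b2e000 0x8000     0x8000     com.apple.kpi.bsd (18.2.0)
  140    0 0xffffff7f84a1b000 0x1f000    0x1f000    com.sophos.kext.sav (9.8.1)'

# version_lt A B: succeed when dotted version A is strictly lower than B.
# Components compare numerically, so 10.9 < 10.14 < 10.14.1 < 11.0.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$1" ]
}

# loaded_sophos_kexts: read kextstat output on stdin and print the bundle identifier
# (6th column) of every loaded kext whose name contains "sophos".
loaded_sophos_kexts() {
    awk 'NR > 1 && tolower($6) ~ /sophos/ { print $6 }'
}

# skel_advice VERSION KEXT_COUNT: the next troubleshooting step for this state.
skel_advice() {
    if [ "$2" -gt 0 ]; then
        echo "ok: $2 Sophos kext(s) loaded"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "no Sophos kext loaded on macOS $1: approve it in Security & Privacy or, from Recovery, run 'spctl kext-consent add $SOPHOS_TEAM_ID'; Apple's SKEL bug is fixed in $FIXED_VERSION, so updating may also be required"
    else
        echo "no Sophos kext loaded on macOS $1: approve it in Security & Privacy or, from Recovery, run 'spctl kext-consent add $SOPHOS_TEAM_ID'"
    fi
}

# skel_check: on a Mac, use live sw_vers and kextstat output; elsewhere fall back to
# the constructed sample and a version known to carry the bug.
skel_check() {
    if command -v kextstat >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
        ver=$(sw_vers -productVersion)
        n=$(kextstat | loaded_sophos_kexts | wc -l)
    else
        ver=10.14.0
        n=$(printf '%s\n' "$SAMPLE_KEXTSTAT" | loaded_sophos_kexts | wc -l)
    fi
    skel_advice "$ver" "$((n + 0))"
}
```

Run skel_check on the affected Mac; the version check only tells you whether the Apple bug can still be in play, the kext listing tells you whether the approval has actually taken effect.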


Sophos XG Firewall: Protect against UDP Amplification Attack – TA14-017A

A distributed reflective denial-of-service (DRDoS) is a form of distributed denial-of-service (DDoS) attack that relies on publicly accessible UDP servers and bandwidth amplification factors (BAFs) to overwhelm a victim’s system with UDP traffic. (us-cert.gov,2018). This article describes the steps to help protect against UDP Amplification Attack – TA14-017A.


Applies to the following Sophos products and versions

Sophos Firewall

Administrators need to enable and configure the DoS settings on the XG Firewall by following the steps below:

  1. Navigate to Intrusion Prevention.
  2. Go to the DoS & Spoof Protection tab.
  3. Under DoS Settings, set values in the UDP Flood section for:
     • Packet rate per Destination (Packet/min)
     • Burst rate per Destination (Packet/sec)
     Tick the checkbox next to each value so that the flag is applied, then click Apply.

     Note: The values that are already populated work for most networks. If legitimate UDP-based traffic starts being dropped, you may need to increase the values.
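The two thresholds count UDP packets per destination in two windows, a minute and a second, and the note above says to raise them if real traffic trips them. The script below is an added example, not part of the Sophos article and not XG's implementation: it measures those two quantities per destination over a packet list, so the baseline of a network can be read off before the values are changed. The thresholds' meaning is the article's; the input format (epoch seconds, protocol, destination IP, one packet per line, such as a capture summarised with tcpdump), the constructed sample traffic and the exact bucketing are this example's own approximation.

```shell
#!/bin/sh
# Added example, not part of the Sophos article: per-destination UDP packet rates in
# the two windows the XG "UDP Flood" settings use (packets per minute, packets per
# second), computed over a packet list so the thresholds can be sized from real
# traffic. The bucketing is this example's approximation, not XG's implementation.

# udp_rate_report RATE_PER_MIN BURST_PER_SEC: read "epoch proto dst" lines on stdin
# and print, per destination, the busiest minute, the busiest second and FLOOD or ok
# against the two thresholds. Non-UDP lines are ignored.
udp_rate_report() {
    awk -v rate="${1:?packets per minute}" -v burst="${2:?packets per second}" '
    $2 == "udp" {
        minute[$3 SUBSEP int($1 / 60)]++
        second[$3 SUBSEP int($1)]++
        seen[$3] = 1
    }
    END {
        for (k in minute) { split(k, p, SUBSEP); if (minute[k] > maxmin[p[1]]) maxmin[p[1]] = minute[k] }
        for (k in second) { split(k, p, SUBSEP); if (second[k] > maxsec[p[1]]) maxsec[p[1]] = second[k] }
        for (d in seen) {
            verdict = (maxmin[d] > rate || maxsec[d] > burst) ? "FLOOD" : "ok"
            printf "%s %d %d %s\n", d, maxmin[d], maxsec[d], verdict
        }
    }' | sort
}

# sample_packets: constructed traffic. 1000 UDP packets to 203.0.113.10 inside four
# seconds (what a reflected flood looks like at the victim), 30 UDP packets to
# 198.51.100.5 spread over a minute (ordinary DNS), and one TCP packet that must be
# ignored. Timestamps start on a minute boundary so the minute bucket is unambiguous.
sample_packets() {
    i=0
    while [ "$i" -lt 1000 ]; do
        printf '%d udp 203.0.113.10\n' $((1541000040 + i / 250))
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 30 ]; do
        printf '%d udp 198.51.100.5\n' $((1541000040 + i * 2))
        i=$((i + 1))
    done
    printf '%d tcp 198.51.100.5\n' 1541000040
}

# Usage: sample_packets | udp_rate_report 3000 100
# A real list can be produced from `tcpdump -tt -n` output (timestamp, "udp" and the
# destination address with its port and trailing colon stripped off).
```

With a per-minute limit of 3000 and a burst limit of 100 the constructed flood is flagged on the burst threshold alone (250 packets in one second) while the DNS traffic is not; raising the burst limit above 250 would let the flood through, which is the trade-off the note above describes.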
