Advisory: Sophos Phish Threat New Campaign wizard hangs if content customized

Advisory: Sophos Phish Threat New Campaign wizard hangs if content customized

Making changes to a campaign at the customize stage (e.g from name/email, subject etc) and clicking ‘Next’ results in the wizard hanging with the spinning progress circle.

Applies to the following Sophos product(s) and version(s)

Phish Threat

Will not be able to customize a Campaign before sending to users.

[Update] 15.11.2019. The root cause of this is understood and we are hoping to apply resolve this within 24 hours.

Sophos Phish Threat Version 2

Please monitor this KBA for updates

This article will be updated when information becomes available

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Central Update Caches failed to update since 12th November

Support received a number of reports from customers of their Central Update Caches failing to update after the 12th November.

This issue was caused by a missing file in the Sophos Warehouses – this was fixed at 09:30 GMT on the 13th November.

Update Caches and affected Endpoints should recover on their next update.

Affected customers will have seen that their Update Caches are marked as ‘Stale’ in Central and their Endpoints will instead update from Sophos rather than their local Update Cache.

Customers can confirm that they were affected by this issue by reviewing the downloader.log located in C:ProgramdataSophosUpdateCacheLogs. The below errors would be seen:

[2019-11-13T07:09:30Z] [<main>] Info: [Downloader::Impl::ProgressLogFunction:468] [I96736] sdds.WIN_MTR_1-0-1-44.1: adding primary package WindowsCloudMDR 1.0.0.301 baseVersion=

[2019-11-13T07:09:32Z] [<main>] Error: [Downloader::Impl::ProgressLogFunction:471] [E83521] 404 Not Found: http://d1.sophosupd.net/update/catalogue/sdds.SSPL_telemsupp_1_0_0.1.xml

[2019-11-13T07:09:32Z] [<main>] Error: [Downloader::Impl::Synchronise:163] SULException: SU_synchronise failed: [4] unspecifiedFailure

For most customers the impact would have been minimal and Endpoints will fail over to download their updates from Sophos warehouses directly. For air-gapped customers their downloads would fail to complete and Linux Endpoints may report as out of date.

Applies to the following Sophos product(s) and version(s)

Central Server Update Cache 1.4.0

The warehouse has been republished and the issue should be resolved.

Affected customers should find that their Update Caches automatically recover from this issue on their next update.

No further updates are expected.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Sophos Anti-Virus for Linux: System requirements

This knowledge base article lists the system requirements of the Sophos Anti-Virus for Linux for Sophos Central, Sophos Enterprise Console and the standalone versions.

The following sections are covered:

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux 10

Sophos Anti-Virus for Linux 10 offers additional capabilities which include Malicious Traffic Detection and Sophos Security Heartbeat™ (applies to Central Server Protection license).

Here is the list of its minimum system requirements:

Sophos Anti-Virus for Linux 9

Sophos Anti-Virus for Linux 9 is the only version available for the standalone and Enterprise Console-managed versions.

Here is the list of its minimum system requirements:

  • Supported Distributions (latest minor point or LTS version):
    • Amazon Linux, Amazon Linux 2
    • CentOS 6/7
    • Debian 9, 10
    • Oracle Linux 6/7
    • Red Hat Enterprise 6/7/8
      • Red Hat Enterprise Linux 6 32-bit version supported until Nov 30th 2020
    • SUSE 12/15
    • Ubuntu 16/18 LTS
  • System type:x86_64
  • Free disk space: 1 GB
  • Free Memory: 1 GB
  • Stack sizes: Non-default stack sizes are not supported.
  • Language version: English and Japanese (EUC and UTF-8). Shift JIS and JIS are not supported.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable for us to ensure that we continually strive to give our customers the best information possible.

Related:

Sophos Live Protection: Overview

This article provides a high level overview of what Sophos Live Protection is. More details on how it works can be found here.

Applies to the following Sophos product(s) and version(s)

Not product specific

As malware continues to rapidly evolve and grow, Sophos has realized that it needs a way to enhance existing data updates with a system to keep endpoint protection up to date in real-time. This was done to both improve the response time to new malware and reduce the amount of data delivered to the endpoints.

LiveProtection was added to give the endpoint the ability to ‘lookup’ files in real-time to verify if they are malicious. Over the past few years it has proven very effective at stopping new malware outbreaks and protecting our customers.

Sophos Live Protection can perform the following tasks:

  • Perform cloud look-ups against individual files to determine if safe/malicious

    If the anti-virus scan on an endpoint computer has identified a file as suspicious, but cannot further identify it as either clean or malicious based on the threat identity (IDE) files stored on the computer, certain file data (such as its checksum and other attributes) is sent to Sophos to assist with further analysis. This is known as ‘in-the-cloud’ checking: it performs an instant lookup of a suspicious file in the SophosLabs database. If the file is identified as clean or malicious, the decision is sent back to the computer and the status of the file is automatically updated.

  • Automatically send sample files to Sophos

    If a file is considered suspicious, but cannot be positively identified as malicious based on the file data alone, you can allow Sophos to request a sample of the file. If this option is enabled, and Sophos does not already hold a sample of the file, the file will be submitted automatically. Submitting sample files helps Sophos to continuously enhance detection of malware.

    Note: Consider your individual IT data compliance needs before enabling this option.

LiveProtection will perform a lookup for any file it suspects of being malware; the following events will trigger a lookup

  • Whenever a file is added to the endpoint’s quarantine manager.
  • Whenever reported internally by the anti-malware engine that a file is deemed suitably suspicious.
  • Whenever reported internally by anti-malware engine that a file is to be checked against a allow list defined by SophosLabs. (The allow list is maintained by SophosLabs and contains a list of common and system files which the product should cache to improve performance.)

LiveProtection performs a lookup to ensure the most up to date protection as new information could have been discovered about the file since the last time it was scanned.

Lookups contain a limited amount of information and are designed to help SophosLabs analysts to package up specific malware related information (such as function bytes or other properties required) to increase accuracy of detections.

Lookups are performed over DNS and the average endpoint perform a large number lookups per day depending on the level of activity. During scheduled and on-demand scans the number will increase as all files on the system will be accessed which triggers an increased number of lookups compared to normal operations.

Related:

Advisory: [RESOLVED] Sophos Central Email – Admin quarantine fails to complete loading for customers in UTC +0 timezone

Sophos Email customers with their system clocks set to the UTC +0 timezone may be unable to view the contents of the quarantine page via Central Admin.

Applies to the following Sophos product(s) and version(s)

Sophos Central Email

Attempting to load the quarantine page will be unsuccessful.

[Resolved] As of Saturday 9th November this is issue is now resolved.

This issue is now resolved.

There are 2 viable options to workaround this problem

  1. Users can access the contents of their quarantine via the User Portal
  2. Alternatively if admin quarantine access is required, temporarily changing the timezone on the client machine to UTC +1:00 and reloading the quarantine page will allow the content to load.

No further update expected

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Mac OS 10.15 Catalina Support and Known Issues

This article provides information about support for MacOS 10.15 Catalina, as well as known issues. It is highly advisable to read the known issues as there are several unavoidable issues in this OS release.

Apple has new enforced per application permissions in this version. Some permissions (such as user folders) will present a pop-up notice to the user to allow access, however for system level access, no notification is presented by the OS. Several Sophos services require this system level of access in order to detect and clean threats. This means that Apple will not notify users if these issues are being experienced.

All of our applications and installers are 64-bit, and will not be limited by Apple’s 32-bit restriction.

The following sections are covered:

Applies to the following Sophos products and versions

Central Mac Endpoint

Sophos Anti-Virus for Mac OS X

Operating systems

MacOS 10.15 Catalina

MacOS 10.15 Catalina overview

With the release of macOS 10.15 Catalina, Apple has added additional security lock downs to the operating system, including per application disk access lock downs. This results in several large impacting issues that must be corrected for full protection. Please see the Known Issues section below for full details. It is not recommended upgrading to 10.15 until your organization has a transition plan in place.

Required version: Sophos Endpoint 9.9.4 or above

In order to support macOS 10.15 Catalina, Sophos Endpoint 9.9.4 or above is required. Earlier versions will run if present during an upgrade, but are subject to the same known issues below, but not all permissions can be added (SophosServiceManager and SophosScanAgent cannot be added with 9.9.3), 9.9.3 and below will not install on a 10.15 system, and Central clients 9.9.2 or below will fail to communicate with Central until they update.

Sophos released 9.9.4 to Central in September 2019. 9.9.4 is also Preview subscription for Enterprise Console customers as of mid-September 2019.

For both Central and Enterprise Console, 9.9.5 releases in mid-October 2019 (to Recommended and Preview for Enterprise Console), and includes permissions popup to make installations a bit easier.

Apple has locked down the following User Folders in OS 10.15.

  • Desktop
  • Documents
  • Downloads
  • Mail
  • Safari cache

The agents will need to be added to the Full Disk Access area of security and privacy, unless otherwise noted.

All Versions

The following issues will be experienced after upgrading to macOS 10.15 and before applying the corrective steps.

  • SophosCleanD – Unable to clean up threats in the above folders
  • SophosScanAgent – On Demand scans / Scheduled scans will not detect threats in the above folders
  • Sophos Finder Scan (Through SophosScanAgent) – Will not detect threats in the above folders
  • SophosServiceManager – Parent process for SophosScanAgent
  • Sophos Diagnostic Utility (Standalone only) – User prompted to allow access to the above folders, This is “Files and Folders” access.
  • sweep – Command line scanning tool. Only used manually and only needs to be added if command line scans are being run.
  • SDU4OSX / Sophos Diagnostic Utility – Unable to access all logs

Sophos Central 9.9.4 and above

  • SophosEndpointUIServer – User is not notified of threat detection (no popup)
  • SophosCleanD – Unable to restore files (Cryptoguard) in the above folders
  • Sophos MCS Server Change – MCS has been changed to use SHA2+TLS1.2 for its connection. This uses different servers than before, and should only be an issue if specific firewall allow rules are required for the communication). (note: 9.9.3 has this change in place already)

Sophos Endpoint (Enterprise Console Managed) 9.9.4 and above

  • For initial install, all install files must be copied from the CID share locally first before running the install.
  • SophosAutoUpdate – Cannot update from SMB shares. Only HTTP/HTTPS will work until approved

Older Endpoint versions

  • Subject to the same limitations as above
  • May have other issues not covered
  • Will upgrade to 9.9.4 (other than if impacted by SophosAutoUpdate issue) even with errors
  • 9.9.2 and below will fail to communicate with MCS (Central)

The following can be performed on OS 10.14, before upgrading to 10.15, or after 10.15 has been installed. The only exception to this is SophosServiceManager, which can only be added on 10.15.

  1. Open System Preferences.
  2. Open Security & Privacy.
  3. Go to the Privacy tab.
  4. Click the lock in the lower left and authenticate to make changes
  5. Select “Full Disk Access” on the left side
  6. Leave this window open.
  7. Open a Finder window
  8. Go, go to folder
  9. Enter: /Library/Sophos Anti-virus and click go.

  10. Drag and drop the following item from the Finder window to the Security & Privacy Full Disk Access window
    • SophosAutoUpdate (Enterprise Console managed only)
    • SophosCleanD
    • SophosScanAgent
    • SophosServiceManager
    • Sophos Endpoint UIServer (Central Managed only)
    • Sophos Diagnostic Utility (from /Library/Sophos Anti-virus/tools/)

  11. You may receive a notice that some applications will not have full access until it is quit. This is fine, Later or Quit Now are both valid.

Note: The tool “sweep”, which is /usr/local/bin/, cannot be added via this method as it is not a .app. It will prompt the user the first time the tool is run in order to be allowed. It will only be called if you are using it via command line.

Alternate Method of correction:

Using an MDM solution like Apple Profile Manager, or JAMF, you can add permissions in TCC to allow these processes. Visit the following kba articles for further instructions:

KNOWN ISSUE: “Full disk access required” message displays on Catalina when using an MDM solution with the correct access (with Sophos 9.9.5). Please see this KB134833

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Sophos Central Endpoint: Dashlane Mozilla Firefox extension may not function correctly

The Mozilla Firefox extension for Dashlane Password Manager may not function correctly when installed alongside Sophos Central Endpoint. Customers may see that the browser extension icon is grayed out and cannot be accessed.

The Dashlane Firefox extension requires anti-virus and firewall software to be configured in a particular way to allow access to the extension.

This knowledge base article describes the steps to resolve this issue.

Applies to the following Sophos products and versions

Sophos Cloud Managed Endpoint

Initially, please follow the guidance published by Dashlane in this article.

Note: See the article’s section regarding Anti-Virus software.

Additionally, please run through the steps below on the affected machines to exclude the Dashlane ports from the Sophos Web Filter:

  1. To allow the editing of the registry, disable first the tamper protection on the endpoint by following KBA 119175.
  2. Click the keys Windows + R.
  3. Type regedit then click OK.
  4. In Registry Editor, navigate to and make a backup of HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesswi_callout
  5. Create or modify the multi-string value LoopbackBypass.
  6. Add the below values (each one as a new line):

    • 11456
    • 15674
    • 17896
    • 21953
    • 32934
  7. Restart the service Sophos Web Filter.

Note. You may also need to restart your browser for the changes to take affect.

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Advisory: Sophos Central Email – Admin quarantine fails to complete loading for customers in UTC +0 timezone

Sophos Email customers with their system clocks set to the UTC +0 timezone may be unable to view the contents of the quarantine page via Central Admin.

Applies to the following Sophos product(s) and version(s)

Sophos Central Email

Attempting to load the quarantine page will be unsuccessful.

[Update] The root cause here has been identified and this will be addressed in the next Central release Saturday 9th November.

Affected customers should see the positive impact of this on their accounts between the 9th and 12th of November

In the short term, see the Workaround sections below for viable workarounds.

This article will be updated once the issue is resolved.

There are 2 viable options to workaround this problem

  1. Users can access the contents of their quarantine via the User Portal
  2. Alternatively if admin quarantine access is required, temporarily changing the timezone on the client machine to UTC +1:00 and reloading the quarantine page will allow the content to load.

This article will be updated once we have confirmed the issue is resolved

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Sophos Partner Portal – Partner unable to change or make edits to their Primary Admin configuration in their Partner Portal

Within Partner Portal – Partners are currently unable to edit and change their Primary Admin/(“Central Partner Dashboard Admin” ) field in their Partner Portal Dashboard See screenshot below:

Applies to the following Sophos products and versions

Sophos Central Partner

  • If you would like to change who is your current/primary “Central Partner Dashboard Admin” – please contact our Customer Care team with details of who currently is assigned this role, and who you would like to have it changed to.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Sophos Anti-Virus for Linux: Additional steps required for SAV on Red Hat Enterprise Linux 8

This article provides the additional steps required to install and run Sophos Anti-Virus for Linux on Red Hat Enterprise Linux 8. For both Central and SEC managed environments

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Operating systems

Red Hat Enterprise Linux 8

With the release of Red Hat Enterprise Linux 8, a number of new and tighter security features have been introduced and these have meant some additional steps are required to install and run SAV for Linux.

  1. Set a variable to refer to the SAV install point.

    # INST=/opt/sophos-av

  2. Create a context to label all files in $INST/talpa with the ‘is-kernel-module’ label.



    # semanage fcontext -a -t modules_object_t "$INST/talpa(/.*)?

  3. Set the SELinux Boolean to allow all root processes to load kernel modules. [see note 1]

    # semanage boolean --modify --on domain_kernel_load_modules

  4. Install libnsl for UNC updating to work on SEC managed environments. [see note 2]

    # yum install -y libnsl

  5. Install SAV without starting savd.

    # ./install.sh $INST --autostart=False

  6. Apply the correct labels to $INST/talpa. [see note 3]

    # restorecon -R -v $INST/talpa

  7. Start savd.

# systemctl restart sav-protect

Additional Notes:

  • SAV for Linux requires the ability to load modules to kernel. This is disabled by default in SELinux. The SELinux Boolean option will allow all root processes to load kernel modules. By default SELinux on Red Hat Enterprise Linux 8 prevents daemons from loading kernel modules.

  • The libnsl step is only needed where SAV version 9 is updating via UNC cifs/windows share location.

  • The restorecon command is for restoring SELinux Context of the directory and will need to be done every time SAV is re-installed.
  • If on-access is required with Talpa the for on-access scanning, the following packagers are required

# yum install kernel-devel

# yum group install “development Tools”

# yum install elfutils-libelf-deveplease

Please see compiling Talpa for further details

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable for us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts