Sophos Anti-Virus for Linux: Mrouter temporarily incorrectly detected

Between July 20th and July 24th, 2018, a small number of AV vendors incorrectly detected the Sophos Anti-Virus for Linux mrouter file as malicious. This incorrect detection might appear in Nessus scanner results. It has since been resolved by the third parties, and no vendors now report the mrouter file as malicious. Please contact Sophos Support should you have any questions.

File details:

Name: mrouter
MD5: 4c32f7d46cdcbee55e7bbf3422eca4b7
SHA-1: 03e0de54b9b69c8364bc24f1a8780f6a1465795b
File type: ELF
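When a scanner flags a file it calls mrouter, the practical check is whether the flagged file is byte-for-byte the build the article describes (the known false positive) or something else. The following Python script is an added example, not code from the article or from Sophos: it checks the ELF magic and then both digests listed above. The hash values are the article's; the sample files, temporary paths and the triage labels are constructed for this example.

```python
import hashlib
import os
import sys
import tempfile

# Digests published in the article for the genuine mrouter binary.
PUBLISHED_MD5 = "4c32f7d46cdcbee55e7bbf3422eca4b7"
PUBLISHED_SHA1 = "03e0de54b9b69c8364bc24f1a8780f6a1465795b"


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of a file, streamed in chunks so large binaries are fine."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def is_elf(path):
    """The article lists the file type as ELF; check the 4-byte magic before hashing."""
    with open(path, "rb") as fh:
        return fh.read(4) == b"\x7fELF"


def matches_published_mrouter(path, md5=PUBLISHED_MD5, sha1=PUBLISHED_SHA1):
    """True only when BOTH digests match; requiring both means an MD5 collision alone is not enough."""
    actual_md5, actual_sha1 = file_digests(path)
    return actual_md5 == md5.lower() and actual_sha1 == sha1.lower()


def triage(path):
    """Classify a file a scanner flagged as 'mrouter' (labels are this example's own):
       'published-mrouter' - identical to the build the article describes (the known false positive)
       'elf-mismatch'      - an ELF binary, but not that build: treat as unverified, not as cleared
       'not-elf'           - not an ELF file at all, so not the file the article describes"""
    if not is_elf(path):
        return "not-elf"
    return "published-mrouter" if matches_published_mrouter(path) else "elf-mismatch"


def make_constructed_samples():
    """Write two constructed fixtures (an empty file and a fake ELF header) and return their paths.
    These are test data for this example, not Sophos files."""
    workdir = tempfile.mkdtemp(prefix="mrouter-triage-")
    empty = os.path.join(workdir, "empty.bin")
    open(empty, "wb").close()
    fake_elf = os.path.join(workdir, "fake_elf.bin")
    with open(fake_elf, "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 12)
    return {"empty": empty, "fake_elf": fake_elf}


if __name__ == "__main__":
    # Usage: python3 mrouter_triage.py /path/to/flagged/file [...]; with no arguments, runs on the fixtures.
    paths = sys.argv[1:] or list(make_constructed_samples().values())
    for p in paths:
        md5, sha1 = file_digests(p)
        print(f"{p}: md5={md5} sha1={sha1} -> {triage(p)}")
```

A match means the flagged file is the build in this article and the detection is the documented false positive. A mismatch only means it is not that build: it could be a different Sophos release or an unrelated file, so it should be verified against the vendor rather than assumed malicious or clean.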

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

PMX 6.4.8 upgrade and ignore_policy_error option

PureMessage for Unix 6.4.8 includes an upgrade of the built-in Postfix to version 3.4.5.

As a result, the previous main.cf configuration option “ignore_policy_error” is now deprecated. Installs that currently use it will need to update their main.cf file with the new configuration options to prevent Postfix rejecting mail with the following errors:

Aug 22 12:22:43 hostname postfix/smtpd[80254]: warning: unknown smtpd restriction: "ignore_policy_error"

Aug 22 12:22:43 hostname postfix/smtpd[80254]: NOQUEUE: reject: RCPT from server.domain[1.1.1.1]: 451 4.3.5 Server configuration error; from= to= proto=SMTP helo=

We understand this is far from ideal and are monitoring how many people are affected by this.

[Update]: This is now documented in the release notes for 6.4.8

Note: This article doesn’t apply if you are using your own version of Postfix or an alternative MTA.

Applies to the following Sophos products and versions

PureMessage for Unix

  1. Check for the existence of this configuration option within your current configuration. This will be present in your Postfix /opt/pmx/postfix/etc/main.cf file and will look like the following:

    smtpd_client_restrictions = ignore_policy_error,check_policy_service inet:[127.0.0.1]:4466

  2. If the ignore_policy_error option is not present, no action is necessary.

  3. If, however, ignore_policy_error is present, that line will need replacing with the following two lines immediately after upgrading to 6.4.8:

    smtpd_client_restrictions = check_policy_service inet:[127.0.0.1]:4466

    smtpd_policy_service_default_action = DUNNO
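To apply the three steps above in a repeatable way across several installs, here is an added Python example that is not part of the article or of the PureMessage product. It parses a main.cf, detects the deprecated option in smtpd_client_restrictions, strips it, and adds the smtpd_policy_service_default_action line. The sample main.cf content is constructed; the script name and function names are this example's own, and the path /opt/pmx/postfix/etc/main.cf is the one given in step 1.

```python
import sys

# Constructed sample main.cf fragment in the pre-6.4.8 form the article describes
# (the hostname is a placeholder, not a real PMX installation).
SAMPLE_MAIN_CF = """# main.cf (constructed sample)
myhostname = pmx.example.invalid
smtpd_client_restrictions = ignore_policy_error,check_policy_service inet:[127.0.0.1]:4466
smtpd_banner = $myhostname ESMTP
"""


def parse_main_cf(text):
    """Parse main.cf into an ordered list of (key, value) pairs.
    Comment and blank lines are kept as (None, raw) so the file can be rewritten in order;
    a line starting with whitespace continues the previous parameter, as Postfix defines it."""
    entries = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and entries and entries[-1][0] is not None:
            key, value = entries[-1]
            entries[-1] = (key, (value + " " + raw.strip()).strip())
        elif not raw.strip() or raw.lstrip().startswith("#"):
            entries.append((None, raw))
        else:
            key, _, value = raw.partition("=")
            entries.append((key.strip(), value.strip()))
    return entries


def uses_ignore_policy_error(entries):
    """Step 1 of the article: is the deprecated restriction present? Postfix separates
    restriction-list items with commas and/or whitespace, so normalise before checking."""
    for key, value in entries:
        if key == "smtpd_client_restrictions":
            return "ignore_policy_error" in value.replace(",", " ").split()
    return False


def strip_ignore_policy_error(value):
    """Drop the ignore_policy_error token from a restriction list, leaving other items untouched
    (check_policy_service keeps its 'inet:...' argument on the same comma-separated item)."""
    items = []
    for item in value.split(","):
        words = [w for w in item.split() if w != "ignore_policy_error"]
        if words:
            items.append(" ".join(words))
    return ",".join(items)


def upgrade_entries(entries):
    """Step 3 of the article: rewrite smtpd_client_restrictions and add
    smtpd_policy_service_default_action = DUNNO right after it. Returns (entries, changed).
    A smtpd_policy_service_default_action the admin already set is left untouched."""
    if not uses_ignore_policy_error(entries):
        return entries, False  # step 2: option not present, nothing to do
    has_default_action = any(k == "smtpd_policy_service_default_action" for k, _ in entries)
    out = []
    for key, value in entries:
        if key == "smtpd_client_restrictions":
            out.append((key, strip_ignore_policy_error(value)))
            if not has_default_action:
                out.append(("smtpd_policy_service_default_action", "DUNNO"))
        else:
            out.append((key, value))
    return out, True


def render(entries):
    """Serialise entries back to main.cf text (continuation lines are folded onto one line)."""
    lines = [value if key is None else f"{key} = {value}" for key, value in entries]
    return "\n".join(lines) + "\n"


def upgrade_main_cf(text):
    """Parse, upgrade and re-render; returns (new_text, changed)."""
    new_entries, changed = upgrade_entries(parse_main_cf(text))
    return render(new_entries), changed


if __name__ == "__main__":
    # Usage: python3 pmx_main_cf_upgrade.py /opt/pmx/postfix/etc/main.cf > main.cf.new
    # With no argument the constructed sample is used. Review the output before replacing the file.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIN_CF
    new_text, changed = upgrade_main_cf(source)
    sys.stdout.write(new_text if changed else "# ignore_policy_error not present; no action necessary\n")
```

The script writes the rewritten configuration to standard output rather than editing in place, so the diff can be reviewed before the file is replaced and Postfix reloaded. Running it a second time on its own output reports no change, which is a cheap way to confirm the deprecated option is gone.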

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Advisory: Sophos Central Firewall Manager – us-e1.cfm.sophos.com periodically unreachable

Periodically, when navigating to us-e1.cfm.sophos.com, the following error is seen:

Reloading the page a few times usually allows for a successful connection.

Applies to the following Sophos product(s) and version(s)

Sophos Central Firewall Manager

Access to us-e1.cfm.sophos.com has stabilized. Currently under monitoring.

This article will be updated when more information becomes available.

Exim CVE-2019-15846 and Sophos Products

This article provides information on the Exim vulnerability CVE-2019-15846 and how it impacts Sophos products.

Applies to the following Sophos product(s) and version(s)

PureMessage for Unix

Sophos Central Email

Sophos Email Appliance

Cyberoam

Sophos UTM Software Appliance

PureMessage for Microsoft Exchange

Reflexion

CVE-2019-15846 describes a vulnerability in Exim whereby a specially crafted ending of the TLS SNI (Server Name Indication) value can be used to run arbitrary code on the vulnerable server.

This vulnerability is not exploitable on any Sophos products, see the table below for more information.

Sophos Email Products and CVE-2019-15846

Product                    Vulnerable   Further information
Sophos XG Firewall         No           The TLS headers that are used to exploit this vulnerability are stripped by the product before reaching the vulnerable Exim code. *
Sophos UTM                 No           The TLS headers that are used to exploit this vulnerability are stripped by the product before reaching the vulnerable Exim code. *
Sophos Email on Central    No           Product doesn’t utilize Exim
Sophos Email Appliance     No           Product doesn’t utilize Exim
PureMessage for Unix       No           Product doesn’t utilize Exim
PureMessage for Exchange   No           Product doesn’t utilize Exim
Cyberoam                   No           Product doesn’t utilize Exim
Reflexion                  No           Product doesn’t utilize Exim

* Despite this vulnerability not being exploitable due to the current architecture of the Sophos XG and Sophos UTM products, we do still plan on releasing a patch for Exim on these platforms in an upcoming Maintenance Release.

Mac OS 10.15 Catalina Support and Known Issues

This article provides information about support for MacOS 10.15 Catalina, as well as known issues. It is highly advisable to read the known issues as there are several unavoidable issues in this OS release.

Apple now enforces per-application permissions in this version. Some permissions (such as user folders) present a pop-up notice asking the user to allow access; however, for system-level access, no notification is presented by the OS. Several Sophos services require this system-level access in order to detect and clean threats, so Apple will not notify users when these issues are being experienced.

All of our applications and installers are 64-bit, and will not be limited by Apple’s 32-bit restriction.

Applies to the following Sophos product(s) and version(s)

Central Mac Endpoint

Sophos Anti-Virus for Mac OS X

Operating systems

MacOS 10.15 Catalina

MacOS 10.15 Catalina – overview

With the release of MacOS 10.15 Catalina, Apple has added additional security lockdowns to the operating system, including per-application disk access lockdowns. This results in several high-impact issues that must be corrected for full protection. Please see the Known Issues section below for full details. It is not recommended to upgrade to 10.15 until your organization has a transition plan in place.

Notice:

All information presented in this KB is current as of 10.15 beta 7. It may change in the final release of 10.15. This article will be updated closer to the release and after release if any further changes are needed. It is recommended to check this article again at the time of 10.15’s release in late September 2019.

Required version – Sophos Endpoint 9.9.4 or above

In order to support MacOS 10.15 Catalina, Sophos Endpoint 9.9.4 or above is required. Earlier versions will run if present during an upgrade, but are subject to the same known issues below, and not all permissions can be added (SophosServiceManager and SophosScanAgent cannot be added with 9.9.3). 9.9.3 and below will not install on a 10.15 system, and Central clients 9.9.2 or below will fail to communicate with Central until they update.

Sophos is releasing 9.9.4 to Central by mid-September 2019. 9.9.4 will also be available in the Preview subscription for Enterprise Console customers in mid-September 2019, moving to Recommended in October 2019.

Known Issues

Apple has locked down the following User Folders in OS 10.15.

  • Desktop
  • Documents
  • Downloads
  • Mail
  • Safari cache

The agents will need to be added to the Full Disk Access area of Security & Privacy, unless otherwise noted.

All Versions

The following issues will be experienced after upgrading to macOS 10.15 and before applying the corrective steps.

  • SophosCleanD – Unable to clean up threats in the above folders
  • SophosScanAgent – On Demand scans / Scheduled scans will not detect threats in the above folders
  • Sophos Finder Scan (Through SophosScanAgent) – Will not detect threats in the above folders
  • SophosServiceManager – Parent process for SophosScanAgent
  • Sophos Diagnostic Utility (Standalone only) – User is prompted to allow access to the above folders. This is “Files and Folders” access.
  • sweep – Command line scanning tool. Only used manually and only needs to be added if command line scans are being run.

Sophos Central 9.9.4 and above

  • SophosEndpointUIServer – User is not notified of threat detection (no popup)
  • SophosCleanD – Unable to restore files (Cryptoguard) in the above folders
  • Sophos MCS Server Change – MCS has been changed to use SHA2+TLS1.2 for its connection. This uses different servers than before, and should only be an issue if specific firewall allow rules are required for the communication. (Note: 9.9.3 has this change in place already.)

Sophos Endpoint (Enterprise Console Managed) 9.9.4 and above

  • For initial install, all install files must be copied from the CID share locally first before running the install.
  • SophosAutoUpdate – Cannot update from SMB shares. Only HTTP/HTTPS will work until approved

Older Endpoint versions

  • Subject to the same limitations as above
  • May have other issues not covered
  • Will upgrade to 9.9.4 (unless impacted by the SophosAutoUpdate issue) even with errors
  • 9.9.2 and below will fail to communicate with MCS (Central)

How to correct issues:

The following can be performed on OS 10.14, before upgrading to 10.15, or after 10.15 has been installed. The only exception to this is SophosServiceManager, which can only be added on 10.15.

  1. Open Mac Settings
  2. Open Security & Privacy
  3. Go to the Privacy tab
  4. Click the lock in the lower left and authenticate to make changes
  5. Select “Full Disk Access” on the left side
  6. Leave this window open.
  7. Open a Finder window
  8. From the Go menu, choose Go to Folder
  9. Enter: /Library/Sophos Anti-virus and click Go.
  10. Drag and drop the following items from the Finder window to the Security & Privacy Full Disk Access window:
    • SophosAutoUpdate (Enterprise Console managed only)
    • SophosCleanD
    • SophosScanAgent
    • SophosServiceManager
    • Sophos Endpoint UIServer (Central Managed only)
  11. (Optional) Click the + in the Security & Privacy section, select /usr/local/bin/sweep
  12. You may receive a notice that some applications will not have full access until they are quit. This is fine; Later and Quit Now are both valid.

Alternate Method of correction:

Using an MDM solution like Apple Profile Manager, or JAMF, you can add permissions in TCC to allow these processes. Instructions will be provided as we determine them.

Advisory: Sophos Central – MFA option disabled after changes were made to their login and synced via the Central AD-Sync utility.

Sophos is investigating an issue between the Central Admin AD sync utility and MFA-enabled Central Administrators (e.g. Read only, Helpdesk, Admin, or Super Admin).

Update: 8/19/19 – The original issue had been resolved since June 15th. Since that time, there have only been a handful of reports of this happening for one or more logins.

This KBA has been updated to remove the previous information that is no longer valid (e.g. what we knew to trigger this), and the “What to Do” guidance has changed (in this scenario, simply adding the affected admins back into the MFA list resolves the issue; they no longer have to set up MFA again).

The following login configurations are NOT Affected or part of this Advisory/article:

  • Federated/Azure logins.
  • Customers who enable MFA for ‘all admins’

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

  • Affected Central logins that previously had MFA enabled will be able to log in with just their Central login password.
  • They will no longer show up in the ‘Select admins who need MFA’ list (see screenshot below).

Updated Status: August 19th

Development is still actively investigating what can trigger this. This KBA has been updated to remove the previously known triggers and workaround, as these have changed since the first fix for this was introduced on June 15th.

Please continue to follow the steps indicated in the “What to Do” section below:

If you experience this behavior, please let us know by raising a Technical Support case with us and provide as much of the following information as can be recalled.

  1. Provide details of how the user is being managed in Central, i.e. AD sync or cloud managed.
  2. Provide the user/email for the user who had their MFA disabled.
  3. Provide any changes that were done to the user prior to them experiencing the disablement of MFA.

Affected customers should follow the ‘Workaround’ section below.

  • The only update needed to resolve this, if experienced, is to re-add the user’s login to the list of MFA users (select the ‘add admins’ URL).

Advisory: Sophos UTM – Issue with RED 50 after upgrade to v9.6

An issue has been identified which affects RED 50 devices in UTM 9.6.

Applies to the following Sophos product(s) and version(s)

Sophos UTM

The UTM 9.6 release introduced a new unified RED firmware which, in some cases, causes RED 50 devices to incorrectly apply a new firmware image. This has resulted in the devices becoming unusable or ‘bricking’.

Currently, the unified firmware will only be applied to installations with fewer than 20 RED devices configured.

This issue was fixed with UTM 9.605.

Users who want to migrate to UTM 9.6 and are using RED 50 devices should take the following steps to avoid this issue:

  • Customers coming from pre-9.6 should update from 9.5xx directly to 9.605.
  • Customers on any previous 9.6 version need to update in one go to 9.605 (update to latest in WebAdmin).

The reason for this recommendation is that the firmwares available from the provisioning service include the fix, but older firmwares delivered with UTM versions prior to 9.605 might still cause this issue.

FAQ

  1. Are any other REDs in danger of being bricked, or is it just the RED 50?

    This is only seen in RED 50 so far.

Sophos Partner Portal – Partner unable to change or make edits to their Primary Admin configuration in their Partner Portal

Partners are unable to edit or change their Primary Admin (“Central Partner Dashboard Admin”) field in their Partner Portal Dashboard. See screenshot below:

Applies to the following Sophos products and versions

Sophos Central Partner

  • Contact support to request for your partner primary admin to be changed in your partner portal.

Sophos Anti-Virus for Linux: System requirements

This article lists the system requirements of Sophos Anti-Virus for Linux for the Sophos Central, Sophos Enterprise Console and standalone versions.

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux 10

Sophos Anti-Virus for Linux 10 offers additional capabilities which include Malicious Traffic Detection and Sophos Security Heartbeat™ (applies to Central Server Protection Advanced licenses only).

Here is the list of its minimum system requirements:

Sophos Anti-Virus for Linux 9

Sophos Anti-Virus for Linux 9 is the only version available for the standalone and Enterprise Console-managed versions.

Here is the list of its minimum system requirements:

  • Supported Distributions (latest minor point or LTS version):
    • Amazon Linux, Amazon Linux 2
    • CentOS 6/7
    • Debian 9, 10
    • Oracle Linux 6/7
    • Red Hat Enterprise 6/7
      • Red Hat Enterprise Linux 6 32-bit version supported until Nov 30th 2020
    • SUSE 12/15
    • Ubuntu 16.04/18.04
  • System type: x86_64
  • Free disk space: 1 GB
  • Free Memory: 1 GB
  • Stack sizes: Non-default stack sizes are not supported.
  • Language version: English and Japanese (EUC and UTF-8). Shift JIS and JIS are not supported.

Sophos Anti-Virus for Linux: On-Access filesystem support

This article describes the filesystems supported for on-access scanning on Linux platforms.

Known to apply to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Linux 9 and Sophos Anti-Virus for Linux 10

Good filesystems

The following filesystems are known to work with Sophos Anti-Virus for Linux:

Filesystem   Talpa support   Fanotify support
btrfs        Yes             Yes
cifs         Yes             No
ecryptfs     Yes             Yes
ext2         Yes             Yes
ext3         Yes             Yes
ext4         Yes             Yes
fuse         Yes             Yes
fuseblk      Yes             Yes
iso9660      Yes             Yes
jfs          Yes             Yes
minix        Yes             Yes
msdos        Yes             Yes
ncpfs        Yes             Yes
nfs          Yes             Yes
nfs4         Yes*            No
nssadmin     Yes             No
oes          Yes             No
overlayfs    Yes             Yes
overlay      Yes             Yes
ramfs        Yes             Yes
reiserfs     Yes             Yes
smbfs        Yes             Yes
tmpfs        Yes             Yes
udf          Yes             Yes
vfat         Yes             Yes
xfs          Yes             Yes
zfs          Yes             No

*Note: Talpa does not support locally mounted (non-network) nfs4 filesystems.

Unsupported filesystems

The following filesystems are unsupported. The majority of these are pseudo-filesystems that do not contain regular files and cannot be scanned.

Filesystem              Talpa support   Fanotify support   Notes
aufs                    No              No                 Pseudo-filesystem
autofs                  No              No                 Pseudo-filesystem
binfmt_misc             No              No                 Pseudo-filesystem
bpf                     No              No                 Pseudo-filesystem
cgroup                  No              No                 Pseudo-filesystem
configfs                No              No                 Pseudo-filesystem
debugfs                 No              No                 Pseudo-filesystem
devfs                   No              No                 Pseudo-filesystem
devpts                  No              No                 Pseudo-filesystem
devtmpfs                No              No                 Pseudo-filesystem
fuse.gvfs-fuse-daemon   No              No                 See KBA 118982
fusectl                 No              No                 Pseudo-filesystem
inotifyfs               No              No                 Pseudo-filesystem
mqueue                  No              No                 Pseudo-filesystem
nfsd                    No              No                 Pseudo-filesystem
nsspool                 No              No                 Pseudo-filesystem
proc                    No              No                 Pseudo-filesystem
romfs                   No              No                 Pseudo-filesystem
rootfs                  No              No                 Pseudo-filesystem
rpc_pipefs              No              No                 Pseudo-filesystem
securityfs              No              No                 Pseudo-filesystem
selinuxfs               No              No                 Pseudo-filesystem
squashfs                No              No
subfs                   No              No                 Pseudo-filesystem
sysfs                   No              No                 Pseudo-filesystem
usbdevfs                No              No                 Pseudo-filesystem
usbfs                   No              No                 Pseudo-filesystem
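The two support tables above are most useful when checked against what a server actually has mounted, since a data volume on zfs or cifs is silently outside on-access coverage under Fanotify. The following Python script is an added example, not code from the article or from Sophos Anti-Virus for Linux: it encodes both tables, parses /proc/mounts text (including the kernel's octal escapes for spaces in mount points), and reports for the chosen interception method which mount points are covered, which sit on a filesystem that method cannot intercept, and which are unsupported. The /proc/mounts sample is constructed, and the status labels and function names are this example's own.

```python
import re

# Support matrix from the article's first table: filesystem -> (Talpa, Fanotify).
SUPPORTED = {
    "btrfs": (True, True), "cifs": (True, False), "ecryptfs": (True, True),
    "ext2": (True, True), "ext3": (True, True), "ext4": (True, True),
    "fuse": (True, True), "fuseblk": (True, True), "iso9660": (True, True),
    "jfs": (True, True), "minix": (True, True), "msdos": (True, True),
    "ncpfs": (True, True), "nfs": (True, True), "nfs4": (True, False),
    "nssadmin": (True, False), "oes": (True, False), "overlayfs": (True, True),
    "overlay": (True, True), "ramfs": (True, True), "reiserfs": (True, True),
    "smbfs": (True, True), "tmpfs": (True, True), "udf": (True, True),
    "vfat": (True, True), "xfs": (True, True), "zfs": (True, False),
}
# Filesystems the article's second table lists as unsupported by both methods.
UNSUPPORTED = {
    "aufs", "autofs", "binfmt_misc", "bpf", "cgroup", "configfs", "debugfs", "devfs",
    "devpts", "devtmpfs", "fuse.gvfs-fuse-daemon", "fusectl", "inotifyfs", "mqueue",
    "nfsd", "nsspool", "proc", "romfs", "rootfs", "rpc_pipefs", "securityfs",
    "selinuxfs", "squashfs", "subfs", "sysfs", "usbdevfs", "usbfs",
}
METHOD_INDEX = {"talpa": 0, "fanotify": 1}

# Constructed /proc/mounts sample (devices and hosts are placeholders). The \040 in
# "/mnt/nfs\040share" is the octal escape the kernel emits for a space in a mount point.
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/data xfs rw,relatime 0 0
tank/home /home zfs rw,xattr,noacl 0 0
nas.example.invalid:/export /mnt/nfs\\040share nfs4 rw,relatime,vers=4.1 0 0
//fileserver/share /mnt/cifs cifs rw,relatime 0 0
/dev/loop0 /snap/core/1234 squashfs ro,nodev,relatime 0 0
"""


def _unescape(field):
    """Decode the \\ooo octal escapes /proc/mounts uses for space, tab, newline and backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text):
    """Yield (mountpoint, fstype) for each line of /proc/mounts-format text."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        yield _unescape(fields[1]), _unescape(fields[2])


def classify(fstype, method):
    """Map a filesystem type to the article's tables for one interception method:
    'covered', 'covered-caveat' (nfs4 under Talpa: locally mounted nfs4 is not supported),
    'no-<method>-support', 'unsupported', or 'unknown' (in neither table)."""
    idx = METHOD_INDEX[method]
    if fstype in UNSUPPORTED:
        return "unsupported"
    if fstype not in SUPPORTED:
        return "unknown"
    if not SUPPORTED[fstype][idx]:
        return f"no-{method}-support"
    if fstype == "nfs4" and method == "talpa":
        return "covered-caveat"
    return "covered"


def classify_mounts(text, method):
    """Return [(mountpoint, fstype, status)] for every mount in the given /proc/mounts text."""
    return [(mp, fs, classify(fs, method)) for mp, fs in parse_proc_mounts(text)]


def coverage_gaps(text, method):
    """Mount points on filesystems that hold regular files (in the supported table) but that the
    chosen method cannot intercept. 'unsupported' and 'unknown' mounts are left to the caller,
    since most of the unsupported list is pseudo-filesystems with nothing to scan."""
    return [mp for mp, fs, status in classify_mounts(text, method) if status.startswith("no-")]


if __name__ == "__main__":
    import sys
    # Usage: python3 onaccess_coverage.py [talpa|fanotify]; falls back to the sample off-Linux.
    method = sys.argv[1] if len(sys.argv) > 1 else "fanotify"
    try:
        text = open("/proc/mounts").read()
    except OSError:
        text = SAMPLE_PROC_MOUNTS
    for mp, fs, status in classify_mounts(text, method):
        print(f"{status:22} {fs:10} {mp}")
    print("gaps:", coverage_gaps(text, method))
```

Run with the interception method the host actually uses; the same mount list gives different gaps under Talpa and Fanotify, which is the point of comparing the two columns. A mount reported as unknown is simply absent from both tables and falls under the article's "Other filesystems" behaviour.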

Other filesystems

Behavior with other filesystems will depend on the on-access interception method:
