MacOS: Secure Kernel Extension Loading troubleshooting

Due to a new security mechanism that Apple released with macOS 10.13, called Secure Kernel Extension Loading (SKEL), every non-Apple kernel extension vendor must be manually added to a trusted list (any user can add it). Kernel extensions are what Sophos uses to intercept file access and similar events, so this approval allows the Sophos kernel extensions to load and is required for Sophos Anti-Virus to function properly. All third-party vendors are affected by this change, and there is no way to work around this requirement.

Note: Due to an Apple security restriction, this cannot be done over a remote desktop connection; a user must be logged on locally. The Allow button is shown but greyed out when the dialog is accessed via remote desktop.

After installing Sophos Anti-Virus, go to Security & Privacy in the Apple System Preferences window.

Near the bottom of the window, the blocked kernel extensions (kexts) from Sophos are listed. Click Allow.

Once authorized, all future Sophos kernel extensions are allowed, even after uninstallation. This step is not needed again on a reinstall.

Some customers have had issues with this step and should follow the troubleshooting below.


Applies to the following Sophos products and versions

Central Mac Endpoint

Sophos Anti-Virus for Mac OS X

If the kexts do not load after the above steps, or the prompt to allow the kext does not show, here are the steps to authorize the kext manually.

  1. Boot into Recovery mode (Apple Article ht201314)
  2. Open the Terminal (From the menu at the top)
  3. Run the command: /usr/sbin/spctl kext-consent add 2H5GFH3774
  4. Reboot

Some customers have run into this issue even after these steps. Apple has acknowledged a bug in 10.13 and 10.14.0 that can cause it; the bug is fixed in 10.14.1 (released October 30, 2018).

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.


Advisory: Cloud web gateway reporting and logs in the US region may not be accessible at this time.

Applies to the following Sophos product(s) and version(s)
Sophos Cloud Web Gateway

Cloud web gateway logs/reporting may be inaccessible at this time for accounts held in the US region.

The infrastructure team is currently investigating.

Please contact Sophos Technical Support if you are experiencing this issue and reference this article.

This article will be updated when information becomes available.


Sophos Diagnostic Utility (SDU): Using the utility and sending files to Sophos Technical Support

The Sophos Diagnostic Utility (SDU) collects vital system information as well as log files for all Sophos products that are installed on the computer.

If you have not already done so, download and install (or locate) the SDU by following the article Sophos Diagnostic Utility (SDU): How to locate and download. The instructions below describe how to run the utility and send the results to Sophos Technical Support.


Applies to the following Sophos products and versions

Sophos Diagnostic Utility

Sophos Anti-Virus for Linux 9.15.0

Sophos Linux Security 10.4.0

In managed Sophos environments, the Sophos Diagnostic Utility may be available in more than one location.

Running Sophos Diagnostic Utility from Autoupdate cache, Distribution Location, or ZIP extraction

  • Double-click on sdugui.exe to launch the Sophos Diagnostic Utility user interface.
  • Double-click on sducli.exe to run the Sophos Diagnostic Utility via Command Prompt.

Running an installed version of the Sophos Diagnostic Utility (EXE Version)

  • Go to Start | Programs | Sophos | Sophos Diagnostic Utility and select Sophos Diagnostic Utility.


Advisory: SQL injection vulnerability on Cyberoam Firewall devices

A SQL injection vulnerability has been discovered in Cyberoam appliances running the Cyberoam operating system (CROS) that allows for unauthenticated remote code execution.

A small percentage of appliances have been impacted by a cryptominer that consumed CPU cycles, and our investigations have found no evidence that any data has been compromised or exfiltrated from those appliances.

For customers running CROS version 10.6.1 and above that use the default setting of automatic updates, the hotfix was automatically installed, and there is no action required. Customers who have changed their default settings will need to apply the update manually.


Applies to the following Sophos products and versions

Cyberoam UTM with Cyberoam OS

CROS Version                    Patch Distributed
Version 10.6.3 and above        December 7, 2017
Version 10.6.1, 10.6.2.x        December 8, 2017
All versions prior to 10.6.1    Upgrade to current CROS version

If you have any further questions please contact Sophos Support.

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.


CVE-2018-5390: SegmentSmack: kernel: tcp segments with random offsets may cause a remote denial of service

CVE-2018-5390 (SegmentSmack) is a new flaw in the way the Linux kernel handles specially crafted TCP packets.

Sophos Central makes use of Amazon AMI services which may be affected.

  • There is no risk of data leakage, but there was a Denial of Service (DoS) risk on affected Central Services.
  • The patch to mitigate CVE-2018-5390 was rolled out to our Amazon Instances on August 11th, 2018.
  • No further action is required for Sophos Products.
  • Read the CVE information and check if your non-Sophos systems are affected.


Advisory: Sophos Central – MFA option disabled after login change and Central AD-Sync

Sophos is investigating an issue between the Central Admin AD sync utility and MFA-enabled Central administrators (e.g. Read Only, Helpdesk, Admin or Super Admin).

Some customers are reporting that after changes are made to a Central Login that has Central Multi-Factor Authentication (MFA) enabled (either a change within Central itself, or change within Active Directory) – the MFA requirement for login is being incorrectly disabled. When this happens, users will only be asked for their Central Login.

Changes to a login’s record that may trigger this issue after re-syncing via the Central AD sync utility include:

  • Adding, or removing user from groups (AD)
  • Adding, or removing email aliases (AD)
  • Changing email, or login info (AD)
  • Changing name (AD)
  • Editing logins (Central)

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

  • Affects Central Admin customers that use the MFA login option AND use the Central AD sync utility AND have made a change to that user’s record within either Active Directory or the Central Dashboard.
    • Affected Central logins that previously had MFA enabled will be able to log in with just their Central login password.
  • There are no errors or other indication when this issue occurs. An administrator will only notice that they are no longer asked to enter MFA when logging into Sophos Central.
  • Sophos is actively working on a resolution for this with a high priority.
  • While this issue is being resolved, Sophos recommends not making any changes to a user’s record within Active Directory or within Central Admin if they also have an MFA Central login.
    • Federated/Azure logins are not affected by this.
  • Affected customers should follow the ‘Workaround’ section below.

Workaround

  • Turn off and re-enable MFA for the affected user(s).
    • Any user who was affected will be prompted to set up MFA again on next login.
    • Any user who was not affected will not see any changes.
  • To do this, go to Global Settings > Multi-Factor Authentication (MFA), which is under the ‘General’ section.

    Note: this global setting is available to Super Admin level logins only.

    • Whether you currently have the option ‘All admins need MFA’ or ‘Select admins who will need MFA’ selected, perform the following steps:
      • Turn off MFA (the first radio button).
      • Choose the ‘Save’ button.
      • Until the issue is resolved, make any changes you need for your users with MFA logins and perform an AD sync before re-enabling MFA.
      • Re-enable the MFA option you had previously selected (previously selected admins are remembered).
      • Choose the ‘Save’ button.
    • Any impacted admins will now be prompted to set up MFA again during their next login to Central Admin.

This article will be updated when more information becomes available.


Sophos Central Endpoint: Dashlane Mozilla Firefox extension may not function correctly

The Mozilla Firefox extension for Dashlane Password Manager may not function correctly when installed alongside Sophos Central Endpoint. Customers may see that the browser extension icon is greyed out and cannot be accessed.

The Dashlane Firefox extension requires anti-virus and firewall software to be configured in a particular way to allow access to the extension.

This article describes the steps to resolve this issue.


Applies to the following Sophos products and versions

Sophos Cloud Managed Endpoint

Initially, please follow the guidance published by Dashlane in this article.

Additionally, please run through the steps below on the affected machines to exclude the Dashlane ports from the Sophos Web Filter:

  1. Open regedit
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swi_callout
  3. Create or modify the multi-string value LoopbackBypass
  4. Add the below values in (each one as a new line)
    • 11456
    • 15674
    • 17896
    • 21953
    • 32934
  5. Restart the Sophos Web Filter service

Note: You may also need to restart your browser for the changes to take effect.


Sophos Anti-virus for UNIX: Migrating a protected UNIX server managed by Sophos Enterprise Console to a Standalone (unmanaged) implementation

This article provides details on how to migrate a Sophos Enterprise Console (SEC) managed UNIX server to a Standalone implementation.

Note: This command is irreversible. To re-register the UNIX server to Sophos Enterprise Console after running this command, you will need to re-install Sophos Anti-virus.


Applies to the following Sophos product(s) and version(s)

Enterprise Console 5.5.0

Enterprise Console 5.5.1

Sophos Anti-Virus for Unix version 9.15.x

Operating systems

Solaris SPARC, Solaris Intel, HP-UX and AIX running Sophos Anti-Virus version 9.15.x

Support for SEC-management of UNIX servers is due to end after 31 December 2019. Sophos will continue to support standalone deployments of Sophos Anti-virus for UNIX after this date. See Sophos Anti-Virus for Linux and UNIX: Changes to supported platforms.

Sophos recommends customers migrate SEC-managed Sophos Anti-virus for UNIX deployments to standalone configurations before December 2019.

In a SEC-managed configuration, the UNIX server receives updates and policy changes from the Sophos Enterprise Console (SEC) and reports any detected threats back to the console. After migration to a standalone configuration, SEC will not receive any alerts or events and the SEC entry for the UNIX server will display the machine as inactive. The UNIX server will continue to receive updates from the Central Installation Directories (CIDs) on the SEC server, but the Sophos Enterprise Console will no longer manage the updates. If the SEC server is turned off, updates on the standalone UNIX server will stop unless a secondary update source is defined.

In order to obtain alerts for the standalone UNIX server following migration from Sophos Enterprise Console you will need to configure a valid email address.

Actions before migration

Before starting please confirm whether scheduled scans have been created within the Sophos Enterprise Console and named using a double-byte non-ASCII character set. If so, please refer to the notes below for additional actions.

The ability to perform a migration to a standalone implementation is available as a new de-registration command line option with SAV for Unix v9.15.0 and later. After migration all configuration and management tasks for the UNIX server will require the use of the SAV command-line interface. There are some tasks which are simpler to perform on the SEC server before migration, including:

  • Configure a Secondary Update Server via SEC server before the migration. Please review the chapter titled Configuring the updating policy in the Sophos Enterprise Console help guide for details on configuring a Secondary Update server.
  • Set up all necessary email alerting. Please review the chapter titled Setting up alerts and messages in the Sophos Enterprise Console help guide for details on setting up email alerting.

To initiate the migration to a standalone deployment, run the following command on your UNIX server.

Note: This command is irreversible. To re-register the UNIX server to Sophos Enterprise Console after running this command, you will need to re-install Sophos Anti-virus.

# /opt/sophos-av/bin/savdctl deregisterRMS

  • The de-registration process first stops the UNIX server reporting to the Sophos Enterprise Console (SEC) by stopping and removing Sophos’ Remote Management Services (RMS).
  • AutoUpdate is then configured on the standalone server with the update period that was configured in SEC.
  • The update source details are then copied from the Sophos Enterprise Console.
  • Any configured named scans are migrated to the standalone server. The name used to identify the scans is changed slightly from SEC:nameofscan to SEC_nameofscan. This is to help you to distinguish scan configurations that are migrated from SEC, from any newly created scans.
  • The process then migrates the email alert and messaging configurations from the Sophos Enterprise Console to the standalone deployment.
  • The output of the migration can be viewed in /opt/sophos-av/log/deregisterRMS.log

After migration

The entry for the migrated UNIX server is not removed from Sophos Enterprise Console. If required, entries remaining in SEC can be cleaned up after migration by deleting them in the console.

Note: If the UNIX updates are removed from the subscriptions in the Sophos Enterprise Console, then the CID UNIX update location will no longer be updated. This could cause the protection on the migrated standalone UNIX server to become out of date, even if a secondary source is available. In this situation, reconfigure the standalone server with a current and valid update source.

Air gapped: In an air-gapped environment where the UNIX endpoint was receiving updates from a SEC server, the process used to update SEC should continue to include UNIX updates. This ensures the UNIX server keeps receiving updates after moving to a standalone, unmanaged state.

Additional considerations for non-ASCII character scheduled scans

The deregisterRMS command needs to migrate scheduled scans that have been created within the Sophos Enterprise Console. The command cannot process scans named using non-ASCII characters: running deregisterRMS in the C locale will fail.

As a workaround, you can either:

  1. Rename the scheduled scans so that they use only ASCII characters, or
  2. Run deregisterRMS in a UTF-8 locale (set the LC_ALL and LANG environment variables), for example:

     AIX: LANG=JA_JP
     HP-UX: LANG=ja_JP.utf8
     Solaris: LANG=ja_JP.UTF-8
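The following added example (not Sophos’ own tooling) wraps the deregisterRMS step from the migration procedure together with the locale caveat of this section: it refuses to run when any SEC scheduled-scan name contains non-ASCII characters and the effective locale is not UTF-8. Scan names are passed as arguments, since the article gives no command to list them; the AIX upper-case-locale rule is an assumption about AIX naming, not something from the article.

```shell
#!/bin/sh
# Added example (not Sophos' own tooling): pre-flight wrapper for the
# deregisterRMS migration. It refuses to run in a non-UTF-8 locale when any
# SEC scheduled-scan name contains non-ASCII characters, which is the
# failure mode described above. Scan names are passed as arguments.

# Print "yes" if the locale name denotes a UTF-8 locale, else "no".
is_utf8_locale() {
    case "$1" in
        *[Uu][Tt][Ff]-8*|*[Uu][Tt][Ff]8*) echo yes; return 0 ;;
    esac
    # Assumption: AIX names its UTF-8 locales with an upper-case language
    # code (hence LANG=JA_JP in the article); lower-case ja_JP is not UTF-8.
    lang=${1%%_*}
    if [ -n "$lang" ] && [ "$lang" != "$1" ] &&
       [ "$lang" = "$(printf '%s' "$lang" | LC_ALL=C tr a-z A-Z)" ]; then
        echo yes
    else
        echo no
    fi
}

# The locale the command will actually run in: LC_ALL overrides LANG.
effective_locale() {
    if [ -n "${LC_ALL:-}" ]; then echo "$LC_ALL"; else echo "${LANG:-C}"; fi
}

# Print "yes" if the scan name is printable ASCII only, else "no".
# LC_ALL=C makes grep compare raw bytes, so the check is locale-independent.
name_is_ascii() {
    if printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'; then echo no; else echo yes; fi
}

# Print "ok" when deregisterRMS can safely run with the given scan names;
# otherwise print the reason and return 1.
preflight() {
    loc=$(effective_locale)
    for name in "$@"; do
        if [ "$(name_is_ascii "$name")" = no ] && [ "$(is_utf8_locale "$loc")" = no ]; then
            echo "blocked: scan '$name' is non-ASCII and locale '$loc' is not UTF-8"
            return 1
        fi
    done
    echo ok
}

# Run the migration (as root) only when pre-flight passes, then show the log
# named in the article. The command is irreversible, as the article warns.
migrate() {
    preflight "$@" || return 1
    /opt/sophos-av/bin/savdctl deregisterRMS &&
        tail -n 20 /opt/sophos-av/log/deregisterRMS.log
}

# usage (as root): LC_ALL=ja_JP.UTF-8 migrate 'SEC:Daily scan' 'SEC:週次スキャン'
```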


Sophos Anti-virus for Linux: Linux endpoint not reporting as registering to Central though the MCS.log file and config file show that it has registered.

A Linux endpoint is not reporting as registered to the Cloud even though the MCS.log file and config file show that it has registered. The following error may be seen when the Linux machine is not present in the DNS A records or the hosts file, so the lookup against itself fails:

subprocess.CalledProcessError: Command '['hostname', '-f']' returned non-zero exit status 1

This is most likely due to a name resolution issue while the endpoint is trying to register itself with the Cloud. During this process two DNS queries are performed from the endpoint: one for the AWS cloud server, the other for the Linux machine itself.

The lookup process is as follows:

  1. DNS lookup from the endpoint for the AWS cloud service.
  2. Once the IP address is identified by the DNS lookup, a TLSv1 session to the AWS cloud is made (typically a ‘Server Hello’ is communicated).
  3. DNS lookup for the Linux machine itself.
  4. Once the lookup for itself succeeds, the next TLSv1 session with the AWS cloud is made (typically a ‘Client Hello’ is communicated).

When this error is seen the Linux machine is not registered in the DNS A records or hosts file so the lookup against itself fails.


Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Once a record in the DNS server for the Linux machine has been specified the registration with Sophos Central should proceed. Alternatively, the hosts file can be updated by adding the machine name of the Linux machine itself.
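As an added example (not part of Sophos Anti-Virus for Linux), the following POSIX shell pre-flight reproduces the check the registration depends on: it runs hostname -f and, when that fails, tells you whether the machine’s own name is missing from /etc/hosts and suggests an entry. The hosts-file parser and the use of hostname -I are assumptions of this example; the sample hosts lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of Sophos Anti-Virus for Linux): pre-registration
# check for the failure described above. Central registration needs
# `hostname -f` to succeed, so the endpoint must be able to resolve its own
# name via DNS or /etc/hosts.

# Return 0 if the hosts file maps an address to the given name (exact match
# on a name field; comments stripped first). Args: hosts file, name.
hosts_has_name() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Build the /etc/hosts line that would make the self-lookup work.
# Arg: desired FQDN. Assumption: `hostname -I` (Debian/net-tools) lists the
# machine's addresses; falls back to 127.0.1.1 when it is unavailable.
suggest_hosts_line() {
    short=$(hostname 2>/dev/null || uname -n)
    ip=$(hostname -I 2>/dev/null | awk '{ print $1 }')
    printf '%s %s %s\n' "${ip:-127.0.1.1}" "$1" "$short"
}

# Pre-flight: print "ok: <fqdn>" when hostname -f works; otherwise explain
# the problem, print a suggested hosts entry if the name is missing, and
# return 1. Arg: FQDN to use in the suggestion.
preflight_fqdn() {
    if fqdn=$(hostname -f 2>/dev/null) && [ -n "$fqdn" ]; then
        echo "ok: $fqdn"
        return 0
    fi
    echo "hostname -f failed: this endpoint cannot resolve its own name" >&2
    if ! hosts_has_name /etc/hosts "$(hostname 2>/dev/null || uname -n)"; then
        echo "suggested /etc/hosts entry: $(suggest_hosts_line "$1")" >&2
    fi
    return 1
}

# usage: preflight_fqdn sav-lnx01.example.test
```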


Advisory: Sophos XG, UTM, Cyberoam and Central Email may be quarantining legitimate emails

Sophos is investigating reports from Sophos XG, UTM, Cyberoam and Central customers that legitimate email is being quarantined.

Note: This issue seems to be mostly affecting customers with British domains (co.uk, ltd.uk, .uk).

Applies to the following Sophos product(s) and version(s)

Sophos XG, UTM, Cyberoam and Central Email

Impact

Some Sophos customers may experience legitimate emails being blocked or quarantined. Inbound and outbound emails are affected.

Some appliances are still reporting false positive SPAM detections due to cached lookups. Sophos has released a hotfix via a pattern update to clear the cache automatically on SG/XG appliances. This has now been released for all versions of the UTM and XG.

Note: If you are still experiencing false positive detections, the steps below will clear the cache manually for each affected product.

We also recommend reviewing the content of your quarantine to ensure that any erroneously quarantined emails are released. This can be done by either the administrator or by the end user if the respective product end user portal is enabled.

UTM

To clear the cache manually, run the following commands as root:

/var/mdw/scripts/ctasd_inbound stop
/var/mdw/scripts/ctasd_outbound stop
mv /var/cache/ctasd /var/cache/ctasd.old
/var/mdw/scripts/ctasd_inbound start
/var/mdw/scripts/ctasd_outbound start

In order to review the quarantine and release any affected mail, please refer to the Mail Manager section (page 336) of the UTM Administrator Guide.

Mail Manager can be located under Email Protection > Mail Manager in the UTM user interface.

Sophos XG Firewall:

To clear the cache manually, login as admin and run the following commands:

service antispam:stop -ds nosync
rm -rf /sdisk/as/*
rm -rf /sdisk/os/*
service antispam:start -ds nosync

In order to review the quarantine and release any affected mail please refer to the Sophos XG Firewall online help section.

SMTP Quarantine can be located under Email > SMTP Quarantine in the XG Firewall user interface.

Cyberoam:

Affected customers should contact Sophos Support.

In order to review the quarantine and release any affected mail, please refer to page 41 of the Cyberoam OS Administration Guide.

Sophos Email:

No action is required to clear the cache. Services were restarted at noon on 8th May, and no new mail should be affected by this issue after that time. In order to review the quarantine for Sophos Email and release any affected mail, please refer to the Sophos Email online help.

The issue with the live lookup data has been resolved; however, some cached data may still be causing problems. Any customers still experiencing false positive detections should carry out the steps above for their affected product.

If symptoms are still being experienced after carrying out these steps, please contact Sophos Support with a sample of the released email if possible.

Moving forward, customers should subscribe to the Sophos SMS Mobile Notification service to be notified of product issues such as this.
