Advisory – Sophos Central Email: Certain characters from Office 365 emails are being rewritten as question marks

An inbound email received from an Office 365 (O365) domain that contains a URL link will cause Time of Click (ToC) to rewrite apostrophes and other characters as question marks.

Emails will still be delivered successfully.

Applies to the following Sophos product(s) and version(s)

Sophos Central Email

Apostrophe (‘) and dash (-) characters are being replaced with a question mark (?) in the email body.

Sophos is actively investigating this issue.

Please review the workaround below and check this article for the latest updates.

Option 1

If you are aware of the URL that will be sent, you can add the URL to the Time of Click allow list. This can be found under Central Email Settings.

Option 2

If you trust the sender of the email, you can add them to your Inbound Allow / Block list under Central Email Settings.

Option 3

Disable Time of Click for the user or group having the issue. This can be done by creating a new policy and only disabling this setting for users that are affected by the issue. This can only be applied to the recipient of the email.

This article will be updated when more information becomes available.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Sophos Anti-Virus for Linux: How to do a manual uninstallation

This article describes the steps to remove SAV for Linux manually in the event that a standard removal does not work or is not possible.

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sometimes it is necessary to remove SAV for Linux from a Linux server. One reason may be that an initial installation has gone wrong or been corrupted in some way. Before reinstalling, all parts of the original installation must be removed.

The first removal step should always be to attempt removal by running the normal uninstaller:

# /opt/sophos-av/uninstall.sh

If this does not complete or will not run for some reason, the following steps can be used to remove SAV for Linux:

  1. Stop the daemons/services, using the commands for the init system in use (SysV init, systemd, Upstart or Solaris SMF):

    # /etc/init.d/sav-protect stop

    # /etc/init.d/sav-rms stop

    # systemctl stop sav-protect

    # systemctl stop sav-rms

    # stop sav-protect (on upstart systems)

    # stop sav-rms (on upstart systems)

    # svcadm disable sav-protect

    # svcadm disable sav-rms

  2. Remove the startup configuration. Note that some of the commands are platform specific, so use the appropriate command for the given Linux/Unix platform.

    1. Remove the systemctl configuration.

      # systemctl disable sav-protect

      # systemctl disable sav-rms

      # rm -fv /lib/systemd/system/sav-{protect,rms,update}.service

      # rm -fv /usr/lib/systemd/system/sav-{protect,rms,update}.service

    2. Remove the Upstart configuration.

      # rm -fv /etc/init/{sav-protect,sav-rms,sav-update}.conf

    3. Remove the SVC configuration.

      # svccfg delete -f sav-protect

      # svccfg delete -f sav-rms

      # svccfg delete -f sav-update

    4. Remove SysV and compatibility scripts.

      # rm -fv /etc/init.d/sav-{protect,rms}

      # rm -fv /etc/init.d/rc*.d/S*sav-{protect,rms}

      # rm -fv /etc/init.d/rc*.d/K*sav-{protect,rms}

      # rm -fv /etc/rc*.d/S*sav-{protect,rms}

      # rm -fv /etc/rc*.d/K*sav-{protect,rms}

      # rm -fv /sbin/rc*.d/S*sav-{protect,rms}

      # rm -fv /sbin/rc*.d/K*sav-{protect,rms}

  3. Remove savscan/sweep symlinks.

    # rm -fv /usr/local/bin/{savscan,sweep} /usr/bin/{savscan,sweep}

  4. Remove man-pages.

    # rm -fv /usr/local/share/man/man1/savscan.1

    # rm -fv /usr/local/share/man/man8/savconfig.8 /usr/local/share/man/man8/savdstatus.8 /usr/local/share/man/man8/savscand.8 /usr/local/share/man/man8/savd.8 /usr/local/share/man/man8/savlog.8 /usr/local/share/man/man8/savsetup.8 /usr/local/share/man/man8/savdctl.8 /usr/local/share/man/man8/sav-protect.8 /usr/local/share/man/man8/savupdate.8

    # rm -fv /usr/local/share/man/ja/man1/savscan.1 /usr/local/share/man/ja/man8/savconfig.8 /usr/local/share/man/ja/man8/savd.8 /usr/local/share/man/ja/man8/savdctl.8 /usr/local/share/man/ja/man8/savdstatus.8 /usr/local/share/man/ja/man8/savlog.8 /usr/local/share/man/ja/man8/sav-protect.8 /usr/local/share/man/ja/man8/savscand.8 /usr/local/share/man/ja/man8/savsetup.8 /usr/local/share/man/ja/man8/savupdate.8

    # rm -fv /usr/local/share/man/ja_JP.UTF-8/man1/savscan.1 /usr/local/share/man/ja_JP.UTF-8/man8/savconfig.8 /usr/local/share/man/ja_JP.UTF-8/man8/savd.8 /usr/local/share/man/ja_JP.UTF-8/man8/savdctl.8 /usr/local/share/man/ja_JP.UTF-8/man8/savdstatus.8 /usr/local/share/man/ja_JP.UTF-8/man8/savlog.8 /usr/local/share/man/ja_JP.UTF-8/man8/sav-protect.8 /usr/local/share/man/ja_JP.UTF-8/man8/savscand.8 /usr/local/share/man/ja_JP.UTF-8/man8/savsetup.8 /usr/local/share/man/ja_JP.UTF-8/man8/savupdate.8

  5. Delete installation directory.

    # rm -rf /opt/sophos-av
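The five steps above as one script, added here as an example rather than Sophos' own uninstaller. It generalises the page's explicit file lists into globs (for instance every sav-*.service unit and every sav* man page), picks the service manager that is present, and finishes with the check a reinstall depends on: nothing left on disk and no SAV process still running. SAV_PREFIX and SAV_RUN are assumptions of this script, not Sophos settings; with SAV_PREFIX pointing at a scratch directory the clean-up can be rehearsed without touching the real filesystem, and nothing destructive runs unless SAV_RUN=1.

```sh
#!/bin/sh
# Manual clean-up of Sophos Anti-Virus for Linux (SAV) leftovers.
# Added example, not Sophos' own uninstaller. The paths are the ones the
# knowledge-base steps above delete; SAV_PREFIX (an assumption, default "")
# is prepended to every path so the clean-up can be rehearsed against a
# scratch directory before it is run against the real root filesystem.
set -u

SAV_PREFIX="${SAV_PREFIX:-}"   # "" = the real root filesystem

# Step 1: stop and disable the daemons with whichever service manager exists
# (the first one found wins; errors are ignored so a half-installed SAV does
# not stop the clean-up).
sav_stop_services() {
    for svc in sav-protect sav-rms; do
        if command -v systemctl >/dev/null 2>&1; then
            systemctl stop "$svc" 2>/dev/null; systemctl disable "$svc" 2>/dev/null
        elif command -v svcadm >/dev/null 2>&1; then        # Solaris SMF
            svcadm disable "$svc" 2>/dev/null
        elif command -v initctl >/dev/null 2>&1; then       # Upstart
            initctl stop "$svc" 2>/dev/null
        elif [ -x "/etc/init.d/$svc" ]; then                # SysV init
            "/etc/init.d/$svc" stop 2>/dev/null
        fi
    done
    return 0
}

# Everything the knowledge-base steps delete, as globs (brace expansion is
# avoided so the script stays POSIX sh). Prints only entries that exist.
sav_candidate_paths() {
    sav_r="$SAV_PREFIX"
    for p in \
        "$sav_r"/lib/systemd/system/sav-*.service \
        "$sav_r"/usr/lib/systemd/system/sav-*.service \
        "$sav_r"/etc/init/sav-*.conf \
        "$sav_r"/etc/init.d/sav-protect "$sav_r"/etc/init.d/sav-rms \
        "$sav_r"/etc/init.d/rc*.d/[SK]*sav-* \
        "$sav_r"/etc/rc*.d/[SK]*sav-* \
        "$sav_r"/sbin/rc*.d/[SK]*sav-* \
        "$sav_r"/usr/local/bin/savscan "$sav_r"/usr/local/bin/sweep \
        "$sav_r"/usr/bin/savscan "$sav_r"/usr/bin/sweep \
        "$sav_r"/usr/local/share/man/man[18]/sav*.[18] \
        "$sav_r"/usr/local/share/man/ja*/man[18]/sav*.[18] \
        "$sav_r"/opt/sophos-av
    do
        # -L catches dangling symlinks (savscan/sweep links outlive /opt/sophos-av)
        [ -e "$p" ] || [ -L "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Steps 2 to 5: startup configuration, symlinks, man pages, install directory.
sav_remove_files() {
    if command -v svccfg >/dev/null 2>&1; then              # Solaris SMF manifests
        for svc in sav-protect sav-rms sav-update; do svccfg delete -f "$svc" 2>/dev/null; done
    fi
    sav_candidate_paths | while IFS= read -r p; do
        rm -rf -- "$p"
    done
    return 0
}

# Post-removal check: a reinstall over leftovers is how the next installation
# ends up corrupted, so refuse to call the job done while anything remains.
sav_leftovers() {
    sav_left=$(sav_candidate_paths)
    [ -z "$sav_left" ] && return 0
    printf 'Leftover SAV files:\n%s\n' "$sav_left" >&2
    return 1
}

# Daemons that survived step 1 still hold files open under /opt/sophos-av.
sav_running() {
    command -v pgrep >/dev/null 2>&1 || return 0
    if pgrep -f "$SAV_PREFIX/opt/sophos-av/" >/dev/null; then
        echo "SAV processes are still running; stop them before reinstalling" >&2
        return 1
    fi
    return 0
}

# Only run the whole sequence when explicitly asked (SAV_RUN=1, an assumption
# of this script), so sourcing the file for a dry run changes nothing.
if [ "${SAV_RUN:-0}" = 1 ]; then
    sav_stop_services
    sav_remove_files
    sav_leftovers && sav_running && echo "SAV for Linux removed"
fi
```

Run it as root with SAV_RUN=1 on the affected host; run it with SAV_PREFIX set to a directory that mirrors the host's layout to see what would be deleted first.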


Using mkinstpkg to create deployment packages for Sophos Anti-Virus for Linux, v 9

In Sophos Anti-Virus for Linux/Unix v9 the deployment package tool, mkinstpkg, has a new location. The tool is no longer available in the CID (central installation directory).

Known to apply to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Linux/Unix 9

Operating systems

Linux

Unix

What To Do

To create a pre-configured deployment package, follow these instructions:

  1. Go to the directory /opt/sophos-av/update/.
  2. Do one of the following:
    • To create a tar format deployment package, called savinstpkg.tgz, type: ./mkinstpkg
    • To create an RPM format deployment package (Linux Only), called savinstpkg-0.0-1.i586.rpm, type:

      ./mkinstpkg -r

      Note: The filename may vary slightly depending on the RPM setup.
  3. Use your own tools to copy this package to the computers where you want to install Sophos Anti-Virus.

Configuration options can be set when creating the package with mkinstpkg, such as setting the install package to default to Fanotify instead of Talpa for on-access scanning (please see 118231 and 118216). The command in this case would be: ./mkinstpkg --extra-options="--preferFanotify"

More information on these configuration options can be found in section 11, Appendix "Command Line Options for Mkinstpkg", in the Sophos Anti-Virus for Linux startup guide.
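The build step and the copy step above, as an added example that is not a Sophos tool. It runs mkinstpkg from the update directory with the --extra-options value passed as a single argument (the quoting the page's example shows), then goes one step beyond the page: it records the package's SHA-256 in a sidecar file so each target can refuse a copy that was altered in transit before anything from it is installed. Assumptions of this script: mkinstpkg writes the package into its own directory, SAV_UPDATE_DIR (default /opt/sophos-av/update) is overridable, and sha256sum from coreutils is available on both hosts.

```sh
#!/bin/sh
# Build a pre-configured SAV for Linux deployment package with mkinstpkg and
# record its SHA-256 so each target can check the copy it received before
# installing it. Added example, not a Sophos tool. Assumptions: mkinstpkg
# writes the package into its own directory (SAV_UPDATE_DIR, default
# /opt/sophos-av/update) and sha256sum (coreutils) exists on both hosts.
set -u

SAV_UPDATE_DIR="${SAV_UPDATE_DIR:-/opt/sophos-av/update}"

# sav_build_package FORMAT [EXTRA_OPTS]
#   FORMAT      tgz (./mkinstpkg) or rpm (./mkinstpkg -r)
#   EXTRA_OPTS  install-time options baked into the package, e.g. --preferFanotify
# Prints the path of the package and writes PKG.sha256 next to it.
sav_build_package() {
    fmt="$1"; extra="${2:-}"
    [ -x "$SAV_UPDATE_DIR/mkinstpkg" ] || { echo "mkinstpkg not found in $SAV_UPDATE_DIR" >&2; return 1; }
    case "$fmt" in
        tgz) flag="" ;;
        rpm) flag="-r" ;;
        *)   echo "unknown package format: $fmt" >&2; return 1 ;;
    esac
    (
        cd "$SAV_UPDATE_DIR" || exit 1
        # The whole --extra-options value must reach mkinstpkg as one argument,
        # which is what the quotes in the knowledge-base example are for.
        if [ -n "$extra" ]; then ./mkinstpkg $flag --extra-options="$extra"
        else ./mkinstpkg $flag; fi
    ) || return 1
    case "$fmt" in
        tgz) pkg="$SAV_UPDATE_DIR/savinstpkg.tgz" ;;
        # the RPM name varies with the RPM setup, so take the newest one
        rpm) pkg=$(ls -t "$SAV_UPDATE_DIR"/savinstpkg*.rpm 2>/dev/null | head -n 1) ;;
    esac
    [ -n "$pkg" ] && [ -f "$pkg" ] || { echo "mkinstpkg produced no package" >&2; return 1; }
    # Record only the basename so the sidecar still verifies after the copy,
    # wherever the target keeps the package.
    (cd "$(dirname "$pkg")" && sha256sum "$(basename "$pkg")" > "$(basename "$pkg").sha256") || return 1
    printf '%s\n' "$pkg"
}

# sav_verify_package PKG
# Run on the target after copying PKG and PKG.sha256 there with your own tools;
# refuses a package whose hash no longer matches what the build host recorded.
sav_verify_package() {
    pkg="$1"
    [ -f "$pkg" ] && [ -f "$pkg.sha256" ] || { echo "package or .sha256 sidecar missing" >&2; return 1; }
    if (cd "$(dirname "$pkg")" && sha256sum -c "$(basename "$pkg").sha256") >/dev/null 2>&1; then
        return 0
    fi
    echo "checksum mismatch for $pkg; do not install it" >&2
    return 1
}
```

On the build host: `pkg=$(sav_build_package tgz --preferFanotify)` then copy `$pkg` and `$pkg.sha256` together; on each target: `sav_verify_package /path/to/savinstpkg.tgz || exit 1` before unpacking.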

For more information on creating and using deployment packages, please see the Enterprise Console guide for managing Linux and Unix computers:

http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx

Related:

  • No Related Posts

Resolved – Advisory: Sophos Central Firewall Manager (SCFM): Devices disconnected and are unable to be added

We are currently investigating reports of XG devices being disconnected in SCFM. Device IP/Domain configuration has been removed and cannot be re-added.

Applies to the following Sophos product(s) and version(s)

Sophos Central Firewall Manager

Some customers are unable to manage their XG devices on SCFM.

Development has confirmed that the services are stable and working correctly.

Please check your SCFM instance and log a case if you are still experiencing problems.


Advisory – Sophos Central Firewall Manager (SCFM): Devices disconnected and are unable to be added

We are currently investigating reports of XG devices being disconnected in SCFM. Device IP/Domain configuration has been removed and cannot be re-added.

Applies to the following Sophos product(s) and version(s)

Sophos Central Firewall Manager

Some customers are unable to manage their XG devices on SCFM.

Sophos is actively investigating this issue.

Affected customers should raise a support case and mention this article.

This article will be updated when more information becomes available.


RESOLVED – Advisory: Sophos Central customers in the NA region may experience intermittent install failures

Some Central customers who are hosted in one of our North American regions may experience intermittent install failures. Please wait five minutes and re-attempt with the same installation package if an installation failure is experienced.

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

Sophos Central Enterprise Dashboard

Sophos Central Partner

Sophos has resolved this issue on March 13 2019 at 00:10 (UTC).


RESOLVED – Advisory – Sophos Endpoint: Updating failure on package IDE564

We received reports of Sophos Endpoints experiencing update and installation issues starting at 17:00 UTC March 12, 2019. This was caused by a bad IDE package update. Sophos resolved this issue at 19:00 UTC March 12, 2019 by rolling back the IDE package.

Applies to the following Sophos product(s) and version(s)

Sophos Endpoints (Central, Home, On-prem, UTM Managed, Standalone)

Sophos Endpoints were experiencing issues updating and new installations were failing.

No protection impact caused to existing endpoints.

Resolved as of 19:00 UTC March 12, 2019.


Sophos Anti-Virus for Mac: Risk of privilege escalation when using the Sophos endpoint installer

We are aware of a security risk that affects only the initial installation of the endpoint protection for Mac. Once it is successfully installed there is no further risk.

There is a very narrow window of opportunity for an attacker to inject a program into the installation package and run it with elevated privileges on a macOS (OS/X) system. This opportunity exists only when the user is being prompted for their administrative credentials during initial installation. The injection cannot occur before the installer has been run or before the prompt, as the Sophos installer performs a self-check to mitigate against this type of attack. Only an attack while the prompt is displayed can be successful using this injection technique. Successful exploitation requires the attacker to be running their malicious code on the system prior to the user launching the Sophos installer.

This vulnerability will be addressed in an update in the last quarter of 2017.

Applies to the following Sophos products and versions

Sophos Home

Sophos Anti-Virus for Mac Home Edition

Sophos Anti-Virus for Mac OS X

Sophos Cloud Managed Endpoint 9.6.3 (Mac)

An effective mitigation against this attack is to install using the command line. First secure the installation package against tampering by unauthorized users, then verify that it is a legitimate version of the installer.

How to validate and lock down the installation package using a terminal

  1. Elevate your privileges to root:

    sudo su -

  2. Change directory (cd) into the location containing the Sophos installation package, then change ownership and permissions on the entire package:

    chown -R root:wheel "Sophos Installer.app"

    chmod -R a-w "Sophos Installer.app"

  3. Verify the authenticity of the Sophos installation package:

    codesign -v "Sophos Installer.app" ; echo $?

    The expected success return value is zero. Any other return value indicates the package has been corrupted and must not be used. Do not proceed if the codesign tool returns error messages or a non-zero result code.

  4. Once verified, run the command line installation tool:

    "Sophos Installer.app/Contents/MacOS/tools/InstallationDeployer" --install
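The four steps above as one script, added here as an example and not Sophos' own code. The bundle name contains a space, so every reference to it is quoted; the script also adds the check the procedure implies but does not state, confirming after step 2 that no writable entry is left inside the bundle, and it refuses to launch the installer unless codesign returned zero. CODESIGN, SAV_OWNER, INSTALLER and SAV_RUN are assumptions of this script (defaults: the real codesign tool, root:wheel, "Sophos Installer.app" in the current directory, and do nothing unless SAV_RUN=1), made overridable so the logic can be exercised against a scratch bundle on a non-Mac host.

```sh
#!/bin/sh
# Lock down and verify a "Sophos Installer.app" bundle before running its
# command-line installer, following the four knowledge-base steps above.
# Added example, not Sophos' code. CODESIGN, SAV_OWNER and INSTALLER are
# assumptions of this script, overridable so the logic can be exercised on a
# scratch bundle; the defaults are the real tool, root:wheel and the bundle
# in the current directory.
set -u

CODESIGN="${CODESIGN:-codesign}"
SAV_OWNER="${SAV_OWNER:-root:wheel}"
INSTALLER="${INSTALLER:-Sophos Installer.app}"

# Step 2: root-owned and read-only for everyone, so nothing can be written into
# the bundle while the administrative-credentials prompt is up.
sav_lockdown() {
    [ -d "$INSTALLER" ] || { echo "no bundle at: $INSTALLER" >&2; return 1; }
    chown -R "$SAV_OWNER" "$INSTALLER" && chmod -R a-w "$INSTALLER"
}

# Did the lock-down take? Counts entries with any write bit still set
# (octal tests, so the same find invocation works on macOS and Linux).
sav_writable_count() {
    find "$INSTALLER" \( -perm -200 -o -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Step 3: codesign must return 0. Anything else means the bundle is not the
# signed artefact Sophos shipped and must not be run.
sav_verify() {
    if "$CODESIGN" -v "$INSTALLER"; then
        return 0
    fi
    echo "codesign reported a problem with $INSTALLER; do not install" >&2
    return 1
}

# Step 4: run the command-line installer, but only from a verified bundle.
sav_install() {
    sav_verify || return 1
    "$INSTALLER/Contents/MacOS/tools/InstallationDeployer" --install
}

# Nothing runs unless explicitly asked (SAV_RUN=1, an assumption of this script).
if [ "${SAV_RUN:-0}" = 1 ]; then
    sav_lockdown || exit 1
    [ "$(sav_writable_count)" -eq 0 ] || { echo "bundle still has writable entries" >&2; exit 1; }
    sav_install
fi
```

Run it as root (step 1) from the directory holding the bundle: `SAV_RUN=1 sh lockdown-install.sh`.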


Sophos XG Firewall: Device booting into safe mode after upgrade to v17.5

A small subset of XG Firewall customers upgrading to SFOS v17.5 are experiencing an issue where the firewall is in a hung state and boots into safe mode because the Garner service has died. The issue is caused by an error in the Upstream Proxy configuration. It is to be resolved in SFOS v17.5.4 MR-4.

Applies to the following Sophos product(s) and version(s)

Sophos XG Firewall

Affected customers will need to roll back to their previous firmware version to recover the XG Firewall. Customers who wish to continue the upgrade to v17.5 must first roll back to their previous firmware version, remove the listed port in the Upstream Proxy configuration, and then upgrade to v17.5.

  1. SSH to the device and access the Advanced Console
  2. Revert to the previous firmware version:

    SG125_XN03_SFOS 17.5.1 MR-1# showfw

    FW0=SFLoader

    FW1=17_1_4_254

    FW2=17_5_1_347

    SG125_XN03_SFOS 17.5.1 MR-1# loadfw -d -f 17_1_4_254

    SG125_XN03_SFOS 17.5.1 MR-1# reboot

    System will reboot

    The system is going down NOW!
  3. After the device has rebooted, access the Web Admin and navigate to the Upstream Proxy configuration:

    Routing > Upstream proxy > edit the IPv4 Parent Proxy settings by first enabling the Parent Proxy > remove the listed port > disable the Parent Proxy > then click Apply.

    Repeat the same process to remove the IPv6 Parent Proxy Port.


Sophos Anti-Virus for Linux: System requirements

This article lists the system requirements of Sophos Anti-Virus for Linux for the Sophos Central, Sophos Enterprise Console and standalone versions.

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux 10

Sophos Anti-Virus for Linux 10 offers additional capabilities which include Malicious Traffic Detection and Sophos Security Heartbeat™ (applies to Central Server Protection Advanced licenses only).

Here is the list of its minimum system requirements:

Sophos Anti-Virus for Linux 9

Sophos Anti-Virus for Linux 9 is the only version available for the standalone and Enterprise Console-managed versions.

Here is the list of its minimum system requirements:

  • Supported Distributions (latest minor point or LTS version):
    • Amazon Linux, Amazon Linux 2
    • CentOS 6/7
    • Debian 8/9
    • Novell Open Enterprise Server 2015 SP1
    • Oracle Linux 6/7
    • Red Hat Enterprise Linux 6/7
      • Red Hat Enterprise Linux 6 32-bit version supported until Nov 30th 2020
    • SUSE 11/12/15
    • Ubuntu 14.04/16.04/18.04
  • System type: x86_64
  • Free disk space: 1 GB
  • Free Memory: 1 GB
  • Stack sizes: Non-default stack sizes are not supported.
  • Language version: English and Japanese (EUC and UTF-8). Shift JIS and JIS are not supported.
