Sophos Anti-Virus for Mac: Risk of privilege escalation when using the Sophos endpoint installer

We are aware of a security risk that affects only the initial installation of the endpoint protection for Mac. Once the product has been installed successfully there is no further risk.

There is a very narrow window of opportunity for an attacker to inject a program into the installation package and have it run with elevated privileges on a macOS (OS X) system. This window exists only while the user is being prompted for their administrative credentials during initial installation. The injection cannot succeed before the installer has been run or before the prompt appears, because the Sophos installer performs a self-check to mitigate this type of attack; only an injection made while the prompt is displayed can succeed. Successful exploitation also requires the attacker to already have malicious code running on the system before the user launches the Sophos installer.

This vulnerability will be addressed in an update in the last quarter of 2017.


Applies to the following Sophos products and versions

Sophos Home

Sophos Anti-Virus for Mac Home Edition

Sophos Anti-Virus for Mac OS X

Sophos Cloud Managed Endpoint 9.6.3 (Mac)

An effective mitigation against this attack is to install from the command line: first secure the installation package against tampering by unauthorized users, then verify that it is a legitimate, unmodified copy of the installer before running it.

How to validate and lock down the installation package using a terminal

  1. Elevate your privileges to root:

    sudo su -

  2. Change directory (cd) into the location containing the Sophos installation package, then change ownership and permissions on the entire package. The bundle name contains a space, so it must be quoted. The parent directory should itself be one that unprivileged users cannot write to; otherwise the whole bundle could be renamed and replaced between verification and installation:

    chown -R root:wheel "Sophos Installer.app"

    chmod -R a-w "Sophos Installer.app"

  3. Verify the authenticity of the Sophos installation package:

    codesign -v "Sophos Installer.app" ; echo $?

    The expected success return value is zero. Any other return value indicates the package has been modified or corrupted and must not be used. Do not proceed if the codesign tool prints error messages or returns a non-zero result code. Note that this check proves only that the bundle is intact and unchanged since it was signed, not who signed it; before trusting the package, also inspect the signing identity (the Authority chain in codesign's detailed output) and confirm that it names Sophos.

  4. Once verified, run the command line installation tool (again quoting the path):

    "Sophos Installer.app/Contents/MacOS/tools/InstallationDeployer" --install
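The four steps above combined into one script, as an added example; this is not Sophos's own tooling. It assumes macOS, that it runs as root, the bundle name used in this article, and that you set EXPECTED_AUTHORITY to the "Authority=" value that codesign's detailed output prints for a known-good copy of the installer (the default value is a placeholder, not Sophos's real signing identity). It goes further than the manual steps in two ways: it refuses to continue if anything in the bundle, or its parent directory, is still writable by group or others, and besides the integrity check it confirms the signer and asks Gatekeeper to assess the bundle, because an intact signature from the wrong signer would still pass `codesign -v`.

```shell
#!/bin/sh
# Added example (not Sophos code). Run as root on macOS:
#   sudo sh lockdown_and_install.sh "/path/to/Sophos Installer.app"
# EXPECTED_AUTHORITY is an assumed placeholder: set it to the Authority=
# line that `codesign -dv --verbose=4` prints for a known-good installer.
set -eu

EXPECTED_AUTHORITY=${EXPECTED_AUTHORITY:-"Sophos"}   # placeholder, see above

# lock_down BUNDLE: root:wheel ownership and no write bits anywhere inside,
# so an unprivileged process cannot swap code in while the credential
# prompt is displayed. Must run as root.
lock_down() {
    chown -R root:wheel "$1"
    chmod -R a-w "$1"
}

# writable_entries BUNDLE: print anything inside still writable by group or
# others. Octal -perm masks are used because BSD and GNU find both accept them.
writable_entries() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# is_locked_down BUNDLE: succeed only if writable_entries prints nothing.
is_locked_down() {
    [ -z "$(writable_entries "$1")" ]
}

# parent_is_safe BUNDLE: the directory holding the bundle must not be
# group/other writable either, or the whole bundle could be renamed and
# replaced between verification and installation. Deliberately conservative:
# sticky world-writable directories such as /tmp are also rejected.
parent_is_safe() {
    parent=$(dirname "$1")
    [ -z "$(find "$parent" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)" ]
}

# verify_signature BUNDLE: strict, deep signature check, then confirm who
# signed it. `codesign -v` alone shows the bundle is unmodified since it
# was signed; the Authority line and the Gatekeeper assessment cover identity.
verify_signature() {
    codesign --verify --deep --strict "$1" || return 1
    codesign -dv --verbose=4 "$1" 2>&1 \
        | grep -q "^Authority=.*$EXPECTED_AUTHORITY" || return 1
    spctl --assess --type execute "$1"
}

# install_bundle BUNDLE: the command line installer from the article.
install_bundle() {
    "$1/Contents/MacOS/tools/InstallationDeployer" --install
}

main() {
    bundle=${1:-"Sophos Installer.app"}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    lock_down "$bundle"
    is_locked_down "$bundle" || { echo "bundle still writable, refusing" >&2; return 1; }
    parent_is_safe "$bundle"  || { echo "parent directory writable, refusing" >&2; return 1; }
    verify_signature "$bundle" || { echo "signature check failed, do not install" >&2; return 1; }
    install_bundle "$bundle"
}

# Only run end to end when a bundle path is given on the command line.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Each check is a separate function so it can be run on its own; `is_locked_down` is the one to rerun after any delay between locking the package down and launching the installer.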


Related:

Ghost Console Won’t Run Remote Batch File


We have been doing a two-Task process to deploy a piece of software to computers using Ghost Console 11.5.1.2266:

Task 1) Deploy an installer and batch file to a specified directory on the target machine(s).

Task 2) Run the batch file in the deployment directory on the target machine, which successfully installs the program.

I tried this with a new piece of software, and while Task 1 copies the installer and batch file into the directory successfully, Task 2 does nothing other than claim to have completed successfully. When I run the deployed batch file on the target machine it works properly, just not through the Ghost Console Task. I tried this on multiple machines with the same results.

When I run the batch file on the target machine I can see Windows Command Processor open in Task Manager, which does not happen when I run the Task through Ghost. I do see the Ghost System Tray Provider open while the warning window comes up, but then it closes and nothing else happens.

I took the successful Task 2 for the first piece of software and changed the target information to match the new program, and it still did nothing. Then I changed it back to the original target and it worked properly for that software.

Any ideas?


Related:

DPA: The dpa.config file is not created on new DPA Agent installation

Article Number: 495822 Article Version: 3 Article Type: Break Fix



Data Protection Advisor 6.2 SP3, Data Protection Advisor 6.3

After a new installation of a Data Protection Advisor (DPA) Agent, it is observed that the dpa.config file is missing from the installation. This file is normally present and is required for the DPA Agent to function properly.

This issue is caused by user error.

In the one instance where it was observed, a user had pre-created the DPA Agent directory structure and copied a custom dpaagent_config.xml file into it. The presence of dpaagent_config.xml in the directory caused the DPA Agent installer to skip creating dpa.config and the other files it normally creates.

The DPA product is functioning as designed.

Before installing the DPA Agent, ensure the DPA Agent directories (if they exist) are empty of all files. If a custom file such as dpaagent_config.xml is required, it may be copied in after the DPA Agent installation.

Please contact Dell EMC Technical Support for further details or information.

Related:


Silent Installation/Upgrade SEP Client V 14.2.770


We are using a software distribution tool to push the SEP Clients. So far we have been successful with the Windows Clients.

I got a .zip file from the SEP Admin that contains two folders “Additional Resources” & “Symantec Endpoint Protection Installer.app”.

The Folder “Additional Resources” contains the file SEP.mpkg which I tried installing with the following parameters:

installer __Download/SEP.mpkg -target /

However, it didn’t work. I haven’t found a document that explains how to install the client in silent mode. Whether the client is not installed or there is an older version, we want to get a script to install this version of the agent on macOS.

What is the approach that we should follow? 


Related:


7023377: Sequencing EXTRA! 9.x as a Virtual Application with Microsoft Application Virtualization 5.x

Before using the Microsoft Sequencer Package Configuration Wizard to sequence EXTRA! X-treme 9.5, document the sequencing requirements and steps by determining which EXTRA! X-treme components and features are to be installed, the location of installation files, and the location of any configured user data, such as session documents. Some EXTRA! application components may not be needed and it is recommended to install EXTRA! on a stand-alone PC to help identify and document the installation steps in advance.

If EXTRA! has any service packs or updates, ensure that the service pack installer file, *.MSP, is available for installation during the sequencing process. The EXTRA! Microsoft Office Tools have not been tested to work with Microsoft Office streamed as a virtual application.

Use the Custom Installation Wizard (CIW) to create customized installation packages. See https://support.microfocus.com/kb/doc.php?id=7021288. Also refer to Preparing to Deploy EXTRA! X-treme – A System Administrator’s Guide, which is available from http://docs.attachmate.com/extra/x-treme/8.x/CentralManagementWalkthrough.pdf. The following steps assume that an Administrative Installation has been performed as described in the System Administrator’s Guide.

Use the Application Virtualization Sequencer Wizard to start the sequencing process with EXTRA! X-treme 9.5:

1. Launch the Microsoft Application Virtualization Sequencer

2. Select “Create a New Virtual Application Package”

3. For the Packaging Method select “Create Package (default)”

4. Press Next

5. Resolve any issues shown on the Prepare Computer list

6. Press Next

7. For the Type of Application choose “Standard Application (default)”

8. Press Next

9. On the Select Installer dialog choose “Select the installer for the application”

Use the Browse button to find the EXTRA! X-treme SETUP.EXE program in the EXTRA! Administrative Installation location

10. Press Next

11. On the Package Name screen enter the Virtual Application Package Name of your choice, such as "EXTRA! X-treme 9.5"

Enter the Primary Virtual Application Directory (required) name:

For example: C:\Program Files (x86)\Micro Focus\EXTRA!

12. Press Next

13. Wait for the Virtual Environment to load.

14. Select your install language, and then click OK.

15. In the Setup Wizard, click Next.

16. Accept the License Agreement, and then click Next.

17. Enter a User Name, Organization, and under “Install this application for,” select “Anyone who uses this computer (all users).” Click Next.

18. Specify a Destination Folder, and then click Next.

19. For User Data Location, select User Defined Directory, and then click Next.

20. On the User Data Destination Folder screen, click Browse. The Attachmate variable called USERID should be entered in the path string as shown below.

C:\Users\USERID\Documents\Micro Focus\EXTRA!

and click OK, and then click Next.

Note the following:

The USERID parameter needs to be all upper case. At EXTRA!’s runtime the USERID parameter will be resolved to the currently logged-in user.

The files in the ENU subfolders of macros, schemes and sessions under

C:\Program Files\Micro Focus\EXTRA!\

or

C:\Program Files (x86)\Micro Focus\EXTRA!\

will be copied to the user’s personal folders location the first time EXTRA! is run for that particular user.

21. Select Custom, and then click Next.

22. On the Custom Setup dialog, de-select any features not needed so that they will not install.

For example, de-select the following:

Application Options\API Options

Application Options\Utilities

Utilities\Kerberos Manager

Utilities\Key Agent

23. Click Next.

24. Click the “Install” button.

25. When the Installation has completed successfully, click the Finish button.

26. If service packs or updates are to be installed to EXTRA! X-treme:

a. On the Installation dialog of the App-V sequencer, press the “Run” button

b. Select the appropriate *.MSP file(s) to install a service pack, update or patch.

27. When the update or patch is installed, or if there are no further .MSP updates to install, continue on.

28. When the install is complete, check the box that says “I am finished installing”

29. Press Next

30. Wait while App-V collects the system changes and the Configure Software screen displays.

31. From the Configure Software screen, highlight the EXTRA! X-treme choice and click on “Run Selected” to launch the application.

(Do NOT click Run All.)

32. To create a new session document, select “Create a new session”.

Save the session file in the C:\Users\Public\Documents\Micro Focus\EXTRA! folder to make it available to all end-users.

33. Launch and then close any session document to create the App-V files that will be used for streaming.

If you launch the Reflection FTP client, or any session document, and a Sequencer error displays:

“The Sequencer could not stop the MSIServer service,” click OK and try again.

34. After all the applications and EXTRA! Host sessions have been run and closed, press Next.

35. Verify the data on the Installation Report screen and resolve any issues

36. Press Next.

37. On the Customize screen decide if further customization is needed.

For example: if restrictions are required concerning different operating systems this is the time to do it.

38. If no further customization is needed select “Stop now. Create a basic virtualization package (default).”

39. Press Next.

40. Select “Save the package now” and enter the Save Location for the package contents

41. Press Create.

By default the App-V package will be located on the desktop of the App-V sequencing PC.

42. After the package is created press Close to finish and exit the Application Virtualization Sequencer program.

43. Copy the completed sequenced App-V package files to the Distribution Point or Virtual Application Server.

Related:


Re: Dell EMC Unity Laptop Demo Install error

Hello,

I am trying to install the Unity laptop demo on my Windows 7 VM running on my Mac with Fusion 8.1.1. It appears that the Anywhere installer thinks there are multiple instances running and quits. See the attached screen shot. This seems to be an issue within the Fusion VM since I can install it on my home PC.

Checking Anywhere’s support website, there is an article that indicates there is a .tmp file that might need to be deleted in my home directory, but I am unable to find it.

Has anyone tried to install this demo on a Windows VM?

Thanks,

Alan Kobuke

Related:

7023270: An installation of MSS was not found on this system

The message below is received when installing MSS for ZFE 2.2.x or 2.3.x onto Windows or UNIX.

Message on Windows and UNIX using GUI installer:


Message on headless UNIX using command line installer:

Host Access Management and Security Server (MSS) is required for use with Reflection ZFE.

An installation of MSS was not found on this system.

An MSS installer was not found at the expected location or was deemed not compatible with this release.

Select from one of the available options below.

Use remotely hosted MSS [1, Enter]
