Sophos Anti-Virus for Linux : Communication with Central Update Server uses HTTPS by default

This article advises that Central-managed Sophos Anti-Virus (SAV) for Linux uses HTTPS (HTTP over TLS) to communicate with the configured update servers.


Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Linux 9.14.2

Sophos Linux Security 10.4.0

  • Linux (supported Linux platforms)

From version 10.4 of Sophos Linux Security and version 9.14.2 of Central-managed SAV for Linux, SAV uses HTTPS (HTTP over TLS) to communicate with the configured update server. If an HTTPS connection cannot be established within a 10 minute timeout, it automatically falls back to an HTTP connection.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Researchers discover highly stealthy Microsoft Exchange backdoor

An extremely stealthy Microsoft Exchange backdoor can read, modify or block emails going through the compromised mail server and even compose and send new emails.


LightNeuron – as the backdoor has been dubbed by ESET researchers – is remotely controlled via emails using steganographic PDF and JPG attachments and is believed to have been used by the Turla cyber espionage group.

About LightNeuron

The LightNeuron backdoor is the first known instance of a backdoor employing a malicious Microsoft Exchange Transport Agent as a persistence mechanism.

“Microsoft Exchange allows extending its functionalities using Transport Agents that can process and modify all email messages going through the mail server. Transport Agents can be created by Microsoft, third-party vendors, or directly within an organization,” the researchers explained.

“The typical events handled by a Transport Agent occur when the mail server sends or receives an email. Before the event is actually executed, the Transport Agents are called and have the possibility to modify or block the email.”

They are usually used for legitimate purposes, but as we can see in this instance they can also be used for malicious ones.

Aside from the Transport Agent, which is dropped in the Exchange folder located in the Program Files folder and registered in the mail server’s configuration, the backdoor also uses a DLL file containing most of the malicious functions needed by the Transport Agent.

As mentioned before, the backdoor can block emails, modify their body, recipient and subject, create a new email, replace attachments, and re-create and re-send the email from the Exchange server to bypass the spam filter.

It can create email and attachment logs, encrypt emails and store them, and parse JPG/PDF attachments and decrypt and execute the commands found in them.

LightNeuron can also be instructed to write and execute files, delete and exfiltrate them, execute processes, disable itself, perform extensive logging (backdoor actions, debug, error, etc.) and perform automatic file exfiltration at a particular time of the day and night.


During their investigation, the researchers also noticed, alongside LightNeuron, tools such as remote administration software, RPC-based malware and .NET web shells targeting Outlook Web Access. By leveraging them, the attackers are able to control other machines on the local network using emails sent to the Exchange server.

Finally, judging by some strings decrypted from the malware samples, they believe it is likely that a Linux variant of the malware exists and is in use.

“That would not be surprising, given that many organizations have Linux mail servers,” they noted.

About Turla

Turla (aka Snake, aka Uroburos) is believed to be a Russian-speaking group of attackers that is likely state-sponsored. They’ve been active for more than a decade.

Their usual targets are government entities, diplomatic entities, military organizations and defense contractors, regional political organizations and research and education organizations around the world.

Even though LightNeuron dates back to at least 2014, it was discovered and analyzed by security researchers only now because of the previously unseen persistence mechanism, because it is hard to detect at the network level (no standard HTTP(S) communications), and because Turla deploys it only against its most important targets.

“This malware is not highly prevalent in the wild so it was able to stay under the radar for a long period of time,” ESET malware researcher Matthieu Faou told Help Net Security.

“We found LightNeuron while investigating machines already infected with known Turla malware. That’s how we were able to make the link between LightNeuron and Turla.”

The researchers pinpointed two targets hit with the backdoor: a Ministry of Foreign affairs in an Eastern European country and a regional diplomatic organization in the Middle East.

Removing the malware

ESET researchers have released IoCs so that companies can check whether they have been infected with the malware, but warned against removing the two malicious files as the first order of business, as this will break Microsoft Exchange and prevent everybody in the organization from sending and receiving emails.

Administrators must first disable the malicious Transport Agents and only then remove the two malicious files.

“If you do not plan to re-install the mail server, an important last step is to modify the passwords of all accounts that have administrative rights on the compromised server. Otherwise, attackers could access the server again to compromise it again,” they advised.


Sophos Anti-Virus for Linux: How to verify if Sophos anti-virus is correctly installed

This article provides the steps on how to verify that the Sophos anti-virus for Linux has been successfully installed.

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

  1. Verify that the kernel modules are loaded.
     • If you are using Talpa, run lsmod | grep talpa; the output should list the following modules (the second column shows which other Talpa modules use each one):

       [..]
       talpa_vfshook
       talpa_pedconnector
       talpa_pedevice        talpa_pedconnector
       [..]
       talpa_vcdevice
       talpa_core            talpa_vfshook,talpa_vcdevice
       [..]
       talpa_linux           talpa_vfshook,talpa_vcdevice,talpa_core
       talpa_syscallhook     talpa_vfshook

     • If you are using Fanotify, it is built into the kernel rather than loaded as a module, so check the kernel build configuration shipped under /boot (CONFIG_FANOTIFY=y means it is enabled):

       grep -i FANOTIFY /boot/config-$(uname -r)

  2. Check that the RMS and MCS processes are running.
     • For RMS, run the commands ps aux | grep mrouter, ps aux | grep magent and ps aux | grep sophosmgmtd
     • For MCS, run the command ps aux | grep sophosmgmtd
     • Notes:
       • Remote Management System (RMS) – the component of Sophos Anti-Virus for Linux responsible for sending and receiving messages from the Enterprise Console or Message Relay server.
       • Management Communication System (MCS) – the component responsible for sending and receiving messages from Sophos Central or a Message Relay server.

  3. Run the commands ps aux | grep savd and ps aux | grep savscand to verify that the Sophos anti-virus processes are running.
     • Note: This should show one savd and two savscand processes. If Fanotify is used for the on-access module, only one savscand process will appear.

  4. Test that Sophos on-access scanning is working.
     1. Download the EICAR test file, or copy X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* into a text editor and save it as EICAR.com
     2. Run the command cat EICAR.com on the saved file; on-access scanning should result in an access denied message.
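The checks above, as an added shell script that is not part of the article or of Sophos's product: it parses lsmod, the kernel config and ps aux output using the module and process names the article gives, and runs the EICAR read test. The talpa_* module names and the savd, savscand, mrouter, magent and sophosmgmtd process names come from the article; the script itself, its --live flag and the rms|mcs argument are this example's own.

```shell
#!/bin/sh
# Added example, not a Sophos-supplied script: automates the checks in this
# article. The parsing functions take command output as an argument so they can
# be exercised on captured text; run with --live [rms|mcs] to check this host.
set -u

# Every Talpa module the article lists must appear in the first column of
# `lsmod` output.
talpa_modules_loaded() {
    lsmod_out=$1
    for mod in talpa_vfshook talpa_pedconnector talpa_pedevice \
               talpa_vcdevice talpa_core talpa_linux talpa_syscallhook; do
        if ! printf '%s\n' "$lsmod_out" | awk -v m="$mod" '$1 == m {f=1} END {exit !f}'; then
            echo "missing kernel module: $mod" >&2
            return 1
        fi
    done
    return 0
}

# Fanotify is a kernel build option rather than a module, so the article reads
# the kernel config shipped under /boot; CONFIG_FANOTIFY=y means it is built in.
fanotify_in_config() {
    printf '%s\n' "$1" | grep -q '^CONFIG_FANOTIFY=y'
}

# Count processes in `ps aux` output whose executable basename is $2. Field 11
# is the COMMAND column, so the `grep savd` from the article is not counted.
count_procs() {
    printf '%s\n' "$1" | awk -v n="$2" '$11 ~ ("(^|/)" n "$") {c++} END {print c+0}'
}

# Expect one savd and two savscand with Talpa, or one savscand with Fanotify.
sav_processes_ok() {
    ps_out=$1; onaccess=${2:-talpa}
    if [ "$onaccess" = fanotify ]; then want=1; else want=2; fi
    [ "$(count_procs "$ps_out" savd)" -eq 1 ] &&
        [ "$(count_procs "$ps_out" savscand)" -eq "$want" ]
}

# RMS (Enterprise Console) needs mrouter, magent and sophosmgmtd; MCS (Sophos
# Central) needs only sophosmgmtd.
mgmt_processes_ok() {
    ps_out=$1; mode=$2
    case $mode in
        rms) names="mrouter magent sophosmgmtd" ;;
        mcs) names="sophosmgmtd" ;;
        *)   echo "unknown management mode: $mode" >&2; return 2 ;;
    esac
    for n in $names; do
        [ "$(count_procs "$ps_out" "$n")" -ge 1 ] || { echo "$n is not running" >&2; return 1; }
    done
    return 0
}

# Write the EICAR test string from the article and read it back: with on-access
# scanning active the read is denied, so a failing cat is the passing result.
eicar_blocked() {
    dir=$(mktemp -d) || return 2
    printf '%s' 'X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$dir/EICAR.com"
    if cat "$dir/EICAR.com" >/dev/null 2>&1; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    return 0
}

if [ "${1:-}" = "--live" ]; then
    status=0
    if lsmod | grep -q '^talpa_'; then
        onaccess=talpa
        talpa_modules_loaded "$(lsmod)" || status=1
    else
        onaccess=fanotify
        fanotify_in_config "$(cat "/boot/config-$(uname -r)")" || { echo "CONFIG_FANOTIFY not set" >&2; status=1; }
    fi
    ps_out=$(ps aux)
    sav_processes_ok "$ps_out" "$onaccess" || { echo "savd/savscand count is wrong" >&2; status=1; }
    mgmt_processes_ok "$ps_out" "${2:-mcs}" || status=1
    eicar_blocked || { echo "on-access scanning did not block EICAR" >&2; status=1; }
    [ "$status" -eq 0 ] && echo "all checks passed"
    exit "$status"
fi
```

Run it as `sh sav-verify.sh --live rms` on an Enterprise Console managed host or `--live mcs` on a Central managed one; every failed check is reported on stderr and the exit status is non-zero if any check failed, so it can be dropped into a post-install job.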


Sophos Anti-Virus for Linux – start and stop commands

This article describes the commands to start and stop Sophos Anti-Virus processes on Linux and UNIX installations. When Sophos Anti-Virus is running on a Linux or UNIX server, there are two key parts to the running program, and the procedure for starting and stopping them depends on the type of server, as described below. The two key parts of SAV are savd, which drives all scanning, and sophosmgmtd, which drives the messaging and management communication processes.


Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux 9.15.0

Sophos Linux Security 10.4.0

Most modern Linux platforms use the systemd service manager, which among other things starts and stops system services and applications and manages them after boot.

The key command is systemctl and it can be used in the following ways:

# systemctl start [name.service]
# systemctl stop [name.service]
# systemctl restart [name.service]
# systemctl status [name.service]

To check which SAV services are running:

# systemctl list-units | grep sav
sav-protect.service loaded active running "Sophos Anti-Virus daemon"
sav-rms.service loaded active running "Sophos Management Agent"

To start and stop, use:

# systemctl start sav-protect.service
# systemctl start sav-rms.service
# systemctl stop sav-protect.service
# systemctl stop sav-rms.service

Older Linux platforms used the init structure for managing the start-up and stopping of system services and applications.

This normally follows the format of a single directory, /etc/init.d, containing the start-up and shutdown scripts for all the services and applications that require initialisation on system start. The scripts in this directory are then called via links in other directories, which determine which services to call for a given start-up state.

To start and stop, use:

# /etc/init.d/sav-protect start
# /etc/init.d/sav-rms start
# /etc/init.d/sav-protect stop
# /etc/init.d/sav-rms stop

To identify the current status of the running service, use:

# /etc/init.d/sav-protect status
# /etc/init.d/sav-rms status

AIX systems use a variation of the init process.

To start and stop, use:

# /etc/rc.d/rc2.d/Ssav-protect start
# /etc/rc.d/rc2.d/Ssav-rms start
# /etc/rc.d/rc2.d/Ssav-protect stop
# /etc/rc.d/rc2.d/Ssav-rms stop

AIX (and only AIX) also supports stopping and starting with savdctl:

# /opt/sophos-av/bin/savdctl start sav-rms
# /opt/sophos-av/bin/savdctl stop sav-rms

Solaris systems use the Service Management Facility (SMF), which splits SAV into three services.

To list the running services and check for SAV services:

# svcs | grep sav
online Nov_21 svc:/com/sophos/sav/sav-rms:default
online Nov_21 svc:/com/sophos/sav/sav-protect:default
online 15:18:50 svc:/com/sophos/sav/sav-update:default

To start and stop SAV services:

# svcadm enable sav-protect
# svcadm enable sav-update
# svcadm enable sav-rms
# svcadm disable sav-protect
# svcadm disable sav-update
# svcadm disable sav-rms
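As an added example (not a Sophos-provided script), a wrapper that detects which of the four service managers described above is present, issues the article's commands for it in the article's order, and then shows status so a failed start or stop is caught at once. The service names are the ones shown in the article; the detection heuristics, the function names and the script name are assumptions of the example.

```shell
#!/bin/sh
# Added example, not a Sophos-supplied script: one wrapper for the start, stop
# and status procedures above that picks the service manager this host uses.
# Service names are the ones the article shows (sav-protect, sav-rms, and
# sav-update on Solaris).
set -u

# Classify the host the way the article groups platforms. Assumed heuristics:
# a live systemd tree, the svcadm binary, or the SAV init script paths.
detect_init() {
    if [ -d /run/systemd/system ] && command -v systemctl >/dev/null 2>&1; then
        echo systemd
    elif command -v svcadm >/dev/null 2>&1; then
        echo smf
    elif [ -x /etc/rc.d/rc2.d/Ssav-protect ]; then
        echo aix
    elif [ -x /etc/init.d/sav-protect ]; then
        echo sysv
    else
        echo "no supported service manager found" >&2
        return 1
    fi
}

# sav_commands <systemd|sysv|aix|smf> <start|stop|status>
# Print the article's commands for that platform and action, one per line, in
# the order the article gives them; fail where the article documents none
# (for example there is no AIX status command on the page).
sav_commands() {
    init=$1; action=$2
    case $action in
        start|stop|status) ;;
        *) echo "usage: sav_commands <init> start|stop|status" >&2; return 2 ;;
    esac
    case $init:$action in
        systemd:*)          for s in sav-protect sav-rms; do echo "systemctl $action $s.service"; done ;;
        sysv:*)             for s in sav-protect sav-rms; do echo "/etc/init.d/$s $action"; done ;;
        aix:start|aix:stop) for s in sav-protect sav-rms; do echo "/etc/rc.d/rc2.d/S$s $action"; done ;;
        smf:start)          for s in sav-protect sav-update sav-rms; do echo "svcadm enable $s"; done ;;
        smf:stop)           for s in sav-protect sav-update sav-rms; do echo "svcadm disable $s"; done ;;
        smf:status)         echo "svcs | grep sav" ;;
        *) echo "no documented '$action' command for $init" >&2; return 1 ;;
    esac
}

# Run the commands for the detected platform, then show status so a failed
# start or stop is visible immediately instead of being discovered later.
sav_ctl() {
    action=$1
    init=$(detect_init) || return 1
    cmds=$(sav_commands "$init" "$action") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || echo "command failed: $cmd" >&2
    done
    if [ "$action" != status ]; then
        sav_commands "$init" status 2>/dev/null | while IFS= read -r cmd; do sh -c "$cmd"; done
    fi
}

# Usage: sh sav-ctl.sh start|stop|status   (run as root)
if [ $# -eq 1 ]; then
    sav_ctl "$1"
fi
```

Because sav_commands only prints, it doubles as a dry run: `sav_commands smf stop` shows exactly what would be executed on Solaris before anything is touched.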


Sophos Anti-Virus for Linux and Unix: Communication with Update Server uses HTTPS by default

This article advises that Sophos Anti-Virus (SAV) for Linux and Unix uses HTTPS (HTTP over TLS) to communicate with the configured update servers.

Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Unix 9.15.0

Sophos Anti-Virus for Linux 9.14.2

  • Linux (supported Linux platforms)
  • Unix (supported Unix platforms)

From version 9.15.0 of SAV for Unix and version 9.14.2 of SAV for Linux, SAV uses HTTPS (HTTP over TLS) to communicate with the configured update server. If an HTTPS connection cannot be established within a 10 minute timeout, it automatically falls back to an HTTP connection.
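Both this article and the Central-managed one earlier on the page describe the same behaviour: after a 10 minute HTTPS timeout the client falls back to HTTP automatically, so an update channel can run without TLS protection without the endpoint reporting it. As an added example that is not part of either article or of the product, the script below scans proxy access-log lines for update fetches that arrived over plain HTTP and separates the article's timeout fallback (a failed TLS attempt by the same client within the window) from HTTPS never having been attempted. The update server hostname, the log line format, the failure status codes and the script name are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not Sophos tooling: flag SAV update fetches that reached the
# update server over plain HTTP, using proxy access-log lines in a constructed
# "<epoch> <client> <method> <url> <status>" format. The update server name,
# the log format and the failure statuses are assumptions made for the example;
# lines are expected in chronological order.
set -u

WINDOW=600   # the article's 10-minute HTTPS timeout before the HTTP fallback

# Constructed sample: 10.0.0.5 updates over TLS; 10.0.0.9 fails two TLS
# CONNECTs and then fetches over HTTP; 10.0.0.12 never tries HTTPS at all;
# the last line is malformed and must be skipped.
SAMPLE_LOG='1700000000 10.0.0.5 CONNECT updates.example.internal:443 200
1700000030 10.0.0.5 GET https://updates.example.internal/catalogue.xml 200
1700000100 10.0.0.9 CONNECT updates.example.internal:443 0
1700000400 10.0.0.9 CONNECT updates.example.internal:443 0
1700000700 10.0.0.9 GET http://updates.example.internal/catalogue.xml 200
1700001000 10.0.0.12 GET http://updates.example.internal/catalogue.xml 200
garbage line'

# find_downgrades <update-host> <log-text>
# Prints "<client> <epoch> <kind> <url>" for every plain-HTTP request to the
# update host. kind is fallback_after_tls_failure when the same client had a
# failed TLS attempt within WINDOW seconds (the behaviour the article
# describes), otherwise plain_http_no_tls_attempt (HTTPS never attempted, which
# points at configuration rather than the timeout).
find_downgrades() {
    printf '%s\n' "$2" | awk -v host="$1" -v window="$WINDOW" '
        NF != 5 || $1 !~ /^[0-9]+$/ { next }        # skip malformed lines
        {
            ts = $1 + 0; client = $2; method = toupper($3); url = $4; status = $5 + 0
            h = url
            if (method == "CONNECT") {               # CONNECT host:443 = TLS tunnel
                sub(":.*", "", h); tls = 1
            } else {
                tls = (tolower(substr(url, 1, 8)) == "https://")
                sub("^[A-Za-z]+://", "", h); sub("[/:].*", "", h)
            }
            if (tolower(h) != host) next
            if (tls) {
                # status 0 (no reply) or 5xx is treated as a failed TLS attempt
                if (status == 0 || status >= 500) lastfail[client] = ts
                next
            }
            kind = "plain_http_no_tls_attempt"
            if ((client in lastfail) && ts - lastfail[client] <= window)
                kind = "fallback_after_tls_failure"
            print client, ts, kind, url
        }'
}

# Usage on a real log: sh downgrade-check.sh updates.example.internal access.log
if [ $# -eq 2 ]; then
    find_downgrades "$1" "$(cat "$2")"
fi
```

A fallback_after_tls_failure hit means the article's timeout fired and that host is now updating without TLS, which is worth investigating on the network path (a broken proxy rule or intercepted CONNECT) rather than on the endpoint; a plain_http_no_tls_attempt hit means the client is on a version or configuration that never tried HTTPS.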
