Sophos Anti-Virus for Linux and UNIX: Changes to supported platforms


Announced 30 June 2017 – As part of Sophos’ ongoing product lifecycle review process, we plan to update the platforms that are supported by the Sophos Anti-Virus for Linux and UNIX offerings. The changes are designed to enable Sophos to provide the strongest protection for the most popular platforms, and will affect the following:


Applies to the following Sophos products and versions

Central Managed Threat Response [MTR] for Linux


The number of customers requiring Anti-Virus capabilities for legacy UNIX platforms continues to decline. Sophos plans to support the most popular platforms going forward, and plans to retire support for HP-UX.


The latest versions of many popular Linux distributions are now only available for 64-bit platforms. After June 30, 2018, with the exception of Red Hat Enterprise Linux 6, Sophos Anti-Virus for Linux will support 64-bit versions of Linux distributions only.

Update July 1, 2018: In line with previous communications, Sophos Anti-Virus for Linux now supports 64-bit platforms only, with the exception of Red Hat Enterprise 6.


The Sophos Anti-Virus for Linux agent currently includes a large number of pre-compiled Talpa Binary Packs for on-access scanning, many of which are for very old and deprecated kernel versions. Most customers use newer kernels in order to benefit from kernel enhancements and improved security; Sophos therefore plans to reduce the number of pre-compiled Talpa Binary Packs that are provided with the product.

  • When a new kernel version is introduced for a specific Linux distribution, Sophos typically aims to provide a Talpa Binary Pack for the new kernel version within approximately two to four weeks.
  • After June 2018, Talpa Binary Packs for kernel versions that are older than 18 months for that Linux distribution will be removed from the agent download. Update: This change is now scheduled for release October 22, 2018.
  • Sophos will continue to provide Talpa Binary Packs for all kernel versions for supported Red Hat Enterprise Linux 6/7 distributions.

  • A definitive list of kernel versions for which Talpa Binary Packs are provided will continue to be published and updated on a regular basis. See TalpaBinaryPacks.txt for the current list. Note: this list is updated automatically when Talpa Binary Packs are added and removed.
  • Existing Sophos Anti-Virus for Linux installations will not be affected by this change. Talpa on-access scanning will continue to function without interruption and Sophos will continue to support customers using the product.
  • If on-access scanning is required and Sophos does not provide a pre-compiled Talpa Binary Pack for your kernel, the following options are available:


Sophos Anti-Virus for Linux: How to install when /tmp is mounted as noexec

This knowledge base article describes the two options for installing Sophos Anti-Virus for Linux when /tmp is mounted as noexec.

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux 10

The first thing to do is to check whether /tmp is mounted with the noexec option. To do this, run the command mount | grep tmp

If the output shows /tmp with noexec, proceed with either of the options below:

  1. Remount /tmp with exec using the command mount -o remount,exec /tmp
  2. Run install.sh or SophosInstall.sh, or use the package manager of your choice to install the package: rpm -i SophosInstall.rpm or dpkg -i SophosInstall.deb
  3. Remount /tmp with noexec again using the command mount -o remount,noexec /tmp

TMPDIR is an environment variable used by the Sophos Anti-Virus for Linux install script to extract the installation archives. Another way to install Sophos Anti-Virus for Linux when /tmp is mounted as noexec is to set the TMPDIR variable to a mount point which is not mounted as noexec.

If TMPDIR was already set to another location, restore it to its previous value after the installation.

  1. Set TMPDIR to /var/tmp using the command export TMPDIR=/var/tmp
  2. Run the installer as described above.
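Both options above (remounting /tmp, or pointing TMPDIR at a mount without noexec) rely on knowing which mount backs a given path and whether it carries noexec. The POSIX shell script below is an added example and is not part of the Sophos article or of the Sophos installer: it resolves the backing mount of a path from a mount table in /proc/mounts format, reports whether that mount is noexec, and picks the first candidate directory from which the extracted installer can be executed. The function names path_on_noexec and pick_exec_tmpdir are this example's own, not names from the product.

```shell
#!/bin/sh
# Added example (not Sophos code): find a temporary directory that is not on a
# noexec mount before running the Sophos Anti-Virus for Linux installer.
# Mount table format assumed: /proc/mounts ("device mountpoint fstype options dump pass").

# path_on_noexec PATH [MOUNTS_FILE]
# Returns 0 if the mount that backs PATH carries the noexec option, 1 otherwise.
# The backing mount is the listed mount point that is the longest prefix of PATH;
# a later entry for the same mount point wins, matching how the kernel lists
# stacked mounts. MOUNTS_FILE defaults to /proc/mounts.
path_on_noexec() {
    _path=$1
    _table=${2:-/proc/mounts}
    awk -v p="$_path" '
        {
            mp = $2
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) >= bestlen) { bestlen = length(mp); bestopts = $4 }
            }
        }
        END {
            n = split(bestopts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") exit 0
            exit 1
        }
    ' "$_table"
}

# pick_exec_tmpdir MOUNTS_FILE DIR...
# Prints the first DIR that is not on a noexec mount; returns 1 if none qualifies.
pick_exec_tmpdir() {
    _table=$1
    shift
    for _d in "$@"; do
        if ! path_on_noexec "$_d" "$_table"; then
            printf '%s\n' "$_d"
            return 0
        fi
    done
    return 1
}

# Install-time use: runs only when invoked as "sh thisscript.sh install" on the target host.
# It exports a usable TMPDIR for the install script and then starts install.sh.
if [ "${1:-}" = "install" ]; then
    TMPDIR=$(pick_exec_tmpdir /proc/mounts /tmp /var/tmp) || {
        echo "no temporary directory without noexec; remount /tmp with exec first" >&2
        exit 1
    }
    export TMPDIR
    echo "using TMPDIR=$TMPDIR"
    ./install.sh
fi
```

The functions can also be sourced and called with a saved copy of /proc/mounts from another host, which lets you check a fleet of servers for the noexec condition before scheduling the installation.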

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable for us to ensure that we continually strive to give our customers the best information possible.


Sophos Anti-Virus for Linux and for UNIX: Communication with Sophos Update Server uses HTTPS by default

This article advises that Sophos Anti-Virus (SAV) for Linux and for UNIX uses HTTPS (HTTP over TLS) to communicate with the online Sophos Update Servers.


Applies to the following Sophos products and versions

SAV for Linux 10.4.0

SAV for Linux 10.4.1

SAV for Unix 9.15.0

SAV for Unix 9.15.1

From version 10.4 and 9.14.2 of SAV for Linux, SAV uses HTTPS for communicating with the configured Update Server. This also applies to Enterprise Managed and standalone installations of SAV for Linux and SAV for UNIX where updates are configured to use the Sophos online Update location.

If an HTTPS connection cannot be established within a 10-minute timeout, SAV falls back to an HTTP connection automatically.



PureMessage for Unix: FAQ for version 6.4 Delay Queue

This article has a list of Frequently Asked Questions and links to answers for PureMessage for Unix version 6.4 and the new Delay Queue feature.


Applies to the following Sophos products and versions

PureMessage for Unix 6.4.0 and above

How do you upgrade to PMX 6.4?

PureMessage for UNIX: How to upgrade to version 6.4 with Delay Queue

How does Delay Queue work in PMX?

PureMessage for UNIX: How Delay Queue works

What are the new log entries for PMX 6.4?

PureMessage for UNIX: How to read new log entries for Delay Queue

What commands can be used to view the Sender History Database?

PureMessage for UNIX: How to view the Sender History Database

What changes have been made to the database?

PureMessage for UNIX: Database changes for Delay Queue

Configuration Files

PureMessage for UNIX: Configuration file details for Delay Queue

How do you check sizing requirements for the Redis server?

PureMessage for UNIX: How to check sizing requirements for the Redis server

What is an example of the policy.siv file with Delay Queue enabled?

PureMessage for UNIX: Sample policy.siv file for Delay Queue



Sophos Anti-virus for UNIX: Migrating a protected UNIX server managed by Sophos Enterprise Console to a Standalone (unmanaged) implementation

This article provides details on how to migrate a Sophos Enterprise Console (SEC) managed UNIX server to a Standalone implementation.

Note: This command is irreversible. To re-register the UNIX server to Sophos Enterprise Console after running this command, you will need to re-install Sophos Anti-virus.


Applies to the following Sophos product(s) and version(s)

Enterprise Console 5.5.0

Enterprise Console 5.5.1

Sophos Anti-Virus for Unix version 9.15.x

Operating systems

Solaris SPARC, Solaris Intel, HP-UX and AIX running Sophos Anti-Virus version 9.15.x

Support for SEC-management of UNIX servers is due to end after 31 December 2019. Sophos will continue to support standalone deployments of Sophos Anti-virus for UNIX after this date. See Sophos Anti-Virus for Linux and UNIX: Changes to supported platforms.

Sophos recommends customers migrate SEC-managed Sophos Anti-virus for UNIX deployments to standalone configurations before December 2019.

In a SEC-managed configuration, the UNIX server receives updates and policy changes from the Sophos Enterprise Console (SEC) and reports any detected threats back to the console. After migration to a standalone configuration, SEC will not receive any alerts or events and the SEC entry for the UNIX server will display the machine as inactive. The UNIX server will continue to receive updates from the Central Installation Directories (CIDs) on the SEC server, but the Sophos Enterprise Console will no longer manage the updates. If the SEC server is turned off, updates on the standalone UNIX server will stop unless a secondary update source is defined.

In order to obtain alerts for the standalone UNIX server following migration from Sophos Enterprise Console you will need to configure a valid email address.

Actions before migration

Before starting please confirm whether scheduled scans have been created within the Sophos Enterprise Console and named using a double-byte non-ASCII character set. If so, please refer to the notes below for additional actions.

The ability to perform a migration to a standalone implementation is available as a new de-registration command line option with SAV for Unix v9.15.0 and later. After migration all configuration and management tasks for the UNIX server will require the use of the SAV command-line interface. There are some tasks which are simpler to perform on the SEC server before migration, including:

  • Set up all necessary email alerting. Please review the chapter titled Setting up alerts and messages in the Sophos Enterprise Console help guide for details on setting up email alerting.

To initiate the migration to a standalone deployment, run the following command on your UNIX server.

Note: This command is irreversible. To re-register the UNIX server to Sophos Enterprise Console after running this command, you will need to re-install Sophos Anti-virus.

# /opt/sophos-av/bin/savdctl deregisterRMS

  • The de-registration process first stops the UNIX server reporting to the Sophos Enterprise Console (SEC) by stopping and removing Sophos Remote Management Services (RMS).
  • AutoUpdate is then configured on the standalone server with the update period that was configured in SEC.
  • The update source details are then copied from the Sophos Enterprise Console.
  • Any configured named scans are migrated to the standalone server. The name used to identify the scans is changed slightly from SEC:nameofscan to SEC_nameofscan. This is to help you to distinguish scan configurations that are migrated from SEC, from any newly created scans.
  • The process then migrates the email alert and messaging configurations from the Sophos Enterprise Console to the standalone deployment.
  • The output of the migration can be viewed in /opt/sophos-av/log/deregisterRMS.log

After migration

The entry for the migrated UNIX server is not removed from Sophos Enterprise Console. If required, entries remaining in SEC can be cleaned up after migration by deleting them in the console.

Note: If the UNIX updates are removed from the subscriptions in the Sophos Enterprise Console, then the CID UNIX update location will no longer be updated. This could cause the protection on the migrated standalone UNIX server to become out of date, even if a secondary source is available. In this situation, reconfigure the standalone server with a current and valid update source.

Air Gapped: In an air-gapped environment where the UNIX endpoint was receiving updates from a SEC server, the process used to update SEC should continue to include UNIX updates. This ensures the UNIX server keeps receiving updates after moving to a standalone, unmanaged state.

Additional considerations for non-ASCII character scheduled scans

The deregisterRMS command needs to migrate scheduled scans that have been created within the Sophos Enterprise Console. The command cannot process scans named using non-ASCII characters: running deregisterRMS in the C locale will fail.

As a workaround you can either:

  1. Rename the scheduled scans so that they use only ASCII characters, or
  2. Run deregisterRMS in a UTF-8 locale (set through the LC_ALL and LANG environment variables). For example, change the environment to:

AIX: LANG=JA_JP

HP-UX: LANG=ja_JP.utf8

Solaris: LANG=ja_JP.UTF-8
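Because deregisterRMS is irreversible, it is worth checking the locale and the scan names before running it rather than discovering the failure afterwards. The POSIX shell script below is an added example and not part of the Sophos article or product: it resolves the effective locale (LC_ALL overrides LANG when set), decides whether that locale is UTF-8 using the spellings shown in the article's AIX, HP-UX and Solaris examples, and flags any scheduled-scan name that contains non-ASCII bytes. The function names (effective_locale, is_utf8_locale, has_non_ascii, preflight) are this example's own, and the scan names are passed in by the caller; how to list the scans held in SEC is not covered here.

```shell
#!/bin/sh
# Added example (not part of the Sophos article): pre-flight checks before running
#   /opt/sophos-av/bin/savdctl deregisterRMS
# It resolves the effective locale (LC_ALL overrides LANG), decides whether that
# locale is UTF-8, and flags scheduled-scan names that contain non-ASCII bytes.

# effective_locale LC_ALL_VALUE LANG_VALUE: LC_ALL wins when non-empty, else LANG.
effective_locale() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# is_utf8_locale OS LOCALE: returns 0 when LOCALE selects UTF-8.
# Accepts a utf8 / UTF-8 codeset suffix in any case (HP-UX, Solaris and Linux
# style, e.g. ja_JP.utf8, ja_JP.UTF-8, with an optional @modifier). On AIX the
# upper-case names such as JA_JP are the UTF-8 locales, as in the article's example.
is_utf8_locale() {
    _os=$1
    _loc=$2
    case "$_loc" in
        *.[Uu][Tt][Ff]-8|*.[Uu][Tt][Ff]8|*.[Uu][Tt][Ff]-8@*|*.[Uu][Tt][Ff]8@*) return 0 ;;
    esac
    if [ "$_os" = AIX ]; then
        case "$_loc" in
            ??_??)
                _up=$(printf '%s' "$_loc" | LC_ALL=C tr 'a-z' 'A-Z')
                if [ "$_loc" = "$_up" ]; then return 0; fi
                ;;
        esac
    fi
    return 1
}

# has_non_ascii STRING: returns 0 if STRING contains any byte above 127.
# Bytes are inspected with od so the check does not depend on the current locale.
has_non_ascii() {
    printf '%s' "$1" | od -An -tu1 |
        awk '{ for (i = 1; i <= NF; i++) if ($i > 127) found = 1 } END { exit found ? 0 : 1 }'
}

# preflight OS LC_ALL_VALUE LANG_VALUE SCAN_NAME...
# Returns 0 when deregisterRMS can migrate the given scans under that locale,
# 1 when non-ASCII scan names would need renaming or a UTF-8 locale first.
preflight() {
    _os=$1; _lcall=$2; _lang=$3
    shift 3
    _loc=$(effective_locale "$_lcall" "$_lang")
    _bad=""
    for _name in "$@"; do
        if has_non_ascii "$_name"; then _bad="$_bad $_name"; fi
    done
    if [ -z "$_bad" ]; then
        echo "all scan names are ASCII; locale '$_loc' is fine"
        return 0
    fi
    if is_utf8_locale "$_os" "$_loc"; then
        echo "non-ASCII scan names ($_bad ) will migrate: locale '$_loc' is UTF-8"
        return 0
    fi
    echo "non-ASCII scan names ($_bad ) but locale '$_loc' is not UTF-8:" \
         "rename the scans or set LC_ALL/LANG to a UTF-8 locale first" >&2
    return 1
}
```

A typical call on the server itself is preflight "$(uname -s)" "$LC_ALL" "$LANG" followed by the scan names; a non-zero exit means stop and fix the names or the locale before invoking deregisterRMS.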



SEP 15 Web traffic redirection


Hello community,

I have another question where I need your help.

Since yesterday I'm using SEP 15. Additionally I'm using WSS and Web Isolation.

Currently WSS is configured as an explicit proxy. But I found an article saying that the SEP agent can redirect the web traffic to WSS.

HOWTO127870

According to this, I have to edit the Integration Policy. But there is none in the SEP 15 console, so my first thought was "it's not possible with SEP 15".

But during a LiveUpdate I saw that the WSS Traffic Redirection component exists.


My question is now: how can I configure the WSS Traffic Redirection when using SEP 15?

Thanks in advance for your help.

Kind regards

Christopher



The Citrix App Layering Agent is trying to communicate with a deleted ELM

Looking in the applayering.agent.log file, you see that the Citrix App Layering Agent service is trying to communicate with an ELM that no longer exists. The logs will include blocks like this every 2 minutes:

    2019-03-19 07:08:51,618 INFO 9 ElmRegistrationService: Calling UpdateInfrastructure on ELM at 10.195.16.203:443 (with passcode: False)
    2019-03-19 07:09:12,636 WARN 9 ElmRegistrationService: Call to UpdateInfrastructure on ELM at 10.195.16.203:443 failed. Will retry in 00:02:00. Exception:
    System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.195.16.203:443
       at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
       at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
       at System.Net.HttpWebRequest.GetRequestStream()
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Citrix.AppLayering.Agent.Service.MaApiReference.Api.UpdateInfrastructure(UpdateInfrastructureCommand command)
       at Citrix.AppLayering.Agent.Service.Services.ElmRegistrationService.<>c__DisplayClass13_1.<BeginUpdateRegistrationsWithELMs>b__2()
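The excerpt above repeats every two minutes for as long as the agent still holds a registration for the missing ELM, so on a busy server the stale address is buried among normal entries. The script below is an added example and not Citrix code: it counts UpdateInfrastructure failures per ELM address in an applayering.agent.log so that the appliance address that never answers stands out, and lists the addresses whose failure count has reached a threshold. The line layout is taken from the excerpt above; the sample log written by write_sample_log is constructed for this example, and 192.0.2.10 is a documentation-range address standing in for a second, made-up ELM.

```shell
#!/bin/sh
# Added example (not Citrix code): summarise repeated ELM registration failures in
# applayering.agent.log so that a stale (deleted) ELM address stands out.
# Line format assumed from the article's excerpt:
#   <date> <time> WARN <n> ElmRegistrationService: Call to UpdateInfrastructure on ELM at <host>:<port> failed. Will retry in ...

# write_sample_log FILE: writes a constructed log excerpt (sample data, not a real
# capture) modelled on the article's lines, plus one failure for a made-up second ELM.
write_sample_log() {
    cat > "$1" <<'EOF'
2019-03-19 07:08:51,618 INFO 9 ElmRegistrationService: Calling UpdateInfrastructure on ELM at 10.195.16.203:443 (with passcode: False)
2019-03-19 07:09:12,636 WARN 9 ElmRegistrationService: Call to UpdateInfrastructure on ELM at 10.195.16.203:443 failed. Will retry in 00:02:00. Exception:
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time 10.195.16.203:443
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   --- End of inner exception stack trace ---
2019-03-19 07:10:51,620 INFO 9 ElmRegistrationService: Calling UpdateInfrastructure on ELM at 10.195.16.203:443 (with passcode: False)
2019-03-19 07:11:12,640 WARN 9 ElmRegistrationService: Call to UpdateInfrastructure on ELM at 10.195.16.203:443 failed. Will retry in 00:02:00. Exception:
2019-03-19 07:11:13,100 WARN 9 ElmRegistrationService: Call to UpdateInfrastructure on ELM at 192.0.2.10:443 failed. Will retry in 00:02:00. Exception:
EOF
}

# failed_elm_calls LOGFILE: prints "<failures> <host:port>" per ELM, most failures first.
# Only the WARN "Call to UpdateInfrastructure ... failed." lines are counted; the
# INFO "Calling ..." lines and the stack-trace lines that also mention the address are not.
failed_elm_calls() {
    awk '
        / WARN [0-9]+ ElmRegistrationService: Call to UpdateInfrastructure on ELM at / {
            for (i = 1; i < NF; i++)
                if ($i == "at" && $(i + 2) == "failed.") n[$(i + 1)]++
        }
        END { for (a in n) print n[a], a }
    ' "$1" | sort -rn
}

# stale_elms LOGFILE THRESHOLD: prints ELM addresses whose failure count reached THRESHOLD.
# Any address listed here that is no longer in your App Layering inventory is a
# registration the agent still holds and will keep retrying every two minutes.
stale_elms() {
    failed_elm_calls "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}
```

Run stale_elms against the real log with a threshold that covers a few retry cycles (for example 5, that is ten minutes of failures) and compare the output with the ELM addresses that actually exist; an address that appears only in the output is the one the agent needs to be re-registered against or have removed.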


Event detail: Integrity checksum changed for: ‘HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\eventlog\Application\Symantec WSS Traffic Redirection’


We recently got this event detail on 2 production servers. What would cause this? Client version 14.2.x

Event detail: Integrity checksum changed for: ‘HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\eventlog\Application\Symantec WSS Traffic Redirection’



Using mkinstpkg to create deployment packages for Sophos Anti-Virus for Linux, v 9

In Sophos Anti-Virus for Linux/Unix v9 there is a new location for the deployment package tool – mkinstpkg. This package is no longer available in the CID (Central installation directory).

Known to apply to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Linux/Unix 9

Operating systems

Linux

Unix

What To Do

To create a pre-configured deployment package, follow these instructions:

  1. Go to the directory /opt/sophos-av/update/.
  2. Do one of the following:
    • To create a tar format deployment package, called savinstpkg.tgz, type: ./mkinstpkg
    • To create an RPM format deployment package (Linux Only), called savinstpkg-0.0-1.i586.rpm, type:

      ./mkinstpkg -r

      Note: The filename may vary slightly depending on the RPM setup.
  3. Use your own tools to copy this package to the computers where you want to install Sophos Anti-Virus.

Configuration options can be set when creating the package with mkinstpkg, such as making the install package default to Fanotify instead of Talpa for on-access scanning (see knowledge base articles 118231 and 118216). The command in that case would be:

      ./mkinstpkg --extra-options="--preferFanotify"

More information on these configuration options can be found in section 11, Appendix "Command Line Options for Mkinstpkg", in the Sophos Anti-Virus for Linux Start-up guide.

For more information on creating and using deployment packages, please see the Enterprise Console guide for managing Linux and Unix computers:

http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx
