munki vs Sophos AntiVirus


Gregory Neagle

Jun 30, 2011, 3:08:18 PM
to munk...@googlegroups.com
This is the second time this issue has come to me in the last week, and both times were not on this list, so reposting to get this in the list archives...
Reported by guillaum...@gmail.com, Today (33 minutes ago)
We are using Munki to deploy Sophos Antivirus.
The thing is: Sophos self updates silently.
The base package available in munki is 7.3.0 but it self updated to 7.3.1 so there is a mismatch and munki starts offering 7.3.0 again which is not the expected behavior.
Is there any way to avoid the advertisement if a program is already installed?

Thanks
I responded:
This happens because Sophos' updater removes the receipts for the originally installed product. If the pkginfo for a pkg does not contain an "installs" array, Munki uses the "receipts" array to determine if an item is installed. If any of the receipts are missing, munki thinks the item is not installed and attempts to install.

Working around this issue is the same as for any package that has untrustworthy receipt info: add an "installs" array. Here's mine for an older version of Sophos AV (7.2.4):


	<key>installs</key>
	<array>
		<dict>
			<key>CFBundleIdentifier</key>
			<string>com.sophos.sav</string>
			<key>CFBundleName</key>
			<string>Sophos Anti-Virus</string>
			<key>CFBundleShortVersionString</key>
			<string>7.2.4</string>
			<key>path</key>
			<string>/Applications/Sophos Anti-Virus.app</string>
			<key>type</key>
			<string>application</string>
		</dict>
		<dict>
			<key>CFBundleIdentifier</key>
			<string>com.Sophos.SophosServer</string>
			<key>CFBundleName</key>
			<string>SophosAntiVirus</string>
			<key>CFBundleShortVersionString</key>
			<string>7.2.4</string>
			<key>path</key>
			<string>/Library/Sophos Anti-Virus/SophosAntiVirus.app</string>
			<key>type</key>
			<string>application</string>
		</dict>
		<dict>
			<key>CFBundleIdentifier</key>
			<string>com.sophosautoupdate</string>
			<key>CFBundleName</key>
			<string>Sophos AutoUpdate</string>
			<key>CFBundleShortVersionString</key>
			<string>7.2.0</string>
			<key>path</key>
			<string>/Library/Sophos Anti-Virus/SophosAutoUpdate.app</string>
			<key>type</key>
			<string>application</string>
		</dict>
	</array>

You can generate such an array using /usr/local/munki/makepkginfo, like so:

/usr/local/munki/makepkginfo -f "/Applications/Sophos Anti-Virus.app" -f "/Library/Sophos Anti-Virus/SophosAntiVirus.app" -f "/Library/Sophos Anti-Virus/SophosAutoUpdate.app"

Using the -f flag, I pointed makepkginfo at several of the applications installed by Sophos AV.
When munki checks for installs, it will look to see if these applications exist, and if they are at least the version numbers specified. If those tests pass, munki will consider Sophos AV installed, and won't offer to install it again.

See also the FAQ at http://code.google.com/p/munki/wiki/FAQ -- the question "munki successfully installed some software, but now each time munki runs, it wants to install the software again. Why is this?" is related to this issue.
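
The detection rule described in the post above, as an added example that is not part of the original thread and is not Munki's own code: a simplified model in which an "installs" array takes precedence over "receipts". The receipt packageid, the client state and all function names are constructed for illustration; the 7.3.0/7.3.1 versions come from the report.

```python
import plistlib

# Constructed pkginfo: the receipt packageid is a placeholder, not Sophos' real one.
PKGINFO = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>receipts</key><array><dict>
    <key>packageid</key><string>com.example.placeholder.sav</string>
    <key>version</key><string>7.3.0</string>
  </dict></array>
  <key>installs</key><array><dict>
    <key>type</key><string>application</string>
    <key>path</key><string>/Applications/Sophos Anti-Virus.app</string>
    <key>CFBundleShortVersionString</key><string>7.3.0</string>
  </dict></array>
</dict></plist>""")


def version_tuple(text):
    """Turn '7.3.1' into (7, 3, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def at_least(found, wanted):
    """True when found >= wanted, padding the shorter version with zeros."""
    a, b = version_tuple(found), version_tuple(wanted)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def is_installed(pkginfo, apps_on_disk, receipts_on_disk):
    """Simplified model: 'installs' wins when present, else fall back to receipts."""
    if pkginfo.get("installs"):
        return all(
            item["path"] in apps_on_disk
            and at_least(apps_on_disk[item["path"]], item["CFBundleShortVersionString"])
            for item in pkginfo["installs"]
        )
    return all(
        r["packageid"] in receipts_on_disk
        and at_least(receipts_on_disk[r["packageid"]], r["version"])
        for r in pkginfo.get("receipts", [])
    )

# Constructed client state: Sophos self-updated 7.3.0 -> 7.3.1 and removed its receipt.
APPS = {"/Applications/Sophos Anti-Virus.app": "7.3.1"}
RECEIPTS = {}
receipts_only = {k: v for k, v in PKGINFO.items() if k != "installs"}

print(is_installed(receipts_only, APPS, RECEIPTS), is_installed(PKGINFO, APPS, RECEIPTS))
```

With receipts only, the self-updated client is treated as not installed and would be offered 7.3.0 again; with the installs array, the 7.3.1 application on disk satisfies the check.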

Timothy Sutton

Aug 22, 2011, 4:54:02 PM
to munki-dev
Having decided to make Sophos an optional install for our
organization, I also wanted to make sure users had a way to remove it
cleanly. (If anyone knows how to let non-admins remove threats
detected in their own files/disks, I'd love to know how. We don't
currently run our own console.)

Sophos provides a pkg uninstaller, located at /Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg.
This is payload-free and has
binary pre/postflights to perform the uninstall. I've tested it at the
loginwindow and running as a non-admin, and it seems to work, whether
Sophos has since updated itself or not.

I've added these keys to my pkginfo to allow for the uninstall:

<key>uninstall_method</key>
<string>uninstall_script</string>
<key>uninstallable</key>
<true/>
<key>uninstall_script</key>
<string>#!/bin/sh

/usr/sbin/installer -pkg /Library/Sophos\ Anti-Virus/Remove\ Sophos\ Anti-Virus.pkg -target /
exit 0
</string>


Sophos does have a KB article on this, updated Feb. 2011, so this
seems to be supported. Note that the path they specify is, however,
incorrect. And, since Sophos updates without your control, there's no
guarantee this uninstall pkg will remain there.

http://www.sophos.com/support/knowledgebase/article/14179.html


Hope that's helpful for someone. I'd be interested to hear others'
thoughts on any issues they've run into with Sophos in their
organization.


Tim
>                         <string>com.sophos.autoupdate</string>
>                         <key>CFBundleName</key>
>                         <string>Sophos AutoUpdate</string>
>                         <key>CFBundleShortVersionString</key>
>                         <string>7.2.0</string>
>                         <key>path</key>
>                         <string>/Library/Sophos Anti-Virus/SophosAutoUpdate.app</string>
>                         <key>type</key>
>                         <string>application</string>
>                 </dict>
>         </array>
>
> You can generate such an array using /usr/local/munki/makepkginfo, like so:
>
> /usr/local/munki/makepkginfo -f "/Applications/Sophos Anti-Virus.app" -f "/Library/Sophos Anti-Virus/SophosAntiVirus.app" -f "/Library/Sophos Anti-Virus/SophosAutoUpdate.app"
>
> Using the -f flag, I pointed makepkginfo at several of the applications installed by Sophos AV.
> When munki checks for installs, it will look to see if these applications exist, and if they are at least the version numbers specified. If those tests pass, munki will consider Sophos AV installed, and won't offer to install it again.
>
> See also the FAQ at http://code.google.com/p/munki/wiki/FAQ -- the question "munki successfully installed some software, but now each time munki runs, it wants to install the software again. Why is this?" is related to this issue.

John Lockwood

Feb 17, 2014, 7:24:20 AM
to munk...@googlegroups.com
Sophos Anti-Virus for Mac (aka. SAV8 or SAV9) can be configured and updated in one of four ways.

  1. Download the standalone version, then install it, and then manually configure the update settings
  2. For SAV8 only, download the network install version, install on a Mac server which then installs both an installer folder and the Sophos Update Manager tool to manage the installer folder. The SUM tool lets you configure the installer to include the update settings. Unfortunately SUM only officially runs on OS X 10.7 and earlier and only supports SAV8, it does not support SAV9. SAV8 is being discontinued in April 2014 and does not support Mavericks
  3. Have a Windows server running Sophos Enterprise Console, subscribe to the Mac SAV8 and/or SAV8 library. This will then download a copy to a folder on your Windows server, the Macs can then access this folder and run the installer. Sophos Enterprise Console will pre-configure the installer for you

Mac-only sites would have previously benefitted from using Sophos Update Manager; unfortunately, as mentioned above, this is being discontinued. With it, it would have then been possible to create a Disk Image of the installer folder to deploy via Munki. For those with a Windows server option 3 is just as good a solution. However if you're a Mac site with no Windows server then option 1 is not at all helpful as it cannot be automated for deployment.

There is however fortunately an option 4 -
  4. It is possible to download the standalone SAV9 installer and pre-configure it and then this can be deployed. There is a hidden tool included in the installer package to do this. See the following Sophos KB article - http://www.sophos.com/en-us/support/knowledgebase/119744.aspx

    Once you have built your pre-configured installer then this can be made in to a Disk Image and deployed via Munki.

    I would however urge everyone interested to contact Sophos and ask them to reconsider producing an updated SUM tool for Mac as without it the only way to have updates distributed internally is now to use a Windows server. Options 1 and 4 result in your Macs individually and directly downloading updates from Sophos.

    Personally I think Sophos Enterprise Console should have a long time ago been re-written in to a more platform agnostic tool based on open-source components e.g. wget to download files, Apache to serve them along with a web app to access the management information, and something like MySQL as the backend database instead of Microsoft SQL Server. This would then have worked on Macs, Linux and probably even Windows servers. Gee, that sounds like the approach used by a certain project called Munki. :-)

    John Lockwood

    Feb 20, 2014, 5:56:34 AM
    to munk...@googlegroups.com
    Argh!

    I am getting really pissed off with Sophos, their crass decision to discontinue support for the Sophos Update Manager tool which runs on Mac servers to manage installers and updates for Sophos Anti-Virus continues to cause problems.

    SUM is/has been discontinued in that it only supports SAV8 which is being discontinued in April 2014. We will ignore the fact SUM only officially runs on OS X 10.7 and earlier servers. We could in theory use a Windows server running Sophos Enterprise Console but that is only going to happen if Sophos pay for the cost of buying a Windows Server and licenses - like that is going to happen. We could in theory use Sophos Cloud but that looks like it will turn out to be an extra cost thereby penalising their non-Windows using customers. We can use the standalone version of the Sophos SAV9 installer and this as per  http://www.sophos.com/en-us/support/knowledgebase/119744.aspx can be pre-configured to define the auto-update settings so client Macs get updates directly from Sophos.

    I was therefore going down this route. Unfortunately Sophos appear to have stabbed their Mac customers in the back again!

    While the version of SAV8 managed by SUM is a standard Apple installer package (actually an mpkg) and so is the version managed by Sophos Enterprise Console for Windows, and I would expect so is the version managed by Sophos Cloud - the standalone version you download is not an installer package. It is an Application that itself does the installation. This means you cannot deploy it as normal via Apple Remote Desktop, or Munki! Munki would presumably just copy it to the Applications folder. This is the same sort of stupidity that Adobe do with their installers, but at least Adobe have produced a solution for making a package for Enterprise clients.

    So, how do we get Munki to deploy the Sophos standalone installer?

    Note: Effectively the standalone installer for SAV9 is the same as the free 'home edition' of SAV9, except the home edition has the free update account pre-configured and the free home edition license does not allow business use. So while the home edition is not appropriate to use in business environments anyone interested in testing this situation could use it. If one can get the free home edition to be deployed via Munki then the standalone version will be deployable as well.

    In theory building a package by taking a snapshot before and after manually installing SAV9 would be a solution but I hate this type of installer. Is there any other way to re-package this? It may be that similar workarounds as possibly previously used for (ugh!) Adobe Flash would be applicable.

    Would there be any chance of Munki being 'upgraded' to detect and process the Sophos Installer.app as a special case?

    So far my own thoughts on an approach involve writing a shell-script that would 'run' the installer and putting them together in a disk image. Maybe then using an Apple installer package to run the shell script. All this hassle because Sophos are screwing their Mac customers. :(

    Gregory Neagle

    Feb 20, 2014, 9:01:55 AM
    to munk...@googlegroups.com
    On Feb 20, 2014, at 2:56 AM, John Lockwood <jeloc...@gmail.com> wrote:

    > Would there be any chance of Munki being 'upgraded' to detect and process the Sophos Installer.app as a special case?

    I sure wouldn't count on it!

    -Greg

    Ricky Chilcott

    Feb 20, 2014, 9:05:46 AM
    to munk...@googlegroups.com
    I haven’t done this, but look inside the .app file (‘Show Package Contents’) and see in Contents/Packages that there is a SophosAV.mpkg.  You might also have to muck with the binaries at Contents/MacOS to bend it into submission.

    It should be possible though.

    Ricky Chilcott




    John Lockwood

    Feb 20, 2014, 9:27:14 AM
    to munk...@googlegroups.com
    I had already before I posted had a look in the Application and unfortunately it does not contain any pkg or mpkg files. :(

    Good idea though. (Great minds think alike.) :)

    On Thursday, 20 February 2014 Greg Neagle wrote:
    > I sure wouldn't count on it!

    Didn't think so, it is Sophos' problem, it should be them to solve it. I am currently working my way up their food chain kicking asses and taking numbers.

    Ricky Chilcott

    Feb 20, 2014, 9:28:10 AM
    to munk...@googlegroups.com
    The home version that I downloaded did.

    Ricky Chilcott


    Erik

    Feb 20, 2014, 3:36:57 PM
    to munk...@googlegroups.com
    Here is what I have found:

    sudo Sophos\ Anti-Virus\ Home\ Edition.app/Contents/MacOS/InstallationDeployer --install --product_name he

    Running this results in a full installation of Sophos Home Edition silently. I was able to figure out the product name by looking in Sophos\ Anti-Virus\ Home\ Edition.app/Contents/Install/Manifests/index.plist

    Towards the bottom you will find the different product names. You will still need to test this out and make sure it works without a gui or on the loginwindow.

    John Lockwood

    Feb 20, 2014, 3:50:01 PM
    to munk...@googlegroups.com
    Yes but it is an empty pkg.

    darrenw

    Feb 21, 2014, 3:01:38 AM
    to munk...@googlegroups.com
    Hi John,

    Check this out, Rich put it up yesterday, if it's Sophos 9 you are using:


    Hope that helps

    Darren

    John Lockwood

    Feb 21, 2014, 6:52:18 AM
    to munk...@googlegroups.com
    Hi, yes, I spotted it. Rich had spotted my post on the same topic in the JAMFnation forums. I have just finished some minor updates to his post-processing script to add support for the paid-for version of SAV9; the file names and locations are slightly different to the free Home Edition.

    I have just tested my modified version of the package successfully running locally, and via ARD. Next step will be via Munki.