So I decided to have a meeting in London a few months ago with @sophossecurity and it literally blew my mind. They showed me how easy it is for cyber criminals to hack you - but also how easy it is to stop those trying to get to you.
All clients have had their previous antivirus uninstalled using the same method. While deploying Intercept X on a few remaining clients the installer is failing. I have verified that the old antivirus is completely removed and even ran the manual uninstall tool that is provided. The Sophos logs show the following when attempting to install Intercept X:
I will give Sophos the benefit of the doubt for the moment and go by the logs. However, there is no trace on my side of this version of Trend Micro being installed on the client (I've looked). Does anyone know where in the Sophos logs it might point to the paths where it detected the old antivirus is installed? Any other suggestions are more than welcome, as this is where the Sophos Support team keeps saying "uninstall the old antivirus", but that isn't an available option as it doesn't exist.
I understand that you'd like to see what parts of TM were detected during the Sophos installation. I'd prefer to see that in the Sophos install logs, too. Probably because of some compliance stuff they cannot provide you that information here.
The path to the ProductCatalog.xml was brilliant. Once I was able to look in that location I was able to see that this was the culprit: 0A07E717-BB5D-4B99-840B-6C5DED52B277 in the registry. By removing it, I was able to install Intercept X with no problem. Thanks for the help.
The UW license for Sophos Central grants protection for many computers. This suite provides a web-based console to deploy and manage client applications and protection policies for your department/unit.
The Sophos Central Console should be used to deploy and manage protection for large groups of UW-owned devices. The UW license for this product is provided to the department free of charge.
Do I have to uninstall other anti-virus software before installing the Sophos product? Usually, yes. The Sophos installer will normally find and remove older versions of Sophos on its own. Anti-virus software from other vendors, however, should be removed using the procedure recommended by that vendor before the Sophos software is installed; a leftover registration from an incomplete uninstall can cause the Sophos installer to fail.
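The thread above ended with a leftover Windows Installer product code that the Intercept X installer kept tripping over, and the FAQ entry just above says to remove third-party anti-virus before installing. The script below is an added example, not code from the thread, from Sophos or from the UW page: it hunts for leftover third-party anti-virus registrations in the three places an endpoint installer typically checks. The vendor pattern and the product code are illustrative defaults (the GUID is the one named in the thread); the `Installer\Products` key name packing follows Windows Installer's documented "Darwin descriptor" layout.

```powershell
# Added example (not from the thread, Sophos or the UW page): find leftover
# third-party anti-virus registrations that a new endpoint installer may detect.
# Assumptions: run in an elevated PowerShell 5.1+ session; -VendorPattern and
# -ProductCode are illustrative defaults taken from the thread above.
param(
    [string]$VendorPattern = 'Trend Micro',
    [string]$ProductCode   = '{0A07E717-BB5D-4B99-840B-6C5DED52B277}'
)

# Windows Installer keeps a copy of every product code under
# HKLM\SOFTWARE\Classes\Installer\Products in "packed" form: the first three
# GUID groups are reversed character-wise, the remaining 16 hex digits are
# swapped pairwise. This survives a botched uninstall and is what installers
# that check "is product X present?" usually look at.
function ConvertTo-PackedGuid([string]$Guid) {
    $hex = $Guid.Trim('{}').Replace('-', '').ToUpperInvariant()
    if ($hex.Length -ne 32) { throw "Not a GUID: $Guid" }
    $rev       = { param($s) -join $s.ToCharArray()[($s.Length - 1)..0] }
    $swapPairs = { param($s) -join (0..($s.Length / 2 - 1) | ForEach-Object {
                      $s.Substring(2 * $_ + 1, 1) + $s.Substring(2 * $_, 1) }) }
    (& $rev $hex.Substring(0, 8)) + (& $rev $hex.Substring(8, 4)) +
    (& $rev $hex.Substring(12, 4)) + (& $swapPairs $hex.Substring(16, 16))
}

$hits = @()

# 1. Add/Remove Programs entries, both 64-bit and 32-bit registry views.
#    MSI-based products use their product code (with braces) as the key name.
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($root in $uninstallRoots) {
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -match $VendorPattern -or $_.PSChildName -eq $ProductCode) {
            $hits += [pscustomobject]@{ Source = 'Uninstall'; Key = $_.PSPath
                                        Name = $p.DisplayName; Remove = $p.UninstallString }
        }
    }
}

# 2. Windows Installer product registrations (the place an orphaned entry hides
#    after the vendor's own uninstaller has already deleted the program files).
$packed = ConvertTo-PackedGuid $ProductCode
Get-ChildItem 'HKLM:\SOFTWARE\Classes\Installer\Products' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($_.PSChildName -eq $packed -or $p.ProductName -match $VendorPattern) {
            $hits += [pscustomobject]@{ Source = 'Installer\Products'; Key = $_.PSPath
                                        Name = $p.ProductName; Remove = "msiexec /x $ProductCode" }
        }
    }

# 3. What Windows Security Center still believes is registered as an AV product
#    (client editions of Windows only; the namespace is absent on Server SKUs).
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Where-Object { $_.displayName -match $VendorPattern } | ForEach-Object {
        $hits += [pscustomobject]@{ Source = 'SecurityCenter2'; Key = $_.instanceGuid
                                    Name = $_.displayName; Remove = $_.pathToSignedProductExe }
    }

if ($hits.Count -eq 0) { "No registrations matching '$VendorPattern' or $ProductCode found." }
else { $hits | Format-Table -AutoSize }
```

Run it before opening a support case so the "uninstall the old antivirus" answer can be met with the exact key that is still present. Try the `Remove` column first (`msiexec /x {ProductCode}` for an MSI registration); only if Windows Installer refuses because the package is gone, export the key with `reg export` and delete it, which is the manual route the thread above ended up taking.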
Sophos Central, a web-based Enterprise Console, is available to UW departmental IT and system administrators to install and manage Sophos Endpoint Protection on their departmental computers free of charge.
Sophos is trying to update the AntiVirus software on my Mac. The left side of the Sophos Shield is just blinking up and down and the Sophos AutoUpdate Status window just says Updating Sophos AntiVirus with a blue barber pole that just keeps going. This has been going on for 24 hours with no end in sight. I cannot find a way to stop the AutoUpdate. I also cannot use Mail as messages just say "Loading....". I do not know if there is a way to stop the Update or Remove Sophos entirely. Any help would be appreciated. Would love to be able to use my Mac again. Thanks!
SAV 8 should be attempting to update from 8.0.3 to 8.0.4. Try rebooting and running the update again, preferably with Mail.app and Time Machine off, if either of those is having issues. The update should take 5 min max. Then try rebooting again after the update, just to make sure everything is stable and in place.
Hi Andrew, I have the same problem, updating never ends, and the major problem is that within 3 mins my Mac needs to be restarted as it is too hot because Sophos is updating continuously. I have a white Mac, and OS X keeps showing a grey sign on the screen saying to restart it as it has detected kernels, what is that? I would really like to use my Mac again. I have tried to uninstall it by dragging it to the trash but it continues to be there. Can you help me uninstall it, as I don't think I will be needing your software anymore? Please, it is really frustrating; besides, it can burn my Mac down. Thanks
This issue is significantly different from the other; I would need more information to figure out what is going on, but the update process will definitely not do this to your Mac -- the on-access scanner may do this in specific circumstances. This will not cause your Mac to melt down -- although it may cause your fan to blow harder than you're used to.
The issue you seem to be experiencing is called a kernel protection fault -- basically, a process at the core of your computer's operating system is not releasing the computer's processor to work on other things, causing it to spend all its energy on a task that will never complete. When this happens, Apple brings up a kernel error screen, which can only be exited by restarting the computer.
If you look on these forums, you will find an incompatibility between SAV 8.0.3 and earlier and certain configurations of OS X 10.4.11 that exhibits this behaviour. SAV 8.0.4 is now out and is supposed to fix the issue. Prior to 8.0.4, users of 10.4.11 were recommended to stay with SAV 7.3.x.
The problem is that even when I stop this service via System Services > Services, some hours after the service restarts due to the /scripts/avira_post_update.sh that updates signatures and starts the service again.
The script is launched by the pattern updates, which occur every 2/4 hours (it depends on your pattern update interval). If you disable the anti-virus engine under Services in the GUI, does the service start again?
So now Avira script will not run anymore (for now) and the service remains stopped by just disabling it from the GUI (as long as the appliance doesn't reboot, because it will start the service again).
Yeah, if there is a firewall rule using HTTP/HTTPS scanning enabled with the anti-virus service disabled, some websites won't open due to a "security risk detected". It is important to make it clear. [Y]
I have Sophos antivirus and when I create a rule with the vulnerability protection set to Strict, it blocks my connection to sophos server for updates. Once I relax the VP rule, it looks fine. Interestingly, I cannot see anything in the traffic/threat logs as well.
If you are not comfortable with setting all levels to Alert you can set them to Block (since this is just debug) - blocked traffic should be logged if you have set "log on session end" (I guess "log on session start" won't pick up any threat).
However, isn't the Threat log on its own independent of what the security rule itself is set to? I mean, I thought the security rule setting was about Traffic logging. Whether a vuln should log or not is set in the vuln profile itself (Alert means log only, while Block means block and log, while Allow will not log at all (for this you use Alert instead)).
Mikand - I was under the impression that Vuln profiles with specific actions set do log the events under Threat Monitor. None of the profiles have allow as an action, so I would ideally expect to see everything being logged. But that is not the case. For some reason I cannot see any traffic or threat logs for Sophos updates. Upon disabling the rule, the updates work, but there is still nothing in the traffic or threat logs.
Did you try the suggestion that Mikand gave to create a new VP profile and set everything to alert? Have you updated the application and threat signatures to the latest? Each CVE has an associated default action (allow, alert, reset, block). If you don't see anything in the threat log going to the dst address of Sophos even after setting everything to alert, then it should not get blocked at any setting. If you do see it after setting everything to alert (like under informational threat), check to see what the default action is set to for that CVE. If you don't see anything, I would open a case with TAC.
Multi-platform organisations are likely to have a Windows server (or more than one) and can therefore run Sophos Enterprise Console to create and manage a Mac installer for Sophos Anti-Virus. I have done this in previous companies.
Previously Mac only organisations could use Sophos Update Manager to do much the same on a Mac server. Unfortunately SUM only supports SAV8 and does not support SAV9. SAV8 is being discontinued in April 2014 and does not officially support Mavericks. It is therefore urgent to move all Macs to SAV9 by April 2014.
If you have no Windows Server, and can no longer use SUM, this leaves two more possibilities. First, you could use the standalone SAV9 installer. It is even possible to pre-configure the auto-update account details for this. Unfortunately Sophos have made this installer an application and not an installer package. As a result it cannot be deployed using Apple Remote Desktop, Casper, Munki, or any other Mac management tool. (The application needs to be run as an application on each client Mac to do the actual installation.) This stupid design is like the equally stupid approach taken by Adobe with Flash. However, at least with Adobe Flash you can find, if you look hard enough, a standard package file to install Flash.
The final possibility, and the one Sophos are pushing Mac-only customers to, is to sign up for an extra-cost subscription to Sophos Cloud. This does let you manage your Macs via the Cloud, and it does let your Macs update directly from Sophos, but a) the website for Sophos Cloud is not 100% Safari friendly, and much more importantly b) the installer it produces is yet again an application and not an installer package!