Sophos Secondary Update Server Url What Is It

The article describes the procedure to configure an L2TP VPN remote access on a Sophos XG Firewall. Secondary WINS Server: Optional.

Visio Stencils for Sophos SG Appliances–Update 20.

5 online RAID calculator tools.

Managing Sophos Antivirus Data Files. In this example, you configure the security device to update the data files automatically every 4320 minutes (every 3 days). The default data file update interval is 1440 minutes (every 24 hours).

In my scenario, Sophos changed our update username and password while I had a few clients on the road, so I had to edit the WebConfig_Secondary location. Change the AllowLocalConfig=0 to 1 and save the file.

Answer

MIT's Sophos antivirus clients transmit information back to the Sophos Management Console. Most of the information pertains to the status and health of the Sophos client installed on a given machine. IS&T has listed all of the information transmitted from the Sophos client to the Sophos Management Console below.

Note: in the original list, red, bolded items referenced Sophos modules that are not enabled at MIT (that highlighting is not preserved in this copy). For those modules no information is transmitted to the Management Console, and the corresponding fields are blank.

  • Sophos Anti-Virus version
  • HIPS rules
  • HIPS configuration
  • Detection data
  • On-access scanning
  • Anti-virus and HIPS policy
  • Last scheduled scan completed
  • Last message received from computer
  • Up to date
  • Updating policy
  • Time installed package became available
  • Time next package became available
  • Primary update server
  • Secondary update server
  • Client firewall
  • Sophos NAC policy
  • Compliance Agent (NAC) version
  • Sophos NAC compliance assessment
  • Application control policy
  • Application control on-access scanning
  • Data control scanning status
  • Device control scanning status
  • Data control policy compliance
  • Device control policy compliance
  • Tamper protection status
  • Tamper protection policy compliance
  • Patch assessment (WIN domain only)
  • Patch policy (WIN domain only)
  • Patch agent version (WIN domain only)
  • Web control status
  • Web control policy
  • Group
  • Items detected
  • Sophos AutoUpdate status

The non-Sophos information collected by the Sophos Management Console is listed below (information type, followed by its description):

  • Computer name: the name given to the computer by the user or domain
  • Computer description: the description given to the computer by the user or domain
  • Operating system: e.g. Windows 7, OS X 10.8
  • Service pack: e.g. Service Pack 1, OS X 10.8.4
  • Domain/workgroup: e.g. WIN, Workgroup
  • IP address: the last IP address the client had when it connected to the Console
  • Last logged on user: the last local or domain username logged in at the time of the last Console check-in

Why is this non-Sophos information important?

The non-Sophos information collected is important in the event that a software update by an operating system vendor (Microsoft, Apple, etc.) adversely affects the functionality of Sophos. By collecting this information, IS&T can accurately determine the impact of such an event on our community and act accordingly.

The Sophos Management Console also acts as a license server. By tracking the number of machines with Sophos installed, IS&T can accurately account for and license the product.

What does IS&T plan to do with this information?

The information gathered, specifically Items detected, will be used to examine broad trends within the Sophos-using community. The ability to enumerate the number of endpoints infected with a specific piece of malware will provide IS&T with the ability to act (if warranted) to help better protect the community.

IS&T respects the privacy of its users and guards electronic data accordingly. For more information, please reference MIT's Polices and Procedures document: http://web.mit.edu/policies/13/13.2.html

I still have concerns...

Please send additional questions/comments to servicedesk@mit.edu.

The Sophos forums are buzzing today with reports of an issue with Sophos antivirus. The company released an update (as it does every day), but the latest update appears to incorrectly class innocent files as viruses.

The update detects any software that includes an updater, such as Adobe Flash Updater, Google Update or Adobe Reader Updater, as a virus and repeatedly warns the user about it. If configured to send emails (as many corporates have), support desks have been inundated with requests for help from their users with the 'Updater-B' virus. Some very large clients are affected, such as the University of Texas.

On the Sophos forums there are 14 pages of users reporting issues already, and many are saying that Sophos has crippled its own updating process, so even if the company does push out a fix it will be nearly impossible to update the clients to resolve it.
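The shape of the incident described in this report, a single detection name ('Updater-B') suddenly firing across many endpoints against files that are all vendor updaters, is exactly what a support or security team needs to recognize within minutes, before the bad signature spreads through the fleet and cripples updating. It is also the per-endpoint tally of "Items detected" that the IS&T answer above says it uses to count endpoints hit by one piece of malware. The Python below is an added example, not code from Neowin, Sophos or MIT. It runs over constructed log lines in a made-up "timestamp host detection path" format (not Sophos's real log format) and flags any detection name that hits at least `min_hosts` distinct endpoints inside one sliding time window, reporting how concentrated the flagged files are.

```python
"""Spot a detection storm such as the 'Updater-B' false-positive wave.

A bad signature pushed fleet-wide shows up as ONE detection name hitting
MANY distinct endpoints within minutes. The log lines and the line format
below are constructed for this example; they are not a real Sophos format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <host> <detection name> <file path>".
# Host names, detection names and paths are invented for the example.
SAMPLE_LOG = """\
2012-09-19T21:00:12 ws-0101 Troj/Agent-ABC C:\\Users\\alice\\Downloads\\invoice.exe
2012-09-19T21:03:40 ws-0102 Updater-B C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe
2012-09-19T21:03:52 ws-0103 Updater-B C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_ActiveX.exe
2012-09-19T21:04:05 ws-0104 Updater-B C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AdobeARM.exe
2012-09-19T21:04:31 ws-0105 Updater-B C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe
2012-09-19T21:05:02 ws-0106 Updater-B C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe
2012-09-19T21:05:09 ws-0102 Updater-B C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe
2012-09-19T21:06:44 ws-0107 Updater-B C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AdobeARM.exe
2012-09-19T23:40:00 ws-0101 Troj/Agent-ABC C:\\Users\\alice\\Downloads\\invoice.exe
2012-09-20T08:15:00 ws-0108 Troj/Agent-ABC C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    detection: str
    path: str


@dataclass(frozen=True)
class Storm:
    detection: str
    hosts: int           # distinct endpoints hit inside the densest window
    fleet_fraction: float  # hosts / distinct endpoints seen in the whole log
    distinct_paths: int  # how many different files triggered it
    first: datetime
    last: datetime


def parse_log(text):
    """Parse the constructed format; the path is the remainder of the line
    so paths containing spaces survive. Returns events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, detection, path = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), host, detection, path))
    return sorted(events, key=lambda e: e.ts)


def find_storms(events, window=timedelta(minutes=10), min_hosts=5):
    """Return one Storm per detection name whose densest `window` covers at
    least `min_hosts` distinct endpoints. Events must be time-sorted."""
    fleet = {e.host for e in events}
    by_name = defaultdict(list)
    for e in events:
        by_name[e.detection].append(e)

    storms = []
    for name, evs in by_name.items():
        best = None  # (distinct host count, start index, end index)
        j = 0
        for i in range(len(evs)):
            # Slide j forward to the first event outside [evs[i].ts, evs[i].ts + window].
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            hosts = {e.host for e in evs[i:j]}
            if best is None or len(hosts) > best[0]:
                best = (len(hosts), i, j)
        count, i, j = best
        if count >= min_hosts:
            paths = {e.path for e in evs[i:j]}
            storms.append(Storm(name, count, round(count / len(fleet), 2),
                                len(paths), evs[i].ts, evs[j - 1].ts))
    return sorted(storms, key=lambda s: s.hosts, reverse=True)


if __name__ == "__main__":
    for s in find_storms(parse_log(SAMPLE_LOG)):
        print(f"{s.detection}: {s.hosts} hosts ({s.fleet_fraction:.0%} of fleet), "
              f"{s.distinct_paths} distinct files, {s.first:%H:%M}-{s.last:%H:%M}")
```

On the constructed sample this flags Updater-B (six of eight endpoints within three minutes, three distinct files, all vendor updaters) and stays silent on the lone Troj/Agent-ABC hits spread over hours. The caveat a practitioner should keep in mind: a genuine worm outbreak produces the same many-hosts-in-minutes shape, so the script only surfaces candidates; the discriminator is what the flagged paths are (here, signed vendor updaters under Program Files rather than user-writable locations), which is why the report carries the distinct-file count and is meant to be read by a human before anyone stops Update Manager or disables on-access scanning.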

Neowin contacted Sophos for comment, and the company responded with 'we are aware of the problems and are working on this issue at this time.' They also responded to a forum user via email:

I am sorry; currently this is a false positive. We have removed the bad detection and you should see the detections begin to go away. Please let me know if you have any further questions.
Regards,
Dave Pomerleau
Sophos Technical Support

Right now, we recommend you disable your Sophos Update Manager by stopping the service on your update server, to avoid corrupting the endpoint updating mechanism.

Update: Sophos claims it will release a patch in the next hour, but it's not clear how they plan on getting end users to push that out. The bungled update actually causes endpoints to crash, so let's hope they have a workaround for that.

Update 2: Sophos have released the patch. The instructions to resolve the problem are as follows:

Please follow these steps in the console:
1. Turn off 'on-access' scanning in all of your Anti-virus and HIPS policies.
2. Go to the Update Managers in your Enterprise Console, right-click your Update Managers and choose 'Update now'.
3. Wait for the update manager to finish downloading the latest updates (Download status changes to Matches).
4. Edit all of your 'Updating' policies in Enterprise Console. Click on 'Schedule' and change the check-for-update time to 5 minutes.
5. Wait 8-10 minutes.
6. The number of false-positive Virus/Spyware detections should start falling.
7. Enable the on-access scanner when the number of false-positive detections has fallen significantly.
8. If any computers are still showing the false-positive alert, they have either not received the latest update or the 'on-access' scanner was still enabled when they tried to update. The above steps can be repeated for just those computers.