Sophos Sweep anti-virus software technical details

1. Installation

2. Configuration

NOTE: The following applies to Sophos version 6, which ITS is deploying in January and February 2007.

The SAV software can use either a virus-only search engine or an engine that detects both viruses and "potentially unwanted applications" (PUAs). The PUA list includes a number of games, system tools, utilities, chat clients, etc. that an organisation such as Monash may not wish to have deployed on computers in a work environment. These applications are not viruses or trojans and may be completely harmless; however, the engine will detect them and notify the management system of their presence.

The virus-only engine is used by systems that update from http://sophos.monash.edu.au/ESXP, and the virus+PUA engine by systems that update from http://sophos.monash.edu.au/ACSAVXP. The installation distribution is pre-configured to access the ESXP system; once computers have installed SAV and registered with the management system, they are reconfigured automatically to either the ACSAVXP or ESXP URL via an update policy.

2.1. Update policy

Once imported, the applied default update policy will reconfigure workstations and servers in student and staff environments to use the ACSAVXP (virus+PUA) detection engine.

2.2. Workstation Anti-Virus policy

Once imported, the anti-virus policy that is applied by default to workstations has the following settings:

2.2a. On-access scanning
2.2b. Messaging

Desktop pop-up messaging is enabled for both virus detection and cleanup and PUA detection and cleanup. The text of the pop-up message is:

Please contact your local IT support staff

Email alerting is not enabled. SNMP alerting is not enabled.

2.2c. Scheduled Daily scan

A daily scan is scheduled to run every day at 10:00PM, scanning all local hard disks. This scan is configured with:
2.2d. Authorized applications

The following Potentially Unwanted Applications from the vendor's list have been added to the Authorized applications list so that they do not generate warnings and system events:
2.3. Server Anti-Virus policy

Once imported, the anti-virus policy that is applied by default to servers has the following settings:

2.3a. On-access scanning

This is configured the same as 2.2a above, with one exception:
2.3b. Messaging

This is configured the same as 2.2b above.

2.3c. Scheduled Daily scan

A daily scan is scheduled to run every day at 6:30PM, scanning all local hard disks. This scan is configured the same as 2.2c above, with the exception that:
2.3d. Authorized applications

The following Potentially Unwanted Applications from the vendor's list have been added to the Authorized applications list so that they do not generate warnings and system events:
3. Installation problems

When debugging installation problems it is necessary to identify whether the problem is with the Sophos installer or with the mechanism used to launch it (i.e. the Novell login script or the ZENworks application launcher). Problems with the Sophos installer can be further isolated by manually running the INSTALL.BAT batch file from an unpacked ZIP copy (or from APPS:ITS\SOPHOS on the Novell servers ITS-FZEN-A01 or ITS-TZEN-A01), or in even more detail by running the setup executable from that directory with the following switches:

.\ESXP\setup -mng yes

3.1. Installer not running

The Sophos installer may exit if it detects some forms of virus, ad-ware or a competitor's product already installed. If this is the case, there will generally be a log file describing the problem in the %TEMP% directory. The usual fix is to remove the offending software and re-attempt the Sophos installation.

3.2. ZENworks agents not present or correct

The ZENworks software may not launch the Sophos installer if out-of-date or unsupported versions of the Novell client and ZENworks agents are present.

3.3. Installer failing to uninstall version 4

The installer for version 6 may fail to uninstall version 4. Either manually uninstalling version 4 and then retrying the version 6 install, or rebooting and retrying the version 6 install, may be necessary. In some instances it is necessary to manually delete the Sophos 4 services, all files from C:\Program Files\Sophos sweep for NT and/or the registry settings, as the version 6 installer fails to do this.

3.4. Installer fails to install: "Error 00000067"

A number of machines appear to uninstall version 4, then fail to install version 6. Investigation shows that they register with the Enterprise Manager system but then report "Error code 00000067" and "The MSI failed to install". Sophos knowledgebase article 15140 covers error code 00000067 and suggests that "the log files" be reviewed.
We have typically found that this problem can often be resolved by rebooting the PC, manually uninstalling version 4 of the Sophos Anti-Virus software, and then re-attempting the version 6 installation. The file "Sophos Anti-Virus install log.txt" should be present in C:\WINDOWS\TEMP, and is usually the log file that must be investigated.

3.5. Vanishing "shield" icon

The blue "shield" icon may sometimes not appear until after the first reboot, or will appear on install but disappear when an update occurs. This seems to be cosmetic only; once an initial reboot has occurred, this problem does not seem to recur.

3.6. Reboot required loop: "Error 3000"

Some machines generate an "Error 3000" or enter a loop where the log files continually indicate that a reboot is required (possibly due to a perceived inability to uninstall Sophos version 4). Sophos knowledgebase article 13764 states that it applies to Sophos version 5; however, it appears to also apply to version 6, as does the suggested fix.

4. Configuration Problems

Sophos update and anti-virus policies are applied to workstations once they register with the management system and are imported from the Unassigned group into faculty-based groups. This import process runs hourly, and the destination group is chosen on the basis of the computer's network address. Managed workstations have the registry keys HKLM/Software/Sophos/Remote Management System and "CertificationIdentityKeys", and have the update URL greyed out when viewed by right-clicking the "shield" icon and selecting the Update details menu. Unmanaged workstations are configured by local administrators.

The Sophos Remote Management System software is the component that receives and applies the policies; it is installed automatically as part of the product installation. This software requires TCP/IP in order to communicate with the management system (on subnet 130.194.12.240/28), and uses ports TCP 8192, 8193 and 8194.
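A workstation-side diagnostic for the installation residue (section 3) and managed-state and connectivity requirements (section 4) described above, written here as an added example and not Monash ITS or Sophos tooling. It assumes PowerShell 2.0 or later run as an administrator and the C:\WINDOWS layout the text assumes; the paths, registry key, hostname and ports are the ones named on this page.

```powershell
# Added diagnostic script (not Monash ITS's or Sophos's own tooling); assumes
# PowerShell 2.0 or later, run as an administrator on the affected workstation.
# Paths, registry key, hostname and ports are those named in sections 3 and 4
# and assume the Windows XP layout with Windows installed in C:\WINDOWS.
$results = New-Object System.Collections.ArrayList
function Add-Check($name, $ok, $detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $name; OK = $ok; Detail = $detail }))
}

# Section 3.3: residue of version 4 that the version 6 installer can fail to remove
$v4Dir = 'C:\Program Files\Sophos sweep for NT'
Add-Check 'No version 4 directory left behind' (-not (Test-Path $v4Dir)) $v4Dir
$svc = @(Get-Service | Where-Object { $_.DisplayName -like '*Sophos*' })
Add-Check 'Sophos services present' ($svc.Count -gt 0) (($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', ')

# Section 3.4: the log to read when the MSI reports error code 00000067
$log = 'C:\WINDOWS\TEMP\Sophos Anti-Virus install log.txt'
Add-Check 'Install log present' (Test-Path $log) $log

# Section 4: a managed workstation carries the RMS CertificationIdentityKeys entry
# (checked both as a subkey and as a value, since either form would indicate it)
$rms = 'HKLM:\SOFTWARE\Sophos\Remote Management System'
$managed = Test-Path "$rms\CertificationIdentityKeys"
if (-not $managed -and (Test-Path $rms)) {
    $managed = (Get-Item $rms).GetValueNames() -contains 'CertificationIdentityKeys'
}
Add-Check 'Managed by RMS (CertificationIdentityKeys)' $managed $rms

# Section 4: policies are not applied when these directories are missing from %PATH%
$pathDirs = $env:PATH -split ';' | ForEach-Object { $_.Trim().TrimEnd('\') }
foreach ($dir in 'C:\WINDOWS', 'C:\WINDOWS\System32', 'C:\WINDOWS\System32\WBEM') {
    Add-Check "PATH contains $dir" ($pathDirs -contains $dir) ''
}

# Section 4: RMS needs TCP 8192-8194 to the management system; a local or
# third-party firewall that blocks them leaves the workstation unmanaged
foreach ($port in 8192, 8193, 8194) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect('sophos.monash.edu.au', $port); $open = $true }
    catch   { $open = $false }
    finally { $client.Close() }
    Add-Check "TCP $port to sophos.monash.edu.au" $open ''
}

$results | Format-Table -AutoSize Check, OK, Detail
```

Any row with OK = False points at the section of this page that explains the corresponding fix.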
The supplied installations (batch file and ZENworks) make the appropriate Windows Firewall exceptions; however, third-party firewalls or other network software may interfere. Check that the computer can communicate directly with sophos.monash.edu.au. See Sophos knowledgebase article #12340 for more details.

If the Windows %PATH% does not include the default directories C:\WINDOWS, C:\WINDOWS\System32 and C:\Windows\System32\WBEM, then the Sophos policies cannot be applied (assuming Windows XP is installed into C:\WINDOWS). Some workstations have had their paths corrupted by other application installations, and this problem will not be apparent until Sophos SAV is installed.

Computers on private networks, e.g. 10.0.0.0/8 or 192.168.0.0/16, cannot be identified automatically as belonging to a given faculty and will be left in a default group unless a request is lodged with the ITS Service Desk detailing the computer's Windows name, IP address and desired group.

5. Operational Problems

5.1. "Update has failed" on system tray icon

The Sophos system tray icon appears to incorrectly display the red cross and "update has failed" when many machines are first switched on. To investigate whether this is a spurious error:

Right-click on the icon and select "Open Sophos Anti-Virus", then select "Help | View Product Information". This displays the current number of IDE files and a recent (i.e. since startup) update time: 207 and 09:24am in this case.

Close Sophos Anti-Virus. Right-clicking on the icon and selecting "Update now" results in the three update dialog boxes appearing briefly, no update occurring (as none is required), and the red cross clearing from the system tray icon.

Repeat the version check: right-click on the icon and start Sophos, then select "Help->View Product Information". This displays the same number of IDE files and a more recent (i.e. the previous update) update time: 207 and 09:48am in this case.
This appears to be a misleading bug in the user interface of the product.

6. Uninstallation

If it is necessary to uninstall the Sophos software, do so from the Add or Remove Programs control panel. Ensure that you first remove Sophos AutoUpdate, and then Sophos Anti-Virus and Sophos Remote Management System. (This will ensure that an automatic update does not replace the software as you are removing it.)