Sophos Anti-Virus for Mac version 9.0 Preview

Hi everyone,

Today we published Sophos Anti-Virus for Mac version 9.0 Preview for your evaluation and use.

The headline feature for version 9.0 is Web Protection, offering protection to make web browsing safe. This is the same technology used by our corporate customers. Learn more from our website: http://www.sophos.com/en-us/why-sophos/innovative-technology/web-protection.aspx

We've also worked hard to improve the existing features with a number of security and stability fixes. Version 9.0 supports Mac OS X 10.6 and up. This means we've discontinued support for all PowerPC systems and 10.4/10.5 Intel systems going forward.

This is a "preview" release. The product has passed all of our internal quality assurance testing but we are looking for additional feedback from real users in the real world. Barring any undiscovered defects, this version provides the same protection as version 8 plus protection for web browsing. The product will get regular updates too.

Download the version 9.0 Preview installer here: http://downloads.sophos.com/home-edition/savosx_90_he.zip

SHA-256 checksum of the 9.0.0 zip file: 0252e80845d38e43c9638983900d3f9a91dac4b2e9c028e787e4a8e40018d4c1

SHA-256 checksum of the 9.0.1 zip file: 4719154788e5e4251dc76bfecde842ea7fd08db32e36ecef0072335ca156bb4a

You can upgrade an existing version 8 installation, or set up a brand new installation with the same installer. Either way, just download and run the installer app. Today you need to "opt-in" by manually running the installer but later this year we'll migrate all version 8 installations.

If you find problems, please post about it here. If you don't have any problems we'd also love to hear that too. If you find a showstopper issue, please let us know and then reinstall version 8 until we can fix it.

Note that the version 8 installer is still available from our main website: http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

Regarding the Web Protection feature, you can test the two different types of protection with these two links:

URL reputation blocking: http://www.sophostest.com/ then click the "Malware" link about half-way down the page

Malicious content blocking: http://www.eicar.org/download/eicar_com.zip

In both cases, you will get a notification page instead of the real content when the protection features are enabled in the preferences.

Thanks in advance for your feedback.

:1012410


  • Hi maser,

    In general we expect (and therefore do more testing) for home edition to upgrade to home edition, and "corporate" version to upgrade to "corporate" version.

    There is a version 9.0.1 (soon to be 9.0.2) of the "corporate" version available through your management console or your MySophos account.

    Version 8 to 9 upgrades should work no matter which version you start with. Post your install.log file and we'll see what we can sort out.

    For future reference, we won't do automatic "cross-grades" from version 9 to another type of version 9. The software is starting to diverge enough across the different variants that it will become more difficult to support it going forward. We figured now is the right time to implement that change.

    :1012818
  • Hi Bob,

    I send you an email :smileyhappy:

    :1012820
  • So, let me clarify my upgrade problems.

    I can download the "pro" 8.0.15 installer from Sophos and update that directly to 9.0.1 without issue.

    However, we cannot upgrade our *customized installer* of Sophos (which starts with 8.0.6) to 9.0.1. The installer says it runs successfully, but does not.

    /var/log/install.log says:

    Aug 12 16:50:28 MYHOSTNAME Sophos Installer[34719]: Installing opm-sa-installer
    Aug 12 16:50:29 MYHOSTNAME Sophos Installer[34719]: "installer.localPayload.buildPlan" success: YES
    Aug 12 16:50:29 MYHOSTNAME Sophos Installer[34719]: "installer.localPayload.remoteRemove" success: YES
    Aug 12 16:53:07 MYHOSTNAME Sophos Installer[34719]: "installer.localPayload.installComponents" success: YES
    Aug 12 16:53:07 MYHOSTNAME Sophos Installer[34719]: "installer.localPayload.launchServices" success: YES
    Aug 12 16:53:07 MYHOSTNAME Sophos Installer[35989]: Installing opm-sa
    Aug 12 16:53:07 MYHOSTNAME Sophos Installer[35989]: Detected product opm. It will be removed before install. The install will be treated as an update.
    Aug 12 16:53:07 MYHOSTNAME Sophos Installer[35989]: Product opm already installed. Remove the existing product before installing product opm.
    Aug 12 16:53:07 MYHOSTNAME Sophos Installer[35989]: Installation complete
    Aug 12 16:53:07 MYHOSTNAME Sophos Installer[34719]: "installer.externalDeployer" success: YES
    Aug 12 16:53:07 MYHOSTNAME Sophos Installer[34719]: "installer.writeReceipt" success: YES
    Aug 12 16:53:07 MYHOSTNAME Sophos Installer[34719]: "installer" success: YES
    Aug 12 16:53:19 MYHOSTNAME Sophos Installer[34719]: Installation complete

    (we also have a "managed" install of Sophos on other systems where the same thing happens, but the last 3 lines say "NO" and the installer indicates an "incompatible version"...)

    This compares to the stock 8.0.15 installer upgraded to 9.0.1 on the same machine:

    Aug 13 10:40:47 OTHERHOSTNAME Sophos Installer[489]: Installing opm-sa-installer
    Aug 13 10:40:47 OTHERHOSTNAME Sophos Installer[492]: Starting receipt service for opm-sa-installer
    Aug 13 10:40:48 OTHERHOSTNAME Sophos Installer[489]: Upgrade plan is empty. Nothing to upgrade
    Aug 13 10:40:48 OTHERHOSTNAME Sophos Installer[492]: Fix plan is: ()
    Aug 13 10:40:48 OTHERHOSTNAME Sophos Installer[489]: "installer.localPayload.buildPlan" success: YES
    Aug 13 10:40:48 OTHERHOSTNAME Sophos Installer[492]: "receiptService.removeComponents.stopProcesses" success: YES
    Aug 13 10:40:48 OTHERHOSTNAME Sophos Installer[492]: "receiptService.removeComponents.removeFiles" success: YES
    Aug 13 10:40:48 OTHERHOSTNAME Sophos Installer[492]: "receiptService.removeComponents" success: YES
    Aug 13 10:40:48 OTHERHOSTNAME Sophos Installer[489]: "installer.localPayload.remoteRemove" success: YES
    Aug 13 10:40:53 OTHERHOSTNAME Sophos Installer[489]: "installer.localPayload.installComponents" success: YES
    Aug 13 10:40:53 OTHERHOSTNAME Sophos Installer[489]: "installer.localPayload.launchServices" success: YES
    Aug 13 10:40:53 OTHERHOSTNAME Sophos Installer[493]: Installing opm-sa
    Aug 13 10:40:53 OTHERHOSTNAME Sophos Installer[493]: Detected product opm-sa. It will be removed before install. The install will be treated as an update.
    Aug 13 10:40:53 OTHERHOSTNAME Sophos Installer[493]: "installer.preinstall.cacheComponent" success: YES
    Aug 13 10:40:54 OTHERHOSTNAME Sophos Installer[493]: "installer.preinstall.stopProcesses" success: YES
    Aug 13 10:40:54 OTHERHOSTNAME Sophos Installer[493]: "installer.preinstall.removeComponents" success: YES
    Aug 13 10:40:54 OTHERHOSTNAME Sophos Installer[493]: "installer.localPayload.buildPlan" success: YES
    Aug 13 10:40:54 OTHERHOSTNAME Sophos Installer[493]: "installer.localPayload.remoteRemove" success: YES
    Aug 13 10:40:58 OTHERHOSTNAME Sophos Installer[493]: "installer.localPayload.installComponents" success: YES
    Aug 13 10:40:58 OTHERHOSTNAME Sophos Installer[493]: "installer.postinstall.restoreCacheComponent" success: YES
    Aug 13 10:41:00 OTHERHOSTNAME Sophos Installer[493]: "installer.localPayload.launchServices" success: YES
    Aug 13 10:41:03 OTHERHOSTNAME Sophos Installer[493]: "installer.writeReceipt" success: YES
    Aug 13 10:41:03 OTHERHOSTNAME Sophos Installer[493]: "installer" success: YES
    Aug 13 10:41:03 OTHERHOSTNAME Sophos Installer[493]: Installation complete
    Aug 13 10:41:03 OTHERHOSTNAME Sophos Installer[489]: "installer.externalDeployer" success: YES
    Aug 13 10:41:03 OTHERHOSTNAME Sophos Installer[489]: "installer.writeReceipt" success: YES
    Aug 13 10:41:03 OTHERHOSTNAME Sophos Installer[489]: "installer" success: YES
    Aug 13 10:41:03 OTHERHOSTNAME Sophos Installer[492]: "receiptService" success: YES
    Aug 13 10:41:08 OTHERHOSTNAME Sophos Installer[489]: Installation complete

    :1012824
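
Added example (not part of the thread and not Sophos code): a Python check over the install.log lines posted above that flags an installer process whose own messages contradict the "success: YES" reported around it. The finding rules are heuristics inferred from the two logs in that post, not documented Sophos Installer behaviour; `audit` and `FAILED` are names chosen here.

```python
import re
from collections import defaultdict

# Message part of a "Sophos Installer[pid]:" syslog line (hostname spacing is ignored).
LINE = re.compile(r"Sophos Installer\[(\d+)\]: (.*)$")
STEP = re.compile(r'^"([\w.]+)" success: (YES|NO)$')

def audit(log_text):
    """Map installer PID -> findings that contradict a reported success."""
    runs = defaultdict(lambda: {"installing": None, "detected": None,
                                "steps": [], "refused": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        run, msg = runs[m.group(1)], m.group(2).strip()
        step = STEP.match(msg)
        if step:
            run["steps"].append((step.group(1), step.group(2)))
        elif msg.startswith("Installing "):
            run["installing"] = msg.split()[1]
        elif msg.startswith("Detected product "):
            run["detected"] = msg.split()[2].rstrip(".")
        elif "already installed. Remove the existing product" in msg:
            run["refused"] = True
    findings = {}
    for pid, run in runs.items():
        notes = [f"step {name} reported NO" for name, ok in run["steps"] if ok == "NO"]
        if run["refused"]:
            notes.append("installer refused: product already installed")
        if run["detected"] and run["detected"] != run["installing"]:
            notes.append(f"detected {run['detected']} but payload is {run['installing']}")
        if run["installing"] and not run["steps"]:
            notes.append("no install steps were logged")
        if notes:
            findings[pid] = notes
    return findings

# Excerpt of the failing run quoted in the post above.
FAILED = """\
Aug 12 16:53:07 MYHOSTNAME Sophos Installer[35989]: Installing opm-sa
Aug 12 16:53:07 MYHOSTNAME Sophos Installer[35989]: Detected product opm. It will be removed before install. The install will be treated as an update.
Aug 12 16:53:07 MYHOSTNAME Sophos Installer[35989]: Product opm already installed. Remove the existing product before installing product opm.
Aug 12 16:53:07 MYHOSTNAME Sophos Installer[35989]: Installation complete
Aug 12 16:53:07 MYHOSTNAME Sophos Installer[34719]: "installer" success: YES
"""

print(audit(FAILED))
```

Run against the full /var/log/install.log, the parent process (34719 in the excerpt) comes back clean while the child that should have performed the upgrade is flagged, which is the mismatch the post describes.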

  • maser wrote:

    However, we cannot upgrade our *customized installer* of Sophos (which starts with 8.0.6) to 9.0.1. The installer says it runs successfully, but does not.


    Interesting issue, I'll need more information on how you customized the version 8 installer. As you've probably figured out, the installer in version 9.0 is radically different than the one used in version 8, so we are having to work through some of the "unique" workflows customers have set up.

    If you are covered by a maintenance agreement you should also contact our Support team. Otherwise let's keep going here to see if we can get to the root of the issue.

    :1012828

  • bobcook wrote:

    maser wrote:

    However, we cannot upgrade our *customized installer* of Sophos (which starts with 8.0.6) to 9.0.1. The installer says it runs successfully, but does not.


    Interesting issue, I'll need more information on how you customized the version 8 installer. As you've probably figured out, the installer in version 9.0 is radically different than the one used in version 8, so we are having to work through some of the "unique" workflows customers have set up.

    If you are covered by a maintenance agreement you should also contact our Support team. Otherwise let's keep going here to see if we can get to the root of the issue.


    So, according to the guy that made this for our campus:

    Basically, I use the Sophos Enterprise Console (Windows) to generate a .mpkg of Sophos AV that contains our preferences and the auto-update credentials, then I wrap that in a custom .dmg.

    Our distribution package starts with Sophos 8.0.6.   If somebody at Sophos would like a copy of this installer to see what's going on, just let me know who I should contact to send this to them.

    :1012840

  • maser wrote:

    Our distribution package starts with Sophos 8.0.6.   If somebody at Sophos would like a copy of this installer to see what's going on, just let me know who I should contact to send this to them.


    Yep, looks like we'll need to get a copy to better understand this problem. You can reach out to me directly (my email is below) and we can arrange something for it.

    :1012904

  • bobcook wrote:

    ZRL1 wrote:

    I suspect that SophosWebIntelligence has to clear each of those links in the page before it lets them through so they seem to appear one at a time.


    Mostly correct, although we can process things in parallel if the browser does. There are three points where the system does a lot more processing for web traffic: (1) each network socket is filtered by SophosWebIntelligenceD to pick out the URL and the content; (2) the URL is given to SophosSXLD which communicates with our cloud infrastructure; and (3) the content is given to SophosScanD for the anti-malware scan...


    A different question on the same subject - the NY Times site was recently hacked, but it wasn't the NYT site itself but the DNS server that routes the user to the NYT; the user was instead routed to a potentially malicious site as a result of the hack. Would SophosWebIntelligence catch that?

    Since nothing is ever simple, I understand that if the user was using OpenDNS rather than whatever DNS support came with the ISP, that rerouting was detected and the user was transparently sent to the actual NYT site instead. Would SophosWebIntelligence have allowed the correct routing to pass through?

    :1013002

  • ZRL1 wrote:


    A different question on the same subject - the NY Times site was recently hacked, but it wasn't the NYT site itself but the DNS server that routes the user to the NYT; the user was instead routed to a potentially malicious site as a result of the hack. Would SophosWebIntelligence catch that?

    Since nothing is ever simple, I understand that if the user was using OpenDNS rather than whatever DNS support came with the ISP, that rerouting was detected and the user was transparently sent to the actual NYT site instead. Would SophosWebIntelligence have allowed the correct routing to pass through?


    Yep definitely a complicated issue, but here goes:

    (1) Web Protection checks the URLs and the IP addresses when the browser connects to the remote site. In this case, when using a spoiled DNS server, your machine is going to use the legit URL but a bad IP address. We should block that access.

    (2) Web Protection checks the content sent from the server back to the browser for signs of malicious content (either malicious code or stuff that looks suspicious). In this case we should block the bad content.

    The Internet is a very dynamic place and we don't always find the bad sites before they are used in an attack like the NYT situation. Nobody has perfect clarity, so it may be that we might not detect the bad IP. Same applies to all DNS-based protection (you can't block what you don't know about). This is why blocking via content inspection (e.g. scan the content before the browser gets it) is also important.

    Hope that helps.

    :1013004
  • Thank you! That explains the steps and highlights the need for the multi-stage protection very well indeed.

    :1013006

  • ZRL1 wrote:

    Thank you! That explains the steps and highlights the need for the multi-stage protection very well indeed.


    The old saying of "defense in depth" applies equally well to castles and computers.  :smileyhappy:

    :1013008