
Sophos Bootable Anti-Virus / sbvac.exe ISO-creator feature suggestion

Good day everyone,

and especially to the Product Manager for the sbvac tool. I have been advised by technical support Germany to post my request/suggestion here for you to find.

Our suggestion/request is a modification to the sbvac.exe tool which we think should be rather easy to do: allow the user to specify a folder on the command line that is then included in the ISO image. For instance:

c:\temp\sophosCD\> sbavc.exe sophos.iso -include="c:\temp\sophosCD\CurrentUpdates"

Why would we need this? Here is our scenario:

We are running a fleet of 50 ships around the world which never have an internet connection, i.e. we have a huge "Air Gap".

On board we have one server with a network share "AVupdates" from which all workstations update themselves.

To get the latest updates on board and into the AVupdates folder we use the following:

1) In our office we run one management machine that daily updates the SAV folder, i.e. ....\CIDs\S000\SAVSCFXP

2) Every 4 to 8 weeks we create a CD (50 copies) with the latest state of the SAVSCFXP folder and add one "update.bat" file to this CD.

3) We send these CDs on board the ships.

4) On board, they insert the CD into one network computer, run "update.bat", and the whole SAVSCFXP folder is copied to "AVUpdates".

5) All client computers on board check "AVUpdates" once a day and update themselves.

Now, as we can provide updates only with a 4 to 8 week delay, we do face infections from time to time. In a recent case we had to use some "offline cleaning CD", for which Sophos has the "Sophos Bootable Anti-Virus" solution created by means of sbvac.exe.

We would now like to always include an up-to-date sbavc-created CD with the 4/8-weekly update envelope.

However, as the SAVSCFXP folder only takes about 200MB max, and the sbavc-CD has only about 170MB, we could nicely make one combined Update-and-EmergencyBoot-CD by simply including the SAVSCFXP folder on the sbavc-CD.

All that would be needed is the "-include" feature.

Alternatively, as the sbvac tool apparently works in several stages, we would need a version that stops just before calling mkisofs. Then we could let sbvac do the first steps (download and prepare the Linux side of things, add the latest definitions ides.zip file), then introduce our own step (copy the SAVSCFXP folder to the temp area), and then call the final mkisofs step.

The benefit of either way would be that we can totally automate this whilst over the year preventing about 600 half-full CD-ROMs from being "wasted". Not a huge financial impact of course, just "ugly" and not in line with our environmental attitudes.

Appreciate if the above could be considered, and of course comments on the idea.

brgds

blue



This thread was automatically locked due to age.
  • Hello blue,

    quite an interesting post. "we do face infections from time to time" - where do they come from? The malware has to negotiate the very same "Air Gap" I assume :-).

    In all these years I have not yet requested this tool. For those who might wonder what this is, here's the article about Sophos Bootable Anti-Virus. "I have been advised by technical support Germany to post my request/suggestion here for you to find." Hm, I thought Support should have access to a more direct route for feature requests.

    Thinking about it, it might be a good idea to have an option to include additional data in the image. If you have to take a computer off-net you might want to get it up to date (not only Sophos but perhaps also critical patches) before connecting it again.

    Christian

  • Hi Blue and QC,

    My name is Shai Gelbaum and I am the product manager in charge of Sophos Bootable Anti-Virus (SBAV).

    Looking at the use case described, I can see the value in having an option to include additional content in the CD. I will need to check if some of our other customers in the shipping industry use a similar system and could benefit from this.

    There are plans to release a new version of SBAV in the first half of next year and I am now in the process of collecting requests to add to the new release and I will add it to the list.

    In the meantime have you looked at adding the folder to the ISO post creation? It is possible to just mount the ISO and add the folder in before burning.

    Hope this helps,

    Shai Gelbaum

    Product manager

    Oh, and support do have better ways to raise feature requests; I think they were trying to get me off my backside.

  • Hi Shai and QC

    >>> where do the infections come from and how do they get over the air gap?

    Well, USB Sticks and Floppies. Three things happen (at least):

    1) Ships go to ports, where so-called "cargo planners" come on board to check with the guys on board if the cargo can be stowed the way they have worked out in their Ivory Tower ashore. For that, they bring a so-called "baplie" file, either on a stick or floppy (don't ask what that is, never seen one in real life :-D ). Where the sticks are, the viruses are....

    2) "Service Technicians" come on board, do some work, fill out a form on their laptops and need to print them for signature by the ship's command. There comes the stick.....

    3) Crew members go ashore, internet cafe, some chatting and emailing with the beloved at home, there come the pics of the baby, stick in, stick out, show the pics to the friends on board, there comes the virus.....

    For the regular business of 1 above, we cannot disable sticks (USB ports), no way. Also, limiting it to "authorized" ship-owned sticks is not an option: give them to a planner and they won't come back on board because the planner maybe does not have to come back. Just not feasible.

    For the inclusion of data into the image:

    I have of course worked out a way using mkisofs: make the standard ISO with the tool, use 7z to unpack the ISO, add your own data, then use mkisofs to make an ISO again. Actually, I used a script made by Bart Lagerweij called "BCD - Build CD-Rom"; it needs some special ISO/Joliet FS related parameters to be tweaked, as otherwise the CD will not boot afterwards or may fail due to long file names, but then it works like a charm. With that we have a double-click-once-and-go solution now.

    For the link of support to product manager:

    Well, I had explained the issue at length to the German support by email. The reply was "not supported, best regards".

    Then I phoned them and got "not supported, have a nice day", which made me a bit unfriendly (to put it mildly) given that we have spent quite a bit of money for I think 600 Sophos licenses for 5 years. Go figure. The unfriendliness got me through to a head of support or so, who after some more words was convinced he'd better try to get a proper answer if a customer has an improvement suggestion. He indeed came back a little later telling me he had checked with the PM for this tool and that for security reasons such a feature could not be included (as it could be abused to create "infected" CDs under the name of Sophos). Well, if you, Shai, are the PM, you should know about this, as that German guy would have checked with you according to his words.

    Though solved for us, I would still appreciate seeing this feature in the next version, as a single "-include <pathname>" would be much easier to handle for many users without the need to dig into the ins and outs of ISO standards and format versions.

    Also, I would much appreciate it if that new version would not "block" the approach we've taken by doing some fancy additional protection things to the ISO it creates, as it would ruin our efforts and make it useless compared to the current version. With that goes that your download sources should not be changed in a way that would prevent the current version from doing its job. Basically, all I ask for is to leave the old version operational.

    Thanks and regards

    blue

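The rebuild procedure blue describes (unpack the SBAV ISO, add the update folder, re-run mkisofs) has two ways to go quietly wrong: the El Torito boot record is lost, so the CD no longer boots, or the Joliet descriptor is lost, so long file names break. The check below is an added example, not part of blue's post, the BCD script or Sophos' tooling: it walks the ISO 9660 volume descriptor set of a finished image and reports whether a Primary Volume Descriptor, a valid El Torito boot record and boot catalog, and a Joliet Supplementary Volume Descriptor are present. The sample image built by `build_sample_iso` is constructed inline for testing; its volume label, boot catalog sector and boot image sector are made up, and nothing about the internal layout of the real SBAV image is assumed.

```python
"""Post-rebuild sanity check for a bootable ISO 9660 image.

Walks the volume descriptor set starting at sector 16 and reports whether the
image has a Primary Volume Descriptor, an El Torito boot record whose boot
catalog validates, and a Joliet Supplementary Volume Descriptor. These are the
things that disappear when mkisofs is re-run without the right boot and
Joliet parameters.
"""
import struct
import sys

SECTOR = 2048          # ISO 9660 logical sector size
VD_START = 16          # first volume descriptor follows the 32 KiB system area
EL_TORITO_ID = b"EL TORITO SPECIFICATION"
JOLIET_ESCAPES = (b"%/@", b"%/C", b"%/E")   # UCS-2 level 1/2/3 escape sequences


def _sector(img: bytes, lba: int) -> bytes:
    return img[lba * SECTOR:(lba + 1) * SECTOR]


def boot_catalog_ok(cat: bytes) -> bool:
    """Validate the El Torito validation entry and check the default entry is bootable."""
    if len(cat) < 64 or cat[0] != 0x01 or cat[30:32] != b"\x55\xaa":
        return False
    # The 16 little-endian words of the validation entry must sum to 0 mod 2^16.
    if sum(struct.unpack("<16H", cat[:32])) & 0xFFFF:
        return False
    # Default entry: boot indicator 0x88 means bootable; 0x00 means the BIOS skips it.
    return cat[32] == 0x88


def inspect_iso(img: bytes) -> dict:
    """Return what the descriptor set says about the image (all keys always present)."""
    info = {"primary": False, "volume_id": None, "boot_record": False,
            "boot_catalog_lba": None, "bootable": False, "joliet": False}
    lba = VD_START
    while True:
        vd = _sector(img, lba)
        if len(vd) < SECTOR or vd[1:6] != b"CD001":
            break                      # truncated image, or not ISO 9660 at all
        vtype = vd[0]
        if vtype == 255:               # volume descriptor set terminator
            break
        if vtype == 1:
            info["primary"] = True
            info["volume_id"] = vd[40:72].decode("ascii", "replace").strip()
        elif vtype == 0 and vd[7:39].rstrip(b"\0") == EL_TORITO_ID:
            info["boot_record"] = True
            cat_lba = struct.unpack_from("<I", vd, 71)[0]   # pointer to boot catalog
            info["boot_catalog_lba"] = cat_lba
            info["bootable"] = boot_catalog_ok(_sector(img, cat_lba))
        elif vtype == 2 and vd[88:91] in JOLIET_ESCAPES:
            info["joliet"] = True
        lba += 1
    return info


def build_sample_iso(bootable: bool = True, joliet: bool = True) -> bytes:
    """Constructed minimal image for testing; label, catalog LBA and boot-image LBA are made up."""
    def vd(vtype: int) -> bytearray:
        s = bytearray(SECTOR)
        s[0], s[1:6], s[6] = vtype, b"CD001", 1
        return s

    catalog_lba = 20                   # descriptors occupy sectors 16..19, catalog follows
    pvd = vd(1)
    pvd[40:72] = b"SBAV_PLUS_UPDATES".ljust(32)
    descriptors = [pvd]
    if bootable:
        br = vd(0)
        br[7:7 + len(EL_TORITO_ID)] = EL_TORITO_ID
        struct.pack_into("<I", br, 71, catalog_lba)
        descriptors.append(br)
    if joliet:
        svd = vd(2)
        svd[88:91] = b"%/E"            # UCS-2 level 3, what mkisofs -J writes
        descriptors.append(svd)
    descriptors.append(vd(255))

    cat = bytearray(SECTOR)
    cat[0], cat[30], cat[31] = 0x01, 0x55, 0xAA
    cat[4:28] = b"SBAV sample".ljust(24, b"\0")
    total = sum(struct.unpack("<16H", cat[:32]))
    struct.pack_into("<H", cat, 28, (-total) & 0xFFFF)   # balance the checksum word
    cat[32], cat[33] = 0x88, 0x00                        # bootable, no emulation
    struct.pack_into("<H", cat, 34, 0x07C0)              # load segment
    struct.pack_into("<H", cat, 38, 4)                   # sector count
    struct.pack_into("<I", cat, 40, 21)                  # boot image LBA (made up)

    img = bytearray(VD_START * SECTOR) + b"".join(descriptors)
    img += bytes(catalog_lba * SECTOR - len(img))        # pad up to the catalog sector
    return bytes(img + cat)


if __name__ == "__main__":
    # Usage: python check_iso.py rebuilt.iso   (no argument: inspect the constructed sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_iso()
    report = inspect_iso(data)
    for key, value in report.items():
        print(f"{key:17}: {value}")
    sys.exit(0 if report["bootable"] and report["joliet"] else 1)
```

Run it against the rebuilt image before burning 50 copies; a non-zero exit means the mkisofs parameters dropped the boot record or the Joliet names. It reads descriptors only, so it says nothing about whether the boot image sector itself is intact; test-booting one disc in a VM remains the final check.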
  • Why do we need to contact support to get access to Sophos SBAV? If I am a customer, shouldn't I be able to just download it?

    Jason

  • Hi Jason,

    The main reason is that SBAV does not use 'cleanup', so it is not intelligent. It can delete/disinfect files, so it could be dangerous for a customer to use blindly, so we prefer customers to tell us what they have before giving it out.

    Imagine if someone had a file infector on their system and ran it with 'delete viruses', the system would have a LOT less files.

    After you have contacted support and discussed this you are free to create new ISOs whenever you like.

    OD
