
Use specific pattern version

Hi,

We're already using Sophos on our Windows servers, and we are now evaluating whether to use Sophos on our cash box systems.

The requirement from this department is to test new pattern versions in a test environment before deploying them.

I know that Sophos releases several pattern updates per day and that you should always use the latest pattern versions to be safe, but in this specific case we have to test the pattern versions before deploying them.

The risk that a false positive may block core components of our cash box system, so that thousands of our customers can't pay in our shops, is much higher than the risk of getting infected by malware, because we are using multilevel firewalls, application whitelisting, ...

So is it possible, e.g., to test the latest pattern version on a test group for 1 day (with no automatic update of the pattern version) and, if no problems occurred, deploy this version to the production systems?

I know I can do this with software subscriptions for the scan engine. But is something like that possible for the scan engine?

Thanks.



  • Hello shawn_38,

    test new pattern versions

    let's stick to the term IDEs; these aren't patterns.

    Nitpicking aside, I understand your concerns. I'm not sure, though, that your risk assessment is correct (not that I claim to be an expert). Do I understand correctly that your systems are "connected to the Internet"? Otherwise, what could be a potential path of infection (in other words, how could a threat get in), and what kind of threats do you expect could make it through your other defences?

    I see no simple way (if it is feasible at all) to add a time delay to the distribution of the IDEs. It's contrary to the design of the updating process, which should always give you the latest available threat detection data (not necessarily the software), and the same for all subscriptions. Furthermore, you can't schedule threat detection data updates, just define an interval.

    Christian

  • Hi Christian,

    thanks for your reply.

    I assumed it's not possible, now I'm sure.

    These systems are not connected to the internet. They are all in a separate VLAN and kind of isolated with firewalls. Additionally, we do application whitelisting, hardened the OS, ... so we've done a lot so far to secure these systems.

    All other systems are protected with antivirus software.

    The statement of our management is clear: if we can't test the IDEs or any other software/updates before applying them to these systems, we won't install/use it, because the risk described below is too high.

  • Hello shawn_38,

    I see. Still, someone seems to think that it could do some good :).

    Do you have Sophos or some other AV on these systems yet, and if so, do they scan on-access (and are they managed, or is management intended)? Just thinking (and how you get the updates onto these systems aside): with additional SUMs (could run on a workstation) you can introduce a delay, although it wouldn't be watertight. Haven't thought it through but ...

    Christian

    P.S.: If you have AV on these systems - has there ever been a detection?

  • Hello Shawn,

    an idea from my side which might help you:

    We rsync our CID to a Linux web server for our home users at specific intervals (5 minutes) from our local Windows SUM CIFS share.

    This system could also be deactivated and only run manually. You could build a staging and a production CID for your hardened machines, where the staging CID is set to production after tests, e.g. via Apache virtual hosts or something. Maybe a kind of clumsy, but it should do the job, so the hardened endpoints stay on the tested virus definitions until you test another bunch of updated definitions.

    Kind regards, -sd

  • Hi Christian,

    we are implementing a new system, so there is also a kind of redesign. On the old systems we never had AV software running, and we never had issues with malware. There was never suspicious behaviour detected on these systems. But now we are considering using antivirus software for additional security.

    If we use AV software, it has to be managed, because there are too many systems.

    @sdengscherz:

    Cool idea.

    I will have a look, maybe that suits our needs.

    Thx.

  • Hello shawn_38,

    as the endpoints have to communicate with the management server, a message relay is perhaps a good idea. Guess you don't intend to use Live Protection, which would help to avoid false positives (but as such issues arise either with a new IDE/established software or an established IDE/new software combination, this should have no effect in your setup).

    sdengscherz has already pointed out one way to do it. The advantage is that you can easily set the time of the copy. If you want to use a message relay, you can't just copy a general CID, though, and you also have to consider the case of a software (i.e. version) update. Thus you need an additional subscription (and therefore CID) anyway.

    A different approach would require two additional SUMs, one of them in the cash box network, also acting as message relay. It would use the other SUM as source. If you set the threat detection data updating interval to the maximum (1440 minutes) on both of them and (that's the tricky part) make sure that the downstream SUM does its check shortly (say, 30 minutes) before the source SUM, this would introduce a latency of slightly less than 24 hours. Dunno if the interval "persists" when the SUM service is restarted; I assume this is the case.

    A variation is to have the two SUMs (or at least the services) in a stopped state most of the time. Assuming you've found the "staged" IDEs to be safe, you'd then start the downstream SUM (note that the upstream SophosUpdate share must be available), let it update and afterwards update the cash boxes (if they are managed, I'd turn off automatic updates in their updating policy and trigger an update from the console). Stop the downstream SUM and update the other SUM and the test clients.

    None of this is elegant or automated, though, but maybe it gives you some additional ideas.

    Christian

  • This is a good question, and all good suggestions.  We had a similar requirement, and came up with what appears to meet our needs and remain functional.

    The challenge, as many pointed out, is the built-in method by which Sophos updates. Even if you set up a second SUM and some type of delay in replication, it still has a staggered effect and could still potentially download a false positive (we have seen this 2-3 times since September).

    The only way to truly circumvent this, that we have come up with at least, is to replicate the content somewhere else for a period of time. For example ...

    Set up an AirGap network; your isolated/sensitive systems (cash box) will point to this. http://www.sophos.com/en-us/support/knowledgebase/64899.aspx

    Take your internet-facing SEC and have that be your primary point of updates. Use a script to copy data from the internet site to a temporary location. 24 hours after that copy occurs, have a separate script copy the data into the SUM used by the AirGap console. This will allow for interception of individual .ide files, or an entire repository, assuming the issue is discovered within 24 hours. If the issue occurs after the first replication, which means it won't be replicated for another 24 hours and then imported 24 hours thereafter, your window is greater.

    There are obviously more detailed steps to it, but that's what we've done, and it's worked great so far. The downfall to AirGap is you can't get 100% accurate information with regard to the AirGap repository being up to date, and there is no Patch functionality. There are methods you can implement to monitor the health of this, however.

    HTH,

    Derek

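Both sdengscherz's staging/production CID and Derek's two-stage copy with a 24-hour hold come down to the same mechanism: snapshot the upstream update share, let each snapshot age, and only then promote it to the directory the sensitive endpoints read. The script below is an added illustration written for this thread, not code from Sophos or from any poster. It assumes the CID is a plain directory tree of files (as on a SUM share or the rsync'd web root), and all names in it (`take_snapshot`, `promote_ready`, the `.staged-from` marker, the constructed `a.ide`/`c.ide` files) are invented for the example. It also adds two things Derek mentions only in passing: a block list so an individual bad `.ide` can be held back while older snapshots still promote, and an atomic directory swap so endpoints never update from a half-copied tree.

```python
"""Staged replication of a Sophos CID with a promotion delay (illustrative, not Sophos code).

Layout (all paths are assumptions for this example):
    upstream/              the share an internet-facing SUM writes to
    staging/snap-<epoch>/  one copy per run, named by the time it was taken
    production/            what the isolated (cash box) endpoints update from
"""
import shutil
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional

SNAP_PREFIX = "snap-"
MARKER = ".staged-from"      # file in production recording which snapshot it came from
DEFAULT_DELAY = 24 * 3600    # the 24-hour hold described in the thread


def take_snapshot(upstream: Path, staging: Path, now: int) -> Path:
    """Copy upstream into staging/snap-<now>. Re-running with the same timestamp is a no-op."""
    dest = staging / f"{SNAP_PREFIX}{now}"
    if not dest.exists():
        staging.mkdir(parents=True, exist_ok=True)
        shutil.copytree(upstream, dest)
    return dest


def snapshot_time(snap: Path) -> int:
    """Epoch seconds encoded in the snapshot directory name."""
    return int(snap.name[len(SNAP_PREFIX):])


def list_snapshots(staging: Path) -> List[Path]:
    """Snapshot directories ordered oldest to newest; ignores anything not named snap-<int>."""
    found = []
    for p in staging.glob(f"{SNAP_PREFIX}*"):
        if p.is_dir() and p.name[len(SNAP_PREFIX):].isdigit():
            found.append((snapshot_time(p), p))
    return [p for _, p in sorted(found)]


def contains_blocked(snap: Path, blocked: Iterable[str]) -> bool:
    """True if any file in the snapshot carries a name on the block list (e.g. a known-bad .ide)."""
    names = {n.lower() for n in blocked}
    return any(p.is_file() and p.name.lower() in names for p in snap.rglob("*"))


def promote_ready(staging: Path, production: Path, now: int,
                  delay: int = DEFAULT_DELAY, blocked: Iterable[str] = ()) -> Optional[Path]:
    """Promote the newest snapshot that is at least `delay` seconds old and carries no blocked file.

    Returns the promoted snapshot, or None when nothing newer than the current
    production content is eligible. Production is replaced by a rename, so a
    reader sees either the old tree or the new one, never a partial copy.
    """
    blocked = list(blocked)
    eligible = [s for s in list_snapshots(staging)
                if now - snapshot_time(s) >= delay and not contains_blocked(s, blocked)]
    if not eligible:
        return None
    chosen = eligible[-1]
    marker = production / MARKER
    if marker.exists() and marker.read_text().strip() == chosen.name:
        return None                      # production already serves this snapshot
    tmp = production.with_name(production.name + ".tmp")
    if tmp.exists():
        shutil.rmtree(tmp)
    shutil.copytree(chosen, tmp)
    (tmp / MARKER).write_text(chosen.name)
    prev = production.with_name(production.name + ".prev")
    if prev.exists():
        shutil.rmtree(prev)
    if production.exists():
        production.rename(prev)          # keep exactly one rollback copy
    tmp.rename(production)
    return chosen


def prune_snapshots(staging: Path, keep: int) -> int:
    """Delete all but the newest `keep` snapshots; returns the number removed."""
    snaps = list_snapshots(staging)
    doomed = snaps[:-keep] if keep > 0 else snaps
    for s in doomed:
        shutil.rmtree(s)
    return len(doomed)


if __name__ == "__main__":
    # Constructed walk-through: one snapshot, too young to promote, then old enough.
    root = Path(tempfile.mkdtemp())
    up = root / "upstream"
    up.mkdir()
    (up / "a.ide").write_text("constructed sample IDE")
    snap = take_snapshot(up, root / "staging", now=1000)
    print("1h later :", promote_ready(root / "staging", root / "production", now=1000 + 3600))
    print("24h later:", promote_ready(root / "staging", root / "production", now=1000 + DEFAULT_DELAY))
```

In practice the two stages would run from separate scheduled jobs (the snapshot every few minutes, the promotion once a day), `blocked` would be fed from whatever Sophos names in a false-positive notice, and `production` would be the directory exported to the AirGap SUM or served by the web host; the `.staged-from` marker doubles as the health check Derek asks for, since it tells you exactly how stale the isolated repository is.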