
Use specific pattern version

Hi,

we're already using Sophos on our Windows Server and we now evaluate to use Sophos on our cash box systems.

The requirement from this department is to test new pattern versions in a test environment before deploying them.

I know that Sophos releases several pattern updates per day and that you should use always the latest pattern versions to be safe, but in this specific case, we have to test the pattern versions before deploying them.

The risk that a false-positive may block core components of our cashbox system and thousands of our customers can't pay in our shops is much higher than getting infected by malware because we are using multilevel firewalls, application whitelisting,...

So is it possible, e.g., to test the latest pattern version on a test group for 1 day (with no automatic update of the pattern version) and, if no problems occurred, deploy this version to the productive systems?

I know I can do this with software subscriptions for the scan engine. But is something like that possible for the scan engine?

Thanks.



Hello shawn_38,

as the endpoints have to communicate with the management server a message relay is perhaps a good idea. Guess you don't intend to use Live Protection which would help to avoid false positives (but as such issues arise either with a new IDE/established software or established IDE/new software combination this should have no effect in your setup).

sdengscherz has already pointed out one way to do it. The advantage is that you can easily set the time of the copy. If you want to use a message relay you can't just copy a general CID though and you also have to consider the case of a software (i.e. version) update. Thus you need anyway an additional subscription (and therefore CID).

A different approach would require two additional SUMs, one of them in the cash box network acting also as message relay. It would use the other SUM as source. If you set the Threat detection data updating interval to maximum (1440 minutes) on both of them and - that's the tricky part - make sure that the downstream SUM does its check shortly (say, 30 minutes) before the source SUM this would introduce a latency of slightly less than 24 hours. Dunno if the interval "persists" when the SUM service is restarted, I assume this is the case.

A variation is to have the two SUMs (or at least the services) in a stopped state most of the time. Assuming you've found the "staged" IDEs to be safe you'd then start the downstream SUM (note that the upstream SophosUpdate share must be available), let it update and afterwards update the cash boxes (if they are managed I'd turn off automatic updates in their updating policy and trigger an update from the console). Stop the downstream SUM and update the other SUM and the test clients.

None of this is elegant and automated though but maybe it gives you some additional ideas.

Christian