
Use specific pattern version

Hi,

We're already using Sophos on our Windows servers, and we are now evaluating the use of Sophos on our cash box systems.

The requirement from this department is to test new pattern versions in a test environment before deploying them.

I know that Sophos releases several pattern updates per day and that you should always use the latest pattern versions to be safe, but in this specific case we have to test the pattern versions before deploying them.

The risk that a false-positive may block core components of our cashbox system and thousands of our customers can't pay in our shops is much higher than getting infected by malware because we are using multilevel firewalls, application whitelisting,...

So is it possible, e.g., to test the latest pattern version on a test group for 1 day (with no automatic update of the pattern version) and, if no problems occurred, deploy this version to the production systems?

I know I can do this with software subscriptions for the scan engine. But is something like that possible for the scan engine?

Thanks.



  • This is a good question, and all good suggestions.  We had a similar requirement, and came up with what appears to meet our needs and remain functional.

    The challenge, as many pointed out, is the built-in method by which Sophos updates.  Even if you set up a second SUM and some type of delay in replication, it still has a staggered effect and could still potentially download a false positive (we have seen this 2-3 times since September).

    The only way to truly circumvent this, that we have come up with at least, is to replicate the content somewhere else for a period of time.  For example....

    Set up an AirGap network - your isolated/sensitive systems (cash box) will point to this.  http://www.sophos.com/en-us/support/knowledgebase/64899.aspx

    Take your internet-facing SEC and have that be your primary point of updates.  Use a script to copy data from the internet-facing site to a temporary location.  24 hours after that copy occurs, have a separate script copy the data into the SUM used by the AirGap console.  This will allow for interception of individual .ide files, or an entire repository, assuming the issue is discovered within 24 hours.  If the issue occurs after the first replication, which means it won't be replicated for another 24 hours and then imported 24 hours thereafter, your window is greater.

    There are obviously more detailed steps to it, but that's what we've done and it's worked great so far.  The downfall to AirGap is you can't get 100% accurate information with regards to the AirGap repository being up to date, and there is no Patch functionality.  There are methods you can implement to monitor the health of this, however.

    HTH,

    Derek

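The two-stage delayed copy Derek describes, written out as an added PowerShell example. This is not code from the original post or from Sophos: the share paths (`\\sec-internet\SophosUpdate`, `D:\SophosStaging`, `\\sec-airgap\SophosImport`) and the `HOLD` marker file used to veto a snapshot are assumptions for illustration, and the import into the AirGap SUM itself still follows the knowledgebase article above.

```powershell
# Added example (not from the original post): two-stage delayed replication of
# a Sophos update repository. Run once per day from a scheduled task on the
# staging host. All paths below are assumptions; adjust them to your layout.
param(
    [string]$Source    = '\\sec-internet\SophosUpdate',   # assumed: share of the internet-facing SUM
    [string]$Staging   = 'D:\SophosStaging',              # assumed: local quarantine area
    [string]$AirGapDst = '\\sec-airgap\SophosImport',     # assumed: folder the AirGap SUM imports from
    [int]$HoldHours    = 24                               # how long a snapshot sits in quarantine
)

$stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
$snapshot = Join-Path $Staging $stamp

# Stage 1: snapshot the current repository into a time-stamped quarantine folder.
# /MIR mirrors the tree (including deletions); /R:2 /W:5 limit retries on a locked file.
robocopy $Source $snapshot /MIR /R:2 /W:5 /NP /LOG+:"$Staging\stage1.log" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "Snapshot of $Source failed (robocopy exit code $LASTEXITCODE)" }

# Stage 2: promote the newest snapshot that has aged past the hold window and
# has not been vetoed by the test group. The veto is a file named HOLD placed in
# the snapshot folder (assumed convention) when a false positive is found.
$cutoff    = (Get-Date).AddHours(-$HoldHours)
$candidate = Get-ChildItem -Path $Staging -Directory |
    Where-Object { $_.CreationTime -le $cutoff -and -not (Test-Path (Join-Path $_.FullName 'HOLD')) } |
    Sort-Object CreationTime -Descending |
    Select-Object -First 1

if ($candidate) {
    robocopy $candidate.FullName $AirGapDst /MIR /R:2 /W:5 /NP /LOG+:"$Staging\stage2.log" | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "Promotion of $($candidate.Name) failed (robocopy exit code $LASTEXITCODE)" }
    Write-Host "Promoted snapshot $($candidate.Name) to $AirGapDst"

    # Prune snapshots older than the one just promoted to bound disk use.
    Get-ChildItem -Path $Staging -Directory |
        Where-Object { $_.CreationTime -lt $candidate.CreationTime } |
        Remove-Item -Recurse -Force
} else {
    Write-Host "No snapshot older than $HoldHours hours is eligible for promotion"
}
```

Two properties worth checking in practice: the hold window only protects you if the test group actually updates from the quarantined snapshot during those hours, so point a test-group SUM at the newest `$Staging` folder rather than at the internet-facing share; and because stage 2 uses `/MIR`, vetoing the newest snapshot with `HOLD` promotes the previous one, which rolls the AirGap repository back rather than leaving it frozen.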