
Endpoint Detection Engine expired

G'day

We are using an offline/air-gapped endpoint config and have a manual process to update the IDEs on each of the clients (no Enterprise Console). A couple of machines were missed and we now have their detection data older (4.74) than what is available from the oldest on the Sophos IDE page (4.77).

Anybody have a process to get the clients updated again to the latest version of the detection engine/IDEs? We tried just extracting the IDEs to C:\Program Files (x86)\Sophos\Sophos Anti-Virus, but then you end up with 1000+ IDEs...

Thanks

  • Hello wzie,

    it is recommended that you update the software (which also updates the detection data) at least every three months. You have no console at all or just none in your air-gapped network?

    Anyway, IMO the easiest procedure would be (you could also use it for IDE-only updates):

    1. Install SEC
    2. Subscribe to the desired version, wait for the CID to get populated
    3. Copy the contents of the CID (\\Server\SophosUpdate\CIDs\S000\SAVSCFXP) to a folder on a USB stick or CD/DVD (make sure no update of the CID is in progress)
    4. Insert the medium on the client, configure the folder as update location and request an update

    Steps 1 and 2 (if at all) and the configuration on the client (unless the device letter changes) are needed only once

    HTH

    Christian

  • Hi,

    I have a few questions for you:

    1. Are the clients on the air-gapped side networked or are they all standalone?
    2. How many clients are air-gapped?
    3. Is moving files across the air gap subject to bandwidth constraints?
    4. What transfer mechanism are files moved with, or is available? USB/CD/Email?
    5. How often do you/can you move the files over?
    6. How up to date is acceptable for these clients? Every IDE released, once a day, once a week?

    If the air-gapped clients can access a central share on their side, one option is to use SEC on the "Sophos Connected" side and subscribe to the required packages, you can then use the procedure here:

    http://www.sophos.com/en-us/support/knowledgebase/64899.aspx

    to, in effect, move the "warehouse" directory to the air-gapped side. A SEC and SUM on the air-gapped side consume this warehouse and create a CID. The SEC on this side will then be able to manage the clients fully.

    A less complex system would be just to copy a CID from the "Sophos Connected" side and move that to a central point on the air-gapped side. The downside here is that if RMS isn't allowed over the air gap, which is highly likely, you won't have any management of the clients centrally, at least from SEC; you could make central changes using XML config files in the CIDs as mentioned here http://www.sophos.com/en-us/support/knowledgebase/13111.aspx. You would have to manually configure the clients to use this location or generate a pre-configured client package to do it, along the lines mentioned here http://www.sophos.com/en-us/support/knowledgebase/67504.aspx.

    The final option is the "moving the CID" approach, but if the clients aren't connected and in effect are standalone, you would have to copy the CID directly to the client. For example: create C:\LocalCID\ and share it out as LocalCID. You would then point AutoUpdate on the client to look to this location: \\127.0.0.1\LocalCID\. The client will keep checking this local location, say every 60 minutes; when you move the new CID into place, it will find it, update and install. With this approach you can still set the config in the CID as required, http://www.sophos.com/en-us/support/knowledgebase/13111.aspx.

    Hope there is something here that you can use.  Stopping the SAVService and dropping IDE files in, really isn't the best approach and isn't supported as far as I know.

    Regards,

    Jak

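The staged-CID procedure from the two replies above, as an added worked example that is not from this thread or from Sophos. It assumes PowerShell 4 or later run as an administrator (Get-FileHash, and Get-SmbShare/New-SmbShare on Windows 8/Server 2012 and later), the thread's paths (the CID at \\Server\SophosUpdate\CIDs\S000\SAVSCFXP, staged into C:\LocalCID and shared as LocalCID), and a hypothetical manifest file name, cid-manifest.sha256. The connected-side function copies the CID to removable media and records SHA-256 hashes, then re-reads the source so a CID that SUM rewrote during the copy is caught (the "make sure no update of the CID is in progress" caveat); the client-side function refuses any medium whose contents do not match the manifest before mirroring it into the local share.

```powershell
# Added example, not from the thread or from Sophos. PowerShell 4+, run as an
# administrator. Paths follow the thread; the manifest file name is an assumption.
$ManifestName = 'cid-manifest.sha256'

function Get-RelativePath([string]$Root, [string]$FullName) {
    return $FullName.Substring($Root.TrimEnd('\').Length + 1)
}

# Connected side: mirror the CID to the medium and write a SHA-256 manifest.
# Re-hashing the source afterwards detects a CID that changed under the copy.
function Export-Cid {
    param(
        [Parameter(Mandatory)] [string]$CidPath,    # e.g. \\Server\SophosUpdate\CIDs\S000\SAVSCFXP
        [Parameter(Mandatory)] [string]$MediaPath   # e.g. E:\SAVSCFXP on the sanitized USB stick
    )
    # /MIR mirrors the tree; /R:1 /W:1 stops robocopy from stalling on a locked file.
    & robocopy.exe $CidPath $MediaPath /MIR /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    $manifest = Get-ChildItem -Path $MediaPath -Recurse -File |
        Where-Object { $_.Name -ne $ManifestName } |
        ForEach-Object {
            $rel = Get-RelativePath $MediaPath $_.FullName
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            "$h *$rel"                                # sha256sum-style line
        }
    Set-Content -Path (Join-Path $MediaPath $ManifestName) -Value $manifest -Encoding ASCII

    # Torn-copy check: every hash must still match the live CID. If SUM updated
    # the CID mid-copy, wait for it to finish and export again.
    foreach ($line in $manifest) {
        $hash, $rel = $line -split ' \*', 2
        $src = Join-Path $CidPath $rel
        if (-not (Test-Path $src) -or (Get-FileHash $src -Algorithm SHA256).Hash -ne $hash) {
            throw "CID changed during copy ($rel); wait for the CID update to finish and export again"
        }
    }
    return $manifest.Count
}

# Isolated client: verify the manifest, mirror the CID into C:\LocalCID and
# share it read-only so AutoUpdate can be pointed at \\127.0.0.1\LocalCID.
function Import-Cid {
    param(
        [Parameter(Mandatory)] [string]$MediaPath,   # e.g. E:\SAVSCFXP
        [string]$LocalCid  = 'C:\LocalCID',
        [string]$ShareName = 'LocalCID'
    )
    $manifestPath = Join-Path $MediaPath $ManifestName
    if (-not (Test-Path $manifestPath)) { throw "no $ManifestName on the medium; refusing an unverified CID" }

    $lines  = Get-Content $manifestPath
    $listed = @()
    $bad    = @()
    foreach ($line in $lines) {
        $hash, $rel = $line -split ' \*', 2
        $listed += $rel
        $file = Join-Path $MediaPath $rel
        if (-not (Test-Path $file) -or (Get-FileHash $file -Algorithm SHA256).Hash -ne $hash) { $bad += $rel }
    }
    # Files on the medium that the manifest never listed are just as suspect.
    Get-ChildItem -Path $MediaPath -Recurse -File |
        Where-Object { $_.Name -ne $ManifestName } |
        ForEach-Object {
            $rel = Get-RelativePath $MediaPath $_.FullName
            if ($listed -notcontains $rel) { $bad += "$rel (unlisted)" }
        }
    if ($bad.Count -gt 0) { throw "manifest check failed for: $($bad -join ', ')" }

    if (-not (Test-Path $LocalCid)) { New-Item -ItemType Directory -Path $LocalCid | Out-Null }
    & robocopy.exe $MediaPath $LocalCid /MIR /XF $ManifestName /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # Read-only share: AutoUpdate only reads, and nothing on the client should be
    # able to rewrite the CID it updates from.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $LocalCid -ReadAccess 'Everyone' | Out-Null
    }
    return "\\127.0.0.1\$ShareName"
}

# Usage (connected side, then isolated client):
#   Export-Cid -CidPath '\\Server\SophosUpdate\CIDs\S000\SAVSCFXP' -MediaPath 'E:\SAVSCFXP'
#   Import-Cid -MediaPath 'E:\SAVSCFXP'
```

Pointing AutoUpdate at the returned \\127.0.0.1\LocalCID is done in the client's updating configuration, as described in the reply above; the script does not touch any Sophos setting. The manifest only guards against a torn or altered copy between the two sides of the gap; it is not a substitute for whatever verification the product itself performs on the CID contents, and the re-hash in Export-Cid is the check to repeat if the CID on the connected side was being updated while you copied it.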
  • Resolved this by copying the latest client install from the enterprise console server ..\SAVSCFXP folder onto a sanitized flash drive and manually installing on the non-network/isolated clients. Then downloaded the corresponding IDEs from Sophos to flash drive and installed. Machines updated. Thanks to all.
