Anyone else missing the 10.3.2 package from their console?
At first I had a hard time understanding the article and what the rationale for the change(s) is, so I felt somewhat disgruntled. While most of my reservations have meanwhile been dispelled, I still can't come to terms with the removal of the version information from the tags. For the Windows AV product it is more an inconvenience, as the Details show what a subscription contains. For the other products this is not only a shortcoming but an outright fault, given that for them no Details are available. Thus it is, at least right now, impossible to determine what e.g. the Mac OS X Preview contains (unless you subscribe to it, wait for the download/deployment to complete and then View bootstrap locations - if there is a better way I haven't found it). It can't be that I have to set up a "dummy" subscription just to find out what's in there. While 119216 states that Sophos will normally announce when any new Preview version is released, the wording is not definite (normally) and doesn't tell where and how.
Otherwise I think I now can see the point. When we think of change control and fixed versions we mostly think of the part which is (in SUM's terminology) called Software, and there especially updated components and new features (like the LSP). These are valid concerns but they do not address all aspects.
The constant updates are only in part driven by the (business) requirement to introduce new features and to adapt to OS and technology evolution. Threats are changing fast and AV vendors have to respond. For a long time now scanning has been much more than searching for "signatures" (i.e. comparing strings). Instead detection identities are instructions for a VM. Efficiently scanning for and dealing with new threats not only requires new identities to be written but also updates to the VM.
Thus we have at least three layers of software - the infrastructure/components/features, the scanning engine and the threat detection "data". While it is acceptable to make controlled changes to the foremost it isn't so for the others and subjecting them to strict change control is not reasonable as not updating detection data as soon as possible might expose you to the latest threats.
Scanning engine and detection data are obviously not independent. Data have to be tested with all supported versions of the engine. Furthermore effective and efficient scanning for the latest threats might not be possible without the latest engine.
With this in mind I think Sophos' approach is not only practical but will in the end facilitate change control (I'm not sure if I should also add "if you dispense with change control", seems derisive):
Preview is for the adventurous, or if you need (to test and evaluate) a new feature. You can't control its pace and might encounter some bugs or defects.
Recommended is to the best of Sophos' knowledge fit for most customers while providing (almost) maximum possible protection. For the cautious there's also Previous Recommended, last month's version (unless it has - surprisingly - been found to be problematic). It's not intended though that you switch between Recommended and Previous Recommended to effect a bimonthly update.
Extended is for customers with strict change control requirements. It will not get each Recommended version but only those with accumulated proven updates (perhaps they are not even identical to a Recommended version). As there might nevertheless surface issues in combination with the latest scanning/detection Extended Previous provides an additional delay.
In the light of this I can't see a real advantage in fixed versions - especially if you are alerted to a new package in Extended. If your fixed package is about to be retired (which it eventually will be) you have to choose a newer one. How do you know which is the "right" (or a good) one? And - none of the current Recommended packages might be the next Extended.
Just my two cents
Christian