Anyone else missing the 10.3.2 package from their console?
Hello emiliob,
as said, the issue likely arose because you weren't aware that 10.3.2 was on the Preview "trunk". There's always only one version (currently 10.3.3.494) in Preview which therefore can't be "fixed" (if there is no actual preview available then you get the Recommended version). As the Recommended trunk has now been upgraded to 10.3 (please note that it's 10.3.1 and thus neither the first Preview, which was 10.3.0, nor the last, the "missing" 10.3.2) the current 10.3.1.494 will be around another month (as Previous Recommended - this label is not yet in use).
I'm neither Sophos nor does it concern me but I'm trying to help you to present the "right" questions to your TSAM. For one thing, it seems that a Recommended fixed package's lifespan will be just two (instead of three to four) months. Also it looks like only select versions (not all which have been Recommended) will appear on the Extended trunk and thus it might be that Extended (or a fixed package from this trunk) is the better choice for you. Guess the SEC/SUM hack is just there to ease the migration to the new concept. It does not affect the underlying pacing of versions.
Again - this is not knowing, just guessing. But I hope it helps somewhat.
Christian
10.3.1 is the version now in Recommended, there will only be two versions of Recommended available at any given time: Recommended and Previous Recommended, however, for customers with access to fixed packages there will be three versions available.
We may change this in the future when we have adjusted the way the Extended subscriptions work as they will give access to two versions with an overlap so that you can test and move to the new version under your own control but for now the "old rules" still apply to versions published under the Recommended and Previous Recommended lines.
As you have now realized Preview does not follow the old rules, we are currently discussing the behavior of the Extended and Previous Extended subscriptions but it is likely that we will change these to be similar to Preview, however, to mitigate this there would always be an overlap between the two subscriptions.
At first I had a hard time understanding the article and what's the rationale for the change(s), so I felt somewhat disgruntled. While most of my reservations have meanwhile been dispelled I still don't come to terms with the removal of the version information from the tags. For the Windows AV product it is more an inconvenience as the Details show what a subscription contains. For the other products this is not only a shortcoming but an outright fault given that for them no Details are available. Thus it is, at least right now, impossible to determine what e.g. the Mac OS X Preview contains (unless you subscribe to it, wait for the download/deployment to complete and then View bootstrap locations - if there is a better way I haven't found it). It can't be that I have to set up a "dummy" subscription just to find out what's in there. While 119216 states that Sophos will normally announce when any new Preview version is released the wording is not definite (normally) and doesn't tell where and how.
Otherwise I think I now can see the point. When we think of change control and fixed versions we mostly think of the part which is (in SUM's terminology) called Software, and there especially updated components and new features (like the LSP). These are valid concerns but they do not address all aspects.
The constant updates are only in part driven by the (business) requirement to introduce new features and to adapt to OS and technology evolution. Threats are changing fast and AV vendors have to respond. For a long time scanning is much more than searching for "signatures" (i.e. comparing strings). Instead detection identities are instructions for a VM. Efficiently scanning for and dealing with new threats not only requires new identities to be written but also updates to the VM.
Thus we have at least three layers of software - the infrastructure/components/features, the scanning engine and the threat detection "data". While it is acceptable to make controlled changes to the foremost it isn't so for the others and subjecting them to strict change control is not reasonable as not updating detection data as soon as possible might expose you to the latest threats.
Scanning engine and detection data are obviously not independent. Data have to be tested with all supported versions of the engine. Furthermore effective and efficient scanning for the latest threats might not be possible without the latest engine.
With this in mind I think Sophos' approach is not only practical but will in the end facilitate change control (I'm not sure if I should also add if you dispense with change control, seems derisive):
Preview is for the adventurous, or if you need (to test and evaluate) a new feature. You can't control its pace and might encounter some bugs or defects.
Recommended is to the best of Sophos' knowledge fit for most customers while providing (almost) maximum possible protection. For the cautious there's also Previous Recommended, last month's version (unless it has - surprisingly - been found to be problematic). It's not intended though that you switch between Recommended and Previous Recommended to effect a bimonthly update.
Extended is for customers with strict change control requirements. It will not get each Recommended version but only those with accumulated proven updates (perhaps they are not even identical to a Recommended version). As there might nevertheless surface issues in combination with the latest scanning/detection Extended Previous provides an additional delay.
In the light of this I can't see a real advantage in fixed versions - especially if you are alerted to a new package in Extended. If your fixed package is about to be retired (which it eventually will be) you have to choose a newer one. How do you know which is the "right" (or a good) one? And - none of the current Recommended packages might be the next Extended.
Just my two cents
Christian
That's the problem - these are not fixed packages and are liable to disappear at any time.
I was running SEC 5.2 when the first 10.3 came out. Like you I thought it was a fixed version and I updated my clients to this. A little while later, that version disappeared and another appeared so I had to manually change the subscription to that. Pain.
After upgrading to SEC 5.2.1 the new 'Preview' option appeared. OK, so I applied that to the clients, but there was no Recommended or Extended option available. Rather than force a downgrade to 10.2 Recommended, I left them as they were.
Now with the release of the latest 10.3.1, I've moved all my clients from Preview to Recommended and they have all changed from 10.3.2 VDL4.93 to 10.3.1 VDL4.94 - I have about 20 (out of 2500) in a failed state which will require a manual reinstall.
It would have been much better if Sophos had made it clear that it was not a good idea to move from 10.2 until after 10.3 was released.