Sophos Antivirus


L4 Transporter

Greetings,

Was wondering if anyone else has faced this problem.

I have Sophos antivirus and when I create a rule with the vulnerability protection set to Strict, it blocks my connection to the Sophos server for updates. Once I relax the VP rule, it looks fine. Interestingly, I cannot see anything in the traffic/threat logs as well.

Has anyone faced such a situation and if yes, how was it managed?

Cheers

Kalyan

6 replies

L4 Transporter

Are you saying you have "log at session end" checked in the actions tab, and you still don't see them show up in the threat log?

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

Also, as debugging, create a new profile where you set everything to alert that is:

Critical: Alert

High: Alert

Medium: Alert

Low: Alert

Informational: Alert

and then create a new security rule (only for this particular srcip, or dstip if that is the case for you) above the current one. In this new security rule attach the new vuln profile from above.

Now you should hopefully see what is being identified for this traffic flow.

If you are not comfortable with setting all levels to Alert you can set them to Block (since this is just debug) - blocked traffic should be logged if you have set "log on session end" (I guess "log on session start" won't pick up any threat).

However, isn't the Threat log independent of what the security rule itself is set to? I mean, I thought the security rule setting was regarding Traffic logging. Whether a vuln should log or not is set in the vuln profile itself (Alert means log only, Block means block and log, while Allow will not log at all (for that you use Alert instead)).
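The debug procedure above boils down to: capture every signature that fires on the update flow with an all-Alert profile, then work out which of those signatures the intended Strict profile would have reset. The script below does that second step over exported threat-log lines. It is an added example, not code from the thread or from Palo Alto Networks; the column subset and order of the log lines, the sample threat IDs, the severity-to-action map of the intended profile, and the set of actions treated as blocking are all constructed assumptions for the example and should be replaced with values from your own export and profile.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample threat-log lines (not a real export). The column subset and
# order are an assumption for this example, not the exact PAN-OS CSV schema.
# Threat IDs and signature names are placeholders.
SAMPLE_THREAT_LOG = """receive_time,src,dst,rule,threat_id,threat_name,severity,action,app
2014/05/10 10:01:02,10.1.1.25,198.51.100.10,Sophos-Update-Debug,90001,constructed signature A,low,alert,web-browsing
2014/05/10 10:01:05,10.1.1.25,198.51.100.10,Sophos-Update-Debug,90002,constructed signature B,medium,alert,web-browsing
2014/05/10 10:01:09,10.1.1.25,198.51.100.10,Sophos-Update-Debug,90002,constructed signature B,medium,alert,web-browsing
2014/05/10 10:02:10,10.1.1.30,203.0.113.7,Allow-Web,90003,constructed signature C,critical,reset-both,ssl
"""

# Severity -> action of the profile you actually want to run (the "Strict" one
# in the thread). These values are constructed for the example; read the real
# ones from your own vulnerability profile before trusting the prediction.
INTENDED_PROFILE = {
    "critical": "reset-both",
    "high": "reset-both",
    "medium": "reset-both",
    "low": "alert",
    "informational": "alert",
}

# Actions that interrupt the session (assumed set for this example).
BLOCKING_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}


def parse_threat_log(text):
    """Parse CSV threat-log text into a list of dicts, one per log line."""
    return list(csv.DictReader(StringIO(text)))


def signatures_for_destination(records, dst):
    """Group threat entries for one destination by threat ID.

    Returns {threat_id: {"name", "severity", "hits", "actions": Counter}} so you
    can see exactly which signatures fired on the flow while the debug
    (all-Alert) profile was attached.
    """
    summary = {}
    for rec in records:
        if rec["dst"] != dst:
            continue
        entry = summary.setdefault(rec["threat_id"], {
            "name": rec["threat_name"],
            "severity": rec["severity"].lower(),
            "hits": 0,
            "actions": Counter(),
        })
        entry["hits"] += 1
        entry["actions"][rec["action"]] += 1
    return summary


def predict_profile_impact(summary, profile):
    """Map each observed signature to the action the intended profile would take.

    Severities missing from the profile fall back to "default", which is treated
    as non-blocking here because the per-signature default is not known to the
    script (an assumption; check the signature's own default action).
    """
    impact = {}
    for threat_id, entry in summary.items():
        action = profile.get(entry["severity"], "default")
        impact[threat_id] = {
            "severity": entry["severity"],
            "action": action,
            "would_block": action in BLOCKING_ACTIONS,
        }
    return impact


def report(log_text, dst, profile):
    """Print the signatures seen on the flow and which ones the profile would block."""
    summary = signatures_for_destination(parse_threat_log(log_text), dst)
    if not summary:
        print(f"No threat entries for {dst}: the drop is probably not from the "
              "vulnerability profile; check traffic log and other profiles.")
        return summary
    impact = predict_profile_impact(summary, profile)
    for tid, entry in summary.items():
        verdict = "BLOCK" if impact[tid]["would_block"] else "allow"
        print(f"{tid} {entry['name']!r} severity={entry['severity']} "
              f"hits={entry['hits']} -> {impact[tid]['action']} ({verdict})")
    return summary


if __name__ == "__main__":
    report(SAMPLE_THREAT_LOG, "198.51.100.10", INTENDED_PROFILE)
```

If the summary for the update server's address is empty even with every severity set to Alert, the vulnerability profile is unlikely to be what drops the session, which is the same conclusion the thread reaches before escalating.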

Yes, I do have it as Log at session end.

Mikand - I was under the impression that Vuln profiles with specific actions set do log the events under Threat Monitor. None of the profiles have allow as an action, so I would ideally expect to see everything being logged. But that is not the case. For some reason I cannot see any traffic or threat logs for Sophos updates. But upon disabling the rule, the updates work but still nothing in the traffic or threat logs :)

Cheers

L4 Transporter

Did you try the suggestion that Mikand gave to create a new VP profile and set everything to alert? Have you updated the application and threat signatures to the latest? Each CVE has an associated default action (allow, alert, reset, block). If you don't see anything in the threat log going to the dst address of Sophos even after setting everything to alert, then it should not get blocked at any setting. If you do see it after setting everything to alert (like under informational threat), check to see what the CSV is set to as default for that CSV. If you don't see anything, I would open a case with TAC.

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

Tried all means possible. I am now raising it with TAC.
