SophosLabs expertise (1)
• Malware (viruses, worms, Trojans, rootkits, spyware)
• Adware
• HIPS rules
• Malicious URLs
• Spam campaigns
• DLP (sensitive data types)
• Application control
• Device control
• Web URL database
• Anonymising proxies
• Application patches
[Diagram: SophosLabs Active Protection data feeds: malware data, website URL database, HIPS rules, reputation data, malicious URLs, spam campaigns, sensitive data types, application categories, device data, mobile application reputation, anonymizing proxies, application patches]
SophosLabs expertise (2)
[Diagram: SophosLabs (Vancouver, Canada; Oxford, UK; Budapest, Hungary; Sydney, Australia) publishes Active Protection data (identities, genotypes, website URL database, HIPS rules, reputation data, malicious URLs, spam campaigns) to endpoints through live cloud lookups and continuous protection updates]
Central installation directories
• \\<server name>\SophosUpdate\CIDs
• Web CIDs
[Diagram: SophosLabs Active Protection → Sophos Update Manager CID → endpoints]
Updating multiple CIDs (continued)
• Controls the version of endpoint software
• Controls the network bandwidth
Sophos Enterprise Console
• Find and populate endpoints and groups
• Deploy
• Configure the client software
• Configure SUM
• Monitor the network
• Take actions
• Generate reports and alerts
• Store all data in a SQL Server database
With VMware vShield Endpoint
• Same AV policy
• Alerts reported per VM
• Max 2 simultaneous scheduled scans
[Diagram: management server CID (UNC or HTTP) and message router (RMS) connected to a VMware ESX Server running vSphere/vShield; the SSVM (Linux) runs SAV for vShield with AutoUpdate, and each Windows VM runs VMware Tools with the vShield drivers]
Section objectives
Upon completion of this section you will be able to:
• qualify the main system requirements for the management software components and endpoint software components
• list the main steps of a simple deployment
• list additional steps required for advanced deployments and for upgrades
• list the main steps involved in a typical endpoint deployment
Endpoint client for Windows version 10.3
See http://www.sophos.com/en-us/support/knowledgebase/118620.aspx for more details
Endpoint client for Windows (continued)
Support marks (Y) per operating system, against the columns Client Firewall, Patch Assessment, Web Control and Full Disk Encryption:
• Windows 2000 Professional: Y Y Y
• Windows XP / Vista / 7 Home: Y Y
• Windows XP Professional: Y Y Y, 32-bit only
• Windows Vista / 7 Professional / Enterprise / Ultimate: Y Y Y Y
• Windows 8 Home / Professional / Enterprise: Y Y Y (desktop mode)
• Windows 2003/R2/2008/R2/2012 Standard / Enterprise / Web: Y Y
• Windows 2003/R2/2008/R2/2012 Datacenter: Y
• Windows 2000/2003/2008/2011 Small Business: Y
See http://www.sophos.com/en-us/support/knowledgebase/113278.aspx for more details
Antivirus on other platforms
Other platforms supported:
• Mac OS 10.6 or later (Intel and PowerPC)
• Linux with libc6 on Intel
• UNIX: Solaris, AIX, HP-UX, FreeBSD
• NetApp with ONTAP 7.x and 8.x (off-board)
• EMC VNX with CAVA
• Sun Storage with ICAP
• VMware ESX Server with vShield Endpoint 5.1 or later
See http://www.sophos.com/en-us/support/knowledgebase/118620.aspx for more details
Management server setup
• Main steps:
○ Components selection
○ System property checks
○ Database details
○ Communication settings
○ SUM credentials
○ Optional feedback to Sophos
○ Software installation, including SQL Express 2008 R2
○ Sophos download account
○ Selection of client platforms
○ Download of client software
Additional SUM deployment
• Setup.exe to deploy
• Cac.pem & Mrinit.conf
• Managed SUM via SEC
• SEC manages:
○ subscriptions between parent and child SUM
○ SUM configuration
○ updating hierarchy report
○ alerts
• Unmanaged SUM via XML
Additional CIDs
• Additional versions and platforms: Subscription tab
• Additional CIDs on remote server: Distribution tab
• Web CIDs: Manual configuration on a web server or on a reverse proxy*
*Web CIDs on a reverse proxy are only supported by Sophos Professional Services
Upgrades
• Upgrade guide
• Automatic upgrade
• System Property check
• Upgrade center: http://www.sophos.com/en-us/support/resource-centers/endpoint/upgrade-center.aspx
Steps for endpoint deployment
• Find new computers
• Create groups
• View/Edit policy
• Protect:
○ Sophos Enterprise Console’s Protect
○ Sophos Enterprise Console’s Synchronization with Active Directory (see the slide on Finding new computers in the next section)
○ Using alternative deployment mechanisms (see the next 2 slides)
○ option to specify the “group path” for unassigned endpoints
For more details on deployment from Sophos Enterprise Console: http://www.sophos.com/en-us/support/knowledgebase/29287.aspx
Alternative mechanisms
• Manual installation from one of the bootstrap locations
• Scripting
• Third party desktop deployment tools (including GPO, SCCM on Windows or Apple Remote Desktop on Macintosh)
• Packaged self-extracting files
• Disk imaging and cloned virtual machines
Competitor Removal Tool (CRT)
• detects 3rd party antivirus
• detects 3rd party firewalls (except Windows FW & VPN clients)
• stops installation upon detection
• optionally removes 3rd party security software
• can be customized by Sophos
• Run avremove.exe to test
Section review
• List the operating systems supported by
○ Sophos endpoint client version 10
○ Other versions of Sophos Antivirus
○ Sophos Client Firewall
○ Sophos Enterprise Console
• List 6 types of endpoint deployment mechanisms
Section objectives
Upon completion of this section you will be able to:
• describe the main management tasks which can be completed from Sophos Enterprise Console
Section agenda
• Update Manager
• Find new computers
• Create groups
• Updating
• Antivirus and HIPS
• Firewall
• Application Control
• NAC
• Data Control
• Device Control
• Tamper Protection
• Full disk encryption
• Patch
• Web Control
• Dashboard and Alerts
• Smart views
• Right click actions
• Event viewers
• Reports
• Role based administration
Update Manager
• Centrally managed from SEC
• Control of endpoint software versions and size of updates (software subscription)
Find new computers
Endpoints connected to the network can:
• be found on demand (Find new computers)
• be found, deployed, moved and removed on a schedule (Synchronize with AD)
• be imported (Import computer from file)
• appear automatically (deployment using alternative mechanisms)
Patch
• What is a patch?
• Can prevent 90% of vulnerabilities
• What patches are needed?
• Are computers correctly patched?
• SophosLabs patch rating:
○ Vulnerability severity
○ Software popularity
○ Access conditions
○ Threat prevalence
Full web control
• Use case for the Web Appliance as a proxy
• Still need the Web Appliance as gateway for:
○ Mac + Linux endpoints
○ Guests
Inappropriate and Full web control
• Main differences:
Inappropriate web control
○ Console: SEC only
○ Reports: SEC event viewer
○ Number of categories: 12
○ Policies: by computer groups
○ Policy communication: via RMS
Full web control
○ Console: SEC + Web or Management Appliance
○ Reports: Web or Management Appliance
○ Number of categories: 54
○ Policies: by users, by user groups, by time of the day
○ Policy communication: via Live Connect
Reporting interface
• Separate tool used to:
○ Extract data from the Sophos database
○ Create customized reports for Crystal Reports
○ Create customized logs for Splunk
Management of threats
• User alerts
• Automatic clean up
• Quarantine manager
• Command line scanner
• Sophos Bootable Antivirus CD
• Further instructions and tools from the website
Section agenda
• Sophos POA
• Other recovery options
• Architecture
• Deployment
• Management from Sophos Enterprise Console
For more information on our Full encryption suite:
• Check the TO20 SafeGuard Enterprise technical cover course
Sophos POA
• Power-on Authentication:
○ Increases security
○ With a user-friendly interface
○ Provides multiple recovery features
○ Manages user/machine assignment
Sophos POA - Security
• Before the operating system starts up
• Tampering protection
• Logon delays on false entries
• Legal text (optional)
• Audit logs
• Wake-on-LAN support
[Diagram: boot sequence: Computer BIOS → Master Boot Record → Sophos POA → Operating System]
Recovery - Damaged disk
• Recovery via Sophos tools (including POA)
• Integration with 3rd party recovery tools:
○ Windows WinPE and Bart PE
○ Lenovo Rescue and Recovery (RnR)
○ Absolute Software Computrace
• Integration with 3rd party forensic tools:
○ EnCase
○ AccessData
• Help from Sophos technical support
Endpoint deployment
• Via the console
• Setup.exe, manually or via a 3rd party deployment tool
• Computer MBR and volumes need to be checked before deploying: http://www.sophos.com/en-us/support/knowledgebase/57554.aspx
Main endpoint solutions
• On-premise Endpoint Protection
○ Managed via Sophos Enterprise Console
• Sophos Cloud Endpoint
○ Managed via Sophos Cloud
• Endpoint Protection in Sophos UTM
○ Managed via Sophos UTM
Main differences
Cloud Endpoint 1.5
• Console: Web console in the Cloud
• Centralized update repository: Web proxy cache (optional)
• Endpoint platforms: Windows, Mac
• Main features: Anti-Malware, Device Control (AD Sync coming soon)
• Management by: Users with simple policies
• Target market: Up to 1,000 users
UTM 9.1
• Console: Web console in the UTM
• Centralized update repository: Web proxy cache (optional)
• Endpoint platforms: Windows
• Main features: Anti-Malware, Device & Web Control
• Management by: Computers with detailed policies
• Target market: Up to 1,000 users
On-premise with SEC 5.2.1
• Console: SEC console on Windows server
• Centralized update repository: Update Manager on file servers or on web servers
• Endpoint platforms: Windows, Mac, Linux, UNIX, Storage (NetApp, EMC, Sun)
• Main features: Anti-Malware, Device, Web & Application Control, Client Firewall, DLP, Patch assessment, Encryption, AD Sync
• Management by: Computers with detailed policies
• Target market: Up to 25,000 users