When I look in "Sophos Central Admin --> Server Protection Dashboard --> Servers --> [server name]" I often see "Update Succeeded." Does that mean the server's agent updated, or that the server downloaded new virus definition files?
I ask because I have one server that is saying it hasn't updated in a couple days, yet all of its Assigned Products have green check marks, plus under the Status tab, all services are showing green and the "Security Health" list is all green as well. Yet the server still shows an entry in the Events tab that says "Out of date." If that means the virus definitions are out of date, how can I use the portal to find the virus definitions available on the server? Usually a reboot fixes this, so I am not worried about a resolution to the problem, since the server will be replaced soon.
Lastly... why isn't there a Sophos Central Admin forum under "Community & Product Forums!"
Thank you for reaching out to the Sophos Community.
The "Update Succeeded" event will correspond with a software update.
The virus definition updates will occur independently of the software updates. You can check the virus definition list by using the following steps.
- Go to: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
- Open the following link in a web browser: https://downloads.sophos.com/downloads/ide/
- Select the hyperlink "latest_IDE.xml"
- The line that begins <name> will have the latest IDE file listed next to it.
Confirming that the latest one is on the device will confirm that the virus definitions are up to date. If you were looking to verify this from Sophos Central Admin, it's possible to use "Live Response" to run a "dir" command from the directory "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\".
We can also use one of the existing queries present under "Live Discover" to query for the existence of the latest ide file, i.e.:
- Open Live Discover
- Select the "File attributes and metadata" query
- Use the base path "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\"
- Supplement this with the "Latest Ide" returned from the browser: msil-rts.ide
- Query argument: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\msil-rts.ide
To add some additional information, the "Live Protection" feature will ensure that your devices always have the latest threat detection information. Whenever new or unknown files are encountered, the AV will send data back to Sophos to see if any new detections match the file. If a new/matching detection is present in our database that hasn't yet been released, the device in question will be sent the detection data so that it's able to convict the file.
If your updating failures are typically resolved by rebooting the device in question, I would consider using "Controlled Updates". From the behavior mentioned, it sounds like the AV needs the device to be rebooted so that newer drivers can be loaded. If there's already one pending restart that has yet to be completed, any future updates will fail until that driver re-load is done first.
Hopefully, this information helps, though if anything is unclear or you have further questions, please update this thread.
Regarding your question about a "Sophos Central Admin" page being added to our forums, I've provided your feedback to our team.
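A way to script the check described in the answer above (read the <name> entry from latest_IDE.xml, then see whether that file is present in the Sophos Anti-Virus folder), as an added example that is not part of this thread or of Sophos' own tooling. The XML elements around <name>, the sample folder listing and the function names are assumptions; the folder path and the msil-rts.ide name come from the thread.

```python
import os
import re
import xml.etree.ElementTree as ET
from typing import Iterable

# Constructed sample of the latest_IDE.xml feed: only the <name> line comes
# from the thread; the surrounding elements are an assumption.
SAMPLE_LATEST_IDE_XML = """<?xml version="1.0"?>
<latestIDE>
  <name>msil-rts.ide</name>
</latestIDE>
"""

# Folder from the thread, the same one a Live Response "dir" would list.
SAV_DIR = r"C:\Program Files (x86)\Sophos\Sophos Anti-Virus"

# IDE names look like "msil-rts.ide": a bare filename with no path parts.
IDE_NAME = re.compile(r"[A-Za-z0-9_-]+\.ide", re.IGNORECASE)


def latest_ide_name(xml_text: str) -> str:
    """Return the IDE filename announced by latest_IDE.xml.
    The feed arrives over the network, so the name is validated before it is
    joined onto a filesystem path or pasted into a Live Discover query."""
    node = ET.fromstring(xml_text).find(".//name")
    if node is None or not node.text:
        raise ValueError("latest_IDE.xml has no <name> element")
    name = node.text.strip()
    if not IDE_NAME.fullmatch(name):
        raise ValueError(f"unexpected IDE name in feed: {name!r}")
    return name


def ide_status(latest: str, listing: Iterable[str]) -> dict:
    """Compare the announced IDE with a folder listing (case-insensitive)."""
    installed = {f.lower() for f in listing if f.lower().endswith(".ide")}
    return {"latest": latest, "installed_ide_count": len(installed),
            "up_to_date": latest.lower() in installed}


def check_server(xml_text: str, sav_dir: str = SAV_DIR) -> dict:
    """Same comparison against the real folder on a server."""
    return ide_status(latest_ide_name(xml_text), os.listdir(sav_dir))


if __name__ == "__main__":
    # Constructed listing standing in for the dir output of a lagging server.
    stale = ["SavService.exe", "javab-ax.ide", "troj-abc.ide"]
    print(ide_status(latest_ide_name(SAMPLE_LATEST_IDE_XML), stale))
```

On a live server, fetch latest_IDE.xml yourself and pass its text to check_server; a False "up_to_date" together with green service status is the "Out of date" situation from the question.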
Excellent post! Thank you, Qoosh. I might just make myself a Live Discovery query and run it regularly, just to soothe my paranoia.
Thank you for the kind words, I am glad I was able to help you out.
I agree. An excellent post. Thanks a lot!