
Anyone else not yet received latest versions?

Our Intercept X version is currently 2.0.22 and our Core Agent is 2.20.4.1 yet despite being assured we'd receive the latest versions "at some point in January" we do not appear to have yet received them.

Updates both from our local Cache servers or direct from Sophos do not appear to be pushing down the latest versions.

We're UK-based, not using any "Controlled Updates" settings and are not members of the EAP - anyone else still waiting?  We need the latest versions for compliance reasons.



  • I think I have something here:

    https://www.ncsc.gov.uk/files/Cyber-Essentials-Plus-Illustrative-technical-specification-2-2.pdf

    Using the output of the scan, identify vulnerabilities that are high risk or security critical, as defined by the following CVSS v3 parameters:

    • attack vector: network only

    • attack complexity: low only

    • privileges required: none only

    • user interaction: none only

    • exploit code maturity: functional or high

    • report confidence: confirmed or high

    If there are any vulnerabilities which meet the above criteria, and for which the vendor provided patch has been available for more than 14 days prior to testing, record a Fail result for the sub-test. Otherwise, record a Pass result.

    It also has in Test case 3:

    Sub-test 3.1 (for EUDs that use antivirus software) For each EUD in the sample set, check that:

    • all antivirus definitions released within the 24 hours prior to testing have been installed

    • all antivirus engine updates released within the 30 days prior to testing have been installed

    and I also found this comment on it:

    https://www.ncsc.gov.uk/blog-post/cyber-essentials-it-isnt-a-risky-business

    -

    Example 2: Security updates
    My second example relates to the technical specification which requires that organisations apply security updates (also known as patching) within 14 days, where the vendor defines the severity as ‘critical’ or ‘high risk.’

    This is probably the one requirement that attracts the most debate! It’s always worth reiterating the scope of the assessment, which is:

    “Any device that accepts incoming network connections from untrusted Internet-connected hosts; establishes user-initiated outbound connections to arbitrary devices via the Internet; or controls the flow of data between any of the above devices and the Internet.“

    I always like to reiterate the scope of the assessment, as it clearly influences what must meet the 14-day update requirement and what should meet it.

    It’s easy to say “update within 14 days” but for many, this is challenging. Even so, we have 60,000 certificates issued to companies big and small who, to their credit, have managed to achieve this. That said, I’m starting to hear of cases where the 14 day rule has not been applied consistently in the past.

    As companies are coming forward to be re-certified, it’s clear that their previous assessment took a more risk managed approach and allowed for updating beyond the 14 days. That has never been allowed within the requirements, so I would expect the Certification Bodies to follow the requirements laid down in the standard.

    -

    So it seems that as long as detection identities are being installed within 24 hours and engine updates within 30 days, general product updating is fine.  It's only where there is a vulnerability in the software and the update is to resolve it that it needs to be updated to the version that fixes it within 14 days?
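One way to mechanise the two checks quoted above (the CVSS v3 criteria with the 14-day patch rule, and sub-test 3.1's 24-hour and 30-day windows) so they can be run over scanner output; this is an added example, not code from the thread or from the NCSC document, and the CVSS vectors, dates and function names are constructed for illustration:

```python
from datetime import date, datetime, timedelta

# Cyber Essentials Plus sub-test criteria quoted above, as CVSS v3 metric -> accepted
# values. The temporal metrics E and RC must be present for a finding to count
# (assumption: the scanner output carries them; if it does not, nothing matches).
CE_PLUS_CRITERIA = {
    "AV": {"N"},       # attack vector: network only
    "AC": {"L"},       # attack complexity: low only
    "PR": {"N"},       # privileges required: none only
    "UI": {"N"},       # user interaction: none only
    "E": {"F", "H"},   # exploit code maturity: functional or high
    "RC": {"C"},       # report confidence: confirmed
}
PATCH_GRACE_DAYS = 14                        # vendor patch out longer than this -> Fail
DEFINITION_WINDOW = timedelta(hours=24)      # sub-test 3.1: AV definitions
ENGINE_WINDOW = timedelta(days=30)           # sub-test 3.1: AV engine updates


def parse_cvss_v3(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    head, *metrics = vector.strip().split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    return dict(m.split(":", 1) for m in metrics)


def is_ce_plus_high_risk(vector):
    """True only when every metric in CE_PLUS_CRITERIA has an accepted value."""
    metrics = parse_cvss_v3(vector)
    return all(metrics.get(name) in ok for name, ok in CE_PLUS_CRITERIA.items())


def patch_sub_test(vector, patch_available, test_date):
    """Fail only for a high-risk finding whose vendor patch (ISO date, or None if
    no patch exists) has been available for more than 14 days before test_date."""
    if not is_ce_plus_high_risk(vector) or patch_available is None:
        return "Pass"
    age = date.fromisoformat(test_date) - date.fromisoformat(patch_available)
    return "Fail" if age.days > PATCH_GRACE_DAYS else "Pass"


def av_updates_installed(released, installed_through, test_time, window):
    """Sub-test 3.1: every update released inside `window` before test_time must be
    installed. installed_through is the release time of the newest update present
    on the EUD; all times are ISO 8601 strings."""
    test_at, have = datetime.fromisoformat(test_time), datetime.fromisoformat(installed_through)
    due = [r for r in map(datetime.fromisoformat, released) if test_at - window <= r <= test_at]
    return all(r <= have for r in due)
```

The same functions can be run over every finding in a scan export and every EUD in the sample set; a finding with no vendor patch, or one that misses any single criterion, records a Pass.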

  • Our organisation is certified under the 'CyberEssentials Plus' certification and we always stick to the 14 day rule when it comes to BIOS, firmware and software-based security updates.

    In our case, specifically with Sophos, we needed to address this issue: Sophos Central Intercept X, Central Server Intercept X Advanced and Sophos Exploit Prevention cumulative hotfix, which has now been addressed satisfactorily since our machines have installed the 2.0.24 update of Intercept X.

    I believe our assessors use Latest version of Sophos products to determine latest Sophos versions but I am not sure entirely, and other assessors may use other sources.

  • Thanks, so that one does make more sense given it's a security vulnerability with a CVE.  It does bring up an interesting question as to what "up to date" means and what the comparison considers.

    As I say, you could drop Sophos Support an email asking to be placed in a later deployment group; I believe there were 3 at the last time I asked.