
First steps with "Sophos Protection for Linux"

Hello everybody,

for testing purposes I've installed Sophos Protection for Linux on two machines (until now we are just using the agent for Windows). For starters I've read the pages under https://docs.sophos.com/central/customer/help/en-us/PeopleAndDevices/ProtectDevices/ServerProtection/SophosProtectionLinux/index.html

Although the component seems to be installed fine, the agent seems to be nonfunctional.

After downloading the EICAR test nothing happens (I expected to be shown that a virus was automatically found). And does "Server Protection" mean complete antivirus protection? The Windows machines show "Intercept X Advanced for Server with XDR" there...

Some tips or a comprehensive user manual would be very much appreciated. Thanks in advance!

Andreas



  • Hi Andreas,

    Thanks for reaching out to the Sophos Community Forum. 

    Try running the following command to verify running processes.
    systemctl status sophos-spl

    The on-access scanning process will look like:
               ├─ 1116 /opt/sophos-spl/plugins/av/sbin/soapd    

    You can also find some additional steps in the thread below.
    - Sophos SPL Troubleshooting

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
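As an added example (not part of this reply and not Sophos' own tooling), a small POSIX shell script that turns the two checks from this thread into repeatable functions: one that looks for the soapd on-access scanner in `systemctl status sophos-spl` output, and one that writes an EICAR test file and polls until on-access scanning removes it. The unit name and the soapd path are taken from the reply above; the sample status output, the test file name, the 30-second timeout and the assumption that a detection shows up as the file being deleted are mine for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos. Unit name and soapd path
# are taken from the reply above; the sample output, file name and timeout
# are assumptions for illustration.

SPL_UNIT="sophos-spl"
SOAPD="/opt/sophos-spl/plugins/av/sbin/soapd"   # on-access scanner binary named in the reply

# Constructed sample of `systemctl status sophos-spl` output, with and without
# the on-access scanner in the process tree (not captured from a real host).
SAMPLE_WITH_SOAPD='* sophos-spl.service
     Active: active (running)
     CGroup: /system.slice/sophos-spl.service
             |- 1116 /opt/sophos-spl/plugins/av/sbin/soapd'
SAMPLE_WITHOUT_SOAPD='* sophos-spl.service
     Active: active (running)
     CGroup: /system.slice/sophos-spl.service'

# Reads systemctl status text on stdin; returns 0 if the soapd process is
# listed, 1 otherwise. "Unit active" alone is not enough: the unit can be
# up while the on-access scanner itself is not running.
spl_onaccess_listed() {
    grep -q -F "$SOAPD"
}

# Live variant for a real host.
spl_onaccess_running() {
    systemctl status "$SPL_UNIT" 2>/dev/null | spl_onaccess_listed
}

# Writes the EICAR test string into directory $1 and polls for up to $2
# seconds (default 30). Returns 0 if the file disappeared (on-access scan
# detected and removed it), 1 if it is still there at the timeout.
# The string is assembled from two halves so that this script is not itself
# flagged; the complete EICAR string only exists inside the written file.
eicar_write_test() {
    dir="$1"
    timeout="${2:-30}"
    f="$dir/eicar-spl-test.com"
    e1='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS'
    e2='-TEST-FILE!$H+H*'
    printf '%s%s' "$e1" "$e2" > "$f" || return 1
    i=0
    while [ "$i" -lt "$timeout" ]; do
        [ -e "$f" ] || return 0
        sleep 1
        i=$((i + 1))
    done
    rm -f "$f"    # do not leave the test file behind when scanning is off
    return 1
}

# Runs both checks on a host and reports; directory for the test file is $1.
spl_selftest() {
    if spl_onaccess_running; then
        echo "soapd is running"
    else
        echo "soapd not found in $SPL_UNIT process tree (check the AV plugin and policy)"
    fi
    if eicar_write_test "${1:-/tmp}" 30; then
        echo "EICAR test file was removed: on-access scanning works"
    else
        echo "EICAR test file still present after timeout: on-access scanning is not acting"
    fi
}
```

Source the file and run `spl_selftest /tmp` as root on the Linux host; the functions are deliberately not called at the top level so the script can be sourced without touching systemctl or writing the test file. A passing process check with a failing EICAR check is the interesting case: the plugin is installed and running, but the policy is not applying scanning to it.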
  • Thank you for your help!

    The process is running and a log file is present. But your link to the SPL Troubleshooting helped. I missed the activated option "Apply scan to Server Protection for Linux Agent". After changing it the test virus was automatically recognized and removed.

    What's just left bothering me now:

    In the column "Protection" my server is shown with "Server protection"; in the mentioned "SPL Troubleshooting" thread the server there is shown with "Intercept X Advanced for Server with XDR and MDR". Why is that? In my server details "XDR" is shown as installed but "Managed Detection and Response" is missing?

  • The "Managed Detection and Response" entry will only be present if you have an MDR license. You can find more information on Sophos MDR on the following product page, or by reaching out to your Sophos Account Manager.
    https://www.sophos.com/en-us/products/managed-detection-and-response

    If you'd like assistance in finding out who that may be for your account, please send me a private message and I'd be happy to help. 

    With an MDR license, a team of threat analysts here at Sophos will help to monitor your environment for any potential threats to keep you safe. If you do already have an MDR license, I suggest using the "Manage Endpoint Software" button to deploy this to any devices where it may be missing.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Thanks for explaining MDR to me! I think MDR is not present on the Windows machines either.

    So I've probably misunderstood the different modules of Sophos protection.

    On a Windows machine I see these:

    Sophos Intercept X
    Server Protection
    XDR

    But on the Linux machine I do see only these two:

    Server Protection
    XDR

    With "Manage Endpoint Software" I can choose the following options:

    Could you explain the different modules in short as you did with MDR and tell me why there is no Sophos Intercept X on the Linux machine?

  • Have you already read this?

     Metasploit downloaded and installed - nothing from Sophos endpoint 

    We had the same issues with the AV plugin. There are a lot of debug steps included and also a workaround to get AV for Linux available.

  • You can find some information on these components on the release notes page. 

    Intercept X - Also known as HitmanPro or HMPA facilitates the "Runtime Protection" features in the Threat Protection Policy.

    Server Protection - Refers to the antivirus and on-access scanning engine.

    Core Agent - Includes the base protection components which will be installed on the device for things like facilitating communication and updating as well as tamper protection.

    XDR - Is a license-based feature closely tied to the "Core Agent". The components will exist on a device, but may not be active unless you have a Sophos XDR license or similar.

    SPL - Installations are "plugin-based". I suggest checking the "Components" tab of the release notes page. The "Spl-Runtime-Detection-Plugin" will correspond to Intercept X.

    Kushal Lakhan
    Team Lead, Global Community Support