PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
Sophos Endpoint Security and Control software has supported virtualization for a few years. Over this time, we've amassed the following practical information about how you can optimize our software to work with this technology. The advice is grouped into three main themes: deployment, provisioning dynamic machines and scheduled scans.
Applies to the following Sophos product(s) and version(s) Enterprise Console 4.0.0Sophos Anti-Virus for Windows 2000+
For information on supported software and availability of technical support, see the following:
A common challenge of protecting virtual machines is ensuring that they have current protection. Virtual machines tend to be created dynamically from template images, but the anti-virus software included in the Gold image is obsolete within a few months of its creation. So how can you ensure that the latest software is loaded into the new machine? Here are four ways that you can prepare virtual machines for deployment that will overcome this challenge.
You can embed an agent deployment task into a virtual machine using a script. This will ensure that when the machine is brought online the latest version of Endpoint Security and Control (Sophos Anti-Virus) is deployed from a network-based central installation directory, which is kept up-to-date by Enterprise Console.
To embed a startup script in the machine image, you will need to configure a start up task (using Active Directory for example) and then call the Sophos setup application with arguments appropriate for the type of machine.
For details of how to do this in Active Directory (AD), refer to the knowledgebase article Deploying Endpoint Security and Control (Sophos Anti-Virus) through Active Directory group policy. For other methods, use Sophos Endpoint Security and Control: command line parameters used by setup.exe as your guide to the settings.
Certain virtualization products like VMware vSphere allow you to stage your systems for preparation before they are put into production. You can take advantage of these staging capabilities to put servers in to a staging virtual network which isolates them from other computers until they have done their preparation workloads. This is a useful technique if you have a wide variety of preparation tasks for your servers -- though it’s somewhat overkill if you just want to deploy an anti-virus program to them.
If you're going to stage the server before deploying it, we recommend creating a virtual network which provides access to your patching infrastructure, anti-virus updates and other such systems whilst preventing access to the network at large (some customers run a penetration test against the system whilst it is being staged to check that it can't access the outside network). This ensures that by the time the system is put into production it is appropriately up-to-date. You will need to use either technique 3 or 4 in this list to make sure the anti-virus software updates appropriately once it is put on the main network.
If you already have a Sophos agent on your virtual machine you can trigger an update as soon as the machine comes online. This ensures that protection is updated as early as possible to minimize the risk of out-of-date clients. You can use Alupdate.exe with arguments to trigger an update, or you can use a script with ALsvc.exe. For details of how to do this, refer to the sections on ALsvc.exe and ALUpdate.exe in the 'Significant Files' section of the knowledgebase article Sophos AutoUpdate: significant files and registry entries.
The most common way to create new virtual machines is to clone them from a library or an existing working machine. If you intend to clone your virtual machines with the product installed, you will need to make some changes to the product on the disk image to ensure that correct certificates are issued to each cloned machine. This ensures that machines appear as new systems and are allocated the correct policies. For more details, refer to the knowledgebase article Sophos Anti-Virus for Windows 2000+: incorporating Sophos Anti-Virus current versions in a disk image, including for use with cloned virtual machines.
In the early days of server virtualization, most virtual machines were static - simply virtual equivalents of their physical counterparts. But as virtualization is now able to deliver high availability and resilience, it has become increasingly typical for network administrators with virtual infrastructures to create/remove machines dynamically to deal with load or user requests. A new challenge of using Enterprise Console is emerging: being able to distinguish between virtual machines and physical machines (such as laptop users) that are roaming and expected to return. These different machines may also require different anti-virus (or other) policies, depending on their business purposes. For instance, a web server might require different protection/performance settings to a database server, or thin client. To overcome both of these challenges, the following steps set out a simplified system to categorize your machines when you have a virtual infrastructure running alongside a physical one. These steps will help you both to identify and remove machines from Enterprise Console when they are no longer required and to assign appropriate policies to all machines on the network.
Most enterprise virtualization products enable you to place virtual machines into a specific AD group as part of their provisioning process. In most organizations, various policies are applied through AD to the virtual systems depending on their use.
The benefit of this approach is that Sophos Enterprise Console can synchronize with Active Directory and automatically apply the correct Endpoint Security and Control policies to the systems as they are created. Furthermore, should a system be provisioned which does not have appropriate anti-virus protection, Enterprise Console can be configured to automatically deploy the software, which is a great fail safe. This feature will ensure that any dynamically created systems have the correct policies - this is particularly useful if you allow users to provision their own machines, or anytime a department outside of IT might miss this step in the provisioning workflow.
Security products sometimes need to perform tasks which are CPU or disk I/O intensive. One of the best examples of this is scheduled scanning for latent malware or when you must complete a scan for clean up purposes. Scheduled scans can significantly degrade the performance of virtual machines if they are not managed appropriately. There are a number of ways to manage this impact, including using other system management tools for which you have already created policies.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.