This article provides an overview of Sophos Patch Assessment and a list of questions and answers on how the Sophos Patch feature works.
We recommend you watch the video Patch Assessment in Sophos Endpoint 10.
Known to apply to the following Sophos product(s) and version(s):
Sophos Endpoint Security and Control 10.0
Sophos Patch Agent 1.0
90% of attacks can be prevented with an existing patch. Yet many computers remain at risk because patching is hard. With Patch Assessment in Endpoint, we prioritize the most critical patches for you by tying them to the threats they prevent. Patch Assessment identifies, prioritizes and scans for critical threat-related patches, and it is integrated into EndUser Protection, delivered in one deployment and managed from a single console.
Patch Assessment Event Viewer:
Sophos Patch (also known as just "Patch") is installed as part of the single installer for Endpoint Protection Advanced, supporting the same O/S and DB platforms, and is well integrated with Sophos Enterprise Console. Patch is included in Endpoint Protection Advanced and all Enduser Protection licenses.
Licensing of Patch controls the management server’s ability to download Patch files from the live Sophos Patch data feed on the internet. No patches will appear in the Sophos Enterprise Console unless Patch has been licensed. If the license expires, then access to the feed will stop and the local Patch data will become more stale as each unlicensed day passes.
SophosLabs calculates a rating for each patch based on a number of parameters, and on that basis patches are rated Low, Medium, High or Critical. Sophos recommends applying all relevant patches, but the SophosLabs rating is designed to let you focus first on the patches that protect against the most active threats.
Note 1: Windows XP Pro SP3 supports 64-bit; Windows XP Pro SP2 does not.
Patches relating to the current operating system and supported applications on each endpoint computer are assessed. A status of missing is reported in the Patch Event Viewer (in the console) for missing patches. The following additional conditions apply:
The complete dataset, which is only downloaded in its entirety when Patch is first activated, is around 300MB in size for Enterprise Console 5.0. For the Console 5.1 release, this data is compressed to around 150MB.
The Patch database default size, based on the patches currently supported, is around 350MB. This database will grow in size, as more patches are supported and also based on the number of endpoints being assessed and the number of patches missing on those endpoints. The database will grow at a rate of around 180 bytes per endpoint per missing patch.
For example, with an estate of 25,000 endpoints, each missing 100 patches, the database will currently grow to a total size of around 770MB.
The Patch server's main use of memory is to cache, for efficiency, any new assessment files from the database that need to be distributed to the endpoints. It is recommended to allocate 512MB of memory for Patch on the management server.
Initial download and setup of Patch data for Enterprise Console 5.0 can take several hours, depending on WAN bandwidth and server performance.
For Console 5.1, the reduced data volume and other efficiency improvements significantly reduce the initial download time, typically to around 1.5-2 hours.
Patch ratings come directly from Sophos in the standard Endpoint Security feed, whereas Patch definition files are received directly from Lumension, Sophos' technology partner for the Patch capability. Additional gateway firewall exclusions may therefore be needed to ensure the full data feed is not blocked. The Lumension feed has two parts: an HTTP location, from which the basic list of Patch files is downloaded, and an HTTPS location, from which the actual Patch data files are downloaded. Both must be reachable from the management server for the feed to complete.
The wsusscn2.cab file is also downloaded from a Microsoft Update location:
You will also need to make sure that the endpoints are able to access the Microsoft Windows update address below:
The download status for the Patch feed is indicated in the Patch event viewer window. At a high level, the Patch status shows one of the following:
Not Downloaded: the initial full download has not yet completed.
OK: the feed has downloaded successfully.
Out of Date: the feed has been interrupted, leaving the data incomplete or stale.
The Patch server checks for updates every 24 hours. The frequency at which new patches are released means that there is no benefit in performing this check more frequently.
No, only new data files, or modified versions of existing files, are downloaded to the server.
No, air gap networks are not currently supported, as Patch needs continuous access to live data from Sophos to ensure the patches, and their associated SophosLabs ratings, are kept up to date.
The console policy allows scanning to be set to every 8 hours, every 24 hours or weekly. If the period expires while an endpoint is switched off, the scan will start the next time the machine is powered on.
Patching is not a time-critical process, so scans have been designed to run in the background and, as a result, typically take 10-20 minutes to complete.
Scans are carried out as a background process, to avoid impacting users, and also have a start-up delay to ensure they do not interfere with the boot process. The scan start delay is also randomized so that in VDI environments all scans do not start simultaneously.
Each endpoint checks the server for new patches before the start of each scan.
To optimize performance and minimize network traffic, Endpoints only download from the server the patches relevant to their O/S and language.
Each endpoint downloads around 35-40MB of Patch data.
No, after the initial download, Endpoints only download new or updated Patch data from the server. Note that around 27MB of the data is in a single file (mcescan.cab) that can update several times a month and needs to be re-downloaded in its entirety if it changes.
If you are running Enterprise Console 5.0, Endpoint Patch data does not support caching. Enhancements added in Console 5.1 enable standard in-line transparent caches to be used at remote locations.
Each Endpoint uploads around 4kBytes of results data to the server at the end of each scan.
The Patch agent-server connection uses plain HTTP as its transport; the Patch data itself is protected using PKI-based encryption rather than relying on TLS on the connection.
No, Patch has been designed to use a separate HTTP-based client-server communications channel to avoid the need for message relays. Customers using message relays to communicate back from remote locations will need to open a separate channel for Patch communications.
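The article states that the transport is plain HTTP and that the data files themselves carry PKI-based protection, but it does not describe the scheme. What an agent needs from such a channel is the ability to reject a file that was modified on the path and a file that someone else substituted; encrypting to the agent's public key alone gives only confidentiality, because anyone holding that public key can produce a well-formed file. The Go program below is an added illustration of that pattern, written for this page and not Sophos's or Lumension's code: the wire format, the choice of RSA-OAEP key wrapping, AES-256-GCM, RSA-PSS signing, 2048-bit keys and the sample file contents are all assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ProtectedFile is an assumed wire format for one Patch data file inside a plain HTTP body.
type ProtectedFile struct {
	WrappedKey []byte // fresh AES-256 key, RSA-OAEP wrapped to the agent's public key
	Nonce      []byte // 96-bit AES-GCM nonce
	Ciphertext []byte // AES-GCM over (server PSS signature || plaintext), tag appended
}

// must panics on an error; used where failure means a broken environment (no randomness,
// impossible AES parameters) rather than bad input from the network.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Protect (server side) signs the plaintext with the server key, then encrypts signature and
// plaintext to the agent. Only the signature ties the file to the server: anyone can encrypt
// to the agent's public key.
func Protect(serverPriv *rsa.PrivateKey, agentPub *rsa.PublicKey, plaintext []byte) (*ProtectedFile, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, serverPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	secrets := make([]byte, 32+12) // AES-256 key followed by the GCM nonce
	if _, err := rand.Read(secrets); err != nil {
		return nil, err
	}
	key, nonce := secrets[:32], secrets[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agentPub, key, nil)
	if err != nil {
		return nil, err
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	body := append(append([]byte{}, sig...), plaintext...)
	return &ProtectedFile{wrapped, nonce, gcm.Seal(nil, nonce, body, nil)}, nil
}

// Unprotect (agent side) unwraps the key, decrypts (GCM rejects any bit changed on the wire),
// then verifies the server signature, which for PSS is exactly serverPub.Size() bytes.
func Unprotect(agentPriv *rsa.PrivateKey, serverPub *rsa.PublicKey, f *ProtectedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, agentPriv, f.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed")
	}
	block, err := aes.NewCipher(key) // the unwrapped key length is not under our control
	if err != nil {
		return nil, errors.New("wrapped key has the wrong length")
	}
	body, err := must(cipher.NewGCM(block)).Open(nil, f.Nonce, f.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("data file modified in transit")
	}
	if sigLen := serverPub.Size(); len(body) >= sigLen {
		digest := sha256.Sum256(body[sigLen:])
		if rsa.VerifyPSS(serverPub, crypto.SHA256, digest[:], body[:sigLen], nil) == nil {
			return body[sigLen:], nil
		}
	}
	return nil, errors.New("data file was not signed by the Patch server")
}

// Demo delivers a constructed sample file three ways and reports whether each was accepted:
// honestly; with one bit flipped on the path; and substituted by a third party who holds the
// agent's public key but not the server's signing key. Expected: true, false, false.
func Demo() (honestAccepted, tamperedAccepted, substitutedAccepted bool) {
	newKey := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	serverKey, agentKey, thirdPartyKey := newKey(), newKey(), newKey()
	sample := []byte("constructed sample: patch definition set, not real Sophos data")
	f := must(Protect(serverKey, &agentKey.PublicKey, sample))
	got, err := Unprotect(agentKey, &serverKey.PublicKey, f)
	honestAccepted = err == nil && string(got) == string(sample)
	tampered := &ProtectedFile{f.WrappedKey, f.Nonce, append([]byte{}, f.Ciphertext...)}
	tampered.Ciphertext[len(tampered.Ciphertext)/2] ^= 0x01
	_, err = Unprotect(agentKey, &serverKey.PublicKey, tampered)
	tamperedAccepted = err == nil
	forged := must(Protect(thirdPartyKey, &agentKey.PublicKey, []byte("substituted definitions")))
	_, err = Unprotect(agentKey, &serverKey.PublicKey, forged)
	substitutedAccepted = err == nil
	return
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

Running it prints `true false false`: the honest file is accepted, the bit-flipped file fails the GCM integrity check, and the third party's file decrypts correctly but fails signature verification. The point for anyone deploying a product built this way is that the agent must hold and check the server's signing key; decrypting successfully proves nothing about who sent the file.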
By default, Patch uses the Enterprise Console proxy settings, found under Update Managers | <LocalServerName> | Sources | Sophos | Source Details | Proxy settings. A different proxy can be used for Patch downloads if preferred; see the article How to override Enterprise Console proxy settings for Sophos Patch data downloads.