This article describes common WebCID configuration problems for Linux, Unix and macOS endpoints, when using an Internet Information Services (IIS) based web-server.
For full details on creating an IIS update server, see this KBA 38238.
Applies to the following Sophos products and versions Sophos Anti-Virus for Linux
This will guide you through the common issues that cause Linux and Unix endpoints to fail when updating from IIS Server.
All the commands require Administrator or equivalent rights to execute successfully. On Windows 2003 and R2 ensure you are logged on as an Administrator, on Windows 2008 and above, you must start the command prompt as Administrator.
IIS7 has a security feature called 'Request Filtering' that can prevent the web-server from serving files and directories. For example, files in a \bin directory will not be available. This only occurs if the 'Request Filtering' feature has been enabled.
To allow files in the \bin directory, run the following command:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /-"hiddensegments.[segment='bin']"
For more information on Request Filtering and checking whether it is installed see this article.
Additionally, under the "Request Filtering" option, edit the "Feature Settings" and make sure the tick-box for "Allow double escaping" is ticked.
Linux / Unix / OS X endpoints will not be able to download files that have no file extension for example: '\S000\savlinux\talpaversion', the error is visible to a browser and in IIS logging as 404.17.
To allow files without extensions to download, add a MIME Type of '.' within IIS Manager, this can also be achieved with the following command:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.',mimeType='Sophos/Linux']"
IIS7 Request filtering may not allow files with multiple extensions to be downloaded, such as *.tar.gz. To allow IIS7 to host files with multiple extensions, add the 'AllowDoubleEscaping' parameter to the 'requestFiltering' element:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /allowdoubleescaping:true
IIS Manager may prevent you from adding MIME Types with multiple file extensions (More than one '.'), these must be added via the command line using the following:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.x.y',mimeType='Sophos/Linux']"
Note: Replace x.y, with the affected extension, for example '.so.0'.
In IIS 6/7/8 file extensions must be associated with a MIME type before they can be downloaded. For the simplest configuration, Sophos recommend to allow all file extensions. For more information see this article: Configuring Microsoft Internet Information Services for endpoint updating
Environments using a more restrictive control over file extensions, can cause a problem for Linux / Unix CIDs. The extensions for some files change on a monthly basis, for example, the virus engine:
In order to restrictively control file extensions, you will need to update your MIME type list every month. Sophos cannot change the name of these files as they are based on Linux library filename conventions.
SAV for Linux / Unix / macOS only support Basic authentication with IIS web servers and proxies. When a web-server only allows NTLM (labeled Integrated Windows Authentication in IIS Manager) or Digest (which uses md5-sess) the update will fail.
In the properties for your IIS website select 'Directory Security' then click 'Edit' within Authentication and access control. The web-server must allow Basic or Anonymous access for Linux / Unix clients to update.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.