This article describes common WebCID configuration problems for Linux & Unix endpoints, when using an Internet Information Services (IIS) based web-server.
For full details on creating an IIS update server, see this KBA 38238.
First seen in: Sophos Anti-Virus for Linux
Operating systems: Windows 2003, Windows 2003 R2, Windows 2008, Windows 2008 R2, Windows 2012
This will guide you through the common issues that cause Linux and Unix endpoints to fail when updating from IIS Server.
All the commands require Administrator or equivalent rights to execute successfully. On Windows 2003 and 2003 R2, ensure you are logged on as an Administrator. On Windows 2008 and above, you must start the command prompt as Administrator.
IIS7 has a security feature called 'Request Filtering' that can prevent the web-server from serving files and directories. For example, files in a \bin directory will not be available. This only occurs if the 'Request Filtering' feature has been enabled.
To allow files in the \bin directory, run the following command:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /-"hiddensegments.[segment='bin']"
For more information on Request Filtering and checking whether it is installed, see this article.
Linux / Unix / OS X endpoints will not be able to download files that have no file extension, for example '\S000\savlinux\talpaversion'. The error is visible in a browser and in the IIS log as 404.17.
To allow files without extensions to download, add a MIME Type of '.' within IIS Manager. This can also be achieved with the following command:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.',mimeType='Sophos/Linux']"
IIS7 Request filtering may not allow files with multiple extensions to be downloaded, such as *.tar.gz. To allow IIS7 to host files with multiple extensions, add the 'AllowDoubleEscaping' parameter to the 'requestFiltering' element:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /allowdoubleescaping:true
IIS Manager may prevent you from adding MIME Types with multiple file extensions (more than one '.'). These must be added via the command line using the following:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.x.y',mimeType='Sophos/Linux']"
Note: Replace x.y with the affected extension, for example '.so.0'.
In IIS 6/7/8, file extensions must be associated with a MIME type before they can be downloaded. For the simplest configuration, Sophos recommends allowing all file extensions. For more information see this article: Configuring Microsoft Internet Information Services for endpoint updating
Environments that control file extensions more restrictively can cause a problem for Linux / Unix CIDs. The extensions for some files change on a monthly basis, for example, the virus engine:
In order to restrictively control file extensions, you will need to update your MIME type list every month. Sophos cannot change the name of these files as they are based on Linux library filename conventions.
SAV for Linux / Unix / OS X only supports Basic or Digest authentication with web servers and proxies. When a web-server only allows NTLM (labeled Integrated Windows Authentication in IIS Manager), the update will fail.
In the properties for your IIS website select 'Directory Security' then click 'Edit' within Authentication and access control. The web-server must allow Basic, Digest, or Anonymous access for Linux / Unix clients to update.
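To see which of the problems above a given update server actually has, the failed requests in the IIS log can be sorted by the setting this article says to check. The script below is an added example, not Sophos code: the log lines and every file name other than 'talpaversion' are constructed, and it assumes a W3C log with the cs-uri-stem, sc-status and sc-substatus fields enabled.

```python
from pathlib import PurePosixPath

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem sc-status sc-substatus
2000-01-01 09:00:01 GET /S000/savlinux/talpaversion 404 17
2000-01-01 09:00:02 GET /S000/savlinux/bin/example 404 8
2000-01-01 09:00:03 GET /S000/savlinux/libexample.so.0 404 3
2000-01-01 09:00:04 GET /S000/savlinux/example.tar.gz 404 3
2000-01-01 09:00:05 GET /S000/savlinux/example.dat 200 0
2000-01-01 09:00:06 GET /S000/savlinux/talpaversion 401 2
"""

def classify(uri_stem, status):
    """Map one failed request to the IIS setting this article says to check."""
    if status == 401:  # flagged for review; the client needs Basic or Digest
        return "authentication: check Basic, Digest or Anonymous is allowed"
    if status != 404:
        return None
    parts = PurePosixPath(uri_stem).parts
    name = parts[-1]
    if "bin" in (p.lower() for p in parts[:-1]):
        return "requestFiltering: hiddenSegments blocks 'bin'"
    dots = name.count(".")
    if dots == 0:
        return "staticContent: add MIME type for fileExtension='.'"
    # Assumption: the extension runs from the first dot, as in the '.so.0' note.
    ext = name[name.index("."):]
    if dots > 1:
        return f"staticContent: add multi-extension MIME type '{ext}' with appcmd"
    return f"staticContent: add MIME type '{ext}'"

def triage(log_text):
    """Group failed requests by likely cause: {cause: [(status.substatus, uri)]}."""
    fields, findings = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            cause = classify(row["cs-uri-stem"], int(row["sc-status"]))
            if cause:
                code = f'{row["sc-status"]}.{row["sc-substatus"]}'
                findings.setdefault(cause, []).append((code, row["cs-uri-stem"]))
    return findings

if __name__ == "__main__":
    for cause, hits in triage(SAMPLE_LOG).items():
        print(cause, hits)
```

The list of extensions it reports is also the list to add when MIME types are controlled restrictively rather than allowing all extensions.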