This article describes the supported methods regarding how to set up and maintain Sophos Update Manager (SUM) in an air gapped network.
Important: The version of Enterprise Console should be the same on both sides of the air gap. If it is not, this can lead to errors as described in the article "A child update manager shows the error Threat detection data update failed".
Any feature that relies on a connection to Sophos for protection lookups will not work in an air gapped environment. Features such as Live Protection, Download Reputation, Malicious Traffic Detection, Web Protection, Web Control and Sophos Clean will not work without a connection to the internet.

To install Endpoint Security and Control on your air gapped network, you have two options:

Option 1: Install Enterprise Console on one of the servers in the air gap to centrally manage and update the Endpoint Windows or Linux computers in the air gap.

With this option the air gapped SUM is updated by copying the Warehouse folder from the SUM on the non-air gapped network. The Warehouse folder is located at:
Windows Server 2000/2003: C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\Warehouse
Windows Server 2008 and above: C:\Program Data\Sophos\Update Manager\Update Manager\Warehouse

NOTE: If an update is in progress when the files are copied, you will see the error "could not create catalogue sdds.local" when configuring the air gapped SUM.

To ensure the files are copied in a consistent state (that is, not being updated at the time the copy is taken), set the update interval to at least 15 minutes. Wait for any current update to finish (wait for the "Downloading Binaries" message to change to "Last checked for updates on…" on the SEC machine), then stop the SUM service before taking the copy.

If the SUM is performing any actions, these can be viewed using the Logviewer.exe program with the log level set to DEBUG. Each time the SUM finishes its operations, "Dispatcher Programs-2017-03… have completed" appears in the log viewer and "Downloading Binaries" changes to "Last checked on…" on the SEC machine. When the service is restarted, the SUM should continue without error.

Option 2: Install the standalone version of Endpoint Security and Control on each of the computers in the air gap.

If you choose this option, you will not be able to ensure compliance with policies on the endpoint computers in the air gap, nor will you be able to take advantage of all the features of Endpoint Security and Control/Sophos Anti-Virus for Linux/Unix, because Application Control, Device Control and Data Control policies are all configured using Enterprise Console.

For installing Endpoint Security and Control, refer to the Endpoint Security and Control standalone startup guide. For installing Sophos Anti-Virus for Linux/Unix, refer to the Sophos Anti-Virus for Linux startup guide and the Sophos Anti-Virus for Unix startup guide.

Once you have followed the relevant startup guide and the standalone version is installed on each of the computers in the air gap, you will have to configure them to update from a shared folder in the air gap. The update files to place in that shared folder are the CIDs from the SUM on the non-air gapped network, located at:
Windows Server 2000/2003: C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
Windows Server 2008 and above: C:\Program Data\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
Linux Server: C:\Program Data\Sophos\Update Manager\Update Manager\CIDs\S000\savlinux
Unix Server: C:\Program Data\Sophos\Update Manager\Update Manager\CIDs\S000\EESAVUNIX

To update the air gapped network, copy the update files from the non-air gapped network using a removable device or CD. After you have subjected this medium to your necessary checks, copy the contents to the shared folder on the air gapped network. It is recommended to update your air gapped network once a day.
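The copy procedure above (stop SUM, copy the Warehouse or CID folder to removable media, check the medium, copy it into place on the air gapped side) as an added PowerShell example. This is not a Sophos tool and not part of the original article; it assumes the SUM Windows service is named 'Sophos Update Manager' (confirm with Get-Service before relying on it), that the destination folder is dedicated to this content (robocopy /MIR makes it an exact mirror), and it uses a manifest file name of its own ('sum-copy-manifest.csv') to verify the copy with SHA-256 hashes on both sides.

```powershell
# Added example (not Sophos tooling). Run elevated on the SUM server (Export) and on the
# air gapped SUM or file server (Import). Export stops SUM so no update writes during the
# copy, mirrors the folder to the media and writes a SHA-256 manifest; Import verifies the
# media against that manifest, copies it into place and verifies the result again.
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')][string] $Mode,
    [Parameter(Mandatory)][string] $Source,       # Export: Warehouse or CID folder. Import: folder on the media
    [Parameter(Mandatory)][string] $Destination,  # Export: folder on the media. Import: Warehouse or shared folder
    [string] $SumServiceName = 'Sophos Update Manager'   # ASSUMPTION: confirm with Get-Service
)
$ErrorActionPreference = 'Stop'
$ManifestName = 'sum-copy-manifest.csv'           # name chosen for this example

function Stop-SumIfRunning {
    # Returns $true only if this call stopped the service, so the caller knows to start it again.
    # A missing service is acceptable on a plain file server hosting the option 2 shared folder.
    param([string] $Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -eq 'Stopped') { return $false }
    Stop-Service -Name $Name
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
    return $true
}

function Copy-Tree {
    param([string] $From, [string] $To)
    # /MIR makes $To an exact mirror of $From; the manifest is excluded so it never lands in the
    # Warehouse or the CID share. robocopy exit codes below 8 mean success.
    & robocopy.exe $From $To /MIR /R:2 /W:5 /NP /NFL /NDL /XF $ManifestName | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

function Get-RelativeFiles {
    # Emits one object per file under $Root: its path relative to $Root and its SHA-256 hash.
    param([string] $Root)
    $root = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File |
        Where-Object { $_.Name -ne $ManifestName } |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length + 1)
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function New-HashManifest {
    param([string] $Root, [string] $ManifestPath)
    Get-RelativeFiles -Root $Root | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-HashManifest {
    # Returns the list of problems found: hash mismatches, files missing from the tree,
    # and files present in the tree that the manifest does not list.
    param([string] $Root, [string] $ManifestPath)
    $expected = @{}
    foreach ($e in Import-Csv -LiteralPath $ManifestPath) { $expected[$e.RelativePath] = $e.SHA256 }
    $problems = @()
    $seen = @{}
    foreach ($f in Get-RelativeFiles -Root $Root) {
        $seen[$f.RelativePath] = $true
        if (-not $expected.ContainsKey($f.RelativePath)) { $problems += "unexpected file: $($f.RelativePath)" }
        elseif ($expected[$f.RelativePath] -ne $f.SHA256) { $problems += "hash mismatch: $($f.RelativePath)" }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) { $problems += "missing file: $rel" }
    }
    return $problems
}

function Assert-Verified {
    param($Problems, [string] $Stage)
    $list = @($Problems | Where-Object { $_ })   # an empty result must count as zero problems
    if ($list.Count -gt 0) {
        $list | ForEach-Object { Write-Warning $_ }
        throw "$Stage failed verification; not continuing."
    }
    Write-Host "$Stage verified against $ManifestName."
}

switch ($Mode) {
    'Export' {
        # Only run once SEC shows 'Last checked for updates on...' (the update has finished).
        $stopped = Stop-SumIfRunning -Name $SumServiceName
        try {
            Copy-Tree -From $Source -To $Destination
            $manifest = Join-Path $Destination $ManifestName
            New-HashManifest -Root $Source -ManifestPath $manifest
            Assert-Verified -Problems (Test-HashManifest -Root $Destination -ManifestPath $manifest) -Stage 'Media'
        } finally {
            if ($stopped) { Start-Service -Name $SumServiceName }   # SUM continues without error on restart
        }
    }
    'Import' {
        $manifest = Join-Path $Source $ManifestName
        Assert-Verified -Problems (Test-HashManifest -Root $Source -ManifestPath $manifest) -Stage 'Media'
        $stopped = Stop-SumIfRunning -Name $SumServiceName
        try {
            Copy-Tree -From $Source -To $Destination
            Assert-Verified -Problems (Test-HashManifest -Root $Destination -ManifestPath $manifest) -Stage 'Destination'
        } finally {
            if ($stopped) { Start-Service -Name $SumServiceName }
        }
    }
}
```

Run it on the non-air gapped SUM server as, for example, `.\Copy-SumUpdate.ps1 -Mode Export -Source 'C:\Program Data\Sophos\Update Manager\Update Manager\Warehouse' -Destination 'E:\SumWarehouse'`, and on the air gapped side with `-Mode Import` and the media folder as `-Source` and the Warehouse (option 1) or the shared CID folder (option 2) as `-Destination`. The manifest travels with the media, so it catches incomplete or corrupted copies and files that appeared on the media after the export; it does not by itself prove the medium was not altered in transit, which is what your own checks on the medium (as the article requires before copying) must cover.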