
Client status when "restart needed"

What precisely is the security status of a client when it shows "Restart needed for updates to take effect" in the Enterprise Console 4.5? Is the client still protected, but with older definitions and/or detection engine? I need to know if I can nod and smile at the security auditors in such a situation.

Thanks,

--Bruce



Hi Bruce,

That depends a little on the component requesting the reboot and the scenario but for the most part yes, you can smile and here's why. :)

At initial install, SAV will install a filter driver which will be operational from the initial install. The software does however request a reboot in order for sophos_detoured.dll to be loaded into processes that are already running such as Explorer.exe.

This is due to the way sophos_detoured.dll is injected into processes. Sophos uses the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

such that as a new process is started, the Sophos dll can load into it. Obviously many of the processes that Sophos might want to load into are already started at initial install so a reboot is requested to ensure all processes are covered. This "hook" is used for data control, buffer overflow and to ensure the first page of IE8+ is scanned. So if you don't use buffer overflow, data control or IE then your risk of not rebooting is close to zero in this scenario.

If you deploy the firewall as well however this will require a reboot due to the nature of the firewall driver. So you will be asked to do a reboot and the firewall is essentially in allow all mode until you do so.

Then comes the first upgrade when the driver of SAV changes (driver changes are quite rare, kept to a minimum and usually Support notify us 3 months in advance at this site), at this point it depends a little on the OS. If the OS is Vista, Windows 7 or 2008, the driver is a mini filter. These are preferable as a reboot is not required to unload and load them, so no reboot required for the driver update. It may however still request a reboot if sophos_detoured.dll is updated in the same version to ensure the latest version is loaded by all processes. In this case you are protected as you were with the initial install, you just might need a reboot for all components to be running but at least this time you still have the original dll loaded.

If the OS is 2000, XP, 2003, the driver is a legacy style filter driver; in order to unload and load a new one a reboot is required, but the good news is you're still protected before you reboot as the original filter driver is still loaded, it just might not have the latest bug fix for example. Sophos ensures that the previous driver is compatible with the new service so you are not left unprotected until you reboot.

I hope this helps explain why a reboot is often required.

Thanks,

Jak

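Jak's explanation suggests a concrete check an administrator can run before answering an auditor: read the AppInit_DLLs value to confirm the hook is registered for new processes, then enumerate running processes to see which ones already have sophos_detoured.dll loaded and which (for example an Explorer.exe started before the install or upgrade) are still waiting for a restart. The PowerShell below is an added example written for this page, not a Sophos tool or anything from the original thread. It assumes it is run in an elevated PowerShell session (module lists of other users' and system processes are otherwise not readable), that the DLL name is exactly the one named in the post, and that the LoadAppInit_DLLs value exists on Vista and later; the 64-bit note and the process names used for the summary are this example's own assumptions.

```powershell
# Added example: is the Sophos AppInit hook registered, and which running
# processes have actually loaded it? Not part of the original forum post.
# Run from an elevated PowerShell prompt.

$ErrorActionPreference = 'Stop'
$HookDll    = 'sophos_detoured.dll'   # DLL name taken from Jak's post
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# --- 1. Registry side: will NEW processes get the hook? ---------------------
$appInit = Get-ItemProperty -Path $AppInitKey
$entries = @($appInit.AppInit_DLLs -split '[,;\s]+' | Where-Object { $_ })
$registered = $entries | Where-Object {
    [IO.Path]::GetFileName($_) -ieq $HookDll
}

"AppInit_DLLs value : '$($appInit.AppInit_DLLs)'"
"Hook registered    : $([bool]$registered)"

# On Vista/2008/7 the list is only honoured when LoadAppInit_DLLs is 1
# (assumption about the OS, not something the post states).
if ($null -ne $appInit.LoadAppInit_DLLs) {
    "LoadAppInit_DLLs   : $($appInit.LoadAppInit_DLLs)"
}
# Assumption: on 64-bit Windows the 32-bit hook lives under Wow6432Node,
# so check that view as well if your processes are 32-bit.
$wowKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
if (Test-Path $wowKey) {
    $wow = Get-ItemProperty -Path $wowKey
    "AppInit_DLLs (WOW64): '$($wow.AppInit_DLLs)'"
}

# --- 2. Process side: which RUNNING processes have the hook right now? -----
$loaded  = New-Object System.Collections.Generic.List[string]
$missing = New-Object System.Collections.Generic.List[string]
$denied  = New-Object System.Collections.Generic.List[string]

foreach ($p in Get-Process) {
    try {
        $mods = @($p.Modules | ForEach-Object { $_.ModuleName })
    } catch {
        # Access denied or bitness mismatch: cannot inspect, say so rather
        # than silently treating the process as covered.
        $denied.Add("$($p.ProcessName) ($($p.Id))")
        continue
    }
    if ($mods -icontains $HookDll) {
        $loaded.Add("$($p.ProcessName) ($($p.Id))")
    } else {
        $missing.Add("$($p.ProcessName) ($($p.Id))")
    }
}

""
"Processes WITH $HookDll loaded    : $($loaded.Count)"
"Processes WITHOUT $HookDll loaded : $($missing.Count)"
"Processes that could not be read  : $($denied.Count)"

# The post singles out Explorer and IE as the processes the hook matters for;
# list those explicitly so the 'restart needed' status can be judged.
$interesting = 'explorer', 'iexplore'   # assumption: the ones you care about
""
"Status of processes the hook is meant for:"
foreach ($name in $interesting) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $procs) { "  $name : not running"; continue }
    foreach ($p in $procs) {
        $tag = "$($p.ProcessName) ($($p.Id))"
        if     ($loaded  -contains $tag) { "  $tag : hooked" }
        elseif ($missing -contains $tag) { "  $tag : NOT hooked - started before the DLL was registered/updated" }
        else                             { "  $tag : could not read module list" }
    }
}
```

Read the two halves together: "Hook registered: True" with Explorer.exe reported as "NOT hooked" is exactly the state Jak describes after an install or upgrade, where new processes are covered but long-lived ones wait for the restart. The script only reports what is loaded; it cannot tell which version of the DLL a process has, so on the upgrade scenario in the post a process can show as hooked while still running the previous build until it is restarted.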