
How often are virus DAT updates published?

Silly question, but how often are updates published, and more importantly how can I get notification of them? Because of the McAfee DAT problem a couple weeks ago, I'm now planning on configuring the EC to not automatically update clients until after I've downloaded and tested them in my sandbox/lab. However, I need to know when Sophos releases the updates so I can test them...etc.

Also, what is the appropriate way to tell managed clients not to automatically update? I assume removing the check on the update policy under schedule "Enable networked computers to use Sophos updates automatically".


  • Hello,

    there is a recent thread. I can only repeat what I've said there: carefully calculate the risk. As updates (IDEs) are issued whenever new detections are available (several times a day when necessary) you'd have to check "all the time". Until you did the checks your clients would be exposed to the latest threats - and preventing exactly this is what automatic updates are about. Of course you could delay only the engine and library updates but it's not worth the hassle.

    Since it is expected that you use automatic updates whenever possible you are not notified for every update but you can subscribe to the Sophos daily update digest. Yes, you'd uncheck the box. After testing you'd then use Update Computers Now. The message is queued for computers offline at this time so these clients should get it the next time they contact the management server (unless of course you clear the envelopes folder).

    But once more - I advise against turning off automatic updates.


  • IDE updates:

    Sophos is not McAfee. That is the very reason we went with Sophos over McAfee. McAfee has had this type of widespread damage done through their updates back in 2005 and again this year. Their view has been if McAfee breaks things, too bad. Sophos released one false positive back in 2005 that impacted Adobe products on Mac. Sophos stated they were very sorry and would increase their QC checks before releasing updates to reduce this from happening again. Since 2005 Sophos only had one wide case of a false positive causing a minor issue for us. In Dec 2009 they released a false positive that flagged PDF files. It was resolved in 2 hours or so.


    The EMC has been redesigned so that endpoints do not check in on a scheduled 5 minute time. Now the endpoints only check in when something has changed on their side. If you disable updates on the endpoints the only way to get them to update would be to manually push a policy or use the update now option. This is going to take a long time to reach all your endpoints and you may find that the number of temp files created on the server will cause you an issue. Endpoints that are offline would have to get infected or have a policy change occur before they would report in to the EMC since they had been told not to do updates.

    Controlling Engine updates:

    We deploy Sophos with quarantine in place so items seen as a false positive, if it happens, can be resolved without damaging the OS or end user data. The files would be blocked from running but not deleted or moved from their original location.

    We control the engine updates by running IDE only fixed update sites for Windows servers. We let the full engine updates run for about two weeks before upgrading the Windows servers sites.

    Daily IDE updates:

    I tracked the number of family IDE updates released each day for about a year and found Sophos was deploying over 30 packages of updates a day. This was done back in 2007, since then I'm sure they are doing more.
