Restart Needed

Hi All,

I have started pushing version 9.5 to endpoint computers, with most of the clients running Windows XP. After install a reboot is required. My query is: how long are clients protected if they are not restarted?

Thanks

  • Hello Joetobai,

    As the advisory says, "Existing protection will not be compromised in the interim before the required reboot is completed." SAV (SCF is a different story) will continue to run and the clients will update the IDEs, so you don't need to reboot ASAP. Of course you shouldn't delay it for weeks or even months.

    HTH

    Christian

  • Hi,

    The need to restart was initially all about the drivers, but as the solution introduced more components, these then started to require reboots to get them up and running, loaded in all the processes they were intended to be loaded into, and updated. For example:

    When installing SAV on a clean machine (any operating system), the filter driver (the on-access scanning driver that attaches to the file system) can be installed, will work straight away and doesn't require a reboot. It is only if the driver is updated that it would require a reboot, but even this is only true for operating systems where Sophos uses a legacy filter driver. On Windows Vista, Windows 7 and Windows 2008, Sophos uses a mini-filter (http://www.microsoft.com/whdc/driver/filterdrv/default.mspx) which can be loaded and unloaded without the need for a reboot. On the above platforms the command FLTMC.exe will show the Sophos mini-filter.

    The Sophos Client Firewall driver, on the other hand, requires a reboot to work on a fresh install and also if it is updated, due to the nature of the driver.

    So at this point it was quite cut and dried: with SAV only (no SCF) on Windows 7, for example, the only time you might need a reboot is if Windows Installer requested one, due to a locked file for example.

    You then have to factor in components such as Detours (http://www.sophos.com/support/knowledgebase/article/112099.html). This DLL is loaded into processes as they launch for a variety of additional functionality, e.g. Buffer Overflow Protection and Data Control. So for example if you deploy Data Control, which uses Detours, this DLL has to be loaded into Explorer.exe. So on initial install, Data Control is not functional, as the mechanism for loading Detours is the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    and
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    (Both are set on a 64-bit machine, as there is a 32-bit and a 64-bit version of Detours.)
    So in order to "activate" Data Control, Explorer.exe would have to be restarted. A forced restart of Explorer.exe on deployment wouldn't go down too well, I imagine, so for this reason a "reboot required" message is sent to ensure it is loaded on the next reboot.

    Obviously if Detours is updated, a reboot will be required in order for all processes to load the new one. That's not to say the old one will not work with the new software; it just may not have the latest fixes, etc.
    Another example is the new Layered Service Provider (LSP) component which implements the web protection feature. This DLL is loaded into Iexplore.exe, Chrome.exe and Firefox.exe as they launch, so if it is updated as part of an update, or a Chrome.exe process for example is already running before you deploy SAV, that process would miss out and be, to some degree, unprotected. So the only sure way to know that all processes have the DLL would be to request a reboot.
    The Browser Helper Object (BHO) that provides the web scanning in Internet Explorer is a similar story: if IE is already running at deployment, the open IE process will not have the BHO DLL loaded into it. So again, ideally the process would be restarted.
    With all of these components, the original one is always compatible with the new software; it's just that you will not benefit from any new features or bug fixes until you do reboot.
    I hope this helps you to decide if those machines really do need a reboot, but essentially, outside of the drivers, there are now many processes on the system which have Sophos DLLs hosted in them, and to ensure they do and have the latest, the safest bet is to reboot. If you know what you're doing you can restart all of the processes, but the disruption and time make it easier to just reboot.
    Regards,
    Jak
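As an added example (not from the thread and not a Sophos tool), here is a read-only PowerShell check an administrator could run to see whether the DLLs listed in the two AppInit_DLLs values Jak describes have actually been loaded by the processes that are already running, and to list the attached mini-filters with FLTMC.exe. The DLL names are taken from the registry values themselves; nothing is hard-coded, and the Wow6432Node key is simply skipped on a 32-bit machine.

```powershell
# Added example: which running processes are still missing the AppInit_DLLs
# entries (the "process started before deployment" case from the post), plus
# the currently attached file-system minifilters. Run from an elevated prompt.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

# Collect DLL file names from the native and (on 64-bit) the Wow6432Node value.
$dlls = foreach ($k in $keys) {
    $v = Get-ItemProperty -Path $k -Name AppInit_DLLs -ErrorAction SilentlyContinue
    if ($v -and $v.AppInit_DLLs) {
        # The value may hold several paths separated by spaces or commas.
        $v.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ } |
            ForEach-Object { [IO.Path]::GetFileName($_) }
    }
}
$dlls = $dlls | Sort-Object -Unique
if (-not $dlls) { Write-Output 'No AppInit_DLLs entries found.'; return }
Write-Output "AppInit_DLLs entries: $($dlls -join ', ')"

# For every process whose module list we may read, report entries not loaded.
# Note: AppInit_DLLs only loads into processes that use user32.dll, so
# services without a user32 dependency are expected to appear here.
foreach ($p in Get-Process) {
    try   { $loaded = $p.Modules | ForEach-Object { $_.ModuleName } }
    catch { continue }   # protected/system processes deny module enumeration
    $missing = $dlls | Where-Object { $loaded -notcontains $_ }   # case-insensitive
    if ($missing) {
        Write-Output ("{0,-24} PID {1,-6} missing: {2}" -f
            $p.ProcessName, $p.Id, ($missing -join ', '))
    }
}

# Attached minifilters (the post notes FLTMC.exe shows these on Vista and later).
if (Get-Command fltmc.exe -ErrorAction SilentlyContinue) { fltmc.exe filters }
```

A process such as Explorer.exe that was running before the value was written will show the DLL as missing until it, or the machine, is restarted.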