
Was this change to the client initiated by the Enterprise Server?

We have a secure Red Hat environment, which is almost entirely air-gapped. Incoming connections are forbidden, although outgoing requests from the clients to our server can initiate connections such as virus updates. Sophos Enterprise Console is one of the few services which we can communicate with, to download virus updates. Two days ago, our init scripts for sav-protect and sav-rms changed and the services were restarted. The only change is that the copyright date was revised from 2015 to 2016, so we feel confident that this is a legitimate code change. This set off our TripWire alarms, of course. If needed, we can supply the logs showing the services being restarted.

Our concern is that this change may have been initiated by the server (outside of the secure zone), instead of the clients (which are inside the secure zone). Was this initiated by the server, or was this a routine update? Should we have been anticipating this event?


