Extended Anti-Virus support for Windows XP/2003

I'm under the understanding that these subscriptions are only for specific updates that Sophos may release for Windows XP and Server 2003. These machines will still receive virus definition updates as per normal without being applied to a group / update policy / subscription for Windows XP & Server 2003 extended support.

Is this true? We have remote sites which all have their own group, and update policy, and use the "Recommended" subscription. These remote sites use their own update managers as well.

Most of the remote sites have some XP and Server 2003 machines. If I was to create one group for the XP machines, then these machines won't be using their designated update manager.

I'm not sure how to proceed. Creating a group for every site (we have over 60) might be a bit messy, and would add a lot more groups and update policies.

Any advice would be appreciated.

 

  • Hello Thomas Newman,

    depends on how long you intend to run XP/2003 but first a question: You've posted here in the UTM section but do you use the UTM managed version or the on-premise SESC as you mention designated update managers?

    Christian

  • In reply to QC:

    We use on-premise SESC, as we have update managers for each site. What I'm worried about is the XP and Server 2003 machines not getting their updates. If they're not in a group that has the extended support subscription, will they still get the Sophos updates?

  • In reply to Thomas Newman:

    Hello Thomas Newman,

    I'm not Sophos so I can't say how it will behave until it's definitely retired. The Extended Support article isn't absolutely clear, it says that the extended subscription is based on 10.6.3, the not so few remaining XP/2003 I have did upgrade to 10.7.6 though. So guess they will continue to receive IDE updates for at least some months (but as the article says they will not be supported meaning Support will not accept support requests/queries for them). And 10.7.6 will perhaps be available as a fixed package until the end of this year.

    As I don't have an Extended Support subscription I can't say if the package is indeed based on 10.6.3. Anyway at present end-of-support is scheduled for end of March 2019. Thus the question is how long will these legacy machines still be around? And how mission-critical are they?
    As you have to re-protect your endpoints with the special package you must either create the required CIDs (is done automatically when you add a subscription to a SUM) and groups or use it for all your endpoints (and thus forgo the newer features for "the rest"). Again: I have no experience with the package so I can't say if 10.7.x would automatically downgrade to it - components added after 10.6.3 would remain on the machines in an unmanaged state and you'll likely get updating errors as well.

    Christian   

  • In reply to QC:

    We have purchased extended support as we have a large number of "legacy" machines ( I know, I know :) ) and I came across this article

     

    https://community.sophos.com/kb/en-us/125237

     

    It isn't totally clear how you get 10.6.3 to be installed? I have just built a blank test XP machine and the version installed is 10.7. I can't seem to find a clear way of putting 10.6.3 on it. The machine is in a dedicated XP OU and the subscription is pointing to Windows XP and 2003 Support.

  • In reply to pdturbo80:

    Hello Peter,

    as the image on the article shows

    the Extended Support package appears as additional "platform". As I don't have it I can't say which version(s) should be available in the Version drop-down. You might be fooled by the wording of the article though - it says (emphasis mine) a new package (based on the 10.6.3 release), it doesn't say it is 10.6.3.
    IIRC there hasn't been a SESC 10.7.1 (10.7.1 briefly existed as Central Preview) so this seems to be correct.

    Christian

  • In reply to QC:

    Hi Christian,

    Thanks and well spotted. It's a bit of an odd choice of wording.

    It says that XP no longer has the option of the Firewall anymore - however our existing XP machines still are showing as protected with it. Are they really or not?

    Confused!

  • In reply to pdturbo80:

    Hello Peter,

    if SEC gives you the firewall option when you try to use Protect then it's still there. Again quoting from the article with emphasis by me: Extended Anti-Virus support for Windows XP/2003 does not include .... The strict formal interpretation would be that for Extended Support (Support in the sense that you will get help - not that it won't work in principle - with issues on the endpoint) only if these components have been removed. In practice it means that it's not guaranteed that these two will work and naturally you won't get any help with them. ... these two components [...] will remain [...] but fail to update. If this occurs .... Can't say whether the If is a synonym for When or deliberate, given that XP machines still update with 10.7.6, that SCF hasn't received any updates since 10.6.4 and Patch only a minor one I assume that it means that although it isn't planned they could be withdrawn at any time and when this happens you'll encounter the errors.
    My interpretation, just my interpretation. In short and other words: The core components (SAV proper, AutoUpdate, and RMS) will be updated as necessary, they won't touch the rest but reserve the right to withdraw SCF and Patch before the end of Extended Support.

    Christian

  • In reply to QC:

    Hi Christian,

    Thanks. I have just checked and looks like you can install a Windows XP "Sophos" Firewall when I tried to protect the test endpoint. I am guessing that support for this will be withdrawn at any time so it's just a waiting game...

    Peter

  • In reply to pdturbo80:

    Hello Peter,

    just saw that the Extended Support package is supposedly version 10.7.2.4. Did you see 10.7.1 in View > Bootstrap Locations ...?

    Christian

  • In reply to QC:

    Hi,

    Good spot, just checked and we have this in our main SUM

     

  • In reply to QC:

    An update on this.

    We moved an existing XP machine into the test OU and Sophos did an update and "downgraded" the version to the supported extended support version. Great.

    I removed the Patch as per the article

    https://community.sophos.com/kb/en-us/125237

    (I did however leave the firewall on).

    After a short while the update happened and it appears that it failed. Looking into alc.log it looks like it attempts to download the patch?

  • In reply to pdturbo80:

    Hello Peter,

    so apparently Patch is no longer in the CID but SCF is.
    Patch should UnregisterWithAutoUpdate upon uninstall. It seems it hasn't done so. AutoUpdate considers it for downloading/installing if the following key is present: HKLM\Software\Sophos\AutoUpdate\Products\{C58B1255-C24E-43d6-B2EB-9FB302B42E99}. As said, AFAIK uninstalling should take care of it. Is HKLM\Software\Sophos\Sophos Patch Agent also still there (though I think it doesn't make a difference)?

    Christian

  • In reply to QC:

    Morning,

    Hi that key is still present for both you mentioned. Should I delete them both?

    The patch has definitely been removed from Add/Remove Programs. 

    Thanks

    Peter

  • In reply to pdturbo80:

    Hello Peter,

    can't say why they are still there (unless I misunderstand the Unregister), it's safe to remove them - and necessary to remove at least the Products subkey so that AutoUpdate no longer considers Patch.

    Christian

  • In reply to QC:

    Hi Christian,

    I have done that, but the error still persists after a reboot and an update.

    It has also recreated the keys I deleted :(