Server endpoints

Our vulnerability scans are showing all our servers are out of date on AV. Below is the output of the scan as well as what the server is showing. Of course everything is green on Central. Another day another day of trying to figure out what Sophos has broken.

 

 



  • Sophos hasn't broken anything, the information from Nessus is misleading.

    Sophos Server Protection is currently using Engine Version 3.70.2; we are rolling out an update that will use Engine Version 3.72.1

    Stephen

  • My apologies, but can you tell me why all the policy received are so out of date? A critical vulnerability on 100's of servers really isn't misleading, I would say it's wrong. The questions I have are how are they wrong and what needs to happen to prevent it from happening again.

     

    How does Nessus know what the latest version should be?  All our software tracking software cannot tell the difference between server and workstation Sophos installs.

     

    So how does Nessus know the difference between a workstation and server version of Sophos?  

  • Hello, I don't know enough about Nessus to comment on how it determines workstations vs servers. Apologies, I had overlooked your policy image; it is strange that the server hasn't received policy since the 18th June.

    Is the policy issue common to all endpoints (or servers) or just one? If it is all, it would indicate an issue connecting to Sophos Central for all devices, an issue on only one might indicate an issue just with the MCS service on that device. 

    Regards,

    Stephen

  • It is on all the servers on all 8 of our central instances.  

     

    I am trying to apply vulnerability scan logic to this and please tell me if I am correct regarding how Sophos endpoints work. 

     

    1. Server and workstation Sophos updates are on different schedules.

    2. Server OS can only install server version of Sophos, and same for workstation.

    3. If I am scanning for correct version of Sophos I need to first figure out if it's a workstation or server OS and then compare the file in the first screenshot?

     

    I will open a ticket with Tenable, but the more info I give them the quicker it will be fixed.  I will attach this thread with your response to the ticket I create to help it along.

     

    Thanks again for your help and sorry for jumping the gun.  It's been a rough night.

  • The Endpoint Self Help tool just passes the log files of MCS (C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs\) to display that policy information.

    Are you changing policies that often for a new policy to be delivered? If you haven't changed a policy recently, then I would expect as the MCS logs rotate out, then it ends up saying not since as it doesn't have any more recent info than the oldest log line.
     
    The policies that come down to the endpoint are stored here:

    C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\

    I assume none of those files have been updated either?  If you wanted to check, you could always make an innocuous change to a policy and then see it change.

    Regards,
    Jak
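
One way to run the check described in the reply above, as an added example that is not part of any post in this thread and is not Sophos tooling. It uses only the two directories quoted in the reply; reading them from an elevated prompt, recursing into subfolders, and treating file timestamps as an approximation of log coverage are assumptions.

```powershell
# Added example: compare retained MCS log history with the newest policy file on disk.
$logDir    = 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs'
$policyDir = 'C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage'

function Get-Files {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return @()
    }
    # -Recurse because policy files may sit in subfolders (assumption).
    @(Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue)
}

$logs     = @(Get-Files $logDir)
$policies = @(Get-Files $policyDir)

if ($logs.Count -eq 0 -or $policies.Count -eq 0) {
    Write-Warning 'Nothing to compare; run elevated and confirm both paths exist.'
    return
}

# Approximate start of retained log history: earliest creation time of any log file.
$logStart     = ($logs | Sort-Object CreationTime  | Select-Object -First 1).CreationTime
$logEnd       = ($logs | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
$newestPolicy = $policies | Sort-Object LastWriteTime | Select-Object -Last 1

# Ten most recently written policy files, newest first.
$policies | Sort-Object LastWriteTime -Descending |
    Select-Object -First 10 LastWriteTime, Length, FullName |
    Format-Table -AutoSize

"Log files cover roughly : $logStart -> $logEnd"
"Newest policy file write: $($newestPolicy.LastWriteTime)  ($($newestPolicy.Name))"

if ($newestPolicy.LastWriteTime -lt $logStart) {
    'Newest policy file predates the retained logs; log rotation can explain the date shown.'
} else {
    'A policy file was written inside the retained log window; look for its delivery in the MCS logs.'
}
```

Running it again after an innocuous policy change in Central should show the newest policy write time move forward if delivery is working.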

  • Hello,

    1. Server and workstation Sophos updates are on different schedules

    The updates to components in the Server and Workstation products are not tied together, therefore one may update before another. 

    2. Server OS can only install server version of Sophos, and same for workstation

    Correct

    3. If I am scanning for correct version of Sophos I need to first figure out if it's a workstation or server OS and then compare the file in the first screenshot?

    We publish the component versions in our release notes: https://www.sophos.com/en-us/support/endpoint-release-notes/windows.aspx , this will enable you to check the latest versions of the components you are reporting on

  • I am putting the issue back in your court.  

    My server current status

    The link you sent me shows

     

    So either someone is posting about the updates before they are released or my agent is not up to date even though it says it is.

     

  • Hello,

    We update our release notes when we send out the update to the first group of customers. We are currently rolling out the update to customers in small groups, this will complete within the next two weeks.

    Regards,

    Stephen

  • I understand why you are pushing updates out in waves, but for everyone out there that has vulnerability scanners it will cause a lot of issues. There needs to be a way to let companies like Tenable and other vuln scanners know that the current version isn't out of date until you push the updated version to all customers.
