
schedule Sophos software updates

Hi,

 

Currently I see options are to pause or set updates to manual. We got a customer requesting Sophos software updates only happen after hours. Does anyone know if this can be configured?

 

JT



  • Definitely interested in this one as well.  I don't mind def updates whenever, but not being able to schedule other updates is a serious missing for an enterprise solution (and having my servers go red because they took an update, but our change window to trigger a reboot is three weeks out is annoying).

    I wonder if there's a way to disable automatic updates, but then manually trigger it through a command line.  You could then deploy an application through SCCM (using a script detection method), that would trigger the update within your maintenance window...  That's more work than we should have to do, but could do the trick.

  • Hello Steve Custer,

    manually trigger [a product update] through a command line
    I'm not aware that AutoUpdate has two modes - definition and product updates - let alone that you could trigger them individually.
    Couldn't Controlled Updates in principle provide the functionality you need? Admittedly, as a global setting it doesn't provide granularity, thus you'd have to delay product updates for all your endpoints and you can have only one maintenance window.

    Christian

  • When we questioned our Sophos contacts about the "Reboot required to complete update" messages we were getting we were told that we would continue to get definition updates, but no other software updates would be applied, nor would the advanced stuff (InterceptX, etc) kick in.  Further, most AV products differentiate between def updates and product updates.

    I have almost no problem with uncontrolled definition updates, but we definitely need to be able to control when new versions of the software are installed, more granularly than what you have available currently.

  • The settings in the policy are better than nothing, but I would like to be able to configure it for after-hours for every day, not just have to pick one day of the week. I suppose to go around this limitation we could create 7 copies of this policy for each day of the week.

  • Hello JT,

    can't say how it's implemented, i.e. how this functionality is achieved. AFAIK the endpoint's AutoUpdate (AU) has no timer logic (except the regular schedule) so I guess (but might be completely wrong) it can either request any updates (including software/product), which is the default, or the installed version that translates to don't offer me product updates until my installed version is expired. And the policy tells AU what to request. Turn on/turn off would require additional logic in the cloud and turn off would not be guaranteed to work.

    for after-hours for every day
    as said, I'm not familiar with Central Admin - so you can select just one day?
    7 copies of this policy
    even if you are able to assign all of them to a computer or group they won't be merged - only one of them will win and it'll always be the same.

    Christian

  • Hello Steve Custer,

    no other software updates would be applied
    not sure what they could mean by other software updates (if this is indeed their wording). The AV proper (definitions and software) updates dynamically, the reboot requirement comes from those components that inject a DLL. Naturally processes have to be restarted in order to pick up the new DLL and for certain system processes it has to be done with a reboot. Most components nevertheless continue to update, HMPA is an exception (dunno about the other newfangled components not available in the on-premise product), if a new version comes out while the previous one has not yet been installed (i.e. the reboot is still pending) it will not be downloaded and you'll see a download error.
    Please note that, AFAIK, like the definition updates HMPA is independent of the product version and thus not subject to Controlled Updates.

    Christian