suitable product for scanning files, folders on RHEL with no internet connectivity


Hello

We are looking for a suitable Sophos product for our use case. We have gone through the documentation; however, we would like to confirm the points below:

Use case:
a. System is RHEL 7.9 and RHEL 9
b. Looking for an on-demand scan capability to scan files/folders over an NFS file system
c. Should not be required to connect to any external servers (our systems have no internet connectivity)
d. Signature-based scanning method, so that it is possible to download the databases to our systems regularly
e. Scan result should be readable/parsable

Following are the questions:
1) There is a product called "Sophos Protection for Linux". However, it seems that product installation and operation require connectivity to Sophos Central?
If true, our case (c) above won't be satisfied; please confirm.

2) If it is true that the system needs connectivity to Sophos Central, what specific domains and ports need to be opened on our side to be able to use on-demand file/folder scanning?
https://docs.sophos.com/central/customer/help/en-us/PeopleAndDevices/ProtectDevices/DomainsPorts/index.html#remote-assistance

The page above has information related to this; however, it does not talk about Sophos Protection for Linux specifically.

3) What kind of data does Sophos Central fetch from the systems where Sophos Protection for Linux is installed?

4) Could you briefly describe the scanning technique used in the on-demand scan? Is it signature-based or ...?

5) Is there any way we could use the on-demand scan without connecting to your servers, running it locally with the latest antivirus databases?



[edited by: GlennSen at 2:44 PM (GMT -7) on 3 Sep 2024]
  • Hi Kumar Bavandla,

    Thanks for reaching out to the Sophos Community Forum. 

    Related to your questions, it may be best for you to connect with one of our Sophos Sales Engineers so more in-depth answers can be provided. I will try my best to provide some information and resources below. 

    1. A direct network connection to the internet is not necessary. However, the Linux system will need to communicate with an Update Cache & Message Relay (UC/MR). The UC/MR will need to reach Sophos Central. This can be accomplished by ensuring the necessary domains/ports are whitelisted for this UC/MR system.

    2. When unknown/new files are encountered, some file telemetry will be sent to Sophos Central and Sophos Labs to check against the latest threat detection data. This communication will pass through the UC/MR.

    3. If you have a Sophos XDR License, data will regularly be queried from the system. Additional information on the data fields can be found at the following link. If you don't have an XDR License, this will not be relevant and the data sent to Sophos Central will be minimal/related to events and detections.
      https://docs.sophos.com/central/References/schemas/index.html?schema=xdr_schema_docs

    4. Sophos Protection for Linux offers on-access/signature-based scanning and runtime detection. The following link provides some information.
      https://docs.sophos.com/esg/spl/en-us/help/ServerProtectionAgentTestDetectionFeatures/index.html

    5. It is possible to perform an on-demand scan locally if a system is disconnected from the internet. The device must be brought back online to update either by connecting to the UC/MR to update or via other means.

    Much of the appeal of Sophos Central is the ability to manage and monitor your environment from the web. In an ideal situation, the Update Cache and Message Relay will be used to maintain this connection so that you are immediately aware of any security concerns/detections. 

    Please feel free to reach out to me via private message, and I can help connect you with your regional Sales Engineering team.

    Another solution, which will allow for more granular configuration and setup, is "SAV-DI". This solution is only available to OEMs at the moment, but if you would like to be put in touch with our OEM team to discuss implementation, do let me know.

    Kushal Lakhan
    Team Lead, Global Community Support