This page does not apply to SBC 1000/2000 Cloud Link units featuring the Microsoft® Cloud Connector Edition application and Intel® Xeon® CPUs, because Microsoft defines alternative procedures to protect against malware.
Overview
Ribbon recommends deploying an approved third-party anti-malware solution on SBC 1000/2000 units with an SBA ASM (an Applications Solutions Module running the Skype for Business/Lync 2013 Survivable Branch Appliance application) as an added security measure to inspect the devices for, and cleanse them of, viruses and ransomware such as the 2017 WannaCry (https://en.wikipedia.org/wiki/WannaCry_ransomware_attack) and Petya attacks.
Ribbon approves the following antivirus and ransomware protection software for any SBC 1000 or SBC 2000 unit with an Applications Solutions Module shipped with a Microsoft® Skype for Business/Lync Survivable Branch Appliance (SBA) application.
- Sophos® Server Protection for Virtualization, Windows and Linux
- Sophos Endpoint Exploit Prevention
Note that these are Sophos marketing titles. Depending on the country and partner/reseller, the orderable product names may differ. For example, one partner website shows the product names as Sophos Server Protection for Windows, Linux and vShield.
Sophos anti-malware software consists of a Management Interface (Console + Server + Update Manager), which runs on a separate Windows Server, and the Antivirus (Agent) software, which runs on the ASM/SBA.
Prerequisites
We recommend running the Management Interface and the Antivirus agent on separate machines to conserve CPU processing on the ASM/SBA.
- Ribbon requires a separate off-board server (distinct and separate from the SBC 1000/2000 ASM) as the execution platform for the Sophos Management Interface. This deployment model provides the following benefits:
  - A single management interface can manage multiple SBC 1000/2000 units with an SBA.
  - The Sophos Agent alone adds minimal extra processing load to the SBC 1000/2000 ASM.
- Deploying the Sophos management interface on the SBC 1000/2000 ASM is not supported.
- The management server must be reachable from the ASM node and ready to manage the antivirus installation.
- This document assumes installation on an ASM/SBA running Windows Server 2008 R2 or Windows Server 2012 R2.
Supported Versions
Installing the Approved Sophos Anti-Malware Solution to Protect SBC 1000/2000 With SBAs
You do not need to configure or modify the ASM in order to install Sophos.
Here are the key steps performed when installing:
Task | Installation instructions covered in the Sophos deployment guide | Installation instructions unique to the Ribbon SBAs
---|---|---
Download the Enterprise Console installer | Yes |
Check the system requirements | Yes |
Create the accounts you need | Yes |
Prepare for installation | Yes |
Install the Enterprise Console | Yes |
Download security software | Yes |
Create computer groups | Yes |
Set up security policies | Yes |
Search for computers | Yes |
Prepare to protect computers | Yes |
Protect computers | Yes |
Check the health of your network | Yes |
Add Exclusions | | Yes
Activate Exploit Prevention | | Yes
Protect the ASM | | Yes
Installation Instructions Unique to the Ribbon SBAs
The following are the steps to protect the SBC Edge device with an SBA-targeted ASM:
- Activating Exploit Prevention
- Protecting the ASM
- Adding Exclusions (AntiVirus File/Folder Scan Exclusion List)
Adding Exclusions (AntiVirus File/Folder Scan Exclusion List)
Create the antivirus and Host Intrusion Prevention System (HIPS) policy with the file and folder exclusions that Microsoft recommends for SBA deployments.
Folders and files:
- C:\windows\SoftwareDistribution\Datastore\
- C:\windows\SoftwareDistribution\Datastore\Logs\
- C:\Windows\security\database\*.edb
- C:\Windows\security\database\*.sdb
- C:\Windows\security\database\*.log
- C:\Windows\security\database\*.chk
- C:\Windows\security\database\*.jrs
- C:\Windows\System32\LogFiles\
- C:\Windows\Microsoft.NET\assembly\GAC_MSIL\
- C:\UX\PUBLIC\LOGS\
- C:\Program Files\Microsoft Lync Server 2010\
- C:\Program Files\Microsoft Lync Server 2013\
- C:\Program Files\Skype for Business Server 2015\
- C:\Program Files\Common Files\Microsoft Lync Server 2010\
- C:\Program Files\Common Files\Microsoft Lync Server 2013\
- C:\Program Files\Common Files\Skype for Business Server 2015\
- C:\Program Files\Microsoft SQL Server\MSSQL11.LYNCLOCAL\MSSQL\Binn\SQLServr.exe
- C:\Program Files\Microsoft SQL Server\MSSQL12.LYNCLOCAL\MSSQL\Binn\SQLServr.exe
- C:\Program Files\Microsoft SQL Server\MSSQL11.RTCLOCAL\MSSQL\Binn\SQLServr.exe
- C:\Program Files\Microsoft SQL Server\MSSQL12.RTCLOCAL\MSSQL\Binn\SQLServr.exe
Processes:
- ABServer.exe
- UXSBA.exe
- ClsAgent.exe
- LysSvc.exe
- MediationServerSvc.exe
- ReplicaReplicatorAgent.exe
- ReplicationApp.exe
- RtcHost.exe
- RTCSrv.exe
- Fabric.exe
- FabricDCA.exe
- FabricHost.exe
Note that the preceding list can be saved to a file using any simple third-party text editor and then imported into the exclusions.
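Every exclusion is a gap in on-access scanning, so it is worth checking a list like the one above before importing it. The following Python check is an added example, not part of this Ribbon document or the Sophos product: it parses an exclusion list in the form above, drops duplicates, classifies each entry, and flags entries that are not absolute Windows paths or executable names, or that would exclude far more than the SBA needs. The sample list, the minimum folder depth and the classification rules are assumptions.

```python
import ntpath
import re

# Constructed sample: a few entries from the SBA exclusion list above plus
# two deliberately over-broad entries to show what the check flags.
SAMPLE_EXCLUSIONS = """
C:\\windows\\SoftwareDistribution\\Datastore\\
C:\\Windows\\security\\database\\*.edb
C:\\Program Files\\Microsoft SQL Server\\MSSQL12.RTCLOCAL\\MSSQL\\Binn\\SQLServr.exe
UXSBA.exe
C:\\
C:\\Program Files\\*
"""

MIN_FOLDER_DEPTH = 2  # assumption: a folder exclusion shallower than this is too broad

def classify(entry):
    """Return 'process', 'folder', 'file-pattern', 'file' or 'invalid'."""
    if re.fullmatch(r"[A-Za-z0-9_.-]+\.exe", entry):
        return "process"            # bare executable name, no path given
    if not re.match(r"^[A-Za-z]:\\", entry):
        return "invalid"            # SBA exclusions are absolute Windows paths
    if entry.endswith("\\"):
        return "folder"
    if "*" in entry or "?" in entry:
        return "file-pattern"
    return "file"

def path_depth(entry):
    """Number of path components below the drive letter."""
    return len([p for p in entry.split("\\")[1:] if p])

def audit_exclusions(text):
    """Parse an exclusion list; return (clean_entries, warnings)."""
    clean, warnings, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.strip().lstrip("- ").strip()   # tolerate list bullets
        if not entry or entry.lower() in seen:
            continue
        seen.add(entry.lower())
        kind = classify(entry)
        if kind == "invalid":
            warnings.append(f"{entry}: not an absolute path or .exe name")
        elif kind == "folder" and path_depth(entry) < MIN_FOLDER_DEPTH:
            warnings.append(f"{entry}: folder exclusion is too broad")
        elif kind == "file-pattern" and ntpath.basename(entry) == "*":
            warnings.append(f"{entry}: bare '*' excludes an entire tree")
        else:
            clean.append((kind, entry))
    return clean, warnings
```

Entries returned in `clean` are the ones to import; each warning names an entry to narrow or remove before the policy is applied.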
Activating Exploit Prevention
Enter the Exploit Prevention credentials and activate it by performing the following steps:
Step | Action
---|---
1 | Open the console and click View and then Update Managers.
2 | In the Update managers pane, click the appropriate computer name and then View/Edit Configuration.
3 | Click Sources > Edit. When the Source Details dialog box opens, apply the credentials and then click OK.
4 | In the Sophos Enterprise Console - Protect Computers Wizard, select Exploit Prevention, Sophos Clean and then click Next.
Protecting the ASM
Step | Action
---|---
1 | Create a group.
2 | Add the ASM node to the group. Note: make sure to choose the Exclusion policy for the group and select Exploit prevent only. This installs the Agent software with Exploit Prevention and also applies the exclusions.
3 | To verify the installation, log on to the ASM node over a Remote Desktop Connection.
4 | Find and open the installed Sophos program and then navigate to Configure antivirus > On-access scanning > Exclusion to verify the exclusions you added in Adding Exclusions (AntiVirus File/Folder Scan Exclusion List).
5 | Confirm that Exploit prevention is active on the Agent by viewing its listing under View Product Information.
Sophos Anti-Malware Operation Modes
Continuous Operation:
- Sophos Anti-Malware runs in the background and continuously protects the ASM in real time.
- Sophos Anti-Malware contributes a negligible additional load on the CPU. The SBC ASM can be driven to maximum call capacities without regard to the Sophos software.
Full-Scan Operation:
- Sophos Anti-Malware can perform a complete system scan ("full scan"); schedule the full scan according to Sophos instructions.
- When performing a full scan, Sophos Anti-Malware uses a significant proportion of RAM and CPU resources, so full scans should be scheduled for off-peak periods.