Warning

This page does not apply to SBC 1000/2000 Cloud link units featuring the Microsoft® Cloud Connector Edition application and Intel® Xeon® CPUs, because Microsoft defines alternative procedures to protect against malware.

Overview

Sonus recommends deploying an approved third party anti-malware solution on SBC 1000/2000 units with an ASM running the SBA (an Applications Solutions Module running the Skype for Business/Lync 2013 Survivable Branch Appliance application), as an added security measure to inspect devices and “cleanse” them of viruses and ransomware, such as the 2017 WannaCry (https://en.wikipedia.org/wiki/WannaCry_ransomware_attack) and Petya attacks.

Sonus approves the following antivirus and ransomware protection software for the ASM/SBA (WS 2008R2 and WS 2012R2), that is, any SBC 1000 or SBC 2000 unit with an Applications Solutions Module shipped with a Microsoft® Skype for Business/Lync Survivable Branch Appliance (SBA) application:

  • Sophos® Server Protection for Virtualization, Windows and Linux
  • Sophos Endpoint Exploit Prevention

Note that these are Sophos marketing titles. Depending on the country and partner/reseller, the orderable product names may differ. For example, one partner website lists the product as Sophos Server Protection for Windows, Linux and vShield.

Sophos AV antimalware software consists of a Management Interface (Console + Server + Update Manager) that runs on a separate Windows Server, and Antivirus (Agent) software that runs on the ASM/SBA.

Prerequisites

Info

We recommend running the Management Interface and Antivirus on separate systems to conserve CPU processing on the ASM/SBA.


  • Sonus requires a separate off-board server (distinct from the SBC 1000/2000 ASM) as the execution platform for the Sophos Management Interface. This deployment model provides the following benefits:
    • A single management interface can manage multiple SBC 1000/2000s with the SBA.
    • The Sophos Agent minimizes the extra processing load on the SBC 1000/2000's ASM.
Warning

The deployment of the Sophos management interface on the SBC 1000/2000 ASM is not supported.

 

  • A server running the Sophos Management Server and Console.
  • The server is reachable from the ASM node and is ready to manage the antivirus installation.
  • This document assumes installation on the ASM/SBA running on Windows Server 2008 R2 and Windows Server 2012 R2.

Installing the Approved Sophos Anti-Malware Solution to Protect SBC 1000/2000 With SBAs

 

Note

You do not need to configure or modify the ASM in order to install Sophos.

Info: You'll Perform Most of the Install Steps on a 3rd Party Server

The deployment of the approved Sophos anti-malware solution occurs almost entirely on a third party server, and is largely related to configuration settings on the management interface.

For installation instructions not covered in this article, refer to Sophos documentation at https://docs.sophos.com/esg/enterprise-console/tools/deployment_guide/en-us/index.html.

 

Here are the key steps performed when installing. Installation instructions for the first group are covered in the Sophos Deployment Guide; instructions for the second group are unique to the Sonus SBAs and are covered in this wiki article.

Covered in the Sophos Deployment Guide:

  • Download the Enterprise Console installer
  • Check the system requirements
  • Create the accounts you need
  • Prepare for installation
  • Install the Enterprise Console
  • Download security software
  • Create computer groups
  • Set up security policies
  • Search for computers
  • Prepare to protect computers
  • Protect computers
  • Check the health of your network

Unique to the Sonus SBAs (covered in this wiki article):

  • Add Exclusions
  • Activate Exploit Prevention
  • Protect the ASM

Installation Instructions Unique to the Sonus SBAs

The following are the steps to protect the SBC Edge device with an SBA-targeted ASM:

  1. Adding Exclusions.
  2. Activating Exploit Prevention.
  3. Protecting the ASM.

Adding Exclusions (AntiVirus File/Folder Scan Exclusion List)

Create the antivirus and Host Intrusion Prevention System (HIPS) policy with the file and folder exclusions that Microsoft recommends for SBA deployments.

Figure: On-Access Scan Settings

  • C:\windows\SoftwareDistribution\Datastore\
  • C:\windows\SoftwareDistribution\Datastore\Logs\
  • C:\Windows\security\database\*.edb
  • C:\Windows\security\database\*.sdb
  • C:\Windows\security\database\*.log
  • C:\Windows\security\database\*.chk
  • C:\Windows\security\database\*.jrs
  • C:\Windows\System32\LogFiles\
  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\
  • C:\UX\PUBLIC\LOGS\
  • C:\Program Files\Microsoft Lync Server 2010\
  • C:\Program Files\Microsoft Lync Server 2013\
  • C:\Program Files\Skype for Business Server 2015\
  • C:\Program Files\Common Files\Microsoft Lync Server 2010\
  • C:\Program Files\Common Files\Microsoft Lync Server 2013\
  • C:\Program Files\Common Files\Skype for Business Server 2015\
  • C:\Program Files\Microsoft SQL Server\MSSQL11.LYNCLOCAL\MSSQL\Binn\SQLServr.exe
  • C:\Program Files\Microsoft SQL Server\MSSQL12.LYNCLOCAL\MSSQL\Binn\SQLServr.exe
  • C:\Program Files\Microsoft SQL Server\MSSQL11.RTCLOCAL\MSSQL\Binn\SQLServr.exe
  • C:\Program Files\Microsoft SQL Server\MSSQL12.RTCLOCAL\MSSQL\Binn\SQLServr.exe
  • ABServer.exe
  • UXSBA.exe
  • ClsAgent.exe
  • LysSvc.exe
  • MediationServerSvc.exe
  • ReplicaReplicatorAgent.exe
  • ReplicationApp.exe
  • RtcHost.exe
  • RTCSrv.exe
  • Fabric.exe
  • FabricDCA.exe
  • FabricHost.exe

Note that the preceding list of items can be saved in a file using Notepad or another simple text editor and then imported into the exclusions.
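A pre-import check for that exclusion file, added here as an example (it is not Sonus or Sophos code): it assumes the file path shown, embeds a constructed subset of the list above so it runs stand-alone, and reports which entries exist on the ASM and which are broad process-name exclusions.

```powershell
# Added example, not part of the Sonus page or of any Sophos tool. Run it on
# the ASM/SBA node before importing the exclusion file saved as described above.
# It classifies each entry, checks whether it exists on this host, and warns
# about bare process-name exclusions, which apply wherever a binary of that
# name runs. $ListFile is an assumed location; $SampleEntries is a constructed
# subset of the page's list so the script runs stand-alone.
$ListFile = 'C:\Temp\sophos-sba-exclusions.txt'
$SampleEntries = @(
    'C:\windows\SoftwareDistribution\Datastore\'
    'C:\Windows\security\database\*.edb'
    'C:\UX\PUBLIC\LOGS\'
    'C:\Program Files\Microsoft SQL Server\MSSQL11.RTCLOCAL\MSSQL\Binn\SQLServr.exe'
    'C:\Program Files\Microsoft SQL Server\MSSQL12.RTCLOCAL\MSSQL\Binn\SQLServr.exe'
    'UXSBA.exe'
    'RTCSrv.exe'
)
if (-not (Test-Path $ListFile)) {
    New-Item -ItemType Directory -Path (Split-Path $ListFile) -Force | Out-Null
    $SampleEntries | Set-Content -Path $ListFile -Encoding ASCII
}

function Get-ExclusionKind([string]$Entry) {
    if ($Entry -notmatch '\\')  { return 'process-name' }  # e.g. RTCSrv.exe
    if ($Entry -match '\*')     { return 'file-pattern' }  # e.g. *.edb
    if ($Entry.EndsWith('\'))   { return 'directory' }
    return 'file'                                          # one specific binary
}

$Report = foreach ($Line in (Get-Content $ListFile | Where-Object { $_.Trim() })) {
    $Entry = $Line.Trim()
    $Kind  = Get-ExclusionKind $Entry
    if ($Kind -eq 'process-name') {
        $Name    = [IO.Path]::GetFileNameWithoutExtension($Entry)
        $Present = $null -ne (Get-Process -Name $Name -ErrorAction SilentlyContinue)
    } else {
        $Present = Test-Path -Path $Entry   # wildcard patterns are honoured
    }
    New-Object PSObject -Property @{ Kind = $Kind; PresentOnHost = $Present; Entry = $Entry }
}

$Report | Sort-Object Kind, Entry | Format-Table -AutoSize Kind, PresentOnHost, Entry

# A process-name exclusion is broad (any binary with that name, from any path),
# so review any that are not actually running on this host before importing.
$Report | Where-Object { $_.Kind -eq 'process-name' -and -not $_.PresentOnHost } |
    ForEach-Object { Write-Warning ("Process exclusion not running on this host: {0}" -f $_.Entry) }
```

Entries reported as missing are harmless to import, but they are worth checking for typos, and only the SQL instance path that exists on the host is actually in use.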

Activating Exploit Prevention

Enter the Exploit Prevention credentials and activate it by performing the following steps:

  1. Open the console and click View and then Update Managers.
     Figure: Select Update Managers
  2. In the Update managers pane, click the appropriate computer name and then View/Edit Configuration.
     Figure: Select View/Edit Configuration
  3. Click Sources > Edit. When the Source Details dialog box opens, apply the credentials and then click OK.
     Figure: Enter Your Credentials
  4. In the Sophos Enterprise Console - Protect Computers Wizard, select Exploit Prevention and Sophos Clean, and then click Next.
     Figure: Select Features

Protecting the ASM

  1. Create a group.
  2. Add the ASM node into the group.
     Note: Make sure to choose the Exclusion policy for the group and select Exploit prevention only. This installs the Agent software with Exploit Prevention and also applies the exclusions.
     Figure: Discover With Active Directory
     Figure: Discover Computers
  3. To verify the installation, log on to the ASM node by establishing a Remote Desktop Connection.
  4. Confirm the exclusions on the Agent: find and open the installed Sophos program, then navigate to Configure antivirus > On-access scanning > Exclusions to verify the exclusions you added in Adding Exclusions (AntiVirus File/Folder Scan Exclusion List).
  5. Confirm that Exploit Prevention is active on the Agent by viewing its listing under View Product Information.

 

Sophos Anti-Malware Operation Modes

Differences Between Continuous and Full-Scan Operation

Continuous Operation:

  • Sophos Anti-Malware runs in the background and continuously protects the ASM in real time.
  • Sophos Anti-Malware contributes a negligible additional load on the CPU. The SBC ASM can be driven to maximum call capacities without regard to the Sophos software.

Full-Scan Operation:

  • Sophos Anti-Malware can perform a complete system scan ("full scan"); full scans should be initiated at the intervals given in the Sophos instructions.
  • When performing a full scan, Sophos Anti-Malware uses a significant proportion of RAM and CPU resources. Full scans should be scheduled for off-peak periods.
References

https://www.sophos.com/en-us/support/documentation/enterprise-console.aspx?platform=Version-5-5#Version-5-5

https://docs.sophos.com/esg/enterprise-console/5-5/help/en-us/pdf/sec_55_qsgeng.pdf

https://docs.sophos.com/esg/enterprise-console/5-5/help/en-us/pdf/sec_55_asgeng.pdf

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/sesc_10_ibpgeng.pdf?la=en
