
Overview

Sonus recommends the following antivirus and ransomware protection software for the ASM/SBA (WS 2008R2 and WS 2012R2):

  • Sophos Server Protection for Virtualization, Windows and Linux
  • Sophos Endpoint Exploit Prevention

Note that these are Sophos marketing titles. Depending on the country and partner/reseller, the names could differ. For example, one partner website shows the product names as Sophos Server Protection for Windows, Linux and vShield.

Sophos AV software consists of a Management Interface (Console + Server + Update Manager) that runs on a separate Windows Server, and Antivirus (Agent) software that runs on the ASM/SBA.

We recommend running the Management Interface and Antivirus separately to conserve CPU processing in ASM/SBA.

Prerequisites

  • Server running with the Sophos Management Server and Console.
  • Network connectivity exists between this server and the ASM node, and the server is ready to manage the antivirus installation.
  • This document assumes installation on the ASM/SBA running on Windows Server 2012 R2.

Installing Sophos

For detailed installation instructions, refer to Sophos documentation at https://docs.sophos.com/esg/enterprise-console/tools/deployment_guide/en-us/index.html.

Here are the key steps performed when installing:

| Task | Covered in Sophos Deployment Guide | Covered on This Wiki Page |
|---|---|---|
| Download the Enterprise Console installer | ✓ | |
| Check the system requirements | ✓ | |
| Create the accounts you need | ✓ | |
| Prepare for installation | ✓ | |
| Install the Enterprise Console | ✓ | |
| Download security software | ✓ | |
| Create computer groups | ✓ | |
| Set up security policies | ✓ | |
| Search for computers | ✓ | |
| Prepare to protect computers | ✓ | |
| Protect computers | ✓ | |
| Check the health of your network | ✓ | |
| Add Exclusions | | ✓ |
| Activate Exploit Prevention | | ✓ |
| Protect the ASM | | ✓ |

Activate Exploit Protection

The following are the steps to protect the ASM:

  1. Adding Exclusions
  2. Activating Exploit Prevention
  3. Protecting the ASM

Adding Exclusions (AntiVirus File/Folder Scan Exclusion List)

Create the antivirus and Host Intrusion Prevention System (HIPS) policy with the file and folder exclusions recommended by Microsoft for SBA deployments.

On-Access Scan Settings

 

  • C:\windows\SoftwareDistribution\Datastore\

  • C:\windows\SoftwareDistribution\Datastore\Logs\

  • C:\Windows\security\database\*.edb

  • C:\Windows\security\database\*.sdb

  • C:\Windows\security\database\*.log

  • C:\Windows\security\database\*.chk

  • C:\Windows\security\database\*.jrs

  • C:\Windows\System32\LogFiles\

  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\

  • C:\UX\PUBLIC\LOGS\
  • C:\Program Files\Microsoft Lync Server 2010\
  • C:\Program Files\Microsoft Lync Server 2013\
  • C:\Program Files\Skype for Business Server 2015\

  • C:\Program Files\Common Files\Microsoft Lync Server 2010\

  • C:\Program Files\Common Files\Microsoft Lync Server 2013\

  • C:\Program Files\Common Files\Skype for Business Server 2015\

  • C:\Program Files\Microsoft SQL Server\MSSQL11.LYNCLOCAL\MSSQL\Binn\SQLServr.exe

  • C:\Program Files\Microsoft SQL Server\MSSQL12.LYNCLOCAL\MSSQL\Binn\SQLServr.exe

  • C:\Program Files\Microsoft SQL Server\MSSQL11.RTCLOCAL\MSSQL\Binn\SQLServr.exe

  • C:\Program Files\Microsoft SQL Server\MSSQL12.RTCLOCAL\MSSQL\Binn\SQLServr.exe

  • ABServer.exe

  • UXSBA.exe
  • ClsAgent.exe

  • LysSvc.exe

  • MediationServerSvc.exe

  • ReplicaReplicatorAgent.exe

  • ReplicationApp.exe

  • RtcHost.exe

  • RTCSrv.exe

  • Fabric.exe

  • FabricDCA.exe

  • FabricHost.exe

Note that the preceding list of items can be saved in a file using Notepad and imported into exclusions.
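To check the list against a particular ASM node before importing it, the following added example (not Sonus or Sophos code) classifies each entry and reports whether it matches anything on that node. The function name Get-ExclusionReport and the file name asm-exclusions.txt are assumptions; only built-in Windows PowerShell cmdlets are used.

```powershell
# Added example: audit exclusion entries on an ASM node before importing them.
# Requires Windows PowerShell 3.0 or later; run elevated so system folders
# and process paths are readable.

function Get-ExclusionReport {
    param([string[]]$Entries)

    foreach ($raw in $Entries) {
        $entry = $raw.Trim()
        if (-not $entry) { continue }            # skip blank lines
        $detail = ''

        if ($entry -notmatch '^[A-Za-z]:\\') {
            # Bare file name (e.g. RtcHost.exe): excluded by name, so list
            # the paths it is actually running from on this node.
            $name  = [IO.Path]::GetFileNameWithoutExtension($entry)
            $paths = @(Get-Process -Name $name -ErrorAction SilentlyContinue |
                       ForEach-Object { $_.Path } | Where-Object { $_ } |
                       Sort-Object -Unique)
            $kind = 'ProcessName'; $present = $paths.Count -gt 0
            $detail = $paths -join '; '
        }
        elseif ($entry.EndsWith('\')) {
            $kind = 'Folder'
            $present = Test-Path -LiteralPath $entry -PathType Container
        }
        elseif ($entry -match '[*?]') {
            $kind = 'Wildcard'                   # true if any file matches
            $present = Test-Path -Path $entry -PathType Leaf
        }
        else {
            $kind = 'File'
            $present = Test-Path -LiteralPath $entry -PathType Leaf
        }

        [pscustomobject]@{ Entry = $entry; Kind = $kind
                           Present = $present; Detail = $detail }
    }
}

# Sample input: a few entries copied from the list above. To audit the full
# list, use: Get-Content .\asm-exclusions.txt  (hypothetical file name)
$sample = @(
    'C:\Windows\security\database\*.edb'
    'C:\Program Files\Microsoft Lync Server 2010\'
    'C:\Program Files\Microsoft SQL Server\MSSQL12.RTCLOCAL\MSSQL\Binn\SQLServr.exe'
    'RtcHost.exe'
)
Get-ExclusionReport -Entries $sample | Format-Table -AutoSize -Wrap
```

Rows with Present = False match nothing on this node. For ProcessName rows, Detail shows where the excluded executable is actually running from, which can be compared against the product folders in the list.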

Activating Exploit Prevention

Key in the Exploit Prevention credentials and activate it by performing the following steps:

  1. Open the console and click View and then Update Managers.
     (Figure: Select Update Managers)
  2. In the Update managers pane, click the appropriate computer name and then View/Edit Configuration.
     (Figure: Select View/Edit Configuration)
  3. Click Sources > Edit. When the Source Details dialog box opens, apply the credentials and then click OK.
     (Figure: Enter Your Credentials)
  4. In the Sophos Enterprise Console - Protect Computers Wizard, select Exploit Prevention, Sophos Clean and then click Next.
     (Figure: Select Features)

Protecting the ASM

  1. Create a group.
  2. Add the ASM node into the group.
     Note: Make sure to choose the Exclusion policy for the group and select Exploit Prevention only.
     This will install the Agent software with Exploit Prevention and also apply the Exclusions.
     (Figures: Discover With Active Directory; Discover Computers)
  3. Log on to the ASM node.
  4. Confirm the Exclusion on the Agent (Configure antivirus / On-access scanning / Exclusion).
  5. Confirm the Exploit Prevention on the Agent (View product information).
