Sophos Patch FAQs for Endpoint Protection version 10

  • Article ID: 114162
  • Updated: 26 Feb 2014

This article provides an overview of Sophos Patch Assessment and a list of questions and answers on how the Sophos Patch feature works.

We recommend you watch the video Patch Assessment in Sophos Endpoint 10.

Known to apply to the following Sophos product(s) and version(s)

Sophos Patch Agent 1.0
Sophos Endpoint Security and Control 10.0

Overview

90% of attacks can be prevented with an existing patch. Yet many computers remain at risk because patching is hard. With our Patch Assessment in Endpoint we prioritize the most critical patches for you by tying them to the threats they prevent. Our patch assessment identifies, prioritizes and scans for critical threat-related patches. And it’s integrated into our EndUser Protection, delivered in one deployment and managed from a single console.

Key features

  • One simple scan finds unpatched computers vulnerable to threats
  • Scans for Windows and other common application patches
  • We prioritize patches based on threats and likelihood of exploit—so you don’t have to
  • We make it easy to see computers missing critical patches, and to sort by patch vendor, threat, priority and more
  • Scan computers for critical patches to stop malicious threats

Patch Assessment Event Viewer:

FAQs

  1. How is Sophos Patch installed?
  2. How is Sophos Patch licensing controlled?
  3. How does SophosLabs rate the patches?
  4. Which Operating Systems does Patch currently support?
  5. Which Applications does Patch currently support?
  6. How does Sophos Patch classify a patch as missing?
  7. How large is the full data download to the Patch server?
  8. What is the size of the patch database on the management server?
  9. How much memory does the management server need, to support Sophos Patch?
  10. How long does the initial Patch data download take?
  11. Where does the Patch server download the Patch data files from?
  12. How is the status of Patch Server download indicated?
  13. How often is the Patch data updated?
  14. Is the full Patch data downloaded every time there is an update?
  15. Does Patch support air-gapped environments?
  16. How often do Endpoints scan for missing patches?
  17. How long does the Patch scan take?
  18. Will Patch scans create a noticeable impact to the endpoint user?
  19. How often do Endpoints check for new patches?
  20. How do Endpoints determine which Patch files to download?
  21. How much data is downloaded to each Endpoint to perform the Patch assessments?
  22. Do Endpoints download the full Patch data every time they update from the server?
  23. Can Endpoint Patch data be cached for remote sites with low bandwidth WAN links?
  24. How much Patch data is uploaded to the Server from an Endpoint at the end of each scan?
  25. Is the Patch data encrypted between the Server and Endpoints?
  26. Can Sophos message relays be used for Patch?

1. How is Sophos Patch installed?

Sophos Patch (also known as just "Patch") is installed as part of the single installer for Endpoint Protection (Advanced and Enterprise only), supporting the same O/S and DB platforms, and is well integrated with Sophos Enterprise Console. Patch is included by default with Endpoint Protection Enterprise and is a chargeable ‘add-on’ for Endpoint Protection Advanced.

2. How is Sophos Patch licensing controlled?

Licensing of Patch controls the management server’s ability to download Patch files from the live Sophos Patch data feed on the internet. No patches will appear in the Sophos Enterprise Console unless Patch has been licensed. If the license expires, then access to the feed will stop and the local Patch data will become more stale as each unlicensed day passes.

3. How does SophosLabs rate the patches?

SophosLabs calculates ratings for each patch based on a number of parameters:

  • Vulnerability severity – type of attack
  • Software popularity – how popular is the vulnerable software
  • Access conditions – does the attacker need to be local or remote, to exploit the vulnerability
  • Prevalence – how common are the threats that exploit the vulnerability

Patches are rated Low, Medium, High and Critical based on these parameters. Sophos recommends applying all relevant patches, but the SophosLabs rating is designed to enable a focus on patches that protect against the most active threats.

4. Which Operating Systems does Patch currently support?

Platform/Device        Edition          Architecture
                                        32-bit   64-bit
Windows 2000 SP4       AS, SVR, PRO     Y        N
Windows XP SP2, SP3    PRO              Y        Y (1)
Windows Vista          BUS, ENT, ULT    Y        Y
Windows 7              PRO, ENT, ULT    Y        Y
Windows 2003           ENT, STD, WEB    Y        Y
Windows 2008           ENT, STD, WEB    Y        Y
Windows 2008 R2        ENT, STD, WEB    N        Y

(1) Windows XP Pro SP3 supports 64-bit. Windows XP Pro SP2 does not.

5. Which Applications does Patch currently support?

Publisher           Application / Edition
Adobe               Acrobat Pro
Adobe               Acrobat Standard
Adobe               AIR
Adobe               Illustrator
Adobe               InDesign
Adobe               Macromedia Flash Player (Internet Explorer)
Adobe               Macromedia Flash Player (Other browsers)
Adobe               Photoshop
Adobe               Reader
Adobe               Shockwave Player for Windows
Apple               iTunes for Windows
Apple               Quicktime for Windows
Citrix Systems      ICA Win32 Client
Citrix Systems      Citrix Online plug-in for Windows
Microsoft           .NET Framework
Microsoft           Data Access Components (MDAC)
Microsoft           DirectX
Microsoft           Exchange Server
Microsoft           Exchange Server 2007 SP3 Update Rollups
Microsoft           Exchange Server 2010 SP1 Update Rollups
Microsoft           Expression Media
Microsoft           Expression Web
Microsoft           FrontPage Server Extension (FPSE)
Microsoft           Host Integration Server
Microsoft           Internet Explorer
Microsoft           Internet Information Service (IIS)
Microsoft           Internet Security and Acceleration Server (ISA)
Microsoft           Jet
Microsoft           MSDE
Microsoft           MSN Messenger
Microsoft           MSXML
Microsoft           Office - including desktop applications (Access, Excel, FrontPage, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word)
Microsoft           Office Viewer - including Word, Excel, PowerPoint, Visio
Microsoft           Outlook Express
Microsoft           Remote Desktop Connection Software
Microsoft           SharePoint Service
Microsoft           SharePoint Server
Microsoft           SharePoint Team Services
Microsoft           SQL Server
Microsoft           Virtual PC
Microsoft           Virtual Server
Microsoft           Visual Studio .NET
Microsoft           Visual Studio
Microsoft           Windows Installer
Microsoft           Windows Media Player
Microsoft           Windows Live Messenger
Microsoft           Windows Messenger
Microsoft           Windows Update
Microsoft           Windows Update Agent
Mozilla             Firefox
Novell              Netware Windows Client
Oracle              Java Runtime Environment (JRE)
Real Networks       RealPlayer SP
Skype               Skype
VMWare              Player
VMWare              Server
VMWare              Workstation
WinZip              WinZip

6. How does Sophos Patch classify a patch as missing?

Patches relating to the current operating system and supported applications on each endpoint computer are assessed. A status of missing is reported in the Patch Event Viewer (in the console) for missing patches. The following additional conditions apply:

  • Patch does not show later Windows service packs as missing - only patches for the current service pack level are displayed.
  • Certain applications, for example Mozilla Firefox, do not always provide security patches for the installed version and rely on updating to a later version of the application for protection against vulnerabilities. In this situation the console's event viewer may display the later version of the application as missing, for example if Firefox 9 is installed, version 10 will display as missing as it includes security related updates.
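To make the two conditions above concrete, here is an added Python model of the classification (illustrative code written for this article, not the Sophos Patch agent's own logic; the patch catalog, endpoint inventory and patch identifiers are all constructed):

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

RATING_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass(frozen=True)
class Patch:
    patch_id: str                       # constructed id, not a real KB/bulletin number
    product: str                        # OS or application name
    rating: str                         # SophosLabs-style rating
    kind: str                           # "os", "service_pack", "app_patch", "app_version"
    service_pack: Optional[int] = None  # SP level an "os" patch applies to
    version: Optional[int] = None       # version delivered by an "app_version" entry
    security_related: bool = False      # does the newer version carry security fixes?

@dataclass(frozen=True)
class Endpoint:
    name: str
    os: str
    service_pack: int
    apps: Dict[str, int]                # installed application -> major version
    installed_patches: FrozenSet[str] = frozenset()

def missing_patches(ep: Endpoint, catalog: List[Patch]) -> List[Patch]:
    """Catalog entries the console would report as missing for ep, Critical first."""
    missing = []
    for p in catalog:
        if p.patch_id in ep.installed_patches or p.kind == "service_pack":
            continue  # rule 1: a later service pack itself is never reported missing
        if p.kind == "os":
            # rule 1: only patches for the endpoint's current SP level are assessed
            if p.product == ep.os and p.service_pack == ep.service_pack:
                missing.append(p)
        elif p.product in ep.apps:
            if p.kind == "app_patch":
                missing.append(p)
            # rule 2: a newer version is "missing" only if it is a security update
            elif p.security_related and p.version > ep.apps[p.product]:
                missing.append(p)
    return sorted(missing, key=lambda p: RATING_RANK[p.rating])

# Constructed sample data: an XP SP2 machine running Firefox 9 and Adobe Reader 10.
CATALOG = [
    Patch("OS-SP2-001", "Windows XP", "Critical", "os", service_pack=2),
    Patch("OS-SP3-001", "Windows XP", "High", "os", service_pack=3),
    Patch("XP-SP3", "Windows XP", "Medium", "service_pack", service_pack=3),
    Patch("FF-10", "Mozilla Firefox", "High", "app_version", version=10, security_related=True),
    Patch("FF-11", "Mozilla Firefox", "Low", "app_version", version=11),
    Patch("FF-8", "Mozilla Firefox", "High", "app_version", version=8, security_related=True),
    Patch("READER-001", "Adobe Reader", "Critical", "app_patch"),
]
ENDPOINT = Endpoint("PC-01", "Windows XP", 2, {"Mozilla Firefox": 9, "Adobe Reader": 10})
```

Calling missing_patches(ENDPOINT, CATALOG) reports the SP2 OS patch, the Reader patch and Firefox 10, while the SP3 service pack, the SP3-only patch, the non-security Firefox 11 and the older Firefox 8 are left out.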

7. How large is the full data download to the Patch server?

The complete dataset, which is only downloaded in its entirety when Patch is first activated, is around 300MB in size for Enterprise Console 5.0. For the Console 5.1 release, this volume of data is compressed to around 150MB.

8. What is the size of the Patch database on the management server?

The default size of the Patch database, based on the patches currently supported, is around 350MB. The database grows as more patches are supported, and also with the number of endpoints being assessed and the number of patches missing on those endpoints, at a rate of around 180 bytes per endpoint per missing patch.

For example, with an estate of 25,000 endpoints, each missing 100 patches, the database will currently grow to a total size of around 770MB.

9. How much memory does the management server need, to support Sophos Patch?

The Patch server's main use of memory is to cache, for efficiency, any new assessment files from the database that need to be distributed to the endpoints. It is recommended to allocate 512MB of memory for Patch on the management server.

10. How long does the initial Patch data download take?

Initial download and setup of Patch data for Enterprise Console 5.0 can take several hours, depending on WAN bandwidth and server performance.

For console 5.1, the reduced data volume downloaded and other efficiency improvements significantly reduce the initial download time to typically around 1.5-2 hours.

11. Where does the Patch server download the Patch data files from?

Patch ratings come directly from Sophos in the standard Endpoint Security feed, whereas Patch definition files are received directly from Lumension, Sophos' technology partner for the Patch capability. Additional gateway firewall exclusions may therefore be needed to ensure the full data feed is not blocked. There are two parts to the Lumension feed: an HTTP location, from which the basic list of Patch files is downloaded, and an HTTPS location, from which the actual Patch data files are downloaded:

  • http://sophos.cdn.lumension.com/sophos/
  • https://a248.e.akamai.net/f/60/59258/10m/sophos.cdn.lumension.com/sophos/
  • https://a248.e.akamai.net/f/60/59258/2d/sophos.cdn.lumension.com/sophos/

12. How is the status of Patch Server download indicated?

The download status for the Patch feed is indicated in the Patch ‘event viewer’ window. The Patch status indicates, at a high level, whether the initial full download still needs to complete [Not Downloaded], whether the feed has downloaded successfully [OK], or whether the feed has been interrupted and caused the data to be incomplete or become stale [Out of Date].

13. How often is the Patch data updated?

The Patch server checks for updates every 24 hours. The frequency at which new patches are released means that there is no benefit in performing this check more frequently.

14. Is the full Patch data downloaded every time there is an update?

No, only new data files, or modified versions of existing files, are downloaded to the server.

15. Does Patch support air-gapped environments?

No, air-gapped networks are not currently supported, as Patch needs continuous access to live data from Sophos to ensure the patches, and their associated SophosLabs ratings, are kept up to date.

16. How often do Endpoints scan for missing patches?

The console policy allows scanning to be set to every 8 hours/24 hours/Week. If the period expires whilst an Endpoint is switched off, the scan will start the next time a machine is powered on.

17. How long does the Patch scan take?

Patching is not a time-critical process, so scans have been designed to run in the background and, as a result, typically take 10-20 minutes to complete.

18. Will Patch scans create a noticeable impact to the endpoint user?

Scans are carried out as a background process, to avoid impacting users, and also have a start-up delay to ensure they do not interfere at all with the boot process. The scan start delay is also randomized so that VDI environments are not hit with all scans kicking off simultaneously.

19. How often do Endpoints check for new patches?

Each endpoint checks the server for new patches before the start of each scan.

20. How do Endpoints determine which Patch files to download?

To optimize performance and minimize network traffic, Endpoints only download from the server the patches relevant to their O/S and language.

21. How much data is downloaded to each Endpoint to perform the Patch assessments?

Each endpoint downloads around 35-40MB of Patch data.

22. Do Endpoints download the full Patch data every time they update from the server?

No, after the initial download, Endpoints only download new or updated Patch data from the server. Note that around 27MB of the data is in a single file (mcescan.cab) that can update several times a month and needs to be re-downloaded in its entirety if it changes.

23. Can Endpoint Patch data be cached for remote sites with low bandwidth WAN links?

If you are running Enterprise Console 5.0, Endpoint Patch data does not support caching. However, enhancements added in Console v5.1 enable standard in-line transparent caches to be used at remote locations.

24. How much Patch data is uploaded to the Server from an Endpoint at the end of each scan?

Each Endpoint uploads around 4kBytes of results data to the server at the end of each scan.

25. Is the Patch data encrypted between the Server and Endpoints?

The Patch agent-server connection uses HTTP transport, with the Patch data itself protected using PKI encryption.

26. Can Sophos message relays be used for Patch?

No, Patch has been designed using a separate HTTP based client-server communications channel to avoid the need for message relays. Customers using message relays to communicate back from remote locations will need to open up a separate channel for Patch communications.

 
If you need more information or guidance, then please contact technical support.
