SAV for Linux / Unix : IIS WebCID update troubleshooting

  • ID dell'articolo: 64787
  • Aggiornato: 20 mar 2014

This article describes common WebCID configuration problems for Linux & Unix endpoints, when using an Internet Information Services (IIS) based web-server.

For full details on creating an IIS update server, see this KBA 38238.

First seen in

Sophos Anti-Virus for Linux

Operating systems
Windows 2003
Windows 2003 R2
Windows 2008
Windows 2008 R2
Windows 2012

What to do

This will guide you through the common issues that cause Linux and Unix endpoints to fail when updating from IIS Server.

Using AppCmd.exe

All the commands require Administrator or equivalent rights to execute successfully. On Windows 2003 and R2 ensure you are logged on as an Administrator, on Windows 2008 and above, you must start the command prompt as Administrator.

Files cannot be downloaded from the \bin directory

IIS7 has a security feature called 'Request Filtering' that can prevent the web-server from serving files and directories. For example, files in a \bin directory will not be available. This only occurs if the 'Request Filtering' feature has been enabled.

To allow files in the \bin directory, run the following command:

%systemroot%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /-"hiddensegments.[segment='bin']"

For more information on Request Filtering and checking whether it is installed see this article.

Files with no extension cannot be downloaded

Linux / Unix endpoints will not be able to download files that have no file extension for example: '\S000\savlinux\talpaversion', the error is visible to a browser and in IIS logging as 404.17. 

To allow files without extensions to download, add a MIME Type of '.' within IIS Manager, this can also be achieved with the following command:

%systemroot%\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.',mimeType='Sophos/Linux']"

Files with multiple extensions cannot be downloaded

IIS7 Request filtering may not allow files with multiple extensions to be downloaded, such as *.tar.gz. To allow IIS7 to host files with multiple extensions, add the 'AllowDoubleEscaping' parameter to the 'requestFiltering' element:

%systemroot%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /allowdoubleescaping:true

IIS Manager may prevent you from adding MIME Types with multiple file extensions (More than one '.'), these must be added via the command line using the following:

%systemroot%\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.x.y',mimeType='Sophos/Linux']"

Note: Replace x.y, with the affected extension, for example '.so.0'.

Certain file extensions cannot be downloaded

In IIS 6/7/8 file extensions must be associated with a MIME type before they can be downloaded.  For the simplest configuration, Sophos recommend to allow all file extensions.  For more information see this article: Configuring Microsoft Internet Information Services for endpoint updating

Environments using a more restrictive control over file extensions, can cause a problem for Linux / Unix CIDs. The extensions for some files change on a monthly basis, for example, the virus engine:

  • September 2012 Engine = libsavi.so.3.2.07.354
  • October 2012 Engine = libsavi.so.3.2.07.359

In order to restrictively control file extensions, you will need to update your MIME type list every month. Sophos cannot change the name of these files as they are based on Linux library filename conventions.

IIS web-servers that use NTLM authentication

SAV for Linux / Unix only support Basic or Digest authentication with web servers and proxies. When a web-server only allows NTLM (labeled Integrated Windows Authentication in IIS Manager) the update will fail.

In the properties for your IIS website select 'Directory Security' then click 'Edit' within Authentication and access control. The web-server must allow Basic, Digest, or Anonymous access for Linux / Unix clients to update.

 
Per maggiori informazioni o per assistenza, vi preghiamo di contattare il supporto tecnico.

Valutate l'articolo

Molto scadente Eccellente

Commenti