This articles provides an overview of Sophos Patch Assessment and a list of questions and answers on how the Sophos Patch feature works.
We recommend you watch the video Patch Assessment in Sophos Endpoint 10.
Known to apply to the following Sophos product(s) and version(s)
Sophos Patch Agent 1.0
Sophos Endpoint Security and Control 10.0
90% of attacks can be prevented with an existing patch. Yet many computers remain at risk because patching is hard. With our Patch Assessment in Endpoint we prioritize the most critical patches for you by tying them to the threats they prevent. Our patch assessment identifies, prioritizes and scans for critical threat-related patches. And it’s ifntegrated into our EndUser Protection, delivered in one deployment and managed from a single console.
- One simple scan finds unpatched computers vulnerable to threats
- Scans for Windows and other common application patches
- We prioritize patches based on threats and likelihood of exploit—so you don’t have to
- We make it easy to see computers missing critical patches, and to sort by patch vendor, threat, priority and more
- Scan computers for critical patches to stop malicious threats
Patch Assessment Event Viewer:
- How is Sophos Patch installed?
- How is Sophos Patch licensing controlled?
- How does SophosLabs rate the patches?
- Which Operating Systems does Patch currently support?
- Which Applications does Patch currently support?
- How does Sophos Patch classify a patch as missing?
- How large is the full data download to the Patch server?
- What is the size of the patch database on the management server?
- How much memory does the management server need, to support Sophos Patch?
- How long does the initial Patch data download take?
- Where does the Patch server download the Patch data files from?
- How is the status of Patch Server download indicated?
- How often is the Patch data updated?
- Is the full Patch data downloaded every time there is an update?
- Does Patch support air-gapped environments?
- How often do Endpoints scan for missing patches?
- How long does the Patch scan take?
- Will Patch scans create a noticeable impact to the endpoint user?
- How often do Endpoints check for new patches?
- How do Endpoints determine which Patch files to download?
- How much data is downloaded to each Endpoint to perform the Patch assessments?
- Do Endpoints download the full Patch data every time they update from the server?
- Can Endpoint Patch data be cached for remote sites with low bandwidth WAN links?
- How much Patch data is uploaded to the Server from an Endpoint at the end of each scan?
- Is the Patch data encrypted between the Server and Endpoints?
- Can Sophos message relays be used for Patch?
1. How is Sophos Patch installed?
Sophos Patch (also known as just "Patch") is installed as part of the single installer for Endpoint Protection (Advanced and Enterprise only), supporting the same O/S and DB platforms, and is well integrated with Sophos Enterprise Console. Patch is included by default with Endpoint Protection Enterprise and is a chargeable ‘add-on’ for Endpoint Protection Advanced.
2. How is Sophos Patch licensing controlled?
Licensing of Patch controls the management server’s ability to download Patch files from the live Sophos Patch data feed on the internet. No patches will appear in the Sophos Enterprise Console unless Patch has been licensed. If the license expires, then access to the feed will stop and the local Patch data will become more stale as each unlicensed day passes.
3. How does SophosLabs rate the patches?
SophosLabs calculates ratings for each patch based on a number of parameters:
- Vulnerability severity – type of attack
- Software popularity – how popular is the vulnerable software
- Access conditions – does the attacker need to be local or remote, to exploit the vulnerability
- Prevalence – how common are the threats that exploit the vulnerability
Patches are rated Low, Medium, High and Critical based on these parameters. Sophos recommends applying all relevant patches, but the SophosLabs rating is designed to enable a focus on patches that protect against the most active threats.
4. Which Operating Systems does Patch currently support?
|Platform/Device ||Edition ||Architecture |
|32-bit ||64-bit |
|Windows 2000 SP4 ||AS, SVR, PRO ||Y ||N |
|Windows XP SP2, SP3 ||PRO ||Y ||Y1 |
|Windows Vista ||BUS, ENT, ULT ||Y ||Y |
|Windows 7 ||PRO, ENT, ULT ||Y ||Y |
|Windows 2003 ||ENT, STD, WEB ||Y ||Y |
|Windows 2008 ||ENT, STD, WEB ||Y ||Y |
|Windows 2008 R2 ||ENT, STD, WEB ||N ||Y |
1Windows XP Pro SP3 supports 64-bit. Windows XP Pro SP2 does not.
5. Which Applications does Patch currently support?
|Publisher ||Edition |
|Adobe ||Acrobat Pro |
|Adobe ||Acrobat Standard |
|Adobe ||AIR |
|Adobe ||Illustrator |
|Adobe ||InDesign |
|Adobe ||Macromedia Flash Player (Internet Explorer) |
|Adobe ||Macromedia Flash Player (Other browsers) |
|Adobe ||Photoshop |
|Adobe ||Reader |
|Adobe ||Shockwave Player for Windows |
|Apple ||iTunes for Windows |
|Apple ||Quicktime for Windows |
|Citrix Systems ||ICA Win32 Client |
|Citrix Systems ||Citrix Online plug-in for Windows |
|Martin Prikryl |
|Microsoft ||.NET Framework |
|Microsoft ||Data Access Components (MDAC) |
|Microsoft ||DirectX |
|Microsoft ||Exchange Server |
|Microsoft ||Exchange Server 2007 SP3 Update Rollups |
|Microsoft ||Exchange Server 2010 SP1 Update Rollups |
|Microsoft ||Expression Media |
|Microsoft ||Expression Web |
|Microsoft ||FrontPage Server Extension (FPSE) |
|Microsoft ||Host Integration Server |
|Microsoft ||Internet Explorer |
|Microsoft ||Internet Information Service (IIS) |
|Microsoft ||Internet Security and Acceleration Server (ISA) |
|Microsoft ||Jet |
|Microsoft ||MSDE |
|Microsoft ||MSN Messenger |
|Microsoft ||MSXML |
|Microsoft ||Office - including desktop applications (Access, Excel, FrontPage, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word) |
|Microsoft ||Office Viewer - including Word, Excel, PowerPoint, Visio |
|Microsoft ||Outlook Express |
|Microsoft ||Remote Desktop Connection Software |
|Microsoft ||SharePoint Service |
|Microsoft ||SharePoint Server |
|Microsoft ||SharePoint Team Services |
|Microsoft ||SQL Server |
|Microsoft ||Virtual PC |
|Microsoft ||Virtual Server |
|Microsoft ||Visual Studio .NET |
|Microsoft ||Visual Studio |
|Microsoft ||Windows Installer |
|Microsoft ||Windows Media Player |
|Microsoft ||Windows Live Messenger |
|Microsoft ||Windows Messenger |
|Microsoft ||Windows Update |
|Microsoft ||Windows Update Agent |
|Mozilla ||Firefox |
|Novell ||Netware Windows Client |
|Oracle ||Java Runtime Environment (JRE) |
|Real Networks ||RealPlayer SP |
|Skype ||Skype |
|Tim Kosse |
|VMWare ||Player |
|VMWare ||Server |
|VMWare ||Workstation |
|WinZip ||WinZip |
6. How does Sophos Patch classify a patch as missing?
Patches relating to the current operating system and supported applications on each endpoint computer are assessed. A status of missing is reported in the Patch Event Viewer (in the console) for missing patches. The following additional conditions apply:
- Patch does not show later Windows service packs as missing - only patches for the current service pack level are displayed.
- Certain applications, for example Mozilla Firefox, do not always provide security patches for the installed version and rely on updating to a later version of the application for protection against vulnerabilities. In this situation the console's event viewer may display the later version of the application as missing, for example if Firefox 9 is installed, version 10 will display as missing as it includes security related updates.
7. How large is the full data download to the Patch server?
The complete dataset, which is only downloaded in its entirety when Patch is first activated is around 300MB in size for Enterprise Console 5.0. For Console 5.1 release, this volume of data is compressed to around 150MB.
8. What is the size of the Patch database on the management server?
The Patch database default size, based on the patches currently supported, is around 350MB. This database will grow in size, as more patches are supported and also based on the number of endpoints being assessed and the number of patches missing on those endpoints. The database will grow at a rate of around 180 bytes per endpoint per missing patch.
For example, with an estate of 25,000 endpoints, each missing 100 patches, the database will currently grow to a total size of around 770MB.
9. How much memory does the management server need, to support Sophos Patch?
The Patch server main use of memory is for efficiency reasons, to cache any new assessment files from the database that need to be distributed to the endpoints. It is recommended to allocate 512MB of memory for Patch on the management server.
10. How long does the initial Patch data download take?
Initial download and setup of Patch data for Enterprise Console 5.0 can take several hours, depending on WAN bandwidth and server performance.
For console 5.1, the reduced data volume downloaded and other efficiency improvements significantly reduce the initial download time to typically around 1.5-2 hours.
11. Where does the Patch server download the Patch data files from?
Patch ratings come directly from Sophos in the standard Endpoint Security feed. Whereas Patch definition files are received directly from Lumension, who are Sophos’ technology partner for the Patch capability. Therefore, additional gateway firewall exclusions may be needed to ensure the full data feed is not blocked. There are two parts to the Lumension feed, one HTTP, where the basic list of Patch files are downloaded and the second, HTTPS location, where the actual Patch data files are downloaded.
You will also need to make sure that the endpoint is able to access the Microsoft Windows update address below:
12. How is the status of Patch Server download indicated?
The download status for the Patch feed is indicated in the Patch ‘event viewer’ window. The Patch status indicates, at a high level, whether the initial full download still needs to complete [
Not Downloaded], whether the feed has downloaded successfully [
OK], or whether the feed has been interrupted and caused the data to be incomplete or become stale [
Out of Date].
13. How often is the Patch data updated?
The Patch server checks for updates every 24 hours. The frequency at which new patches are released means that there is no benefit in performing this check more frequently.
14. Is the full Patch data downloaded every time there is an update?
No, only new data files, or modified versions of existing files, are downloaded to the server.
15. Does Patch support air-gapped environments?
No, air gap networks are not currently supported, as Patch needs continuous access to live data from Sophos to ensure the patches, and their associated SophosLabs ratings, are kept up to date.
16. How often do Endpoints scan for missing patches?
The console policy allows scanning to be set to every 8 hours/24 hours/Week. If the period expires whilst an Endpoint is switched off, the scan will start the next time a machine is powered on.
17. How long does the Patch scan take?
Patching is not a time-critical process, so scans have been designed to run in the background and, as a result, typically take 10-20 minutes to complete.
18. Will Patch scans create a noticeable impact to the endpoint user?
Scans are carried out as a background process, to avoid impacting users, and also have a start-up delay to ensure they do not interfere at all with the boot process. The Scan start delay is also randomized so that VDI environments don’t get hit with all scans kicking off simultaneously.
19. How often do Endpoints check for new patches?
Each endpoint checks the server for new patches before the start of each scan.
20. How do Endpoints determine which Patch files to download?
To optimize performance and minimize network traffic, Endpoints only download from the server the patches relevant to their O/S and language.
21. How much data is downloaded to each Endpoint to perform the Patch assessments?
Each endpoint downloads around 35-40MB of Patch data.
22. Do Endpoints download the full Patch data every time they update from the server?
No, after the initial download, Endpoints only download new or updated Patch data from the server. Note that around 27MB of the data is in a single file (mcescan.cab) that can update several times a month and needs to be re-downloaded in its entirety if it changes.
23. Can Endpoint Patch data be cached for remote sites with low bandwidth WAN links?
If you are running Enterprise Console 5.0, Endpoint Patch data does not support caching. However, enhancements have been added for Console v5.1 enable standard in-line transparent caches to be used at remote locations.
24. How much Patch data is uploaded to the Server from an Endpoint at the end of each scan?
Each Endpoint uploads around 4kBytes of results data to the server at the end of each scan.
25. Is the Patch data encrypted between the Server and Endpoints?
The Patch agent-server connection uses HTTP transport, with the Patch data itself protected using PKI encryption.
26. Can Sophos message relays be used for Patch?
No, Patch has been designed using a separate HTTP based client-server communications channel to avoid the need for message relays. Customers using message relays to communicate back from remote locations will need to open up a separate channel for Patch communications.