This article describes common WebCID configuration problems for Linux & Unix endpoints, when using an Internet Information Services (IIS) based web-server.
For full details on creating an IIS update server, see this KBA 38238.
First seen in
Sophos Anti-Virus for Linux
Windows 2003 R2
Windows 2008 R2
What to do
This will guide you through the common issues that cause Linux and Unix endpoints to fail when updating from IIS Server.
All the commands require Administrator or equivalent rights to execute successfully. On Windows 2003 and R2 ensure you are logged on as an Administrator, on Windows 2008 and above, you must start the command prompt as Administrator.
Files cannot be downloaded from the
IIS7 has a security feature called 'Request Filtering' that can prevent the web-server from serving files and directories. For example, files in a
\bin directory will not be available. This only occurs if the 'Request Filtering' feature has been enabled.
To allow files in the \bin directory, run the following command:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /-"hiddensegments.[segment='bin']"
For more information on Request Filtering and checking whether it is installed see this article.
Files with no extension cannot be downloaded
Linux / Unix endpoints will not be able to download files that have no file extension for example: '
\S000\savlinux\talpaversion', the error is visible to a browser and in IIS logging as 404.17.
To allow files without extensions to download, add a MIME Type of '.' within IIS Manager, this can also be achieved with the following command:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.',mimeType='Sophos/Linux']"
Files with multiple extensions cannot be downloaded
IIS7 Request filtering may not allow files with multiple extensions to be downloaded, such as
*.tar.gz. To allow IIS7 to host files with multiple extensions, add the 'AllowDoubleEscaping' parameter to the 'requestFiltering' element:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:requestfiltering /allowdoubleescaping:true
IIS Manager may prevent you from adding MIME Types with multiple file extensions (More than one '.'), these must be added via the command line using the following:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.x.y',mimeType='Sophos/Linux']"
x.y, with the affected extension, for example '
Certain file extensions cannot be downloaded
In IIS 6/7/8 file extensions must be associated with a MIME type before they can be downloaded. For the simplest configuration, Sophos recommend to allow all file extensions. For more information see this article: Configuring Microsoft Internet Information Services for endpoint updating
Environments using a more restrictive control over file extensions, can cause a problem for Linux / Unix CIDs. The extensions for some files change on a monthly basis, for example, the virus engine:
- September 2012 Engine = libsavi.so.3.2.07.354
- October 2012 Engine = libsavi.so.3.2.07.359
In order to restrictively control file extensions, you will need to update your MIME type list every month. Sophos cannot change the name of these files as they are based on Linux library filename conventions.
IIS web-servers that use NTLM authentication
SAV for Linux / Unix only support Basic or Digest authentication with web servers and proxies. When a web-server only allows NTLM (labeled Integrated Windows Authentication in IIS Manager) the update will fail.
In the properties for your IIS website select 'Directory Security' then click 'Edit' within Authentication and access control. The web-server must allow Basic, Digest, or Anonymous access for Linux / Unix clients to update.