Sophos Antivirus blocking kbox
Does anyone know the firewall policies I need to put in place to allow the kbox to talk to clients that have Sophos Antivirus and firewall installed
0 Comments
[ + ] Show comments
Answers (7)
Please log in to answer
Posted by:
airwolf
13 years ago
If you're not using SSL then you need to open ports 80 and 52230. If you're using SSL, it would be 443 and 52230.
Posted by:
rswihart
13 years ago
is these ports on the kbox or clients My clients are the ones not checking in
Posted by:
airwolf
13 years ago
The agent hits the KBOX on ports 80/443 (HTTP/S) and 52230 (AMP). So, these ports have to be allowed in the client firewall.
Posted by:
RichB
13 years ago
We also use Sophos and in addition to the ports mentioned already, every time a new version of the client is released the Sophos server has to be made aware of the newer version or else it flags it as "Suspicious Behavior." If your Sophos policy restricts Suspicious Behavior items from running then that would also prevent clients from checking in. In our environment the new client is allowed to run but a lot of error messages start getting generated and emailed to us so we like to configure it before upgrading KBOX clients.
For example, I will be installing version 5.1.31311 client on one computer so Sophos can discover the new version and then change it's designation from Suspicious to Allowed before pushing it to all computers.
For example, I will be installing version 5.1.31311 client on one computer so Sophos can discover the new version and then change it's designation from Suspicious to Allowed before pushing it to all computers.
Posted by:
rswihart
13 years ago
Richb I think I got it. I had to go into interactive mode and then export. Should we be OK if we do not use ckecksums for client upgrades?
Posted by:
RichB
13 years ago
If you do not have the HIPS scanner set to “Alert only†Sophos will find kinstaller.exe as suspicious and block it from running. This is an issue with every KBOX upgrade and each version of kinstaller.exe we have seen has a new hash value. You can add the kinstaller.exe hash and push out the update to your clients but without the new version of the file being allowed you will run in to issues. You can add the kinstaller.exe to the exclusions list but this will not catch all installs as the installer sometimes extracts to the users profile and there is no way to add that to the exceptions, unless you add a wildcard and allow kinstaller.exe to do whatever it wants, no matter where it in the system. Adding a wildcard like this isn’t suggested as it is a little to open but you could do it this way.
From the antivirus side of Sophos this is the issue we run in to on every upgrade, from a firewall side we are not using the Sophos firewall at this time.
From the antivirus side of Sophos this is the issue we run in to on every upgrade, from a firewall side we are not using the Sophos firewall at this time.
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.