Getting UAG to recognise Sophos RRS feed

  • Question

  • Hi,

    We are testing Sophos Anti Virus to replace CA eTrust at the minute. Our UAG currently checks for CA to be installed and updated on a machine before letting users onto certain applications in the portal. We currently use this policy to check for CA.

     (  (  (  ( AV_eTrustITM_Installed AND AV_eTrustITM_Running )  AND  ( CInt(Left(AV_eTrustITM_Version_Product,2))>=8 )  AND  ( DateDiff("d",AV_eTrustITM_LastUpdate,Now)<=7 OR AV_eTrustITM_UptoDate )  )  )  AND  (  (  ( AS_eTrustITM_Installed AND AS_eTrustITM_Running )  AND  ( CInt(Left(AS_eTrustITM_Version_Product,2))>=8 )  )  )  )  AND  Network_Domains_NetBIOS ="DOMAIN"

    We would like it to check for CA AND Sophos as well. Is it possible to do this, as everything we have tried so far hasn't worked?

    Has anyone else used Sophos successfully with UAG?

    Cheers

    Chris

    Friday, February 17, 2012 11:52 AM

All replies

  • First step would be to connect from a machine with Sophos and then use web monitor on UAG to look at that client's session. Once you bring up the session details go to the "parameters" tab. This is all the endpoint detection results. This should either tell you which variable is getting set and how for Sophos, or tell you Sophos is not currently detected, in which case you could write your own custom detection script for Sophos.
    Friday, February 17, 2012 3:17 PM
  • Thanks that was a good place to start. Managed to get it recognising it with just (  AV_Sophos_Installed  AND AV_Sophos_Running ) .

    The problem is we need to check that the user's AV is up to date before letting them in. When you look at the parameters of a connection that gets through on the above Sophos check, the values are shown:

    AV_Sophos_UptoDate = FALSE

    AV_Sophos_LastUpdate = 0

    Now I know my machine is up to date. Any ideas on where it is getting these variables from or any other ways of making sure that the AV has the latest update?

    Saturday, February 18, 2012 2:21 PM
  • Look in Internalsite for a file by a name similar to Detection.vbs. This is the file that gets downloaded to the client and run and sets the values for all the endpoint parameters. Just look in there for the two parameters in question and you can see exactly what file or registry key or wherever it is getting the value from. Note that you can't change this file. If you want to detect Sophos some other way besides the way it currently does it, then write your own UAG custom detection: http://technet.microsoft.com/en-us/library/ff607423.aspx or you can search around and will find more specifics like: http://social.technet.microsoft.com/Forums/eu/forefrontedgeiag/thread/88d7b126-4037-496c-8fdb-a8db63323116

    Thanks,

    Mark

    Tuesday, February 21, 2012 9:17 PM
  • I've been looking into this recently and have come up with the following information (not a fix, unfortunately).

    Detection.vbs gets information on Sophos antivirus via a subroutine 'Sub ExtractSophos5Data'. This subroutine checks the data in the registry value HKLM\SOFTWARE\Sophos\SAVService\Application\TempDir (which is a path to a temporary directory), replaces the last directory in that path with "\Config" (which gives the path of the directory Sophos stores its configuration in) and then tries to read the file machine.xml in that directory. It is this file that contains the last update information for Sophos.

    Under Windows Vista/7, the path to machine.xml is 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'. According to Sophos Technical Support "machine.xml is a file that is only accessed by Sophos components. Any access of this file via Unified Access Gateway is not supported by Sophos. As far as I am aware Microsoft retired support for Sophos in their Forefront products a while back. http://technet.microsoft.com/en-us/forefront/dd940095.aspx"

    The link in their response refers to Forefront Security Antimalware Engine Notifications and Developments. I have asked the person dealing with Sophos to respond with a query as to any other way for UAG to determine the time of last update of Sophos antivirus and will post the response here if helpful.

    Monday, January 14, 2013 3:00 PM
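The following is an added illustration, not code from the thread or from UAG's Detection.vbs: it models the path derivation the last reply describes (TempDir registry value with its last directory swapped for Config, then machine.xml) and the freshness policy from the opening post with the eTrust variables swapped for the Sophos ones, so you can see why "AV_Sophos_LastUpdate = 0" with "AV_Sophos_UptoDate = FALSE" denies an otherwise current machine. The TempDir value and the machine.xml element name are constructed assumptions, not Sophos' real schema.

```python
import ntpath
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample document; the <lastUpdate> element is an assumption,
# not the real Sophos machine.xml layout.
SAMPLE_MACHINE_XML = """<?xml version="1.0"?>
<machine><lastUpdate>2012-02-17T09:30:00</lastUpdate></machine>"""

def config_dir_from_tempdir(tempdir: str) -> str:
    """Mirror what the thread says ExtractSophos5Data does: drop the last
    directory of the TempDir registry value and replace it with Config."""
    return ntpath.join(ntpath.dirname(tempdir.rstrip("\\")), "Config")

def machine_xml_path(tempdir: str) -> str:
    return ntpath.join(config_dir_from_tempdir(tempdir), "machine.xml")

def parse_last_update(xml_text: str):
    """Last-update timestamp from a machine.xml-like document, or None when
    the field is missing (the 'AV_Sophos_LastUpdate = 0' case)."""
    node = ET.fromstring(xml_text).find("lastUpdate")
    if node is None or not node.text:
        return None
    return datetime.fromisoformat(node.text.strip())

def major_version(version: str) -> int:
    # CInt(Left(version, 2)): numeric prefix of the first two characters
    m = re.match(r"\d+", version[:2])
    return int(m.group()) if m else 0

def av_policy_ok(installed, running, version, last_update, uptodate, now) -> bool:
    """UAG policy from the thread: installed AND running AND major >= 8
    AND (last update within 7 days OR the product reports up to date)."""
    if not (installed and running and major_version(version) >= 8):
        return False
    fresh = last_update is not None and (now - last_update) <= timedelta(days=7)
    return fresh or bool(uptodate)

if __name__ == "__main__":
    now = datetime(2012, 2, 18, 14, 21)
    tempdir = r"C:\ProgramData\Sophos\Sophos Anti-Virus\Temp"   # constructed
    print(machine_xml_path(tempdir))
    last = parse_last_update(SAMPLE_MACHINE_XML)
    print("file-based check:", av_policy_ok(True, True, "10.0", last, False, now))
    print("UAG-reported values:", av_policy_ok(True, True, "10.0", None, False, now))
```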