Rich Trouton On Twitter: Deploying Sophos Enterprise Anti-virus For Mac
Posted By admin On 21.03.20

Apple's documentation covers disabling SIP and lists these steps:
1. Reboot your Mac into Recovery Mode by restarting the computer and holding down Command+R until the Apple logo appears on the screen.
2. Click Utilities > Terminal.
3. In the Terminal window, type csrutil disable and press Enter.
4. Restart your Mac.
You can verify whether a file or folder is restricted by issuing this ls command, using a capital O (not the digit zero) to modify the long-listing flag:
ls -lO /System /usr
Look for the text restricted in the flags column to see where SIP is enforced. By default (SIP enabled) the following are restricted: /System, /usr, /bin, /sbin, and the apps that are pre-installed with OS X. The following remain unrestricted: /Applications, /Library, /usr/local.
It's possible to disable SIP by booting to the Recovery HD and running the following command:
csrutil disable
It is also possible to keep SIP enabled and selectively disable aspects of it, by adding one or more --without flags to the csrutil enable command (note the double dash). All of these require being booted from Recovery in order to set them:
Enable SIP and allow loading of unsigned kernel extensions: csrutil enable --without kext
Enable SIP and disable filesystem protections: csrutil enable --without fs
Enable SIP and disable debugging restrictions: csrutil enable --without debug
Enable SIP and disable DTrace restrictions: csrutil enable --without dtrace
Enable SIP and disable restrictions on writing to NVRAM: csrutil enable --without nvram
Each --without flag leaves that one protection switched off (csrutil status then reports "enabled (Custom Configuration)"), so treat a partial configuration as a temporary state and revert it with a plain csrutil enable once the work is done. I also have a post available with more information about SIP.
If all you need is to access /usr/local, take a look at this page: the idea is to temporarily disable SIP with csrutil disable (from Recovery), create /usr/local, use chflags to clear the restricted flag on that directory, and hand it to your user:
sudo mkdir /usr/local && sudo chflags norestricted /usr/local && sudo chown -R $(whoami):admin /usr/local
and then re-enable SIP with csrutil enable (again from Recovery). If /usr/local already exists at the time of your upgrade, even the above isn't necessary: you can simply run
sudo chown -R $(whoami):admin /usr/local
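The decision the two answers above describe (check whether SIP is on and whether the target directory carries the restricted flag, then either just chown it or go through Recovery) as a pre-flight check a deployment script can run before writing under /usr/local. This is an added example, not code from the original page or from Apple; it assumes that BSD ls -lO places the file flags in the fifth column, and the sample csrutil and ls output embedded in it is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for a
# deployment script that needs to write under /usr/local on a Mac.
# The decision logic takes the text of `csrutil status` and one line of
# `ls -ldO <path>` as arguments, so it can be exercised offline on the
# constructed sample output below and then run live on a Mac.

# Returns 0 when the `csrutil status` text reports SIP as enabled. This also
# matches "enabled (Custom Configuration)", which is what a --without flag yields.
sip_enabled_from_status() {
    case "$1" in
        *"System Integrity Protection status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the flags column of an `ls -lO` line. Assumption: with -O, BSD ls
# inserts the file flags between the group and the size, i.e. field 5;
# "-" means no flags are set.
flags_of_ls_line() {
    set -- $1
    printf '%s\n' "$5"
}

# Returns 0 when the flags column contains "restricted", possibly alongside
# other flags (e.g. "hidden,restricted"); that flag is how SIP marks a path.
is_restricted_line() {
    case ",$(flags_of_ls_line "$1")," in
        *,restricted,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decides what an installer has to do before writing to the path described
# by the ls line. Prints one of three verdicts:
#   chown-only         SIP on, path not restricted: chown to your user and go
#   recovery-required  SIP on and path restricted: only Recovery can clear it
#   sip-disabled       SIP off: writable now, but protections are down
usr_local_plan() {
    status_text=$1
    ls_line=$2
    if ! sip_enabled_from_status "$status_text"; then
        printf '%s\n' "sip-disabled"
    elif is_restricted_line "$ls_line"; then
        printf '%s\n' "recovery-required"
    else
        printf '%s\n' "chown-only"
    fi
}

# Constructed sample output (not captured from a real machine), in the
# format csrutil and `ls -ldO` print on macOS.
SAMPLE_STATUS_ON="System Integrity Protection status: enabled."
SAMPLE_STATUS_OFF="System Integrity Protection status: disabled."
SAMPLE_LS_SYSTEM='drwxr-xr-x@  5 root  wheel  restricted  160 Oct  1 12:00 /System'
SAMPLE_LS_LOCAL='drwxr-xr-x  12 root  wheel  -  384 Oct  1 12:00 /usr/local'

# Live mode: only when csrutil exists, i.e. we are actually on a Mac.
if command -v csrutil >/dev/null 2>&1; then
    if [ ! -d /usr/local ]; then
        echo "/usr/local does not exist: create it first (sudo mkdir /usr/local)"
    else
        verdict=$(usr_local_plan "$(csrutil status)" "$(ls -ldO /usr/local)")
        case "$verdict" in
            chown-only)        echo 'sudo chown -R $(whoami):admin /usr/local is enough' ;;
            recovery-required) echo 'boot to Recovery: csrutil disable; then sudo chflags norestricted /usr/local; then csrutil enable' ;;
            sip-disabled)      echo 'SIP is off: write, then re-enable it from Recovery with csrutil enable' ;;
        esac
    fi
fi
```

The check deliberately reports "sip-disabled" as its own verdict rather than treating it as good news: a machine that is writable because SIP is off should be flagged so the protection gets re-enabled after the install, not left that way by a script that only cared about getting its files in place.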
Believe me when I say that we're working very hard to try to fix this issue we're seeing with 'Shh/Updater-B', and are diligently trying to respond to all folks across all the various forums. Tech support, within my spitting distance I should note, is working very hard to take your calls. Please note that was aggressive detection on our part. You are not infected with malware. Our labs are in final Q/A of an update to resolve the issue to make the alert go away for our customers that are affected. We very much apologize for the inconvenience, but the update will be out shortly and the false alert will go away.
Will update as we learn more.

UPDATE: RED NOTIFICATION - False Positive detections with Shh/Updater-B - UPDATE 15:11 PDT

As the False Positive can affect our own binaries, it can in some instances prevent both SUM and SAU from being able to update. In these situations the following instructions can be used to work around the issue, download the fixed IDE, and propagate it to all endpoints.

SUM unable to update
If SUM is unable to update, it is probable that files in the warehouse are failing to be decoded because they are being falsely detected as Shh/Updater-B. To work around this issue and successfully download the IDE file that fixes it, follow these steps:
1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus or C:\Program Files (x86)\Sophos\Sophos Anti-Virus
2. Restart the 'Sophos Anti-Virus Service'
3. Update SUM via the Sophos Enterprise Console

Endpoints unable to update
If customers have endpoints that are unable to update due to the false positive issue, the following steps can be taken to get the fixed IDE to them:
1. Centrally disable On-Access scanning via policy in SEC
2. Select Groups in SEC and select 'Update Now'
3. Once a group has updated, re-enable On-Access scanning via policy in SEC

I almost did not renew my Sophos subscription at the beginning of this year.
It will certainly end now. This is horrid! You post an update without full quality testing that quarantines every updating service on my network, including yours (??), and then say you are working hard to get a fix out? How many hours do you expect us to eat in fixing your massive SNAFU?
Last week GoDaddy caused bad blood with their customers through a 'SELF-DENIAL Attack'. Looks like SOPHOS has now written the template for 'How to discard your entire customer base in one fell swoop'. Sorry, but "sorry" and "we are trying" just isn't enough, ever.

Hi B2BYTE, I'm eager to try to help you in any way I can with this horrible incident. We have pushed out an update and workarounds for this scenario and have been real-time responding to customers' questions via Twitter, and I've also been trying to keep my eye on our various channels. Again, this was an egregious error on our part, but we're certainly going to do everything we can to make it right with every single one of our customers who have been wrongly affected. We see a lot of customers who are back up and running.
Can I help you?

B2BYTE, I don't think a knee-jerk reaction to move away from Sophos will necessarily mean you don't have to deal with anything like this again. Just a couple of days ago I had to help someone out when a McAfee update killed their internet connection. Don't get me wrong, this was a major [...] up by Sophos and I think they need to have a think about their lines of communication. I managed to sort my network out last night by finding it in the Sophos forums. I thought Natan@Sophos did a fantastic job and should be praised for helping as best he could. I shouldn't have had to google to find a forum thread though.
This should have been on the front page of the website with a link to the KB article, which in itself should have been updated more quickly as fixes for the problem became available. We've all messed up at one point or another; I'm glad my employer didn't decide to change his IT manager as a result. I still believe Sophos is the best AV out there. As long as they learn from this and it doesn't happen again!

Simon2872 wrote: B2BYTE, I don't think a knee-jerk reaction to move away from Sophos will necessarily mean you don't have to deal with anything like this again. Just a couple of days ago I had to help someone out when a McAfee update killed their internet connection. Don't get me wrong, this was a major [...] up by Sophos and I think they need to have a think about their lines of communication. I managed to sort my network out last night by finding it in the Sophos forums. I thought Natan@Sophos did a fantastic job and should be praised for helping as best he could. I shouldn't have had to google to find a forum thread though. This should have been on the front page of the website with a link to the KB article, which in itself should have been updated more quickly as fixes for the problem became available. We've all messed up at one point or another; I'm glad my employer didn't decide to change his IT manager as a result. I still believe Sophos is the best AV out there. As long as they learn from this and it doesn't happen again!

We really appreciate your guys' support during this very trying time (for both you guys and us).
Posts like these definitely reiterate that we have the best customers on the planet. We look forward to making things right again.

RichB - NS wrote: Why no email to clients? I much would have preferred to come in early and fix this mess than to have a shitstorm of employees waiting at my desk at 8AM.

Hi Rich, we're very sorry for the issues caused by the Shh/Updater-B issue. We have been proactively posting in the knowledgebase article to ensure we can give as frequent updates as possible rather than multiple email communications. A thorough email communication is going out today. In the meantime, if you need any more info, please check the article here: Once again, we're sorry for the havoc this may have caused. And of course, please feel free to reach out to us via Twitter @SophosSupport.

Kim, I do appreciate the dedication of you and of Sophos in general to rectify this problem. To address another post above, I would not 'knee-jerk react' to this incident. My questions about the integrity of Sophos began 15 months ago regarding some gaps in the Sophos coverage. The latest occurrence must weigh into any decision. My network has generally been okay with your solution, but I have always had concerns with both Enterprise Console and client functionality.
Some are aspects I can live with, as a pain for administration but less painful at the client level. I am simply amazed that Sophos did not have sufficient testing and quality oversight to prevent this problem. Please address how your customer base, moving forward, can be assured that Sophos is addressing their process control. Remember, we recognize that at any time a serious vulnerability can appear in the wild and spread like cyber-fire. Rapid response to overcome such an event impacts all major security providers. This is the nature of the beast.
BUT, self-inflicted events like this must put the general quality of your business in question. I look forward to hearing back on what you will do to improve.