
Hello, and welcome to this Sophos Certified Engineer training course for Enduser Protection

version 5.3. This is Module 100, Course Introduction.

Sophos Certified Engineer


Enduser Protection ET100 – Engineer Theory
April 2015

Training version: 5.3.0


Product version: Enterprise Console 5.3, Endpoint Protection 10.3

© 2015 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names,
logos and marks mentioned in this document may be the trademarks or registered
trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness
or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office
is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Module 0 - 1
Prior to taking this training you should pass the online assessment EA01a – Certified
Engineer Fundamentals. Training is offered to help you pass the assessment and
comprises four short modules covering:

• Cryptography basics
• Networking basics
• Active Directory basics
• Security threat basics

In addition you should:

• Be able to set up a Windows server with Windows workstations
• Have knowledge of general Windows networking

Module 0 - 2
You must complete and pass the online assessment if you wish to register for the
Enduser Protection Certified Architect course.

Please note that the assessment will include questions from both theory and lab
portions of this course.

Module 0 - 3
This course is split into eight modules and seven labs. It includes demonstrations and
activities as well as references for additional reading.

Module 0 - 4
Once you complete this course you will be able to:

• Describe the main technical capabilities of Enduser Protection and its benefits
• Deploy and manage Enduser Protection in an environment of up to two hundred users
• Configure the most commonly used features
• List the system requirements
• Locate and use additional online resources

Module 0 - 5
Please take a few minutes to answer the following questions and find out what you
already know about Enduser Protection. Don't worry if you don't know all of the
answers, as all of the content will be covered in this course.

Module 0 - 6
You can download the course materials from the training portal, under module
ET100:

• EL10 contains the lab exercises
• EH10 consists of all of the theory modules as a combined hand-out

Module 0 - 10
Thank you for taking this Sophos Certified Engineer module for Enduser Protection.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Module 0 - 11
Now that you have completed this module, you should:

• Complete Module 101: Introduction to Enduser Protection

Module 0 - 12
Thank you for your time, please close this window to return to the Partner Portal.

Module 0 - 13
Hello, and welcome to this Sophos Certified Engineer training course for Enduser
Protection version 5.3. This is Module 101, Introduction to Enduser Protection.

Sophos Certified Engineer


Enduser Protection ET101 – Engineer Theory

April 2015
Training version: 5.3.0
Product version: Enterprise Console 5.3, Enduser Protection 10.3


Module 1 - 1
This course is split into eight modules with lab exercises interspersed throughout. You are
now in module one.

Module 1 - 2
This module starts with an overview of the components that make up Enduser
Protection. It then looks at Sophos Enterprise Console and includes a short
demonstration of the interface. The module finishes with a look at SophosLabs and
the information that is available from the Sophos Support site.

Module 1 - 3
On completion of this module you will be able to:

• Describe the function of each of the components of Sophos Enduser Protection
• Understand the benefits of using Sophos Enterprise Console
• Recognize the importance of Sophos Labs in protecting our customers
• Locate information using the Sophos Support site

Module 1 - 4
The enduser protection solution that you will learn about in this course is made up of
two parts:

• Sophos Endpoint Security and Control, and
• Sophos Enterprise Console

Endpoint Security and Control is installed on each device and provides Anti-virus as
well as other security functions. It is possible to use Endpoint Security and Control as
a stand-alone product but most organizations benefit from using the centralized
control offered by Sophos Enterprise Console.

This module will provide an overview of the features of each part of the solution.

Module 1 - 5
Sophos Enduser Protection provides industry leading Anti-virus and much more. It
can be deployed and managed by Sophos Enterprise Console (SEC), or can be
installed as a standalone product without central management. The following slides
provide a short description of each of the enduser protection components.

Module 1 - 6
Anti-virus and HIPS provides detection of known malware combined with real-time
threat intelligence from SophosLabs. In addition, the Host Intrusion Prevention
System (HIPS) dynamically analyzes the behavior of programs running on the system
in order to detect and block activity which appears to be malicious. It can do this in
two ways:

• File-based HIPS compares elements of a file, before it runs, with code that has
been found in other malware.
• Behavior-based HIPS:
• Compares the actions that a file takes when it executes with actions known to
be taken by malware, and with actions that are generally risky.
• Detects buffer overflow attacks, in which a program is made to write more data
into a buffer than it can hold, overwriting adjacent memory. This usually causes
errors or crashes, but an attacker can use it to run code of their choosing.

The Anti-virus component also includes Web Protection which blocks access to
malicious web sites and scans downloaded files.

Module 1 - 7
The Sophos Client Firewall (SCF) protects an endpoint from malicious attacks and
unwanted connections from local and remote networks. It monitors inbound and
outbound connections and network activity, which it can allow or block based on a
configured policy. This complements Sophos Anti-virus by blocking traffic originating
from suspicious processes or traffic that could be malicious.

The Sophos Client Firewall includes elements of Application Filtering, Packet Filtering
and Stateful Inspection:
• Application filtering allows rules to be created based on the application from which
the network traffic originated
• Packet filtering allows filtering of network traffic based on the source and
destination IP addresses, network ports, and protocols
• Stateful inspection is a deeper analysis of network data: the firewall keeps a record
of the connections the endpoint has opened, so that replies belonging to an allowed
connection are passed quickly and unsolicited inbound traffic can be rejected

Client firewalls have the benefit that they remain effective even when the PC is away
from the network, for example in a hotel.
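To make the three layers concrete, here is an added example (not Sophos Client Firewall code; the rule format, process names, addresses and decision labels are constructed for illustration) that runs a short packet sequence through a toy firewall combining application filtering, packet filtering and stateful inspection:

```python
"""Toy model of the three filtering layers a client firewall combines.
Added example for this training text, not Sophos Client Firewall code: the
rule format, process names, addresses and decision labels are constructed
for illustration and do not reflect the real SCF policy format."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    process: str     # local process owning the socket (assumed known to the host firewall)
    direction: str   # "out" (endpoint -> network) or "in" (network -> endpoint)
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """A packet-filter rule; fields left as None match anything."""
    action: str                      # "allow" or "block"
    direction: Optional[str] = None
    proto: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_ip is None or self.dst_ip == p.dst_ip)
                and (self.dst_port is None or self.dst_port == p.dst_port))


class ClientFirewall:
    def __init__(self, allowed_apps, rules):
        self.allowed_apps = set(allowed_apps)  # application filtering
        self.rules = list(rules)               # packet filtering, first match wins
        self.connections = set()               # stateful inspection: flows this host opened

    def decide(self, p: Packet) -> str:
        if p.direction == "in":
            # Stateful inspection: an inbound packet that belongs to a connection this
            # host opened is passed without re-evaluating the rule list. Flows are
            # stored as (proto, local ip, local port, remote ip, remote port).
            if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
                return "allow:established"
        else:
            # Application filtering: only approved processes may originate traffic,
            # whatever port they use.
            if p.process not in self.allowed_apps:
                return "block:application"
        for rule in self.rules:  # packet filtering
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.connections.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
                return f"{rule.action}:rule"
        return "block:default"  # implicit deny for anything no rule covers


def run_demo():
    """Feed a constructed packet sequence through the model and return the decisions."""
    fw = ClientFirewall(
        allowed_apps={"chrome.exe", "outlook.exe"},
        rules=[Rule("allow", direction="out", proto="tcp", dst_port=443),
               Rule("allow", direction="out", proto="tcp", dst_port=80),
               Rule("allow", direction="out", proto="udp", dst_port=53)],
    )
    local = "10.0.0.5"
    packets = [
        # browser opens an HTTPS connection: allowed by rule, flow recorded
        Packet("chrome.exe", "out", "tcp", local, 51000, "93.184.216.34", 443),
        # the server's reply: allowed because it matches the recorded flow
        Packet("", "in", "tcp", "93.184.216.34", 443, local, 51000),
        # unsolicited inbound SMB from the hotel LAN: no flow, no rule -> blocked
        Packet("", "in", "tcp", "203.0.113.9", 4444, local, 445),
        # unknown process tries port 80: blocked by application filtering
        # even though port 80 is allowed for approved applications
        Packet("dropper.exe", "out", "tcp", local, 51001, "203.0.113.9", 80),
        # approved process, unapproved port (IRC): no rule -> blocked
        Packet("chrome.exe", "out", "tcp", local, 51002, "198.51.100.7", 6667),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The unsolicited SMB packet is dropped even though nothing in the rule list mentions port 445, and the reply to the browser's HTTPS request is passed without any rule because the outbound flow was recorded. That connection record is what "stateful" means in practice, and it is also why the firewall stays useful on a hotel network, where every inbound packet is unsolicited.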

Module 1 - 8
Application Control enables network administrators to block certain non-malicious
applications from running on work computers. Typically Application Control is used to
prevent users from running applications that are not a security threat, but that are
considered unsuitable for use in the workplace environment, e.g., games or instant
messaging programs. It may also be used to control which applications are allowed
for compatibility reasons.

Module 1 - 9
Data Control provides data loss prevention (DLP) and is designed to reduce the risk of
accidental data transfer by employees.

The Data Control policy can be configured to monitor file types, names or confidential
content such as email addresses and credit card numbers during:

• The transfer of files onto storage devices (removable storage, optical and floppy
drives). Media devices that support the Media Transfer Protocol (MTP) and Picture
Transfer Protocol (PTP) are classed as removable storage and are monitored in the
same way
• The upload of files into applications (corporate web browsers, email clients and IM
clients)
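As an added example (not Sophos Data Control code; the rule names, thresholds, actions, destination names and sample files are all constructed), the following shows the kind of content matching such a policy relies on, including a Luhn check so that arbitrary 16-digit numbers are not reported as card numbers:

```python
"""Content-matching model for a Data Control style policy. Added example,
not Sophos code: rule names, actions, destination names, thresholds and the
sample files are constructed for illustration."""
import re
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Candidate card numbers: 13 to 19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; stops order numbers and similar digit runs being
    reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return the confidential content found in text, grouped by rule name."""
    found = {"email-address": [], "credit-card-number": []}
    for m in EMAIL_RE.finditer(text):
        found["email-address"].append(m.group())
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found["credit-card-number"].append(digits)
    return found


@dataclass
class DataControlPolicy:
    """Which transfer destinations are monitored, plus per-rule thresholds (constructed)."""
    monitored_destinations: set = field(default_factory=lambda: {
        "removable-storage", "optical", "floppy", "mtp-ptp",
        "web-browser", "email-client", "im-client"})
    blocked_file_types: set = field(default_factory=lambda: {".pst", ".kdbx"})
    card_threshold: int = 1     # one genuine card number is enough to block
    email_threshold: int = 10   # a single address is routine; a bulk list is not

    def evaluate(self, filename: str, text: str, destination: str) -> str:
        if destination not in self.monitored_destinations:
            return "allow"  # e.g. saving to the local disk is not a transfer
        ext = filename[filename.rfind("."):].lower() if "." in filename else ""
        if ext in self.blocked_file_types:
            return "block:file-type"
        found = find_sensitive(text)
        if len(found["credit-card-number"]) >= self.card_threshold:
            return "block:credit-card-number"
        if len(found["email-address"]) >= self.email_threshold:
            return "confirm:email-address"  # allow after user confirmation, log the event
        return "allow"


def run_demo() -> dict:
    """Evaluate a few constructed transfers and return the decision for each."""
    policy = DataControlPolicy()
    customers = ("name,email,card\n"
                 "A. Jones,a.jones@example.com,4111 1111 1111 1111\n"
                 "B. Smith,b.smith@example.com,5500-0000-0000-0004\n")
    # a 16-digit order reference that fails the Luhn check, plus a phone number
    notes = "Order ref 1234567812345678 raised with supplier, call 020 7946 0958."
    mailing = "\n".join(f"user{i}@example.org" for i in range(12))
    return {
        "customers-to-usb": policy.evaluate("customers.csv", customers, "removable-storage"),
        "customers-local": policy.evaluate("customers.csv", customers, "local-disk"),
        "notes-to-usb": policy.evaluate("notes.txt", notes, "removable-storage"),
        "mailing-to-webmail": policy.evaluate("list.txt", mailing, "web-browser"),
        "archive-to-dvd": policy.evaluate("mail.PST", "", "optical"),
    }


if __name__ == "__main__":
    for transfer, decision in run_demo().items():
        print(f"{transfer}: {decision}")
```

The Luhn check is what separates a usable rule from a noisy one: the order reference in `notes.txt` is sixteen digits long but is not reported, while both test card numbers in the CSV are. Real policies tune the thresholds per destination; a lone email address leaving by webmail is normal, a list of hundreds is worth a confirmation prompt and a log entry.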

Module 1 - 10
Device Control restricts access to devices on an endpoint such as USB sticks and
wireless network cards. It allows an administrator to manage whether the device type
is allowed, read only, or blocked. Supported devices include:

• Removable storage, including thumb drives, USB keys, and external hard disks
• Secure removable storage
• Optical media drives (CD / DVD / Blu-ray)
• Disk drives (floppy drives)
• Network interfaces such as wireless, modems, Bluetooth and infrared
• Media Transfer Protocol (MTP), including BlackBerry, iPhone and various types of
Android smart phone
• Picture Transfer Protocol (PTP), commonly used on digital cameras

Module 1 - 11
Tamper Protection prevents unauthorized users from uninstalling Sophos security
software or disabling it through the Sophos Endpoint Security and Control interface.
When it is enabled, configuration options are greyed out in the interface.

If it is necessary to disable or remove the client, tamper protection can be turned off
by authenticating with the tamper protection password.

Module 1 - 12
90% of attacks can be prevented by applying an existing patch for the operating
system or application. Despite this, many computers remain at risk because of the
effort required to test and deploy patches. Patch Assessment prioritizes the most
critical patches by tying them to the threats they prevent. It also shows the
computers that require patching.

The key features are:

• Scanning to locate unpatched computers that are vulnerable to threats
• Prioritization of patches based on threats and likelihood of exploit

Module 1 - 13
Web Control – restricts or allows access to specific websites based on category or
URL. As well as protecting computers on the corporate network it can also protect,
control, and report on computers that are located, or roam, outside the network.

Module 1 - 14
Malicious Traffic Detection (MTD) is provided for Windows clients and monitors
outbound HTTP traffic from non-browser processes for connections to known
malicious URLs, such as botnet command and control servers and other malware
sites. If such traffic is detected it is an early indicator that a new piece of malware,
not yet detected by other means, may be present on the endpoint. It can also aid in
the collection of samples to enable SophosLabs to write specific detection criteria.

MTD will typically be invisible as a feature to users. In the illustration the new
malware attempts to connect to a known malware site. Malicious Traffic Detection
intercepts the traffic and instructs Sophos Anti-virus to perform a memory scan and
attempt to disable the process using the HIPS functionality.

This feature is supported for Windows clients running Vista, Windows 7, and
Windows 8.x.

Web browsers are not monitored with MTD, but are still protected by Sophos Web
Control. To prevent any conflicts, Firefox, Internet Explorer, Google Chrome, Opera
and Safari are automatically excluded from MTD.
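The following added example (not Sophos MTD code) applies the logic described above to a few constructed connection records: browser processes are skipped, only plain HTTP is considered, and the known-bad host list stands in for the SophosLabs data that the real feature uses. The record format, process names and hosts are all invented for the illustration.

```python
"""Detection logic in the spirit of Malicious Traffic Detection, run over
constructed connection records. Added example, not Sophos MTD code: the
record format, process names and the known-bad host list are invented; a
real deployment takes its URL intelligence from SophosLabs."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Browsers are excluded from monitoring to avoid conflicts; they are covered by the
# web filtering components instead (see the text above).
BROWSER_PROCESSES = {"firefox.exe", "iexplore.exe", "chrome.exe", "opera.exe", "safari.exe"}

# Constructed stand-in for the known-bad URL data.
KNOWN_BAD_HOSTS = {"c2.example.net", "dl.bad.example.org"}

# Constructed record format: <timestamp> pid=<n> proc=<image> <METHOD> <url>
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    pid: int
    process: str
    host: str
    action: str  # what the endpoint is instructed to do in response


def host_is_known_bad(host: str) -> bool:
    """Exact match, or a subdomain of a listed host (beacon.dl.bad.example.org)."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS)


def analyse(records):
    """Return one Alert per outbound HTTP request from a non-browser process to a
    known-bad host."""
    alerts = []
    for line in records:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # malformed record: skip it rather than stop monitoring
        proc = m["proc"].lower()
        if proc in BROWSER_PROCESSES:
            continue
        url = urlsplit(m["url"])
        if url.scheme != "http" or not url.hostname:
            continue  # the feature as described looks at plain HTTP only
        if host_is_known_bad(url.hostname):
            # The sending process is the early indicator: scan its memory and stop it.
            alerts.append(Alert(m["ts"], int(m["pid"]), proc, url.hostname,
                                "memory-scan-and-terminate"))
    return alerts


SAMPLE_RECORDS = [  # constructed for this example
    "2015-04-01T09:00:01Z pid=1204 proc=chrome.exe GET http://c2.example.net/login",
    "2015-04-01T09:00:02Z pid=812 proc=svchost.exe GET http://update.example.com/wu.cab",
    "2015-04-01T09:00:05Z pid=4412 proc=updater.exe POST http://c2.example.net/gate.php",
    "2015-04-01T09:00:06Z pid=4412 proc=updater.exe GET http://beacon.dl.bad.example.org/x",
    "2015-04-01T09:00:07Z pid=5120 proc=rundll32.exe GET https://c2.example.net/",
    "garbage line that does not parse",
]


def run_demo():
    return analyse(SAMPLE_RECORDS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only the two requests from `updater.exe` raise alerts: the browser's visit to the same host is deliberately ignored, the HTTPS request falls outside what the text says MTD inspects, and the unparseable line is skipped. The second alert matches through the subdomain rule, which is why the comparison is done on the parsed hostname rather than on the raw URL string.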

Module 1 - 15
Now let’s just clarify some functionality that is not included in Enduser Protection and
the first of these is full disk encryption. Legacy versions of Sophos Enduser Protection
offered an optional license for full disk encryption and power on authentication
(POA), with policies managed from Sophos Enterprise Console. This has been
replaced by Sophos SafeGuard Enterprise Encryption which provides a data
protection solution for multiple devices and operating systems.

SafeGuard Enterprise Encryption protects data on PCs, mobile devices, and data that
has been placed in the cloud or on a file share. It also integrates with Microsoft’s
BitLocker and Apple’s FileVault encryption technologies.

The SafeGuard Management Center manages encryption for all devices and platforms
from a unified management center. It works with Active Directory to import user and
device information and then apply data security policies to groups. It offers secure
storage, exchange, and recovery of keys for all supported devices and operating
systems.

Customers who have the licenses for full disk encryption can continue to use this
component of enduser protection and manage it from Sophos Enterprise Console.

Module 1 - 16
The second thing to note is that Sophos offers a specialized Server Security solution
that supports Windows Server as well as popular flavors of Linux (including CentOS
and Ubuntu) and UNIX operating systems such as HP-UX, Sun Solaris and IBM AIX.

For more information on the platforms supported by Sophos Server Security:
http://www.sophos.com/en-us/support/knowledgebase/119802.aspx

For virtualized environments there are two options. The full-featured endpoint client
can be installed on the guest operating system and runs with a low memory footprint
on hypervisors like VMware ESXi, Hyper-V and XenServer. For those using a VMware
environment it is also possible to deploy agentless scanning via vShield Endpoint.
Instead of installing and running virus scanning on each virtual machine vShield
Endpoint uses a secure virtual appliance. This downloads and stores virus signatures
and has a virus-scanning engine which protects all virtual servers.

For more information on Sophos Anti-virus for vShield:
http://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-antivirus-for-vshield-dsna.pdf?la=en

Module 1 - 17
Sophos Enterprise Console helps customers manage all the security features included
in Enduser Protection. Microsoft SQL Server is used to store data for the application.

Enterprise Console supports management of Windows, Linux, Mac OS X, UNIX and
virtualized machines. It allows administrators to:

• Discover all computers on the network
• Deploy Sophos to endpoints
• Create and assign policies to be enforced on endpoints
• View/Inspect the current status of Sophos installations
• View and resolve alerts and errors centrally
• Force immediate scans or updates on an endpoint
• Generate reports
• Manage centralized updating on the network

Module 1 - 18
The screenshot shows Enterprise Console. At the top of the screen there is a
configurable dashboard that provides a quick indication of the status of endpoints,
highlighting any issues in red that may be of concern.

The left hand side has a pane showing groups that have been added by the
administrator or imported from Active Directory. These groups contain computers.

The policies pane is below the Groups pane. Policies are used to configure settings for
the various security components installed on a managed endpoint. These policies are
assigned to the groups, so different policies can be applied to different groups.

The Computer pane shows detailed status information for all computers that are
managed by SEC. It also shows computers that have been discovered but are not yet
managed.

Module 1 - 19
Update managers enable automatic updating of Sophos security software from the
Sophos website. An update manager is installed with and managed from Enterprise
Console.

Once an update manager is configured it:

• Connects at a scheduled frequency to a data distribution warehouse
• Downloads updates to the threat detection data and updates for the security
software
• Places the updated software in one or more network shares so it can be installed
on endpoint computers

Module 1 - 20
Sophos Cloud provides an alternative for organizations that want maximum flexibility.
Instead of deploying Enterprise Console on-premises, customers can use a browser to
connect to the cloud management console hosted by Sophos. Although the
management components are hosted in the cloud, the Enduser Protection software
installed on each device is exactly the same as that for on-premises deployments.

Module 1 - 21
You are now going to see a short demonstration of the Sophos Enterprise Console
user interface which you can view at your own pace. Click in the blue box when you
are ready to move onto the next slide.

Module 1 - 22
Enterprise Console shows the Dashboard which provides a quick indication of the
status of computers, highlighting any issues in red that may be of concern.

Module 1 - 23
Clicking the Dashboard button hides it to allow more space on screen to view
Computers, Groups and Policies.

Module 1 - 24
The Update managers button is used to switch from Endpoints view to the Update
managers view.

Module 1 - 25
In Update manager view the Groups and Policies panes are replaced by Software
Subscriptions. Only computers hosting Update Managers are shown. The Endpoints
button replaces Update Managers and Discover computers is grayed out.

Module 1 - 26
Right clicking on an object provides a list of actions that can be performed - in this
case for a Group. Selecting a Group shows just the computers that are members.

Module 1 - 27
The Dashboard links can be used to view details of the affected computers and
change to the tab showing the relevant status.

Module 1 - 28
The View has changed to ‘Computers with data control events...’. Only WORKSTATION
is showing.

Module 1 - 29
Now the View shows ‘Computers with application control events...’. Not all the tabs
are visible so the scroll buttons can be used.

Module 1 - 30
The ‘View’ drop down list can be used to select the computers that are visible.

Module 1 - 31
All computers are now shown again. A gray computer sign means that the computer
is not managed by Enterprise Console.

Module 1 - 33
SophosLabs are the people behind the scenes, collecting, correlating and analyzing
data to provide the best protection for every Sophos customer. The lab team
developed a state of the art big data analytics system to efficiently process the
millions of emails, URLs, files, and other data that come into the labs each day.

SophosLabs expertise covers threat data such as:

• Malware (viruses, worms, trojans, rootkits and spyware)
• Adware
• Host Intrusion Prevention System (HIPS) rules
• Malicious URLs
• Spam campaigns

They also cover additional security intelligence such as:

• Data loss prevention (sensitive data types)
• Application control
• Device control
• Web URL database for web control
• Application patches

For Enduser Protection, threat data is made up of Identities, Genotypes and HIPS
rules.

• Identities, or IDE files, contain data which allow Sophos Enduser clients to detect
and clean up malware and other threats.
• Behavioral Genotypes are special identities tuned to detect variants, families and
large categories of malware.
• HIPS rules are used to watch all system processes for signs of active malware
actions.

Threat updates are released multiple times per day and are only a few kilobytes in size.

Module 1 - 34
The Labs section of the Sophos web site shows the latest information about security
threats.

Module 1 - 35
The Sophos Support site provides a wide range of information and resources. It is the place
to go to for product documentation, knowledgebase articles and downloads.

Module 1 - 36
The site is also designed to make it easy for customers to communicate with the team
at SophosLabs. For example, customers are encouraged to send samples of suspicious
emails and attachments for investigation.

A knowledgebase article provides instructions on how to do this safely:
http://www.sophos.com/en-us/support/knowledgebase/17327.aspx

Module 1 - 37
The Sophos knowledgebase provides a large number of articles written by Sophos technical
support to help administrators with:

• Rollout and configuration best practice
• Advanced configuration
• Disaster recovery planning
• Significant files and registry keys
• Troubleshooting on all supported platforms

It also provides links to Sophos Technical Support Videos.

Module 1 - 38
At the bottom of the Sophos website page there are links to access the Sophos
Community, which includes:

• The main corporate blog
• Social networks via Facebook, Twitter, YouTube and other social media
• Naked Security News
• Podcasts and RSS feeds

There are also quick links to information such as white papers and technical papers.

Module 1 - 39
You will now download the Enterprise Console Help documentation from the Support
site and use this to prepare for the next activity.

Module 1 - 40
Drag the Enterprise Console computer status icon to the box next to the correct
description:

• The computer is not managed by Enterprise Console
• Installation of security software is in progress
• The computer that is usually managed by Enterprise Console is disconnected from
the network
• Installation of security software is pending
• The computer is managed by Enterprise Console


Module 1 - 41
On completion of this module, you can now:

• Describe the function of each of the components of Sophos Enduser Protection
• Understand the benefits of using Sophos Enterprise Console
• Recognize the importance of SophosLabs in protecting our customers
• Locate information using the Sophos Support site

Module 1 - 42
Please take a few minutes to answer the following knowledge check questions.

Module 1 - 43
Thank you for taking this Sophos Certified Engineer module for Enduser Protection.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Module 1 - 49
Now that you have completed this module, you should complete Module 102:
Solution architecture

Module 1 - 50
Thank you for your time, please close this window to return to the Partner Portal.

Module 1 - 51
Hello, and welcome to this Sophos Certified Engineer training course for Enduser Protection
version 5.3. This is Module 102, Solution architecture.

Sophos Certified Engineer


Enduser Protection ET102 – Engineer Theory
April 2015

Training version: 5.3.0


Product version: Enterprise Console 5.3, Endpoint Protection 10.3


Module 2 - 1
This course is split into eight modules; you are now in module two.

Module 2 - 2
The module covers each of the components that make up Enduser Protection. It
describes their function and shows how they communicate with other components.

Module 2 - 3
Once you complete this module you will be able to:

• List the components that comprise the solution
• Describe the position and function of each of the components within the
Enduser Protection architecture

Module 2 - 4
In the last module we introduced Sophos Enterprise Console (known as SEC) as a
management interface. Now we are going to look in more detail at the solution
architecture and the components it includes. These include a SQL Database in which
all endpoint management and policy information is stored.

SEC does not communicate directly with the database to obtain and write
information, it uses the Sophos Management Service to do this. This component is
responsible for retrieving information from the database so it can be displayed in SEC
and also for writing any new configuration to the database. SEC is therefore
dependent on both of these components to display information.

Module 2 - 5
Given that there are a number of components that work with SEC, do all these
components need to be installed on the same machine?

The most common scenario is that the Enterprise Console, the Management Server
components and the database are installed on the same server. However, in larger
organizations, an additional console may be installed remotely, for example on the
administrator's PC as well as on the server, so that administration can be
performed from two locations.

The console, the management server and the database can also each be installed
on separate machines. This is often the case when the customer wishes to use an
existing SQL Server instance to host the Sophos database, or to spread the load.

Module 2 - 6
Now we will widen the picture a little and see where further components fit in.
Another important piece is Sophos Update Manager, known as SUM. This
frequently checks the Sophos online warehouses for the latest updates and
downloads them centrally. More often than not, Sophos Update Manager will be
present on the same machine as SEC.

Updates and product packages are stored in Central Installation Directories (known as
CIDs) so that client machines on the network can update from them. However,
Sophos Update Manager and client machines need to exchange information with SEC
and SEC needs to report accurate status information for endpoints and also send
policies to them. This is performed using the Remote Management System (RMS).

Module 2 - 7
The diagram shows how SUM fits into the product set and the communication that
takes place between the components.

On the left hand side we have SEC which communicates with the Sophos database via
the Management Service.

We also have RMS which is the communication mechanism that allows endpoints to
communicate with SEC and vice versa.

To the right of RMS we have SUM which is responsible for downloading the latest
updates and writing them to central installations so they can be downloaded by
endpoints.

SUM needs to report status information to SEC so it also uses RMS to communicate
with SEC.

Larger environments may have additional SUM installations for load balancing. These
also communicate with SEC via RMS allowing the centralized management of all
updating taking place on the network.

In this example a child SUM in the Branch Office updates from a parent SUM in the
head office. In all cases Sophos Update Manager must be run on Windows.

The Branch Office can be configured with a secondary download location pointing to
Sophos that is used if communication to the Head Office fails.

Module 2 - 8
Central Installation Directories, or CIDs, are used by managed computers to download
the installation files and the update files.

Sophos Update Manager (SUM) automatically downloads software and threat
updates, by default every 10 minutes, from the Sophos website. CIDs can be
replicated to remote offices to ensure that update files are only transferred once
through the WAN.

The default CID is located on the SUM server in a UNC path \\<server
name>\SophosUpdate\CIDs. However, CIDs managed by SUM can be hosted on any
file server which supports UNC shares with Windows authentication or NetWare
authentication.

CIDs can also be hosted on web servers, such as Microsoft IIS or Apache. They are
then referred to as web CIDs and use a virtual directory to point to the CID location.

The HTTP protocol offers the following benefits over UNC shares:

• HTTP is a convenient way to update Sophos Anti-Virus on Macintosh, Linux and
UNIX
• It does not rely on Windows authentication
• It uses less network bandwidth and is more scalable
• Web CIDs can be used to update endpoints across the internet without using the
Sophos website

Because endpoints install whatever the CID serves, a web CID that is reachable from
the internet should still require the user name and password that AutoUpdate is
configured with rather than allowing anonymous access, and write access to the CID
location should be restricted to the update manager that populates it.

Module 2 - 9
Sophos AutoUpdate is a component that is installed as part of the Sophos Endpoint
client software. It handles updates for all the client software components.

AutoUpdate can be configured with a primary and secondary update location so that
updates can be downloaded from the secondary location if the primary cannot be
reached. AutoUpdate automatically connects and authenticates with a pre-configured
user name and password at a scheduled interval.

A further feature of AutoUpdate is the ability to limit the network bandwidth. This is
useful for slow or sporadic network connections where a large update cannot be
downloaded in a single session.

Module 2 - 10
We mentioned earlier that the Remote Management System (RMS) is a
communication system that allows Sophos components to securely and reliably send
messages between each other.

It is used to send policies and instructions to endpoints managed by SEC, and to allow
endpoints to send status information back to the server so they can be displayed in
the SEC.

RMS consists of a number of components that ensure the reliable and secure transit
of messages between endpoints and the server.

At the top we have SEC, which is where an administrator will perform management
tasks. This connects to the Management Service, which is the first part of RMS and is
responsible for writing and reading information to/from the database.

The Message Router is used when it is necessary to send information to a
client machine such as a new policy, or an instruction to perform a full scan.

A message router is also located on the endpoint to receive the message. The router
itself only knows where the message came from and where it is going to. It is another
component, the Sophos Agent, that is able to read the message and work out
which Enduser Protection component it should go to. The image shows three
adapters within the Sophos Agent:

• SAV Adapter communicates with the Anti-virus component
• AU Adapter with AutoUpdate and
• SCF Adapter with the Firewall.

If a message needs to be sent back to the console, such as a malware detection, the
process works in reverse. Certificates are used to authenticate connections to the
server Message Router. The Certification Manager component is used to issue
certificates to message routers on the client. No certificate, no communication!

Module 2 - 11
Patch Assessment uses extra components. The client has a Patch Agent that uses
HTTP to report its currently installed patches to the Patch Server. The Patch Server
also uses HTTP to communicate with the database and SEC.

The diagram also shows the protocols and ports used for communication between
other components. The Management Service and SEC use HTTP and COM+. COM+
is a Microsoft technology which supports communication between application
components.

The RMS Message Routers use ports 8192 and 8194.

Summary of port configurations in Sophos applications:
http://www.sophos.com/en-us/support/knowledgebase/38385.aspx

Module 2 - 12
Use this activity to see if you can remember the function of components described in
this module.

Drag the component on the left to the box ABOVE the correct description

Message Router
Sophos Agent
Sophos Update Manager
Central Installation Directory
Management Service

Used by managed computers to download the installation files and the update files
Checks the Sophos Online warehouses for the latest updates and downloads them
centrally
Allows managed endpoints to communicate with the server and vice versa
Allows communication between Sophos Enterprise Console and the database
Reads messages and works out which Enduser Protection component it should go to


Module 2 - 13
On completion of this module, you can now:

• List the components that comprise the solution
• Describe the position and function of each of the components within the Enduser
Protection architecture

Module 2 - 14
Please take a few minutes to answer the following knowledge check questions.

Module 2 - 15
Module 2 - 16
Module 2 - 17
Module 2 - 18
Module 2 - 19
Module 2 - 20
Thank you for taking this Sophos Certified Engineer module for Enduser Protection.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Module 2 - 21
Now that you have completed this module, you should complete Module 103: System
requirements and deployment.

Module 2 - 22
Thank you for your time, please close this window to return to the Partner Portal.

Module 2 - 23
Hello, and welcome to this Sophos Certified Engineer training course for Enduser Protection
version 5.3. This is Module 103, System requirements and deployment.

Sophos Certified Engineer
Enduser Protection ET103 – Engineer Theory
April 2015

Training version: 5.3.0
Product version: Enterprise Console 5.3, Enduser Protection 10.3

Module 3 - 1
This course is split into eight modules with lab exercises interspersed throughout. You are
now in module three.

Module 3 - 2
This module starts by looking at the system requirements for Sophos Enterprise
Console and Enduser Protection. It then covers the key steps required to install
Enterprise Console. The next topic describes the options for installing Enduser
Protection and the module continues with a look at the Competitor Removal Tool and
product upgrades.

Before completing the labs you will see a short demonstration showing installation of
the Mac Enduser Protection client. In the labs you will register for a trial and then
install the management and endpoint software using your personal lab environment
hosted by Cloudshare.

Module 3 - 3
Once you complete this module you will be able to:

• Qualify the main system requirements for the management software and endpoint
software components
• Recognize the main steps for deploying Sophos Enterprise Console
• Understand the options for deploying Enduser Protection software

Module 3 - 4
The slide shows the main system requirements for Enterprise Console.
MS SQL Server Express is a free database provided by Microsoft. This is the default
database installed with the Sophos setup, and is suitable for sites of up to 6,000
endpoints. For larger sites you should involve a Sophos engineer to deploy using the
full version of SQL Server.

Please note that although it is possible to install Enterprise Console and the
Management Server on Windows 7 this has performance limitations. However, there
may be benefits in using operating systems such as Windows 7 and 8.x to deploy the
Remote Console. This can allow tasks to be delegated to other users.

System Requirements for Enterprise Console are documented and regularly updated
on the Sophos Support site.

System Requirements for Enterprise Console
http://www.sophos.com/en-us/support/knowledgebase/118635.aspx

How to install additional remote Enterprise Consoles
http://www.sophos.com/en-us/support/knowledgebase/49028.aspx

Module 3 - 5
The slide shows the main system requirements for Enduser Antivirus and Client
Firewall. Again, you should refer to the knowledgebase articles to find the latest
information.

The links shown cover system requirements for Antivirus Protection on Windows,
Mac and Linux as well as the requirements for Client Firewall on Windows.

System Requirements for Antivirus protection for Windows:
http://www.sophos.com/en-us/support/knowledgebase/118621.aspx

System requirements for Antivirus protection for Mac:
http://www.sophos.com/en-us/support/knowledgebase/118623.aspx

System Requirements for Antivirus protection for Linux:
http://www.sophos.com/en-us/support/knowledgebase/118624.aspx

System Requirements for Client Firewall:
https://www.sophos.com/en-us/support/knowledgebase/118622.aspx

Module 3 - 6
Sophos offers 30 day trials of Enduser Protection Bundles for both On Premise and In
the Cloud deployments. In the lab at the end of this module you will request a trial
username and password.

To convert this trial into a full product, you only need to replace the trial credentials
with a fully licensed username and password in Sophos Update Manager.

Enduser Protection Bundles – Free Trial:
https://www.sophos.com/en-us/products/enduser-protection-suites/free-trial.aspx

Module 3 - 7
We’ll now look at the process of installing Sophos Enterprise Console. You will
complete this activity in the lab at the end of the module.

The installation package is available from www.sophos.com and is a self-extracting
archive, using the SFX file format. The version used for this training is sec_530_sfx.
Running sec_530_sfx will first extract the files to the selected directory. It then
automatically launches setup.exe to install SEC and other associated components. The SFX
also includes the prerequisite software, such as the .NET Framework, that needs to be
available prior to the installation of SEC.

Module 3 - 8
The Components Selection page defaults to all components. If Management Server or
Database are not selected, the program will ask for their location.

Separate Windows installer files (.msi) are used for each component. There are also
64 and 32-bit versions and the correct version for the platform is automatically
selected.

Module 3 - 9
The installer completes a number of System Property checks to ensure the
destination meets its requirements.

Prerequisite checks performed by the Sophos Enterprise Console 5.x installer:
http://www.sophos.com/en-us/support/knowledgebase/113945.aspx

Module 3 - 10
If the database component was selected, you will be given the choice to:

• Create a new SQL instance for the DB named SOPHOS
• Use an existing SQL instance

An existing user account is required for the management service to connect to the
DB. This can be an Active Directory (AD) or local account but an AD account is
recommended if the management server is a domain member. This account does not
require any administrative privileges in Active Directory and is assigned the necessary
privileges for the database during installation. It is recommended that it is configured
with a secure password that does not expire.

Module 3 - 11
During the installation of Sophos Enterprise Console the installer prompts for access
to port 80 for HTTP traffic, with the option to configure another port.

The HTTP port number is required for:

• Managed endpoints running the Sophos Patch Agent that need to communicate
with the management server
• An Enterprise Console installation (local or remote to the management server) to
communicate with the Web Control and Patch server-side components

It may be necessary to select another port if 80 is already being used by an
application that is unable to share the port.

Why is port 80 required/needs configuring when installing or upgrading to Enterprise
Console 5.x?
http://www.sophos.com/en-us/support/knowledgebase/114182.aspx
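The check a practitioner would run on the management server before setup asks for the HTTP port, written here as an added example; it is not part of this course or of the Sophos installer. It uses only the port numbers the course states (RMS Message Routers on 8192 and 8194, HTTP on 80). The alternative HTTP port list, the function names and the test helpers are this example's own assumptions.

```python
"""Pre-installation port check for an Enterprise Console host.

Added example, not Sophos code. It uses only the port numbers the course
states (RMS Message Router 8192 and 8194, HTTP 80) and answers two questions
a practitioner has before running setup: is port 80 already taken by an
application that cannot share it, and which alternative port is free.
The same check, run after installation, shows whether the services are up.
"""
import socket
from typing import Dict, Iterable, List, Optional, Tuple

# Port roles as stated in the course; grouping them in a dict is this example's layout.
REQUIRED_PORTS: Dict[str, List[int]] = {
    "RMS Message Router": [8192, 8194],
    "HTTP (Patch Agent, Web Control and Patch server-side components)": [80],
}


def port_in_use(port: int, host: str = "127.0.0.1") -> bool:
    """Return True if something is already bound to host:port.

    Binding a throw-away socket is the most reliable test: EADDRINUSE means a
    listener (or a TIME_WAIT socket) holds the port. A privileged port that we
    are not allowed to bind raises PermissionError instead, so fall back to a
    connect attempt rather than reporting it as busy.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
            return False
        except PermissionError:
            pass  # cannot bind low ports without privilege; try connecting instead
        except OSError:
            return True
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(0.5)
        return probe.connect_ex((host, port)) == 0


def choose_http_port(preferred: int = 80,
                     candidates: Iterable[int] = (8080, 8081, 8443)) -> Optional[int]:
    """Return the preferred HTTP port if it is free, else the first free candidate.

    The candidate list is this example's own; setup lets you enter any port.
    """
    for port in (preferred, *candidates):
        if not port_in_use(port):
            return port
    return None


def check_required_ports(ports: Dict[str, List[int]] = REQUIRED_PORTS) -> Dict[int, bool]:
    """Map each required port to whether it is currently occupied on this host."""
    return {port: port_in_use(port) for plist in ports.values() for port in plist}


def open_test_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Start a listener on an ephemeral port so the check can be exercised offline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(1)
    return listener, listener.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Ask the OS for an ephemeral port and release it again (constructed helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind((host, 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    for role, plist in REQUIRED_PORTS.items():
        for port in plist:
            state = "IN USE" if port_in_use(port) else "free"
            print(f"{port:>5}  {state:<6}  {role}")
    print("HTTP port to offer setup:", choose_http_port())
```

Run it before setup to learn whether 80 is already held and which port to enter at the HTTP prompt; after installation the same `check_required_ports()` output, read the other way round, confirms that the Message Router ports are listening. Binding is tried before connecting because a connect test can be answered by a proxy or a firewall rule rather than the port's real owner.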

Module 3 - 12
Another user account is required for the Sophos Update Manager and is used by
endpoints to obtain updates from Central Installation Directories (CID) after
deployment. This needs to be an existing account with a password that never expires.
The Windows Log on as a service right is assigned to the selected account.

This finishes our overview of the key settings required for installation of Enterprise
Console. You will configure these settings when you complete the lab at the end of
this module.

Module 3 - 13
Now we will consider installation of Sophos Enduser Protection, which can be
achieved using the following methods:

• Automatically – using the Protect Computer Wizard provided in Enterprise Console
• Active Directory Synchronization – which synchronizes Enterprise Console groups
with Active Directory containers.
• Manually – using an installer located on a CID
• Custom installer package – an installation package created using the Sophos
Deployment Packager tool

It is also possible to download the installer from www.sophos.com and install this as
a standalone product. However, this does not provide the benefits of centralized
management and policies.

Module 3 - 14
The Protect Computers Wizard allows managed computers to have Enduser
Protection software deployed automatically. Before protecting computers from the
console:

• Create one or more Enterprise Console groups to contain the computers that
require Enduser Protection software
• Ensure that there is a correctly configured updating policy applied to the groups
that will be protected. Updating polices are covered in the next module
• Prepare computers for automatic installation of the security software as described
in the Sophos endpoint deployment guide

Sophos endpoint deployment guide:
http://downloads.sophos.com/tools/on-line/deployment_guide/en-us/index.html

Automatic installation is not possible on Mac, Linux and UNIX computers; manual
installation must be used instead.

Module 3 - 15
Policies and enduser protection are based around Groups. Groups can be manually
created by the administrator or imported from Active Directory Containers and
Organizational Units (OUs). Once Groups representing the Active Directory containers
and OUs are visible in Enterprise Console they can be used with the Protect
Computers Wizard.

Synchronization with Active Directory links the Active Directory location with the
Enterprise Console Group and ensures that any new computers are automatically
discovered and added to the list of managed computers. The default synchronization
interval is 60 minutes, but this can be modified as required. Windows workstations
can be protected automatically when discovered during synchronization with Active
Directory.

When configuring synchronization, selecting Install Sophos security software
automatically causes the Wizard to follow steps similar to those in the Protect
Computers Wizard.

Important: Computers running Windows server operating systems, Mac OS, Linux, or
UNIX will not be protected automatically.

Module 3 - 16
When installation from the Sophos Enterprise Console is not possible you can use
alternative deployment mechanisms.

You can protect computers by running the installation program manually. Manual
installation is performed by running the installation file from one of the Bootstrap
Locations listed in the Sophos Enterprise Console. The bootstrap locations point to
the folder in the CID that holds the enduser software.

Module 3 - 17
The Sophos deployment packager tool creates a Windows self-extracting file. The
graphical user interface allows administrators to easily select which components will
be deployed, whether they should be included in the package or downloaded by
Sophos AutoUpdate during the installation, as well as the default updating
parameters.

How to create a standalone or custom installer package
http://www.sophos.com/en-us/support/knowledgebase/67504.aspx

Module 3 - 18
Running multiple anti-virus products on the same enduser client may cause
problems, for example:

• Files may become locked
• Files may be scanned twice
• One AV product may interfere with actions of the other

The Windows endpoint client software includes an integrated Competitor Removal
Tool (CRT). The files are located in the CID’s CRT subdirectory. The list of competitor
products in this directory is automatically updated by Sophos AutoUpdate.

By default setup.exe uses the CRT to:

• Detect third party Antivirus software
• Detect third party client firewall software (except the Windows firewall and VPN
clients)
• Stop the installation if a third party security software product is found

If you enable removal of third-party security software, setup.exe uses the CRT to
perform this task.

It is possible to ask Sophos to customize the CRT’s XML files to detect and remove
additional security software not already detected.

CRT can be tested by running the avremove.exe program manually from the CRT
directory for every version of the third party Antivirus and client firewall software
installed across the network.

Sophos Competitor Removal Tool: significant files and information
http://www.sophos.com/en-us/support/knowledgebase/117835.aspx

Module 3 - 19
Module 3 - 20
Enduser Protection for Mac can be downloaded from the Sophos web site or from a
managed source such as a Web CID.

Module 3 - 21
Module 3 - 22
Module 3 - 23
As with Windows it may be necessary to provide a user name and password for an
account that has permission to modify the system.

Module 3 - 24
Module 3 - 25
Module 3 - 26
Module 3 - 27
Module 3 - 28
Clicking on the Sophos icon in the Status menu displays options for using and
configuring the client.

Module 3 - 29
When one of the Sophos options (in this case Scan This Mac) is selected a Sophos
Anti-Virus menu appears in the Application menu next to File.

Module 3 - 30
The Sophos Anti-Virus menu has some additional options, for example Services.

A Sophos icon also appears in the Dock at the bottom of the desktop.

Module 3 - 31
Sophos licenses include unlimited upgrades.

Upgrades should be applied:

• When a new version is announced on the Sophos website and from Sophos email
notifications
• Before the product version is retired as specified in the software lifecycle (Product and
software retirement)
• Using the quick or the advanced upgrade guides, as well as the Upgrade Center

Module 3 - 32
On completion of this module, you can now:

• Qualify the main system requirements for the management software and endpoint
software components
• Recognize the main steps for deploying Sophos Enterprise Console
• Understand the options for deploying Enduser Protection software

Module 3 - 33
Please take a few minutes to answer the following knowledge check questions.

Module 3 - 34
Module 3 - 35
Module 3 - 36
Module 3 - 37
Module 3 - 38
Module 3 - 39
Thank you for taking this Sophos Certified Engineer module for Enduser Protection.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Module 3 - 40
Now that you have completed this module, you should complete labs 1, 2 and 3 from
the Lab Workbook. Following this continue to Module 104: Managing updating and
anti-virus.

Module 3 - 41
Thank you for your time, please close this window to return to the Partner Portal.

Module 3 - 42
Hello, and welcome to this Sophos Certified Engineer training course for Enduser Protection
version 5.3. This is Module 104, Managing updating and anti-virus.

Sophos Certified Engineer
Enduser Protection ET104 – Engineer Theory
April 2015

Training version: 5.3.0
Product version: Enterprise Console 5.3, Enduser Protection 10.3

Module 4 - 1
This course is split into eight modules; you are now in module four.

Module 4 - 2
This module will show how to use Enterprise Console to manage updating and ensure
that computers are protected from malware. It will also show how to view and
resolve security issues.

Module 4 - 3
Once you complete this module you will be able to:

• Configure Software Subscriptions and Updating policies
• Discover computers to be protected
• Configure and test policies for Anti-virus and HIPS
• Use Sophos Enterprise Console to view and resolve security issues

Module 4 - 4
As you saw in the first module the Sophos Enterprise Console (SEC) interface consists
of the following areas:

• Dashboard, which can be hidden
• Sophos SmartViews
• Groups pane
• Policies pane
• Computer list pane

In this and the following modules we will look at how SEC is used to configure and
manage enduser protection.

Sophos Enterprise Console’s text and help files automatically appear in the following
languages based on the control panel’s Regional and Language Options:

• English (default)
• German
• French
• Italian
• Spanish
• Japanese
• Chinese (traditional)
• Chinese (simplified)

Module 4 - 5
The first area we will consider is Software Subscriptions; these are only visible when
the Update Managers button is clicked.

In the labs you entered a user name and password allowing Update Manager to
authenticate with Sophos and download software and updates. The licenses
associated with the user name determine the options that are available for
download.

For an environment that includes different types of endpoints it is possible to add all
of these to the Recommended Software Subscription. This means that all endpoints
receive software for each of the platforms.

Alternatively it can be beneficial to configure multiple Software Subscriptions on an
Update Manager. For example, Windows Endpoints use a Software Subscription that
just contains the Windows Platform software. Mac computers can be configured to
receive just the Mac updates.

Each subscription (not just that named Recommended) has the option to select
between the Recommended and other versions. The Preview subscription, for
example, is fully tested production quality code that should be used if the customer is
experiencing any issues with the Recommended subscription. Updates and fixes are
usually released into the Preview subscription before they are released to other
subscriptions.

Software subscriptions in Enterprise Console
http://www.sophos.com/en-us/support/knowledgebase/119216.aspx

Module 4 - 6
The Software Subscriptions are used by Sophos Update Manager (SUM) when it
downloads updates to Sophos Enduser Protection software from the Sophos website.
SUM downloads:

• Software installation files and updates for selected enduser platforms
• Application, data and device control updates for Sophos Enterprise Console and
• Updates for the Update Manager software

Update Managers are centrally configured by Sophos Enterprise Console and include
settings such as:

• Update sources - which typically points to the Sophos website
• Schedule - the default frequency of checking for threat updates is 10 minutes and
60 minutes for software. This can be modified if required and scheduled updates
can also be configured by day and time
• Subscriptions – one or more of the subscriptions can be assigned to the SUM
• Distribution – for each subscription it is possible to configure one or more CIDs to
be updated by SUM

SUM’s update status is integrated in the Dashboard so alerts can be displayed when it
can’t update from Sophos.

Module 4 - 7
In the last module we looked at the available methods for installing the Enduser
Protection software; now we will look at the other steps that are required to protect
endusers.

Module 4 - 8
To protect computers in Enterprise Console, they must first be found and added to
the list of managed computers.

The Discover computers function provides the following options that search for
networked computers and add them to Enterprise Console:

• Import - retrieves the Active Directory (AD) container and Organizational Unit
structure and copies it into Enterprise Console as a computer group structure. It is
also possible to import computers and if this option is selected, computers found
in AD are placed in a group matching their location in the hierarchy
• Discover with Active Directory - discovers networked computers and adds them to
the Unassigned group
• Discover on the network – discovers computers including those that are not
members of AD and adds them to the Unassigned group
• Discover by IP range - can also be used to discover networked computers and add
them to the Unassigned group

Module 4 - 9
A group is a folder in Enterprise Console that holds computers. You must place
computers in groups in order to protect and manage them.

Groups can be imported from the Active Directory hierarchy and then synchronization
can be used to ensure that new computers are automatically managed and protected.

If groups are not imported from AD they must be created manually. They are typically
based on the computer’s location or role, as well as the security privileges required
by its user. Computers can then be moved from the Unassigned group into that which
is appropriate.

Each group has a policy applied for each of the Enduser Protection features.

Module 4 - 10
The table shows a summary of the Enterprise Console policies that are supported by
each client platform.

Supported Enterprise Console policies by endpoint platform
https://www.sophos.com/en-us/support/knowledgebase/120404.aspx

Module 4 - 11
The first policy we will look at is the Updating policy which specifies the Enduser
settings to be applied for Sophos AutoUpdate.

By default, computers update from a single primary source expressed as a UNC share.
If computers cannot contact their primary source, they attempt to update from their
secondary source (if one has been specified). Both primary and secondary update
server locations may be either UNC shares or HTTP URLs pointing to any Update
Manager on the network. The secondary update server location may alternatively be
configured to get updates directly from Sophos over the internet via HTTP.

Some laptop users may roam extensively or internationally within an organization.
When location roaming is enabled laptops attempt to locate and update from the
nearest update server location by querying other (fixed) endpoints on the local
network they are connected to. This minimizes update delays and bandwidth costs.

Module 4 - 12
The second policy we will consider is that used to configure Anti-virus and the Host
Intrusion Prevention System (HIPS). This is the core element of Enduser Protection
and provides On-access and Scheduled scanning that will detect and clean up:

• Viruses
• Trojans
• Worms
• Spyware
• Rootkits
• Adware
• Other potentially unwanted applications (PUAs)

Module 4 - 13
On-access scanning listens to the Windows file system to determine if a file is being
requested from or written to the disk. If it detects one of these actions, it restricts
access to the file and passes it to the Sophos Anti-virus (SAV) engine for scanning:

• If infected, access to the file is blocked and the action configured for cleanup is
performed
• If clean, access is granted.

This is transparent to the user.

Module 4 - 14
On-access scanning configuration supports a number of additional options. The first
we will consider is scanning for Adware and PUAs (Potentially Unwanted
Applications), which is enabled by default. PUAs are not considered malicious but
may affect productivity or be considered unsuitable for business networks.

On-access scanning can also be configured to scan for suspicious files. These files
display characteristics that are commonly, but not exclusively, found in malware. The
characteristics are not sufficiently strong for the file to be identified as a new piece of
malware.

If the Anti-virus scan has identified a file as suspicious but cannot further identify it,
Sophos Live Protection can assist. This provides 'in-the-cloud' checking for individual
files to determine if they are safe or malicious. Data such as the file’s checksum and
other attributes are sent to Sophos to assist with analysis. If the file is identified as
clean or malicious, the decision is sent back to the computer and the status of the file
is automatically updated.

Extensions and exclusions can be used to configure which files are scanned. The
default is to scan just executable and other vulnerable files.
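The on-access flow from the previous slide (intercept, scan, block or allow) together with the scope, suspicious-file and Live Protection behaviour described here, modelled as an added example; this is not Sophos code and does not reproduce the SAV engine. A checksum lookup stands in for the engine, a second lookup stands in for the cloud decision, and every extension list, exclusion, signature, cloud verdict and sample file is constructed for the example.

```python
"""On-access scanning decision flow.

Added example, not Sophos code: it models the flow described above (intercept
the file operation, decide whether the file is in scope, scan it, then block or
allow) with a checksum lookup standing in for the SAV engine and a second
lookup standing in for Sophos Live Protection. Every signature, cloud verdict,
extension list, exclusion and sample file here is constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatch
from typing import List, Optional, Set


class Verdict(Enum):
    ALLOW = "allow"            # clean, or outside the scanning scope
    BLOCK = "block"            # known malicious: access denied, cleanup action runs
    SUSPICIOUS = "suspicious"  # heuristics fired, no cloud decision yet: reported to the console


@dataclass(frozen=True)
class ScanResult:
    verdict: Verdict
    reason: str
    sha256: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for "scan just executable and other vulnerable files".
SCANNED_EXTENSIONS: Set[str] = {"exe", "dll", "com", "scr", "js", "vbs", "docm"}
# Constructed exclusions. They are checked before anything else, which is
# exactly why an exclusion must be as narrow as possible.
EXCLUSIONS: List[str] = ["C:\\Build\\*", "*.log"]

# Constructed heuristic marker: a "suspicious" file starts like a PE image and carries it.
SUSPICIOUS_MARKER = b"CONSTRUCTED-PACKER-STUB"

# Constructed sample files.
SAMPLE_MALWARE = b"MZ constructed malicious body"
SAMPLE_SUSPICIOUS_CLEAN = b"MZ " + SUSPICIOUS_MARKER + b" known vendor tool"
SAMPLE_SUSPICIOUS_UNKNOWN = b"MZ " + SUSPICIOUS_MARKER + b" never seen before"
SAMPLE_CLEAN = b"MZ constructed ordinary program"

# Constructed local identities (the "SAV engine"): checksum -> detection name.
KNOWN_BAD = {sha256(SAMPLE_MALWARE): "Troj/Constructed-A"}
# Constructed cloud knowledge (the "Live Protection" side): checksum -> decision.
CLOUD_VERDICTS = {sha256(SAMPLE_SUSPICIOUS_CLEAN): "clean"}


def in_scope(path: str) -> bool:
    """Exclusions win first; then only the configured extensions are scanned."""
    normalized = path.replace("/", "\\").lower()
    if any(fnmatch(normalized, pattern.lower()) for pattern in EXCLUSIONS):
        return False
    filename = normalized.rsplit("\\", 1)[-1]
    extension = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return extension in SCANNED_EXTENSIONS


def looks_suspicious(data: bytes) -> bool:
    """Constructed heuristic: characteristics common in malware, not proof of it."""
    return data.startswith(b"MZ") and SUSPICIOUS_MARKER in data


def live_protection_lookup(digest: str) -> Optional[str]:
    """Only the checksum leaves the computer; None means no decision is available."""
    return CLOUD_VERDICTS.get(digest)


def on_access(path: str, data: bytes) -> ScanResult:
    """Decide what happens when a process reads or writes `path` with content `data`."""
    digest = sha256(data)
    if not in_scope(path):
        return ScanResult(Verdict.ALLOW, "outside scanning scope", digest)
    if digest in KNOWN_BAD:
        return ScanResult(Verdict.BLOCK, f"detected {KNOWN_BAD[digest]}", digest)
    if looks_suspicious(data):
        decision = live_protection_lookup(digest)
        if decision == "malicious":
            return ScanResult(Verdict.BLOCK, "Live Protection: malicious", digest)
        if decision == "clean":
            return ScanResult(Verdict.ALLOW, "Live Protection: clean", digest)
        return ScanResult(Verdict.SUSPICIOUS, "suspicious file, awaiting decision", digest)
    return ScanResult(Verdict.ALLOW, "clean", digest)


if __name__ == "__main__":
    for path, data in [("C:\\Users\\a\\tool.exe", SAMPLE_MALWARE),
                       ("C:\\Build\\tool.exe", SAMPLE_MALWARE),
                       ("C:\\Users\\a\\helper.exe", SAMPLE_SUSPICIOUS_UNKNOWN)]:
        result = on_access(path, data)
        print(f"{path:<28} {result.verdict.value:<10} {result.reason}")
```

The second sample in the demo is the point to take away when setting exclusions: a known-bad file under an excluded path is never handed to the engine at all, so a broad exclusion such as a whole build or download tree removes on-access protection for everything written there.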

Module 4 - 15
Sophos Behavior Monitoring protects Windows computers from unidentified or
"zero-day" threats and suspicious behavior.

Suspicious behavior detection uses Sophos’s Host Intrusion Prevention System (HIPS)
to dynamically analyze the behavior of all programs running on the computer to
detect and block activity that appears to be malicious. It watches all system processes
for signs of active malware, such as suspicious writes to the registry or file copy
actions. It can be set to warn the administrator and/or block the process.

Buffer overflow detection catches attacks targeting security vulnerabilities in
operating system software and applications.

Module 4 - 16
The Web Protection component of Anti-virus and HIPS includes the following
features:

• Live URL filtering, which blocks access to websites that are known to host
malware. This feature works by performing a real-time lookup against Sophos’s
online database of infected websites
• Content scanning, which scans data and files downloaded from the internet (or
intranet) and proactively detects malicious content. This feature scans content
hosted at any location

By default, web protection is enabled. This is not the same as web control which is
used to control which websites users are allowed to access. Web control will be
covered in a later topic.

Additionally, Sophos Live Protection provides Sophos users with instant access to
SophosLabs malware and malicious URL data.

Module 4 - 17
The Authorization manager is used to allow programs and websites that have been
detected as potentially harmful to be authorized for use. For example, network
scanning tools such as NetCat (nc.exe) may be useful for the appropriate users.

Module 4 - 18
In the last few slides we have looked at the protection that Anti-virus and HIPS can
provide for Endusers. Tamper Protection prevents unauthorized users from
uninstalling the software and from disabling security features.

Once Tamper Protection is enabled it can only be disabled locally by entering the
password or by restarting the computer in Windows Safe Mode.

Tamper attempts, both successful and unsuccessful are recorded in the Tamper
Protection Event Viewer. Event Viewers are an important tool for managing enduser
protection; they are also available for firewall and patch, as well as device,
application, data and web control.

Module 4 - 19
The Dashboard provides an at-a-glance summary of the network's security status and
allows administrators to easily view and resolve issues.

Percentages for warning and critical levels can be configured as well as email alerts
when a warning or critical level has been reached.

Module 4 - 20
Smart Views filter the computers that are displayed.

The relevant view is automatically selected when an administrator clicks on a Dashboard link.

Module 4 - 21
A right click context menu is available for individual computers or a group; this includes the ability to
resolve alerts and errors.

The combination of the dashboard, Smart Views and right click actions provide an easy and quick way to
manage security issues.

Module 4 - 22
On completion of this module, you can now:

• Configure Software Subscriptions and Updating policies


• Discover computers to be protected
• Configure and test policies for Anti-virus and HIPS
• Use Sophos Enterprise Console to view and resolve security issues

Module 4 - 23
Please take a few minutes to answer the following knowledge check questions.

Module 4 - 24
Module 4 - 25
Module 4 - 26
Module 4 - 27
Module 4 - 28
Module 4 - 29
Thank you for taking this Sophos Certified Engineer module for Enduser Protection.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Module 4 - 30
Now that you have completed this module, you should complete Lab 4 and then
Module 105: Managing application, data and device control.

Module 4 - 31
Thank you for your time, please close this window to return to the Partner Portal.

Module 4 - 32
Hello, and welcome to this Sophos Certified Engineer training course for Enduser Protection
version 5.3. This is Module 105, Managing application, data and device control.

Sophos Certified Engineer
Enduser Protection ET105 – Engineer Theory
April 2015

Training version: 5.3.0
Product version: Enterprise Console 5.3, Enduser Protection 10.3

Module 5 - 1
This course is split into eight modules; you are now in module five.

Module 5 - 2
This module will show how to use Enterprise Console to configure application, data
and device control.

Module 5 - 3
Once you complete this module you will be able to:

• Configure policies to support application control
• Configure rules and policies for data control
• Configure device control
• Use the dashboard and event viewers to view and resolve security issues

Module 5 - 4
Application Control detects and blocks applications that, although legitimate, could
cause security, support or legal issues in the workplace. Such applications may
include instant messaging (IM) clients, Voice over IP (VoIP) clients or File Sharing
applications. The example shows all Instant Messaging applications blocked except
for Microsoft Lync.

The list of applications displayed in the console is managed by Sophos and is
automatically updated by Sophos Update Manager (SUM). The detection of updated
versions of these applications is managed by SophosLabs and is included in Sophos
AutoUpdate. In addition customers can submit a request to Sophos to include new
applications.

Module 5 - 5
Data control prevents accidental data loss that is typically caused by employees
mishandling sensitive data. For example, a user sends a file containing sensitive data
home via web-based email. Data control enables you to monitor and control the
transfer of files from computers to storage devices and applications connected to the
internet.

The data control rule conditions include:

• File types
• File names and extensions
• Destination, for example, removable storage devices and applications such as
internet browsers and email clients
• File content, based on Content Control Lists (CCLs) from SophosLabs or custom
CCLs

When data control detects activity that matches data control conditions it takes the
action specified in the rule. This can be one of the following actions:

• Allow file transfer and log event
• Allow transfer on acceptance by user and log event
• Block transfer and log event

If a file matches two data control rules that specify different actions, the rule that
specifies the most restrictive action is applied.
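The rule conditions and the "most restrictive action wins" resolution described above, as an added example; this is a constructed model for this module, not Sophos code. It assumes that every condition configured on a rule must hold for the rule to match, and uses regular expressions with a minimum hit count as a stand-in for a SophosLabs Content Control List; rule names, file type names and sample file contents are constructed.

```python
"""Constructed model of data control rule evaluation (not Sophos code)."""
from dataclasses import dataclass, field
import re

# The three rule actions from the notes, ordered from least to most restrictive.
ALLOW_LOG = "Allow file transfer and log event"
ALLOW_ACCEPT_LOG = "Allow transfer on acceptance by user and log event"
BLOCK_LOG = "Block transfer and log event"
RESTRICTIVENESS = {ALLOW_LOG: 0, ALLOW_ACCEPT_LOG: 1, BLOCK_LOG: 2}


@dataclass
class FileTransfer:
    name: str          # file name, e.g. "budget.xlsx"
    file_type: str     # category from a file type definition (constructed names)
    destination: str   # "removable storage", "internet browser", "email client", ...
    content: str = ""  # text extracted from the file (constructed sample)


@dataclass
class DataControlRule:
    name: str
    action: str
    file_types: set = field(default_factory=set)      # empty = any file type
    extensions: set = field(default_factory=set)      # e.g. {".xlsx"}; empty = any
    destinations: set = field(default_factory=set)    # empty = any destination
    ccl_patterns: list = field(default_factory=list)  # regexes standing in for a CCL
    ccl_min_hits: int = 1                             # matches needed to trigger

    def matches(self, t: FileTransfer) -> bool:
        # Assumption: all configured conditions must hold (logical AND).
        if self.destinations and t.destination not in self.destinations:
            return False
        if self.file_types and t.file_type not in self.file_types:
            return False
        if self.extensions and not any(t.name.lower().endswith(e) for e in self.extensions):
            return False
        if self.ccl_patterns:
            hits = sum(len(re.findall(p, t.content)) for p in self.ccl_patterns)
            if hits < self.ccl_min_hits:
                return False
        return True


def evaluate(rules, transfer):
    """Return (action, names of matching rules).

    No matching rule means the transfer proceeds and nothing is logged (None, []).
    When several rules match with different actions, the most restrictive wins.
    """
    matched = [r for r in rules if r.matches(transfer)]
    if not matched:
        return None, []
    action = max((r.action for r in matched), key=RESTRICTIVENESS.get)
    return action, [r.name for r in matched]


# Constructed policy: three overlapping rules so the resolution logic is exercised.
RULES = [
    DataControlRule("Office documents to removable media", ALLOW_ACCEPT_LOG,
                    file_types={"Office document"}, destinations={"removable storage"}),
    DataControlRule("Payment card numbers leaving the computer", BLOCK_LOG,
                    destinations={"removable storage", "internet browser", "email client"},
                    ccl_patterns=[r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"]),
    DataControlRule("Log all copies to removable media", ALLOW_LOG,
                    destinations={"removable storage"}),
]

if __name__ == "__main__":
    doc = FileTransfer("budget.xlsx", "Office document", "removable storage",
                       "Card 4111 1111 1111 1111")
    print(evaluate(RULES, doc))  # BLOCK_LOG wins over the two allow actions
```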

Module 5 - 6
The conditions and rules can be used in one or more data control policies and then
assigned to one or more groups.

Module 5 - 6
Data control policies contain one or more rules which can be based on file content or
type. The example shows a rule that matches Microsoft Office documents and logs an
event when a document is transferred to one of the configured destinations.

A large number of rules are pre-configured and administrators can edit these or
create their own.

Module 5 - 7
Data control includes file type definitions for over 150 different file formats. Any
newly added types will be automatically added to any data control rules that use that
file type category.

File types not covered by a file type definition can be identified using their
extensions.

Module 5 - 8
SophosLabs manages over 50 content rules covering:

• Document classification
• Financial data
• Personally identifiable information, such as email addresses, for multiple regions
around the world.

Module 5 - 9
Data control intercepts all files copied onto monitored device types using Windows
Explorer and from the Windows desktop. However, direct saves from within
applications, such as Microsoft Word, or transfers made using the command prompt
are not intercepted.

So if your Data Control policy only contains "Allow transfer on acceptance by user and
log event" rules, a user can bypass the system by saving files directly from within
applications or by using the command prompt. However, as soon as you define one rule
that has either "Block transfer and log event" or "Allow file transfer and log event"
set, the system will only allow files to be saved to storage devices using Windows
Explorer.

Data control can also intercept files being sent in applications such as email clients. To
ensure only file uploads by users are monitored, some system file locations are
excluded from data control monitoring. This significantly reduces the risk of data
control events being generated by applications opening configuration files as opposed
to users uploading files.

Module 5 - 10
Device control can detect and prevent the use of unauthorized external hardware
devices, removable storage media, and wireless connection technologies.

By default Device control is not enabled and all devices are allowed. If required it can
be configured to detect but not block. Devices that are connected to an Endpoint,
while in the “Detect but do not block devices” mode are still reported back to the
Enterprise Console (monitor mode). The information collected can then be used to
create exemptions to authorize specific device types.

The Secure Removable storage category is for devices with hardware encryption.

Secure removable storage devices supported by Sophos Device Control:
https://www.sophos.com/en-us/support/knowledgebase/63102.aspx

Device control also provides wireless anti-bridging capabilities. Selecting the Block
bridged mode significantly reduces the risk of network bridging between a corporate
network and a non-corporate network. The mode works by disabling either wireless
or modem network adapters when an endpoint is connected to a physical network
(typically through an Ethernet connection). Once the endpoint is disconnected from
the physical network, the wireless or modem network adapters are seamlessly re-
enabled.

Module 5 - 11
The event viewers, dashboard and smart views provide an easy way to view and
resolve issues.

Module 5 - 12
On completion of this module, you can now:

• Configure policies to support application control
• Configure rules and policies for data control
• Configure device control
• Use the dashboard and event viewers to view and resolve security issues

Module 5 - 13
Please take a few minutes to answer the following knowledge check questions.

Module 5 - 14
Module 5 - 15
Module 5 - 16
Module 5 - 17
Module 5 - 18
Module 5 - 19
Thank you for taking this Sophos Certified Engineer module for Enduser Protection.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Module 5 - 20
Now that you have completed this module, you should complete Lab 5 and then
Module 106: Managing web control, patch and firewall.

Module 5 - 21
Thank you for your time, please close this window to return to the Partner Portal.

Module 5 - 22
Hello, and welcome to this Sophos Certified Engineer training course for Enduser Protection
version 5.3. This is Module 106, Managing web control, patch and firewall.

Sophos Certified Engineer
Enduser Protection ET106 – Engineer Theory
April 2015

Training version: 5.3.0
Product version: Enterprise Console 5.3, Enduser Protection 10.3


Module 6 - 1
This course is split into eight modules; you are now in module six.

Module 6 - 2
This module will show how to use Enterprise Console to configure web control, patch
assessment and firewall policies.

Module 6 - 3
Once you complete this module you will be able to:

• Manage Web Control
• Configure Patch Assessment
• Configure Firewall Policies
• Use Event Viewers to view status and configure policies

Module 6 - 4
Web Control allows access to web sites that are managed by categories. It is possible
to block access to a category or just show a warning that the site is questionable and
access will be logged if the user decides to proceed.

Web Control is not used to block access to malicious web sites and content; Web
Protection provides this function and it is managed by the Anti-Virus and HIPS Policy.

Module 6 - 5
Sophos provides two types of Web Control; Inappropriate Website Control and Full
Web Control. Inappropriate Website Control is designed to protect users from visiting
websites that would reflect badly on the organization. It is made up of 14 categories
and is managed from Sophos Enterprise Console.

Full Web Control provides significantly more categories and requires integration with
a Sophos Web Appliance, Sophos Management Appliance or a Sophos UTM.
Endpoint computers communicate with Enterprise Console in the same way as when
the Inappropriate Website Control policy is selected, but the web-filtering rules and
web activity logs are synchronized with the specified appliance.

Module 6 - 6
For each web control policy the administrator can define which inappropriate
categories can be accessed, generate warnings or be blocked. Websites belonging to
other categories are allowed. Website Exceptions can be configured to allow or to
block specific websites or IP addresses. In the example, gambling sites are blocked
but an exception has been configured for The National Lottery.

Module 6 - 7
Reporting of inappropriate website control is done via the Sophos Enterprise
Console’s Web Event Viewer and includes information about the users that were
blocked, warned or have proceeded past a warning when trying to connect to
inappropriate websites.

For reasons of confidentiality it may be necessary to control which Enterprise Console
administrators are able to view this information. Role-based management can be used
to define which helpdesk users are allowed to access this information.

Module 6 - 8
A patch is a piece of software designed to fix software bugs, including security
vulnerabilities, in operating systems or applications.

According to Gartner, patching can prevent up to 90% of vulnerabilities, but many
computers remain at risk because patching can be difficult. IT Managers don’t always
know which patches are most important and which computers require them. The
reports provided by Patch greatly simplify the patching process:

• Patches by rating allows IT Managers to prioritize the most important patches
• Computers missing patches identifies computers that need attention

SophosLabs calculates ratings for patches based on a number of parameters:

• Vulnerability severity – the type of attack
• Software popularity – how popular the vulnerable software is
• Access conditions – whether the attacker needs to be local or remote to exploit the
vulnerability
• Prevalence – how common the threats that exploit the vulnerability are

Module 6 - 9
Patches are rated Low, Medium, High and Critical based on these parameters. Sophos
recommends that customers consider applying all relevant patches, but the Labs
rating is designed to allow them to focus on patches that protect against the most
active threats.

Module 6 - 9
By default Patch Assessments are not enabled. Once they are, computers begin an
assessment which can take up to 20 minutes, with each patch fully assessed to
ensure it was deployed correctly. Subsequent assessments occur at the interval set in
policy, which is daily by default. The assessment is fully transparent for the end-users.

Computers are only assessed for security patches on software that is installed on the
computer. If a new patch is released that supersedes an older patch, then patch
assessment will no longer check for the presence of the older patch. Only the new
patch will be assessed.

Module 6 - 10
Patch reporting is done via the Patch event viewer in the Sophos Enterprise Console.
Patches by rating supports a wide range of vendors and is sorted by rating, with the
most critical patches at the top.

Clicking on a patch name shows the patch description and the list of threats and
vulnerabilities tied to this patch. Each threat listed has a link to the Sophos website
and each vulnerability listed has a link to the Common Vulnerabilities and Exposures
web site cve.mitre.org.

Using this report, administrators can focus on the most critical patches.

Module 6 - 11
Administrators can use the Computers missing patches list to determine actions
required. Third party applications such as Microsoft Windows Software Update
Services (WSUS) and System Center Configuration Manager (SCCM) can be used to
deploy the patches.

Module 6 - 12
The client firewall is an optional component that can be installed on endpoints. By
default the firewall is enabled and blocks all non-essential traffic. Therefore, before
deploying the client firewall to endpoints it should be configured to allow the
required applications. Another option is to change the firewall to Monitor mode. This
collects information about the network that can be used to create the required rules.

Basic Firewall Policies can be created using a wizard, while customized configuration
can be completed by selecting Advanced firewall policy.

Module 6 - 13
The Basic Firewall Policy supports:

• A single location for computers that are always on the network, for example,
desktops
• Dual locations if different settings are required according to the computer’s
location, for example, in the office (on the network) and out of the office

The operational modes are:

• Block inbound and outbound traffic – this is the default level and offers the highest
security. Only essential traffic is allowed through the firewall
• Block inbound and allow outbound traffic – this allows computers to access the
network and internet without having to create rules. It also allows applications to
communicate through the firewall
• Monitor – this applies any existing rules. If the traffic has no matching rule, it is
reported to the console and then allowed if it is outbound. This mode enables
administrators to collect information about the network and then create suitable
rules before deploying the firewall to computers
• Custom – this allows custom rules to be configured by clicking the Advanced
button

Module 6 - 14
The basic firewall configuration wizard makes it easy to configure applications that
should be trusted. These can be added by locating them in the Firewall Event Viewer.
It also provides configuration to allow file and printer sharing.

Module 6 - 15
Custom firewall rules can be created using the advanced configuration.

The Default policy is pre-configured to allow typical activity, as illustrated by the ICMP
tab.

Module 6 - 16
The Firewall Event Viewer provides an easy way to create rules. The example shows
that no rule has been configured for the application Internet Explorer (iexplore.exe).
The Create rule option can allow (or block) all activity for this application or create a
rule based on a pre-set configuration suitable for the type of application, in this case
a browser.
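The operational modes and the Monitor-mode workflow described in the previous slides (run in Monitor mode, review the unmatched traffic reported to the Firewall Event Viewer, create application rules from it, then switch to a blocking mode), as an added example. This is a constructed simulation for this module, not Sophos code; the application names, ports, the set of "essential" traffic and the behaviour of Custom mode with no matching rule are assumptions.

```python
"""Constructed simulation of client firewall modes and rule creation (not Sophos code)."""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Flow:
    app: str          # executable name, e.g. "iexplore.exe"
    direction: str    # "inbound" or "outbound"
    proto: str        # "tcp" or "udp"
    port: int


@dataclass
class Rule:
    app: str
    action: str                 # "allow" or "block"
    direction: str = "any"      # "any", "inbound" or "outbound"

    def matches(self, f: Flow) -> bool:
        return self.app == f.app and self.direction in ("any", f.direction)


class ClientFirewall:
    MODES = ("block_in_out", "block_in_allow_out", "monitor", "custom")
    # Assumption: "essential traffic" that every mode lets through (DNS/DHCP here).
    ESSENTIAL = {("udp", 53), ("udp", 67), ("udp", 68)}

    def __init__(self, mode: str, rules=()):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.rules: List[Rule] = list(rules)
        self.events: List[Flow] = []   # traffic reported to the Firewall Event Viewer

    def decide(self, f: Flow) -> str:
        # Every mode applies existing rules first.
        for r in self.rules:
            if r.matches(f):
                return r.action
        if (f.proto, f.port) in self.ESSENTIAL:
            return "allow"
        if self.mode == "block_in_out":          # default: highest security
            return "block"
        if self.mode == "block_in_allow_out":    # outbound needs no rules
            return "allow" if f.direction == "outbound" else "block"
        if self.mode == "monitor":               # report, then allow if outbound
            self.events.append(f)
            return "allow" if f.direction == "outbound" else "block"
        return "block"   # custom mode: assumption, only explicit rules allow traffic


def rules_from_events(events: List[Flow], trusted_apps: Set[str]) -> List[Rule]:
    """The 'Create rule' step: one allow rule per trusted application seen in events."""
    seen = {e.app for e in events}
    return [Rule(app, "allow") for app in sorted(seen) if app in trusted_apps]


# Constructed sample traffic captured while a workstation runs in Monitor mode.
SAMPLE_FLOWS = [
    Flow("iexplore.exe", "outbound", "tcp", 443),
    Flow("iexplore.exe", "outbound", "tcp", 80),
    Flow("svchost.exe", "outbound", "udp", 53),
    Flow("updater.exe", "outbound", "tcp", 8080),
    Flow("spoolsv.exe", "inbound", "tcp", 445),
]

if __name__ == "__main__":
    monitor = ClientFirewall("monitor")
    for flow in SAMPLE_FLOWS:
        monitor.decide(flow)
    rules = rules_from_events(monitor.events, {"iexplore.exe"})
    locked = ClientFirewall("block_in_out", rules)
    print([locked.decide(flow) for flow in SAMPLE_FLOWS])
```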

Module 6 - 17
On completion of this module you can now:

• Manage Web Control
• Configure Patch Assessment
• Configure Firewall Policies
• Use Event Viewers to view status and configure policies

Module 6 - 18
Please take a few minutes to answer the following knowledge check questions.

Module 6 - 19
Module 6 - 20
Module 6 - 21
Module 6 - 22
Module 6 - 23
Module 6 - 24
Thank you for taking this Sophos Certified Engineer module for Enduser Protection.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Module 6 - 25
Now that you have completed this module, you should complete Lab 6 and then
Module 107: Management at the endpoint.

Module 6 - 26
Thank you for your time, please close this window to return to the Partner Portal.

Module 6 - 27
Hello, and welcome to this Sophos Certified Engineer training course for Enduser Protection
version 5.3. This is Module 107, Management at the endpoint.

Sophos Certified Engineer
Enduser Protection ET107 – Engineer Theory
April 2015

Training version: 5.3.0
Product version: Enterprise Console 5.3, Enduser Protection 10.3


Module 7 - 1
This course is split into eight modules; you are now in module seven.

Module 7 - 2
The main focus of this course is the centralized management of Enduser Protection
from Sophos Enterprise Console. However, the enduser client also provides effective
security management and logging. This module will look at the functionality provided
by the Windows and Mac clients.

Module 7 - 3
Once you complete this module you will be able to:

• Describe the main management tasks which can be completed at the endpoint
• Recognize the differences in the features supported by the Windows and Mac
clients

Module 7 - 4
On Windows the client software status is visible via an icon in the system tray. The
same icon can also be right-clicked to Open Sophos Endpoint Security and Control
and manage updating. The items available for user configuration will depend upon
the components that have been enabled for the computer and whether tamper
protection has been configured.

The Home button provides a quick way to return to the main view.

Module 7 - 5
Installation of Sophos Enduser Protection adds a number of components and services
to the Windows environment.

For information on how to view Windows services and components:
http://www.sophos.com/en-us/support/knowledgebase/11299.aspx

For more information about Sophos Endpoint Security and Control components and
services:
http://www.sophos.com/en-us/support/knowledgebase/13029.aspx

Module 7 - 6
Sophos Endpoint Protection also restricts access to certain parts of the software to
members of certain Sophos groups. For example, only members of the
SophosAdministrator group are allowed to change the endpoint client software
configuration via the graphical user interface (GUI). Other Windows users have
limited or no access to the interface.

Module 7 - 7
On demand scans can be performed from Endpoint Security and Control and from
Windows Explorer. These can supplement on-access scanning and scheduled scans
configured from Sophos Enterprise Console.

Module 7 - 8
When a threat is detected, a Microsoft balloon or Windows toast notification is
displayed. The latter is displayed if the client operating system is Windows 8 or later.

The user can view threats by opening Endpoint Security and Control. The Status
window shows the number of items in quarantine and the link can be used to view
and manage the items.

If the machine is managed, a threat notification is sent back to SEC using the Remote
Management System (RMS).

Module 7 - 9
Quarantine Manager shows details of detected threats and allows them to be cleared
from the list and authorized. The options that are available will depend upon the
user’s privileges. By default users are members of the SophosUser group so they will
not be allowed to perform any of the possible actions.

Module 7 - 10
While the authorization action can be performed from Endpoint Security and Control,
in a managed environment it is more likely to be performed from Enterprise Console.
Authorization is part of the Anti-virus and HIPS policy and the settings apply to all
computers managed by the policy.

Module 7 - 11
As described earlier, tamper protection prevents unauthorized users from uninstalling
the software and from disabling security features. It can be disabled locally by
entering the Tamper protection password.

Module 7 - 12
Sophos Anti-virus for Mac is configured locally via the Mac system preferences. The
configuration is available to Mac administrators only.

When deploying Enduser Protection to non-Windows clients it is important to be
aware of the Sophos Enterprise Console policies which are supported. The currently
available features were shown in an earlier module but functionality may be added
with new releases, so the latest information should always be checked.

Supported Enterprise Console policies by endpoint platform:
https://www.sophos.com/support/knowledgebase/120404.aspx

Module 7 - 13
On completion of this module, you can now:

• Describe the main management tasks which can be completed at the endpoint
• Recognize the differences in the features supported by the Windows and Mac clients

Module 7 - 14
Please take a few minutes to answer the following knowledge check questions.

Module 7 - 15
Module 7 - 16
Module 7 - 17
Module 7 - 18
Thank you for taking this Sophos Certified Engineer module for Enduser Protection.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Module 7 - 19
Now that you have completed this module, you should complete Module 108: Role-
based administration and reporting.

Module 7 - 20
Thank you for your time, please close this window to return to the Partner Portal.

Module 7 - 21
Hello, and welcome to this Sophos Certified Engineer training course for Enduser Protection
version 5.3. This is Module 108, Role-based administration and reporting.

Sophos Certified Engineer
Enduser Protection ET108 – Engineer Theory
April 2015

Training version: 5.3.0
Product version: Enterprise Console 5.3, Enduser Protection 10.3


Module 8 - 1
This course is split into eight modules; you are now in module eight.

Module 8 - 2
This module will show how to use Enterprise Console to enable auditing, configure
role-based administration and produce standard and custom reports.

Module 8 - 3
Once you complete this module you will be able to:

• Enable auditing
• Configure role-based administration
• Generate standard reports
• Customize reports

Module 8 - 4
Auditing monitors changes in Enterprise Console configuration and other user or system
actions. This information can be used for regulatory compliance and troubleshooting.

By default, auditing is disabled. Once enabled an audit entry is written to the auditing
database whenever certain configuration settings are changed or certain actions, such
as policy management, are performed.

The audit entry includes the following information:

• Action performed
• User who performed the action
• User's computer
• User's sub-estate
• Date and time of the action

Third-party programs, such as Microsoft Excel, Microsoft Access, Microsoft SQL Server
Reporting Services, or Crystal Reports, are used to access and analyze data stored in the
auditing database.

For information about how to view audit entries, see the Sophos Enterprise Console
Auditing user guide.
http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx

Module 8 - 5
Roles are used to define levels of administrative privilege in Enterprise Console. There
are four preconfigured roles in Enterprise Console:

• System Administrator – has full rights to manage Sophos security software on the
network and roles in Enterprise Console. The System Administrator role cannot be
edited or deleted
• Administrator – has rights to manage Sophos security software on the network, but
cannot manage roles in Enterprise Console
• Helpdesk – has remediation rights only, for example, to clean up or update computers
• Guest – has read-only access to Enterprise Console

It is possible to edit the Administrator, Helpdesk and Guest roles, or create custom roles
with just the required privileges.

Sub-estates can be used to restrict the computers and groups that users can perform
operations on. The Default sub-estate contains all Enterprise Console groups, including
the Unassigned group. When additional sub-estates are created, groups of computers
can be added to them. Windows users and groups can then be assigned a role for one or
more sub-estates.

Module 8 - 6
Roles define the activities that are permitted and the users who can perform them.
The Tools menu provides the option to Manage Roles and Sub-Estates. In the
example, the members of the SophosPowerUser group are assigned to the Helpdesk
role and can perform remediation actions. Other Available rights can be added to
their Assigned rights if required. The example shows the Auditing right which is
required to enable or disable auditing.

To open Enterprise Console users also need to be members of the Sophos Console
Administrators Windows group and have been assigned to a role and sub-estate.

Module 8 - 7
Sub-estates define the list of Sophos groups that users can manage.

A user can only see the sub-estate that they are assigned to. If a user belongs to
multiple sub-estates, it is possible to select which sub-estate they want to use in the
Sophos Enterprise Console. This is known as the Active Sub-Estate. Users cannot edit
a policy which is applied outside of their active sub-estate.

The User and Group view allows administrators to view which roles and which sub-
estates are available to a Windows user or group.
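The role, right and sub-estate checks described on the last three slides, as an added example; this is a constructed model for this module, not Enterprise Console code. It encodes three statements from the notes: a user can open the console only when they belong to the Sophos Console Administrators Windows group and hold a role on a sub-estate; a sub-estate is a set of Enterprise Console groups; and a policy cannot be edited if any group it is applied to lies outside the user's active sub-estate. Right names other than Auditing, and all user, group and sub-estate names, are constructed.

```python
"""Constructed model of Enterprise Console roles and sub-estates (not Sophos code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

CONSOLE_GROUP = "Sophos Console Administrators"

# Rights per preconfigured role, approximating the descriptions in the notes.
# "policy setting" and the other names except "auditing" are constructed.
ROLE_RIGHTS: Dict[str, Set[str]] = {
    "System Administrator": {"view", "remediation", "policy setting",
                             "manage software", "manage roles", "auditing"},
    "Administrator": {"view", "remediation", "policy setting", "manage software"},
    "Helpdesk": {"view", "remediation"},
    "Guest": {"view"},
}


def grant_right(role: str, right: str) -> None:
    """Move an Available right into a role's Assigned rights (Manage Roles dialog).
    The System Administrator role cannot be edited."""
    if role == "System Administrator":
        raise ValueError("System Administrator role cannot be edited or deleted")
    ROLE_RIGHTS[role].add(right)


@dataclass
class SubEstate:
    name: str
    groups: Set[str]          # Enterprise Console groups placed in this sub-estate


@dataclass
class User:
    name: str
    windows_groups: Set[str]
    assignments: Dict[str, str] = field(default_factory=dict)  # sub-estate -> role
    active_sub_estate: Optional[str] = None

    def can_open_console(self) -> bool:
        return CONSOLE_GROUP in self.windows_groups and bool(self.assignments)

    def rights(self) -> Set[str]:
        """Rights in effect come from the role held on the active sub-estate only."""
        role = self.assignments.get(self.active_sub_estate) if self.active_sub_estate else None
        return set(ROLE_RIGHTS.get(role, set())) if role else set()


@dataclass
class Policy:
    name: str
    applied_to: Set[str]      # groups the policy is applied to


def can_edit_policy(user: User, policy: Policy, estates: Dict[str, SubEstate]) -> bool:
    if not user.can_open_console() or "policy setting" not in user.rights():
        return False
    estate = estates[user.active_sub_estate]
    # A policy applied to any group outside the active sub-estate is read-only.
    return policy.applied_to <= estate.groups


def can_toggle_auditing(user: User) -> bool:
    """Enabling or disabling auditing requires the Auditing right."""
    return user.can_open_console() and "auditing" in user.rights()


if __name__ == "__main__":
    estates = {"Default": SubEstate("Default", {"Unassigned", "Servers", "Workstations"}),
               "EMEA": SubEstate("EMEA", {"Workstations"})}
    helpdesk = User("alice", {CONSOLE_GROUP, "SophosPowerUser"}, {"EMEA": "Helpdesk"}, "EMEA")
    print(can_toggle_auditing(helpdesk))   # False until the Auditing right is granted
    grant_right("Helpdesk", "auditing")
    print(can_toggle_auditing(helpdesk))   # True
```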

Module 8 - 8
The Reports Manager in Sophos Enterprise Console allows reports to be generated
on demand or at scheduled times. Reports can also be emailed to one or more
recipients.

Reports cover:

• Alerts and events
• Compliance of computers with their policies
• Updating hierarchy

The Properties button allows reports to be customized. For example, the
Configuration tab illustrated allows choice of the period covered by the report and
the types of event to include. The Schedule tab determines the frequency of the
report, the file format and the email addresses to which it will be sent.

Module 8 - 9
New reports can be designed using the Create Report Wizard. This uses one of the
existing reports as a template and then allows the administrator to configure options
such as the reporting period and filter. The new report will be listed in Report
Manager, so it can be run or further customized using the Properties button.

Module 8 - 10
When a report is run it can be displayed as a table or a chart. The Export button
allows the report to be exported to a file and offers a choice of formats.

Module 8 - 11
On completion of this module you can now:

• Enable auditing
• Configure role-based administration
• Generate standard reports
• Customize reports

Module 8 - 12
Please take a few minutes to answer the following knowledge check questions.

Module 8 - 13
Module 8 - 14
Module 8 - 15
Module 8 - 16
Module 8 - 17
Module 8 - 18
Thank you for taking this Sophos Certified Engineer module for Enduser Protection.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Module 8 - 19
Now that you have completed this module, you should complete Lab 7.

Following that you will be ready to complete your assessment.

Module 8 - 20
Thank you for your time, please close this window to return to the Partner Portal.

Module 8 - 21
