Sophos Protect Devices Update Failure

Description

Occasionally, when end stations attempt to update Sophos Endpoint protection, the SonicWall Gateway Anti-Virus (GAV) blocks the download because the updates contain strings that resemble malicious code. While the two companies investigate, this article describes a way to avoid the issue.


Cause

Sophos updates contain strings that resemble malicious code, so when a SonicWall firewall scans them they show up as indicators of malware and we block them. Our SonicWall Capture Labs Director is in contact with Sophos about the best way for us both to resolve this. That our GAV sees some of their malware definitions and signatures as potential malware is not surprising: to detect malware, those files must contain data that looks like malware.

Resolution

If you have trouble installing the Sophos client and cannot download the initial signature database, it is most likely because the SonicWall GAV security service is blocking the transfer. We will need to exclude a few Sophos FQDN addresses (i.e. *.sophos.com, *.sophosupd.com, etc.) in order to pass the traffic. To do this we will create a firewall access rule for the Sophos AV Group with the option to Disable DPI, so that traffic to the Sophos AV Group bypasses all of the SonicWall DPI engines.

We will also modify the FQDN Address Objects to override the TTL returned by the DNS server lookup, because those TTLs are shorter than the interval at which the Sophos client appears to refresh its own resolution; we will set them to the maximum of 86,400 seconds (24 hours). Consider a client talking to d1.sophosupd.com for updates on IP 1.2.3.4 and using that IP for the next 30 minutes while the DNS TTL is only 60 seconds: the SonicWall could clear that IP out of its FQDN Address Object cache before the client does a new DNS query to repopulate the firewall's cache, and the traffic would therefore no longer match the Disable DPI rule.

  1. Create custom Address Objects from Network | Address Objects for the Sophos domains and override the DNS TTL as below.

    NOTE: You will have to check with Sophos which domains you need to exclude and create as many custom Address Objects as needed. After the Address Objects are created, you can group them under an Address Group (i.e. Sophos AV Group) to be used in the Access Rules.


    Sophos Endpoint - domains:
    *.sophos.com
    *.sophosupd.com
    *.sophosupd.net
    *.sophosxl.net
    ocsp2.globalsign.com
    crl.globalsign.com

  2. Create the following access rule by navigating to Firewall | Access Rules.
    Under the General tab select:
    • Action: Allow
    • From: Any zone with Sophos clients
    • To: WAN
    • Source Port: Any
    • Service: Any
    • Source: Any
    • Destination: The Address Objects (or the Address Group) that were created for Sophos
    • Under the Advanced tab check Disable DPI.
  3. Create DPI-SSL exclusions. Exclude the following:

DPI-SSL Connection Failure List when trying to install the client:


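To make the TTL-override reasoning in the Resolution concrete, here is a small added Python model of the FQDN Address Object cache; it is not SonicWall code, and the class, the 30-minute client reuse window and the checkpoint times are constructed assumptions. It shows that with the DNS TTL of 60 seconds honoured, packets to 1.2.3.4 stop matching the Disable DPI rule after one minute, while with the 86,400-second override they match for the whole reuse window.

```python
# Added example, not SonicWall code: a minimal model of the FQDN Address
# Object cache behaviour described above. Scenario values are constructed.
from dataclasses import dataclass, field

MAX_TTL_OVERRIDE = 86_400  # maximum override in seconds (24 hours), per the article


@dataclass
class FqdnAddressObject:
    """One FQDN Address Object: IPs learned from DNS, each with an expiry."""
    fqdn: str
    ttl_override: int = 0  # 0 means honour the TTL returned by the DNS server
    cache: dict = field(default_factory=dict)  # ip -> expiry time (seconds)

    def learn(self, ip: str, dns_ttl: int, now: float) -> None:
        # The firewall sees the DNS answer and caches the IP; the override
        # replaces the DNS TTL when it is set.
        ttl = self.ttl_override if self.ttl_override > 0 else dns_ttl
        self.cache[ip] = now + ttl

    def matches(self, ip: str, now: float) -> bool:
        # The Disable DPI rule only matches while the IP is still cached.
        expiry = self.cache.get(ip)
        return expiry is not None and now < expiry


def override_needed(dns_ttl: int, client_reuse: int) -> bool:
    """True when the client keeps using an IP longer than the DNS TTL."""
    return dns_ttl < client_reuse


def simulate(ttl_override: int, dns_ttl: int = 60, client_reuse: int = 1800) -> dict:
    """Client and firewall both see the DNS answer at t=0; the client keeps
    using 1.2.3.4 for client_reuse seconds without re-resolving. Returns, per
    checkpoint time, whether a packet would still hit the Disable DPI rule."""
    obj = FqdnAddressObject("d1.sophosupd.com", ttl_override)
    obj.learn("1.2.3.4", dns_ttl, now=0)
    checkpoints = (0, 30, 120, 900, client_reuse - 1)
    return {t: obj.matches("1.2.3.4", t) for t in checkpoints}


if __name__ == "__main__":
    print("DNS TTL honoured :", simulate(0))
    print("TTL override 24h :", simulate(MAX_TTL_OVERRIDE))
```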