Matthew Gailer1709152490

Question

Posted

Hi,

 

I want to see if anyone has actually had success in including Sophos Anti-Virus in an App Layering image. I have a client with Sophos Cloud for whom I am doing a new master image based on App Layering, and I've heard varying stories of "success" (by success, I mean failure). In particular, I'm wanting to know which layer people have had the most success with for Sophos.

 

The interesting thing with regard to documentation around layering of Sophos is what seems very much like contradictions. OK, stick with me here. Citrix documentation suggests Sophos goes in the OS Layer (https://docs.citrix.com/en-us/citrix-app-layering/4/layer/layer-antivirus-apps.html#sophos-cloud-all-supported-operating-systems). Citrix best practices (https://support.citrix.com/article/CTX225952) state "Don't install applications into the OS layer. The OS layer should be as generic as possible. You cannot swap out the OS layer like you can with App Layers and Platform Layers." (surely we'd classify the Sophos agent as an application?). I was at Synergy in 2018 and went to the "Citrix App Layering: Top 10 Lessons Learned" session (https://www.youtube.com/watch?v=-eQ1py3Tgd4), where the statement is made "trust me, put it in an App Layer" (around the 13 minute mark). One of the reasons was along the lines of: if you change anti-virus, you don't have to create a new OS Layer, which in turn means re-creating all the Platform and App Layers.

 

So you can see that with the variations in documentation and statements around this, as well as hearing of the failures of Sophos in layering from clients, the actual decision on "What layer?" is really hard to answer. Field success (especially documented field success) seems the most relevant in the end. So hit me with your thoughts and experiences.

 

Thanks

 

Matt

7 answers to this question

Recommended Posts

Posted

I have never done Sophos Cloud, so I can't help there, but I think the reason our recipe has for putting Sophos in the OS layer was that Sophos creates a local account, which can only be done in the OS layer. I think you should open a support ticket to work with support on your issues.

Posted

We run Sophos Central/Cloud with the Sophos for Virtual Environments VM and lightweight VM client. It's been running fine in the OS layer for over a year. Full-fledged Sophos Cloud installs might be a very different story with their variety of applications and updates.

 

https://community.sophos.com/kb/en-us/125679

 

If you use a full user layer, make sure there aren't any scheduled scans happening while anyone is logged in, or disable them completely. Otherwise it sucks the entire C: drive into their user layer.

 

I like to keep my OS layer clean as well, but couldn't an AV agent be removed in a new OS layer version instead of starting clean?

Posted

Hey Josh, it should not be a problem with the user layer to run a scheduled scan. Only files that are opened for write get pulled into the user layer, and an AV product should not be doing that. You may still not want to do scheduled scans due to the load on your storage, but it shouldn't fill up the user layer.

 

For everyone reading this post: we now have Sophos Cloud included in our AV guide:

https://docs.citrix.com/en-us/citrix-app-layering/4/layer/layer-antivirus-apps.html

 

Rob
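As an added example (not from this thread, and not Citrix or Sophos code), here is a PowerShell check for the two posts above: it lists the files under C:\ whose last-write time falls inside a scheduled scan window. If a scan is only reading, the list should be close to empty; if it is writing to files, those are the files that the explanation above says a full user layer would capture. The scan window, root path and row count are parameters you set to match your own schedule; every cmdlet used is standard PowerShell.

```powershell
# Added example: report files on a layered VM written during a scan window.
# Run it on a test VM with nobody logged in, right after the scheduled scan.
# $Start/$End default to the last hour; pass your real scan window instead.
param(
    [datetime]$Start = (Get-Date).AddHours(-1),
    [datetime]$End   = (Get-Date),
    [string]$Root    = 'C:\',
    [int]$Top        = 25
)

# Every file under $Root whose content was last written inside the window.
# -Force includes hidden/system files; access-denied paths are skipped quietly.
$files = @(Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End })

# [long] cast turns a null Sum (no files matched) into 0.
$totalBytes = [long]($files | Measure-Object -Property Length -Sum).Sum
'{0} files written between {1:s} and {2:s}: {3:N1} MB' -f $files.Count, $Start, $End, ($totalBytes / 1MB)

# Largest files first: big writes outside the user's profile during an idle
# scan window are the ones that need explaining.
$files | Sort-Object -Property Length -Descending |
    Select-Object -First $Top -Property FullName,
        @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 2) } },
        LastWriteTime |
    Format-Table -AutoSize

# Growth by top-level directory (Windows, Program Files, Users, ...), so you
# can see whether the writes are AV state, logs, or the whole drive.
$files |
    Group-Object -Property { ($_.FullName.Substring($Root.Length) -split '\\')[0] } |
    ForEach-Object {
        [pscustomobject]@{
            TopLevel = $_.Name
            Files    = $_.Count
            MB       = [math]::Round(([long]($_.Group | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)
        }
    } |
    Sort-Object -Property MB -Descending |
    Format-Table -AutoSize
```

Compare the totals with how much the user layer actually grew over the same window. One caveat: LastWriteTime only changes when file content is written, so a product that opens files with write access without modifying them would not appear here; if this report is nearly empty but the user layer still grows, the capture is happening on the open rather than on a content change, and the practical fix is still the one given above, which is to keep scheduled scans off while users are logged in.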

Posted

I assumed the same thing, but we had the issue a couple of times with an off-hours user back in September. About 20 minutes after the scheduled scan we'd get an email saying that VM was out of disk space, and as soon as we disabled the scheduled scans the issue stopped happening.

 

I decided it wasn't very useful to have a scheduled scan on the VMs anyway, though. We're 100% non-persistent with full user layers, so the only thing being scanned off hours on VMs would be a clean base image.

Posted
On 5/25/2019 at 2:20 AM, Josh James said:

We run Sophos Central/Cloud with the Sophos for Virtual Environments VM and lightweight VM client. It's been running fine in the OS layer for over a year. Full-fledged Sophos Cloud installs might be a very different story with their variety of applications and updates.

 

https://community.sophos.com/kb/en-us/125679

 

If you use a full user layer, make sure there aren't any scheduled scans happening while anyone is logged in, or disable them completely. Otherwise it sucks the entire C: drive into their user layer.

 

I like to keep my OS layer clean as well, but couldn't an AV agent be removed in a new OS layer version instead of starting clean?

 

@Josh,

 

How do you find Sophos for Virtual Environments? Easier to work with than the fully fledged clients? One thing I haven't looked into just yet is whether the Sophos for Virtual Environments client needs to be considered in a golden image like the full agent (i.e. delete uniqueness files). What's your experience with this?

 

@Rob - I've followed the Citrix instructions for the Sophos Cloud installer and so far so good (no duplicates after reboots, the agent updates and is in working order, it is controllable from Sophos Cloud, etc.). I made notes on it that I think might be handy for the Citrix documentation (i.e. an expansion on what was stated), which I will share should things continue to be as successful as they currently are.

 

Thanks,

 

Matt

Posted
On 5/26/2019 at 4:32 PM, Matthew Gailer1709152490 said:

 

@Josh,

 

How do you find Sophos for Virtual Environments? Easier to work with than the fully fledged clients? One thing I haven't looked into just yet is whether the Sophos for Virtual Environments client needs to be considered in a golden image like the full agent (i.e. delete uniqueness files). What's your experience with this?

 

 

@Matthew Gailer1709152490

 

No issues so far. I honestly haven't done much with it since I set it up. It's a little odd because there's nothing in the tray on the clients. You have to rely on Windows Action Center to tell you if all is well, along with a text file shared on the appliance. The cloud console also lists protected VMs when you view the details, but that's about the extent of the information. If I remember right, you're only getting a subset of protection with the agent, but it's been a while since I looked. I figured that since we're on non-persistent VMs and all the servers/network traffic is inspected, we were relatively safe anyway.

 

One big difference for me: the lightweight VM client doesn't update itself, so those of us using full user layers don't end up with a mess of new Sophos components in the user layer. Side note: the only way to update to new versions of the Sophos for VE appliance is to reboot it; then it will have a new client version on its file share.

 

Mine is in the gold image. I'm not sure if it actually needs to be there, though; I don't see any special users at a quick glance.

Archived

This topic is now archived and is closed to further replies.
