Security - Sophos AV stops definition updates #WORKAROUND & #DETAILS **JULY 2023**

In recent weeks Sophos released a new AV version (Core Agent 2023.1 / Server Core Agent 2023.1).

PROBLEM

  • This latest Sophos version requires that the operating system has the proper September 2021 patches installed.
  • If you are not up to date with Microsoft updates or Windows versions, this problem will occur.
  • Sophos endpoint definition updates will stop working:
    • Client: early July 2023
    • Server: end of July 2023

AFFECTED SYSTEMS AND DEVICES

    • Windows computers:
      • From early-June 2023, Windows 10 (x64) operating systems and above that don't support Azure Code Signing (ACS) will fail to complete the upgrade process to Core Agent 2023.1 and above.
    • Windows servers:
      • From late-July 2023, Windows 2016 operating systems and above that don't support Azure Code Signing (ACS) will fail to complete the upgrade process to Server Core Agent 2023.1 and above.

WORKAROUND APPLICABLE TO POSTPONE PROBLEM

  • The Software Packages functionality in Sophos Central can be used to assign devices to a Fixed term support (FTS) version.
  • The current version for Windows computers and servers is FTS 2022.4.3.2 and can be assigned to devices for the duration of time it takes to apply the Windows Security Updates.
  • Note: There is an expiry date for all software package versions after which devices will stop updating.
    • The expiry date for FTS 2022.4.3.2 on Windows computers is October 10, 2023.
    • The expiry date for FTS 2022.4.3.2 on Windows servers is November 14, 2023.
  • To do this, modify the Update Management policy as indicated in the screenshots below.

 


APPENDIX

Full details on required updates can be found in Microsoft’s official KB5022661 on this topic. 
https://support.microsoft.com/en-gb/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4

In addition to having the required Windows Security Updates to verify modules signed by Azure Code Signing, devices must have the "Microsoft Identity Verification Root Certificate Authority 2020" certificate authority (CA) installed.
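A quick way to check the certificate prerequisite on a device before letting it upgrade. This is an added example, not code from Sophos or Microsoft; the function name Get-AcsReadiness and the output field names are assumptions made for illustration.

```powershell
# Added example: report whether this device has the root CA named in the text,
# plus OS and patch-recency details to help decide on an FTS assignment.
$AcsRootCaName = 'Microsoft Identity Verification Root Certificate Authority 2020'

function Get-AcsReadiness {   # hypothetical helper name
    [CmdletBinding()]
    param([string]$CaName = $AcsRootCaName)

    # Look for the CA in the machine-wide Trusted Root store, matching on subject CN.
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$CaName*" })

    # A present but expired root does not help, so keep only currently valid ones.
    $now   = Get-Date
    $valid = @($certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Get-HotFix can return entries without an install date; ignore those.
    $lastPatch = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OperatingSystem  = $os.Caption
        Build            = $os.BuildNumber
        AcsRootCaPresent = ($valid.Count -gt 0)
        AcsRootCaExpires = ($valid | Sort-Object NotAfter -Descending |
                               Select-Object -First 1).NotAfter
        LastUpdateId     = $lastPatch.HotFixID
        LastUpdateDate   = $lastPatch.InstalledOn
    }
}

Get-AcsReadiness | Format-List
```

The certificate check alone does not prove the required Windows Security Updates are installed; compare the reported build and last update date against KB5022661 before removing a device from the FTS package.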

The impacted operating systems are generally Windows 10/11 and Windows 2016/2019/2021 server versions.

Legacy operating systems are not impacted:

  1. Windows 8.1
  2. Windows Server 2012 R2
  3. Windows Server 2012
  4. Windows 7.0 SP1
  5. Windows Server 2008 R2
  6. Windows Server 2008 SP2

NEW INSTALLATION

From the 18th of April 2023, new installations on operating systems that don't support Azure Code Signing (ACS) will fail.