Sophos for Marshal

Version: 1.1.2, Last Revision: October 24, 2017

Sophos for Marshal is a configuration and update tool that allows the Sophos anti-virus scanner to be used with Trustwave SEG, ECM, and WebMarshal products.

These notes are additional to the Help or other documentation.

The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q20635.

Supported Trustwave Products

Sophos for Marshal 1.1 works with the following Trustwave content scanning product releases:

Trustwave SEG 7.3.0 and above.
WebMarshal 6.10.0 and above
Trustwave ECM 7.1.5 and above.

These products continue to support the Sophos SAVI interface. You can use both Sophos scanners side-by-side, but doing so can affect performance.

New Features in Version 1.1.0

Native 64-bit support: Sophos for Marshal is available in a native 64-bit version as well as a 32-bit version. Both versions can be installed on the same system. Use the 64-bit installation with SEG version 8.x and other forthcoming content scanning releases that use a native 64-bit scanning engine.
CXMail: This Sophos option implements additional checks appropriate to email or other edge servers. This option is enabled by default.
LiveProtection: This Sophos option performs a signature based query to Sophos to check for updated information when a virus is found. This option is enabled by default, but can be disabled.
Archive Decompression: Archives are always decompressed (this overrides the "deepScan" setting in WebMarshal Engine configuration). Decompression ensures that Sophos for Marshal returns correct information about password protected archives that cannot be scanned.

Hardware and Software Prerequisites

Sophos for Marshal 1.1 requires Windows Server 2008 (SP2) or above, with a supported Trustwave product (SEG, ECM, or WebMarshal).

The LiveProtection feature requires DNS connectivity (port 53) to a local DNS server that can forward queries to Sophos. The DNS server address will be populated automatically based on server settings. You can override the automatic setting if required.

The updater requires access to the following website: https://sophos.marshal.com (HTTPS is required; this is a change from version 1.0). For details of required ports and destinations see Knowledge Base article 11906.

Licensing

Sophos for Marshal is licensed and purchased through Trustwave as a module with the supported content scanning products.

Licensing for Sophos for Marshal is included in the trial keys generated by supported releases of the supported products.
To trial Sophos for Marshal in a current fully licensed installation, contact Trustwave for a key.
Engine and IDE updates are available only if the product license key has a current trial or maintenance entitlement for Sophos for Marshal.

Installing Sophos for Marshal

To install Sophos for Marshal, run the installer package. Immediately after installation, the Sophos for Marshal updater attempts to retrieve the latest virus scanning Engine and IDE (signature) files.

If you need to configure proxy settings, you should do so immediately and then start an update manually.

To configure settings and start an update, start "Sophos for Marshal Configuration" from the Start menu. (Installation creates shortcuts in the submenu for each installed Trustwave product that supports Sophos for Marshal). For details of the fields in the configuration tool, see Help.

Notes:

The package does not include a Sophos Engine or IDE files. The updater must run and complete a download of these components before you can use the scanning functionality.

The updater requires access to the following website: https://sophos.marshal.com (HTTPS is required; this is a change from version 1.0). For details of required ports and destinations see Knowledge Base article 11906.

To use Sophos for Marshal with a supported Trustwave product:

Obtain and install the appropriate key for SEG, ECM, or WebMarshal.
Install the software on every processing server (including all array nodes if applicable). It is not necessary to install Sophos for Marshal on an Array Manager-only server.
Follow the instructions for adding a scanner in the documentation for the specific product.

Upgrading Sophos for Marshal

To upgrade from an earlier version, run the installer package.

Note: This upgrade migrates the data from the previous version and then installs the new version. You will be informed that the data is being moved. Settings, Engine, and IDE files are retained.

If a processing engine service (such as the SEG Engine) is under load, the installer may not be able to stop the service. The installer will notify you.

To complete the upgrade when the installer cannot stop a service:

Manually stop the product engine service(s).
Run the upgrade installation.
Manually start the product engine service(s).

Uninstalling Sophos for Marshal

To uninstall Sophos for Marshal:

Remove the Sophos for Marshal scanner from all SEG, ECM, and/or and WebMarshal scanning rules.
Delete the Sophos for Marshal scanner from the list of scanners in each installed product.
Restart the Engine services for each product. If the server has not been restarted since Sophos for Marshal was installed, you may need to restart the Controller services as well.
Close the SEG or ECM Configurator and/or WebMarshal Console.
Use the Add/Remove Programs control panel to uninstall Sophos for Marshal.

Change History

1.1.2 (October 24, 2017)

SFM-125

Discovery of SEG and ECM license keys is improved.

1.1.1.1544 (August 14, 2017)

SFM-116

Sophos for Marshal now uses libcurl instead of WinInet for access to updates, to avoid issues with certificate validation when using a proxy.

1.1.0.1027 (June 6, 2017)

SFM-8	The Sophos SDK used by Sophos for Marshal has been updated to the latest version that provides additional capabilities.
SFM-10	Sophos for Marshal implements the CXMail scanning option for enhanced checking of files.
SFM-11	Sophos for Marshal implements the LiveProtection scanning option for enhanced checking of files.
SFM-13	The product has been rebranded for Trustwave.
SFM-15	Installation and registry locations are updated to the default Trustwave locations.
SFM-41	MSXML4 is no longer used by Sophos for Marshal. The related DLLs are removed on upgrade.
SFM-54	Engine and IDE updates require valid maintenance for the scanning product (SEG, ECM, or WebMarshal).
SFM-67	The available frequencies for IDE checks have changed. You can choose to check as often as every 10 minutes. The default check is hourly.
SFM-71	Service executable paths were not quoted. Fixed.

1.0.4.9547 (November 11, 2010)

SFM-1

Sophos for Marshal now supports MailMarshal Exchange 7.0

1.0.3.8975 (March 23, 2010)

VS-386	Update to the install logic was required due to change in the MailMarshal SMTP registry location.
VS-387	Update to the install logic was required due to change in the MailMarshal Exchange registry location.
VS-391	Files are now digitally signed to ensure authenticity.
VS-393	The product has been rebranded for M86 Security.
VS-396	The installer checked for the presence of a parent product on uninstall. Fixed.

1.0.2.8084 (August 26, 2009)

VS-365	Updated Sophos engines were not installed when MailMarshal was under heavy load. Fixed.
VS-372	The upgrade installation has been modified to minimize the number of manual service restarts required.
VS-373	Sophos for Marshal installation now creates a menu shortcut in the MailMarshal Exchange program group (if MailMarshal Exchange is present).

1.0.1.5823 (July 17, 2008)

VS-263

Sophos for Marshal now supports MailMarshal Exchange 5.2

1.0.0.4359 (November 28, 2007) - Initial Release

Legal Notice

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

Trademarks

Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.