I recently had to install and configure Sophos for vShield for a client. I wanted to document the steps for the next poor soul that needs to go through this. As a quick review vShield is an umbrella term used by VMware to describe their VM security offerings. The component we are interested in is vShield Endpoint, which provides offloaded antivirus and anti-malware protection for VM’s. It was VMware’s alternate answer to locally installed AV agents, which typically bring a whole set of management pain points to virtual environments. With vShield Endpoint scanning occurs at the hypervisor level, which negates the need for local agents (kind of, but oh not really. read below for more). vShield Endpoint is rather useless by itself. The goodness occurs when 3rd party solutions (like Sophos) leverage vShield Endpoint for AV scanning.
- ESXi hosts are deployed and managed by a vCenter instance. Sophos documentation states vSphere 5.1, 5.5 and 6.0 are all supported.
- Sophos Enterprise Console has been installed. Version 5.2.2 was already installed in this case.
- Sophos Update Manager is installed. Note the definition location as it will be needed. From SEC click View | Bootstrap locations and look for the savvshield entry.
- vShield Manager is installed in the environment, and vShield Endpoint has been enabled on each of the ESXi hosts.
- Following logins are needed-
- vCenter administrator account – only needed during install
- vCenter read-only account. Can be domain or local, and is stored on each SSVM and used to query vCenter during operation.
- vShield administrator account – only needed during install
- Sophos Update Manager account. This is typically a domain account called SophosUpdateMgr and is used by the SSVM’s to connect to the Update Manager repository.
- Sophos vShield sofware package. I installed version 220.127.116.11.
Quick picture of the overall architecture that I copied from the Sophos documentation
- Sophos has good documentation on their site. I would suggest reading through it before beginning.
- Installer will validate each step and will not proceed if the information is incorrect.
- DNS A records are not required for the SSVM’s
- Note that if you power off an SSVM on a host all the guest VM’s could become unresponsive for up to 30 seconds. This is due to the guest VM file requests via the SSVM timing out. The recommendation from Sophos is to disable vShield on the hosts before shutting down the SSVM. Another more realistic option is to just place the host in maintenance mode before executing power commands on the SSVM.
- Sophos for vShield can only protect guest VM’s running Windows.
- Each Guest VM needs the VMware Guest Introspection Agent installed. This is a filter driver that intercepts file access activity. Of course this is not part of the default VMware Tools install so this needs to be added to all your VM’s.
- Sophos can only BLOCK access and execution of infected files, because it integrates at the hypervisor level it can’t actually CLEAN or DELETE the infected files. For this you need to install the Sophos Guest VM agent into each VM for complete protection. Luckily the Guest Agent can be deployed with Group Policy to ease the sting of touching all your VM’s.
- The Guest VM’s will NOT appear as managed servers in the Sophos Enterprise Console. Only the deployed SSVM’s will be visible.
- Guest VM’s show as unprotected in vShield Manager. Don’t be alarmed. This is referring to vShield App protection, not Sophos AV protection.
- Extract the Sophos SSVM software. By default it outputs the files to c:\ssvm_x_y_z
- Run (as Administrator) SSVMTOOL.exe
- Choose “Install New Sophos Security VM’s”
- Review the pre-requisites
- Enter your vCenter credentials.
- Ignore the untrusted SSL cert on vCenter.
- Enter your vShield server and admin credentials.
- Select the ESXi hosts you want to install the Sophos Security VM’s on to. The installer will only show hosts that DO NOT have the SSVM currently installed. Multiple hosts can be selected but BE AWARE you cannot input static IP’s if you select multiple hosts. DHCP is the only choice. My advice is to just select one host for the first attempt to test the process. In case it errors out there will be less mess to clean up.
- Enter the Sophos Update Manager location and credentials.
- Enter the support password. This is a local password to the Sophos installation.
- Choose the appropriate time zone.
- Configure IP address if required, or select DHCP
- Choose Datastore. If you have free local storage on each host that can be a good location for the SSVM, as they are pinned to host and excluded from vMotion. No need to waste shared storage unless perhaps higher performance storage is required.
- Choose Network
- View summary and choose Install.
- The installer will now deploy the SSVM via an OVF template. This step can take a few minutes before it completes.
- If all goes well, you now have deployed a SSVM. Congratulations if you decided to use static IP addressing, you now need to go back and run the same installer for every other ESXi host in your environment. This may be acceptable for smaller shops, i.e. < 2o hosts but not very scalable for the enterprise. Large scale deployments may be forced to use DHCP, or perhaps Sophos has the ability to use an answer file, or script the install across a large number of hosts.
How to confirm that Sophos AV protection is working
The easiest way to check if everything is working correctly is to open vShield Manager and select an ESXi host. Each host should have a Sophos SSVM installed. Also each VM need to have its thin agent enabled. This is the actual filter driver in the VM that intercepts file access and allows the SSVM to scan the file. If you don’t see both these items then the VM is most likely not being protected.
I would suggest live testing with the EICAR test virus once Sophos is up and running. Download the text string here, save it as a .com file, and then run it. You should receive the following message in Windows.
And you will see the subsequent warning in SEC.
To automatically clean the threat remember you need to install the Sophos Guest VM Agent. It’s default location is \\SophosUpdateMgrServer\SophosUpdate\CIDs\S000\SAVVSHIELD\sgvma\SophosGvmAgentInstaller.exe. The VMware Tools Introspection Agent has to be installed prior to installing the Sophos Guest VM Agent.