Advisory: Sophos XG Firewall – Antivirus service stopped due to failed pattern update
Overview
Sophos has received customer reports of the SFOS Antivirus service being stopped due to a failed AV pattern update.
This issue only affects SFOS devices that have been recently rebooted or have had their antivirus service restarted by a configuration change.
This will affect email delivery and cause web traffic to be dropped.
Applies to the following Sophos product(s) and version(s)
Sophos Firewall XG
How to identify if you are affected
This issue only affects SFOS devices that have been recently rebooted or have had their antivirus service restarted by a configuration change.
Affected devices will have the following line in /log/avd.log:
/bin/avd: error while loading shared libraries: libssp.so.0: cannot open shared object file: No such file or directory
The antivirus service will be stopped and the Avira and Sophos AV pattern update will be shown as failed. Users can confirm this via the Pattern Updates section in the SFOS GUI and from the Advanced Shell.
Advanced Shell:
service -S | grep antivirus
antivirus STOPPED
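The two indicators above can be combined into one triage check. This is an added example, not a Sophos-supplied script: the function names, verdict labels and sample files are assumptions made for illustration, and only the log signature and the "antivirus STOPPED" status line come from this advisory.

```shell
#!/bin/sh
# Loader error exactly as quoted in the advisory.
LIBSSP_ERR='/bin/avd: error while loading shared libraries: libssp.so.0: cannot open shared object file: No such file or directory'

# Return 0 if the avd log at path $1 contains the loader error.
avd_log_has_error() {
    [ -r "$1" ] && grep -qF "$LIBSSP_ERR" "$1"
}

# Return 0 if the service status text on stdin lists antivirus as STOPPED.
antivirus_stopped() {
    awk '$1 == "antivirus" && $2 == "STOPPED" { found = 1 } END { exit !found }'
}

# Print a verdict. $1 = avd log path, $2 = file holding saved `service -S` output.
av_triage() {
    log_hit=0; svc_hit=0
    avd_log_has_error "$1" && log_hit=1
    antivirus_stopped < "$2" && svc_hit=1
    if [ "$log_hit" -eq 1 ] && [ "$svc_hit" -eq 1 ]; then echo AFFECTED
    elif [ "$log_hit" -eq 1 ]; then echo LOG_ONLY            # old log entry, service running again
    elif [ "$svc_hit" -eq 1 ]; then echo STOPPED_OTHER_CAUSE # stopped, but not by this issue
    else echo OK
    fi
}

# Write constructed sample inputs (not captured from a real device) into directory $1.
write_samples() {
    printf '%s\n' 'constructed: avd startup' "$LIBSSP_ERR" > "$1/bad.log"
    printf '%s\n' 'constructed: avd startup' > "$1/ok.log"
    printf 'example_service   RUNNING\nantivirus         STOPPED\n' > "$1/bad.svc"
    printf 'example_service   RUNNING\nantivirus         RUNNING\n' > "$1/ok.svc"
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "affected sample: $(av_triage "$demo_dir/bad.log" "$demo_dir/bad.svc")"
echo "healthy sample:  $(av_triage "$demo_dir/ok.log" "$demo_dir/ok.svc")"
rm -rf "$demo_dir"
```

On a device, save the output of service -S to a file and pass it together with /log/avd.log to av_triage.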
Impact
A stopped SFOS antivirus service will affect email delivery and cause web traffic to be dropped.
Current status
4/4/2020 – 9pm GMT
- Updated AV pattern with fix has been released to prevent this issue
- Manual fix for devices that are already affected is available from Support
4/4/2020 – 6pm GMT
- Sophos is actively working to resolve this issue
- We expect this issue to be resolved by 9pm GMT
What to do
An updated AV pattern with the fix has been automatically released to all SFOS devices.
Users with devices that are already affected should refer to the instructions below:
For affected devices running SFOS v18 EAP2 or above:
- From the advanced shell:
/scripts/av_version_change.sh savi
/scripts/av_version_change.sh avira
- Then initiate a pattern update from the GUI
For affected devices running SFOS v17.5.x, please raise a support case and include the information below:
- Enable the Support Access Tunnel and provide the Access ID
- Provide consent for Sophos Support to add an RSA/SSH key for the fix to be applied