10 January 2011

Optimise Sophos software update deployment configuration and schedule Part I

The one thing you really want is for your malware solution to be as up to date as possible, but this creates a trade-off.

One of the things I initially liked most about Sophos was the extremely lightweight definition updates. They use very small .ide text files to update the endpoint with the new definitions. These can be streamed or installed on the fly as they become available, since they have minimal impact on the operation of the endpoints. Since this happens a few times a day, on average about 4, it is a very important part of updating any malware protection service.

Once a month, however, there is a software update. These updates increment the endpoint version number. Depending on the update, these can vary in size, sometimes 1-2MB, but the biggest I've seen was 40+MB. This can cause problems on endpoints with limited resources, since the software update triggers an installation action on the endpoint. The other problem that can occur is if you have large numbers of endpoints updating from a WAN CID or SUM: the sheer volume of data can cause congestion on the WAN.

Ideally you would want to be able to control a few things:

  • The update schedule for definition updates
  • The update schedule for software updates
  • The bandwidth a single endpoint can use
  • The amount of endpoints updating at any point in time
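A back-of-the-envelope planning model for the software-update trade-off described above, added here as an example (it is not from the original post or from any Sophos tooling). The site size, link speed, throttle and update sizes are constructed sample inputs; the model assumes each updating endpoint runs at the policy throttle and updates are pushed in waves.

```python
"""Capacity model for staggered software updates over a WAN link.

Added example, not from the original post or from Sophos. Site sizes, link
speeds and throttle values are constructed sample inputs.
"""
import math
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    endpoints: int
    link_kbps: int           # WAN link capacity towards the site (kbit/s)
    reserve_fraction: float  # share of the link kept free for normal traffic


def max_concurrent(site: Site, throttle_kbps: int) -> int:
    """Endpoints that can update at once without exceeding the link budget."""
    budget = site.link_kbps * (1 - site.reserve_fraction)
    return max(1, int(budget // throttle_kbps))


def rollout_hours(site: Site, update_mb: float, throttle_kbps: int) -> float:
    """Wall-clock hours to push one update to every endpoint at the site."""
    concurrent = max_concurrent(site, throttle_kbps)
    per_endpoint_s = update_mb * 8000 / throttle_kbps  # MB -> kbit at throttle
    waves = math.ceil(site.endpoints / concurrent)
    return waves * per_endpoint_s / 3600


def fits_window(site: Site, update_mb: float, throttle_kbps: int,
                window_hours: float) -> bool:
    """True if the whole rollout completes inside the maintenance window."""
    return rollout_hours(site, update_mb, throttle_kbps) <= window_hours


# Constructed branch office: 200 endpoints behind a 2 Mbit/s link,
# keeping half the link free for business traffic.
BRANCH = Site("branch-01", endpoints=200, link_kbps=2048, reserve_fraction=0.5)

if __name__ == "__main__":
    for size_mb in (2, 40):  # small vs. largest software update seen
        hours = rollout_hours(BRANCH, size_mb, throttle_kbps=256)
        print(f"{size_mb:>3} MB update: {max_concurrent(BRANCH, 256)} at a time, "
              f"{hours:.1f} h total, fits 8 h window: "
              f"{fits_window(BRANCH, size_mb, 256, 8)}")
```

The same inputs give under an hour for a 2MB update but well over a working day for a 40MB one, which is the case for separating the software-update schedule from the definition-update schedule.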

The update architecture
There are a few pieces that work together and that you may want to configure to suit your environment.

Enterprise Console
From here all the native settings are defined. The subscriptions available to the SUMs are set here, as well as the policies for the endpoints.

Software Update Managers
These ultimately provide the update location from which the endpoints update. Configuration here is the most important, since the endpoint checks for "updates" and does not differentiate between definition and software updates. The CID can be a UNC or an HTTP location, each of which comes with its own pros and cons.

Updating Policy
The endpoints are governed by an updating policy which allows you to specify the update location, subscription and a schedule. This is also where you can specify a bandwidth throttling limitation.
