3 Replies Latest reply on Nov 18, 2014 10:29 AM by alexander_h

    Data Source Sophos Antivirus


      Hi Everyone,


      1. Has anyone already added Sophos Antivirus to McAfee SIEM version 9.3.2 and above? I tried to supply the information that it requires but there is a timeout problem connecting to the Sophos DB. I already tried every setting, even changing the timeout to higher or lower settings, but still no luck.


      2. Is there a bug with the NTP on SIEM version 9.4.0? Because what I experienced is that after a month the time on the SIEM will automatically adjust to an advanced time and the IP address of the NTP server will be missing.

        • 1. Re: Data Source Sophos Antivirus



          1. Sophos integration usually works fine when you are using the default settings for the Sophos DB.

               What I would suggest is:

               - Check the port used by the SQL server (dynamic/static) --> use the default 1433

               - Check the DB name: if it's not the default it will fail, as the query is hardcoded


               There is a KB from McAfee that gives details on how to use custom settings for the SQL query that is performed:


          McAfee KnowledgeBase - How to set up a Sophos data source


               2. I never had issues with missing NTP servers.

                    - The time will never change on the ESM as it is using UTC and it's not affected by daylight saving changes.

                    - I would suggest you use pool.ntp.org, as I had some issues with Windows NTP and Linux systems.


          Hope this helps

          • 2. Re: Data Source Sophos Antivirus

            Hi Alex,


            Thank you so much for your help. To add some information:


            1. I forgot to mention that I already tried KB74839 but it still doesn't solve the problem. There is no sqlcollector.pl in the path /usr/local/bin. The port that we are using is the default port 1433 and the default database name, which is SOPHOS52. We also verified the port, database name and the instance of the Sophos database settings using SQLStudioExpress.

            • 3. Re: Data Source Sophos Antivirus

              I would say that the best thing would be to check the logs on the SQL servers, as it might be refusing the connections.

              If you are using the latest ESM it already has all of the dialogs within the data source config.


              What is the message that you see within /var/log/messages on the receiver?

              Also check the event logs on the Windows machine hosting the Sophos DB and also the SQL logs.


              Just to be sure, have you tried ping and Telnet on port 1433 against the SQL server from the receiver?
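
The port 1433 check suggested in the last reply can be scripted so that a refused connection is told apart from a silent timeout. This is an added example, not part of the original thread and not McAfee or Sophos code; the host name `sophos-db.example.internal` is a hypothetical placeholder and the hints are general TCP troubleshooting assumptions.

```python
import errno
import socket
import sys

# What each outcome usually means (general TCP behaviour, assumed, not vendor guidance).
HINTS = {
    "open": "TCP path is fine; check DB name, credentials and the SQL Server logs.",
    "refused": "Host answers but nothing listens on this port; check static vs dynamic port.",
    "timeout": "No reply at all; a firewall between receiver and SQL host may be dropping packets.",
    "unreachable": "No route to the host; check routing on the receiver.",
    "dns_error": "Host name does not resolve from the receiver; try the IP address.",
    "error": "Unexpected socket error.",
}

def probe_tcp(host, port=1433, timeout=5.0):
    """Attempt one TCP connection and classify the result."""
    try:
        info = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_error"
    family, socktype, proto, _, sockaddr = info[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"
    except socket.timeout:          # SYN sent, nothing came back
        return "timeout"
    except ConnectionRefusedError:  # RST received: host up, port closed
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        sock.close()

def diagnose(host, port=1433, timeout=5.0):
    """Return (state, hint) for the SQL Server endpoint."""
    state = probe_tcp(host, port, timeout)
    return state, HINTS[state]

if __name__ == "__main__":
    # Hypothetical default host; pass the real SQL Server address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "sophos-db.example.internal"
    print(target, *diagnose(target))
```
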