  =                SOPHOS for OpenVMS Installation and IDE Update =                ----------------------------------------------   L This directory tree provides an environment for the controlled update of theL SAVI engine and IDEs on the OpenVMS operating system.  These procedures haveN been developed by Mr Jeremy Begg at VSM Software Services Pty Ltd and are madeL available to the wider community.  Please let us know if they help you or if you find any problems.  N ------------------------------------------------------------------------------ SAVI on OpenVMS  --------------- J Sophos Plc provides a cut-down version of their product for use on OpenVMSD systems.  The OpenVMS version consist of the SAVI API (engine) and aF command-line utility for scanning one or more files in a single pass.   K Updates to the SAVI engine are distributed on a monthly CD-ROM and are also J available for download from the Sophos web site.  Updates to the IDE filesJ used by SAVI to describe new threats are also made available on the Sophos	 web site.   K However Sophos do not provide any tools to automate the process of updating ; SAVI or its IDEs, unlike most of their supported platforms.   J The procedures provided with this kit are an attempt to simplify and semi- automate the update process.  N ------------------------------------------------------------------------------ Directory Structure  ------------------- I The directory structure is very simple and allows for the co-existance of H multiple versions of the SAVI engine (which however is not recommended).  *     SOPHOS_ROOT:[000000]		Parent directory) 		[COM]			DCL procedures and control file  		[LOG]			Log files ' 		[SAVI_xxx]		SAVI engine version 'xxx' - 		[SAVI_xxx.AUX]		IDES for SAVI version 'xxx' - 		[SOPHPDATE]		Login directory for a username   					dedicated to updating IDEs.  N ------------------------------------------------------------------------------ Installation Step 1  ------------------- @ In 
following the instructions below, a few assumptions are made.  M 1.  SAVI is not currently installed, or you have taken steps to prevent users C     attempting to use it while you are setting up these procedures. L 2.  The DCL symbols UNZIP and WGET are defined and invoke the UNZIP and WGET     utilities, respectively.F 3.  You are logged into an account with appropriate system privileges.    @ Use VMS BACKUP to restore the saveset into a suitable directory. For example:  H $ BACKUP/LOG VSM_SOPHOS.BCK/SELECT=[SOPHOS...] SYS$SYSDEVICE:[SOPHOS...]  H Then modify your system startup procedure to include these two commands:  ?    $ DEFINE/SYS/EXEC SOPHOS_ROOT dev:[SOPHOS.] /TRANS=CONCEALED (    $ @ SOPHOS_ROOT:[COM]START_SOPHOS.COM  K where 'dev' is the VMS device name of the device on which the procedure has J been installed.  Alternatively, the START_SOPHOS.COM procedure will define3 SOPHOS_ROOT if it is not already defined /SYS/EXEC.   L When the saveset has been restored, run the START_SOPHOS procedure to defineJ critical logical names.  This procedure will exit with an error status the? first time it is run, because the SAVI engine won't be present.   N Optionally, create a username dedicated to performaing IDE updates.  
At VSM we' have a user with these SYSUAF settings: (                                         E Username: SOPHUPDATE                       Owner:  Sophos Auto-Update I Account:                                   UIC:    [373,1] ([SOPHUPDATE]) < CLI:      DCL                              Tables: DCLTABLES" Default:  SOPHOS_ROOT:[SOPHUPDATE]) LGICMD:   SOPHOS_COM:SOPHUPDATE_LOGIN.COM * Flags:  DisCtlY LockPwd Restricted DisMail+ Primary days:   Mon Tue Wed Thu Fri         + Secondary days:                     Sat Sun F Primary   000000000011111111112222  Secondary 000000000011111111112222F Day Hours 012345678901234567890123  Day Hours 012345678901234567890123F Network:  ##### Full access ######            ##### Full access ######F Batch:    ##### Full access ######            ##### Full access ######F Local:    -----  No access  ------            -----  No access  ------F Dialup:   -----  No access  ------            -----  No access  ------F Remote:   -----  No access  ------            -----  No access  ------D Expiration:            (none)    Pwdminimum:  6   Login Fails:     0? Pwdlifetime:           (none)    Pwdchange:   2-JAN-2008 17:27  P Last Login:            (none) (interactive),  7-JAN-2008 15:35 (non-interactive)9 Maxjobs:         0  Fillm:       128  Bytlm:       128000 9 Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0 9 Maxdetach:       0  BIOlm:       150  JTquota:       4096 9 Prclm:           1  DIOlm:       150  WSdef:         4096 9 Prio:            4  ASTlm:       300  WSquo:         8192 9 Queprio:         4  TQElm:       100  WSextent:     16384 9 CPU:        (none)  Enqlm:      4000  Pgflquo:     256000  Authorized Privileges:     NETMBX       TMPMBX  Default Privileges:    NETMBX       TMPMBX   N ------------------------------------------------------------------------------ Installation Step 2  ------------------- K The BACKUP saveset provided here does not include the SAVI engine itself -- N you'll have to get that from Sophos, 
either by downloading it or by copying it from the monthly CD-ROM.  / Here are the instructions for using the CD-ROM.   B     $ MOUNT/OVER=ID cd-dev:		! where 'cd-dev' is your CD-ROM drive"     $ @ SOPHOS_COM:UPDATE_SAVI.COM  K The UPDATE_SAVI.COM procedure looks for the file [OPENVMS]VSWEEP.ZIP on the F Sophos CD-ROM, and UNZIPs it into a temporary directory.  It then runsL UPDATE_IDES.COM to download the latest IDE archive for this version of SAVI.F If the this succeeds, the procedure renames the temporary directory toN [SAVI_nnn], where 'nnn' is the 'Threat data version' found in the SAVI releaseI notes.  This number also serves to identify the relevant IDE archive when % downloading from the Sophos web site.   N ------------------------------------------------------------------------------ Installation Step 3  ------------------- L At this point you should have a functional SAVI engine with the latest IDEs,+ which you can check by running the commands       $ VSWEEP := $VSWEEP    $ VSWEEP /VER  M However for correct operation you need to automate the process of keeping the = IDEs up-to-date.  There are two basic methods for doing this.   M 1.  Run the UPDATE_IDES.COM procedure on a regular basis (e.g. every 30 or 60 J     minutes).  This can be easily done with self-submitting batch job (not     supplied here).   M 2.  
Arrange for the SOPHUPDATE username to be subscribed to the Sophos update J     alerts mailing list, then use a tool such as DELIVER (part of PMDF) to     trigger UPDATE_IDES.COM.  H Or do both of the above: use DELIVER to run UPDATE_IDES each time SophosL announces a new one, and run it again every 4-6 hours in case an alert email or two goes missing.  N ------------------------------------------------------------------------------ Final Comments --------------G These procedures provide the framework for keeping SAVI up-to-date with @ minimal intervention; all the system manager has to do is to run0 UPDATE_SAVI.COM each time a new CD-ROM comes in.  M However there is nothing here to avoid a clash between a running SAVI process L and the update process.  For example, if VSWEEP starts up at the same momentL that UPDATE_IDES is unpacking a new set of IDE updates, VSWEEP may find thatA some IDE files are "corrupt" because UNZIP is still writing them.   L Nor is there anything here to coordinate IDE updates with a "permanent" SAVIM processes such as PreciseMail Anti-Spam Gateway running in "pass-through SMTP  proxy" mode.  C Handling these issues is left as an exercise to the system manager.      Jeremy Begg <jeremy@vsm.com.au> 7 VSM Software Services Pty Ltd, Adelaide South Australia  10 January 2008 
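Method 1 under Installation Step 3 mentions a self-submitting batch job but does not supply one.  The DCL procedure below is an added example, not part of the VSM kit: it runs UPDATE_IDES.COM and then re-queues itself.  The file name RESUBMIT_IDES.COM, the queue name and the one-hour interval are assumptions.

```dcl
$! RESUBMIT_IDES.COM -- added example, not part of the VSM kit.
$! Runs UPDATE_IDES.COM and re-queues itself so the IDEs are refreshed
$! at a fixed interval.  Submit it once from the SOPHUPDATE account:
$!   $ SUBMIT/NOPRINTER/LOG_FILE=SOPHOS_ROOT:[LOG] SOPHOS_COM:RESUBMIT_IDES.COM
$! The interval and queue name below are assumptions; adjust to suit.
$ INTERVAL = "+0-01:00"                 ! delta time: re-run in 1 hour
$ QUEUE    = "SYS$BATCH"
$ SELF     = F$ENVIRONMENT("PROCEDURE") ! full file spec of this procedure
$!
$! Re-queue no matter how the update ends, so one failed download
$! (e.g. the Sophos site being unreachable) does not stop future updates.
$ ON ERROR THEN GOTO RESUBMIT
$ ON CONTROL_Y THEN GOTO RESUBMIT
$ @SOPHOS_COM:UPDATE_IDES.COM
$!
$RESUBMIT:
$ SET NOON                              ! a failed SUBMIT must not loop here
$ SUBMIT/NOPRINTER/KEEP/QUEUE='QUEUE'/AFTER="''INTERVAL'" -
     /LOG_FILE=SOPHOS_ROOT:[LOG]RESUBMIT_IDES.LOG -
     /NAME=SOPHOS_IDES 'SELF'
$ EXIT
```

Because the job always resubmits itself, check the log in SOPHOS_ROOT:[LOG] occasionally; a persistent download failure is otherwise silent.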
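The clash described under Final Comments (VSWEEP reading IDE files that UNZIP is still writing) can be narrowed with a lock file.  The procedure below is an added example, not part of the VSM kit; its file name IDE_LOCK.COM, the lock-file name and the 10-minute wait limit are assumptions.  Invoked with UPDATE it runs UPDATE_IDES.COM while the lock file exists; invoked with SCAN it waits for the lock to clear before running VSWEEP on P2.

```dcl
$! IDE_LOCK.COM -- added example, not part of the VSM kit.
$!   @IDE_LOCK UPDATE          run UPDATE_IDES.COM under a lock file
$!   @IDE_LOCK SCAN file-spec  wait for any update to finish, then scan
$! Lock-file name and wait limit are assumptions.  The F$SEARCH test and
$! the file creation are two steps, so two updaters started at the same
$! instant could both pass; this narrows the window, it does not close it.
$ LOCKFILE = "SOPHOS_ROOT:[LOG]IDE_UPDATE.LCK"
$ IF P1 .EQS. "UPDATE" THEN GOTO UPDATE
$ IF P1 .EQS. "SCAN"   THEN GOTO SCAN
$ WRITE SYS$OUTPUT "Usage: @IDE_LOCK UPDATE | SCAN file-spec"
$ EXIT 2
$!
$UPDATE:
$! Refuse to start a second update while one is already running.
$ IF F$SEARCH(LOCKFILE) .NES. "" THEN GOTO BUSY
$ OPEN/WRITE LOCK 'LOCKFILE'
$ WRITE LOCK F$GETJPI("","PID") + " " + F$TIME()   ! who holds it, since when
$ CLOSE LOCK
$! Whatever happens inside UPDATE_IDES, release the lock afterwards.
$ ON ERROR THEN GOTO RELEASE
$ ON CONTROL_Y THEN GOTO RELEASE
$ @SOPHOS_COM:UPDATE_IDES.COM
$RELEASE:
$ STATUS = $STATUS                      ! preserve the update's exit status
$ SET NOON
$ DELETE/NOLOG 'LOCKFILE';*
$ EXIT 'STATUS'
$!
$BUSY:
$ WRITE SYS$OUTPUT "IDE update already in progress (" + LOCKFILE + ")"
$ EXIT 2
$!
$SCAN:
$! Poll the lock file; give up after 120 x 5 seconds = 10 minutes.
$ TRIES = 0
$WAIT_LOOP:
$ IF F$SEARCH(LOCKFILE) .EQS. "" THEN GOTO RUN_SCAN
$ TRIES = TRIES + 1
$ IF TRIES .GT. 120 THEN GOTO TIMEOUT
$ WAIT 00:00:05
$ GOTO WAIT_LOOP
$RUN_SCAN:
$ VSWEEP := $VSWEEP
$ VSWEEP 'P2'
$ EXIT
$TIMEOUT:
$ WRITE SYS$OUTPUT "Gave up waiting for the IDE update to finish"
$ EXIT 2
```

A lock file left behind by a crashed update (the PID and time written into it identify the owner) will block scans until it is deleted by hand, so the SCAN branch times out rather than waiting forever.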