Sophos Antivirus

When you configure your Sophos Antivirus to send log data to USM Appliance, you can use the Sophos Antivirus plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.

Plugin Information

Device Details
  Vendor:            Sophos
  Device Type:       Antivirus
  Connection Type:   Database plugin
  Data Source Name:  sophos-mssql
  Data Source ID:    1558

Integrating Sophos Antivirus through MSSQL

Before you configure the Sophos Antivirus integration, you must have the IP Address of the USM Appliance Sensor.

To configure USM Appliance to retrieve data from Sophos Antivirus

Database plugins extract data from an external database and turn it into USM Appliance events. The database plugin configuration file tells USM Appliance how to connect to the database and which query to run against it. For more information, see Configuring Database Plugins.

In the Sophos Antivirus plugin configuration file (/etc/ossim/agent/plugins/sophos-mssql.cfg), the section that starts with [config] defines how USM Appliance connects to the MSSQL database:

[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/custom_functions/sophos-ip.cfg
source=database
source_type=mssql
source_ip=
source_port=1433
user=db_user
password=db_pass
db=SophosXXX
sleep=60

To open and update the Sophos Antivirus plugin configuration file, access the command shell on USM Appliance (using the jailbreak option), then go to the plugins directory:

cd /etc/ossim/agent/plugins/

Using a text editor (such as vim), open the plugin file for editing:

vim sophos-mssql.cfg

To enable communication with the MSSQL database, you need to enter values for the following fields:

  • source_ip: Fully qualified domain name, hostname or IP address of the MSSQL server.
  • user: Name of the user with access to the database.
  • password: Password for the user with access to the database.

After you've updated and saved your changes, restart ossim-agent:

/etc/init.d/ossim-agent restart
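As an added example (not vendor code), a small Python check that parses a [config] section in the format shown above and reports what still needs to be filled in before ossim-agent is restarted. The embedded sample configuration, the rule that treats db=SophosXXX as an unfilled placeholder, and the set_field helper are this example's own assumptions.

```python
import configparser

# Constructed sample of the [config] section shown on this page, as it looks
# before the administrator has filled in source_ip and the real database name.
SAMPLE_CFG = """\
[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/custom_functions/sophos-ip.cfg
source=database
source_type=mssql
source_ip=
source_port=1433
user=db_user
password=db_pass
db=SophosXXX
sleep=60
"""

# Fields the page says must be filled in before the MSSQL connection can work.
REQUIRED = ("source_ip", "user", "password")

def check_config(text):
    """Return a list of problems found in the [config] section (empty = OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("config"):
        return ["missing [config] section"]
    cfg = cp["config"]
    problems = []
    if cfg.get("source") != "database" or cfg.get("source_type") != "mssql":
        problems.append("source/source_type must be database/mssql")
    for key in REQUIRED:
        if not cfg.get(key, "").strip():
            problems.append(f"{key} is empty")
    # Assumption: the page's db=SophosXXX is a placeholder, not a real name.
    if cfg.get("db", "SophosXXX").endswith("XXX"):
        problems.append("db still holds the placeholder SophosXXX")
    port = cfg.get("source_port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("source_port is not a valid TCP port")
    return problems

def set_field(text, key, value):
    """Rewrite key=... in the raw text, keeping the file's key=value style."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == key:
            lines[i] = f"{key}={value}"
    return "\n".join(lines) + "\n"
```

Because user and password sit in cleartext in this file, keep it readable only by the account that ossim-agent runs as.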

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://cybersecurity.att.com/documentation/usm-appliance/plugin-management/configuring-database-plugins.htm

For troubleshooting, see the vendor documentation.