Sheriff CSM™
Sophos Antivirus
When you configure Sophos Antivirus to send log data to Sheriff CSM, you can use the Sophos Antivirus plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
Plugin Information
Device           | Details
Vendor           | Sophos
Device Type      | Antivirus
Connection Type  | Database plugin
Data Source Name | sophos-mssql
Data Source ID   | 1558
Integrating Sophos Antivirus through MSSQL
Before you configure the Sophos Antivirus integration, you must have the IP address of the Sheriff CSM Sensor (Deputy).
To configure Sheriff CSM to retrieve data from Sophos Antivirus
Database plugins extract data from an external database and turn it into Sheriff CSM events. The database plugin configuration file tells Sheriff CSM how to connect to and query the database. For more information, see Configuring Database Plugins.
In the Sophos Antivirus plugin configuration file (/etc/vigilante/agent/plugins/sophos-mssql.cfg), the section that starts with [config] details how Sheriff CSM connects to the MSSQL database.
[config]
type=detector
enable=yes
custom_functions_file=/etc/vigilante/agent/plugins/custom_functions/sophos-ip.cfg
source=database
source_type=mssql
source_ip=
source_port=1433
user=db_user
password=db_pass
db=SophosXXX
sleep=60
To open and update the Sophos Antivirus plugin configuration file, access the command shell on Sheriff CSM (using the jailbreak option), then go to the plugins directory:
cd /etc/vigilante/agent/plugins/
Using a text editor (such as vim), open the plugin file for editing:
vim sophos-mssql.cfg
To enable communication with the MSSQL database, enter values for the following fields:
- source_ip: Fully qualified domain name, hostname or IP address of the SQL Server that hosts the Sophos database.
- user: Name of the SQL login with access to the database.
- password: Password for that login.
The plugin only reads from the Sophos database, so give it a dedicated login with read-only rights rather than an administrative account. The password is stored in clear text in this file, so keep the file readable only by root.
After you've updated and saved your changes, restart vigilante-agent:
/etc/init.d/vigilante-agent restart
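Before restarting the agent it is worth checking that the [config] section is complete, that the file is not readable by other users (it holds the database password in clear text), and that the sensor can actually open a TCP connection to the SQL Server port. The following pre-flight script is an added example, not code from Sheriff CSM or Sophos; the plugin file is parsed as plain INI (the layout shown on this page), the sample configuration embedded in it is constructed to mirror the page's [config] block with source_ip still empty, and the function names are the author's own.

```python
"""Pre-flight check for a Sheriff CSM database plugin configuration.

Added example, not part of the Sheriff CSM product or its documentation.
It parses the [config] section of a plugin .cfg file (INI syntax, as on
the page), reports required connection fields that are still empty, flags
a config file that is readable by users other than the owner (it holds the
database password in clear text), and optionally tests that the MSSQL port
accepts a TCP connection from the sensor.
"""
import configparser
import os
import socket
import stat
import tempfile

# Fields that must be filled in before the plugin can reach the database.
REQUIRED_FIELDS = ("source_ip", "source_port", "user", "password", "db")


def load_plugin_config(path):
    """Return the [config] section of a plugin file as a dict of strings."""
    # interpolation=None: plugin files may contain literal '%' characters.
    parser = configparser.ConfigParser(interpolation=None)
    with open(path, encoding="utf-8") as fh:
        parser.read_file(fh)
    if not parser.has_section("config"):
        raise ValueError("%s has no [config] section" % path)
    return dict(parser.items("config"))


def missing_fields(config):
    """Names of required connection fields that are absent or empty."""
    return [key for key in REQUIRED_FIELDS if not config.get(key, "").strip()]


def world_or_group_readable(path):
    """True if users other than the owner can read the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def port_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except (OSError, ValueError):
        return False


def preflight(path, check_network=True):
    """Run all checks; returns a dict the caller can print or assert on."""
    config = load_plugin_config(path)
    result = {
        "missing": missing_fields(config),
        "enabled": config.get("enable", "").lower() == "yes",
        "type_is_mssql": config.get("source_type", "").lower() == "mssql",
        "file_readable_by_others": world_or_group_readable(path),
        "port_reachable": None,  # only tested when the fields are complete
    }
    if check_network and not result["missing"]:
        result["port_reachable"] = port_reachable(config["source_ip"],
                                                  config["source_port"])
    return result


# Constructed sample mirroring the page's [config] block, with source_ip
# left empty as it is before the administrator fills it in.
SAMPLE_CFG = """[config]
type=detector
enable=yes
custom_functions_file=/etc/vigilante/agent/plugins/custom_functions/sophos-ip.cfg
source=database
source_type=mssql
source_ip=
source_port=1433
user=db_user
password=db_pass
db=SophosXXX
sleep=60
"""


def write_sample(text=SAMPLE_CFG, mode=0o600):
    """Write a constructed cfg to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = write_sample()
    for key, value in preflight(sample, check_network=False).items():
        print("%-24s %s" % (key, value))
    os.remove(sample)
```

Run it against the real file with `preflight("/etc/vigilante/agent/plugins/sophos-mssql.cfg")` from the sensor shell; a `port_reachable` of False with no missing fields points at a firewall or a SQL Server instance that is not listening on TCP 1433, which is worth ruling out before looking at credentials.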
Plugin Enablement
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
https://cybersecurity.att.com/documentation/Sheriff-CSM/plugin-management/configuring-database-plugins.htm
For troubleshooting, see the vendor documentation.