Determine Sophos Anti-virus version

bpavlov
Honored Contributor

Even though the version is 9.2.8, Casper of course reports 9.2.4 since that's what the app says in its 'info.plist'. How are others getting the actual version of Sophos Anti-virus?


John_Wetter
Release Candidate Programs Tester

Hadn't noticed that yet. I see they only populated the short version and the BundleVersion string isn't even populated. It might be possible to pull this from the sophos command line but I wouldn't hold my breath. This looks like a Sophos support ticket is necessary. With the version info being absent from everywhere OS X knows to look, I don't see an easy way to get this info...

mm2270
Legendary Contributor III

I don't have Sophos, so I can't check, but does mdls also show the wrong version info? I'm assuming it does. If so, then I would agree with @john_wetter. Sophos would have to fix it. Someone messed up it seems.

John_Wetter
Release Candidate Programs Tester

Yes, mdls also shows as 9.2.4 so I do think we're stuck on this one.

Snickasaurus
Contributor

@bpavlov Perhaps you could change your reporting EA to look here instead.

/Library/Sophos Anti-Virus/product-info.plist

As such

/usr/libexec/PlistBuddy -c "Print :ProductVersion" "/Library/Sophos Anti-Virus/product-info.plist"

sean
Valued Contributor

Doesn't Sophos refer to the Installer when they quote the version, and not the version of the App?

defaults read "/Library/Application Support/Sophos/opm/Installer.app/Contents/Info" CFBundleShortVersionString

bpavlov
Honored Contributor

Thanks everyone for the feedback. Looks like there are at least two different places where I could possibly get the information from. Extension Attribute, here I come!

@sean Not sure what Sophos' intention is, but considering it seems like the version was always up to date in previous versions up until 9.2.4, I believe this may be a simple case of oversight. I noticed this same thing in 9.2.7 as well but at the time didn't make a big deal out of it. But now I want to make sure we're ready for OS X 10.11 and want to get everyone on at least 9.2.8.

I believe I've submitted a ticket with Sophos Support about this. I say believe because I've never contacted them for anything so here's hoping they get the feedback that I did submit. On a somewhat related note, is anyone using a newer version of Sophos Anti-virus (I think preview is at 9.4.1)? Any idea if the version mismatch still exists? https://www.sophos.com/en-us/support/knowledgebase/120189.aspx

dgreening
Valued Contributor II

I am on Sophos 9.4.1 and the JSS reports 9.4.0 under the Applications section. I also use an extension attribute to determine the Sophos version:

#!/bin/bash
SophosVers=$( defaults read "/Library/Sophos Anti-Virus/product-info" ProductVersion )
if [[ "$SophosVers" == "" ]]; then
    echo "<result>N/A</result>"
else
    echo "<result>$SophosVers</result>"
fi

dgreening
Valued Contributor II

Here are a few more handy Sophos Extension Attributes:

Display last time Sophos updated:

#!/bin/bash
SophosUpdated=$( defaults read /Library/Preferences/com.sophos.sau LastUpdated )
if [[ "$SophosUpdated" == "" ]]; then
    echo "<result>N/A</result>"
else
    echo "<result>$SophosUpdated</result>"
fi

Display Sophos primary server URL:

#!/bin/bash
SophosURL=$( defaults read /Library/Preferences/com.sophos.sau PrimaryServerURL )
if [[ "$SophosURL" == "" ]]; then
    echo "<result>N/A</result>"
else
    echo "<result>$SophosURL</result>"
fi

sean
Valued Contributor

@bpavlov As said, the version that Sophos are quoting I believe is the Installer.app version, not the version of the Sophos Anti-Virus.app, since the app is just part of the install. So the version of Sophos Anti-Virus.app will be 9.2.4 and I doubt there is anything for them to correct. It happens that the parts installed around the app have progressed and so the Installer.app has been incremented.

For example:

        <product-version>9.2.8</product-version>
        <virus-engine-version>3.60.0</virus-engine-version>
        <virus-data-version>5.23</virus-data-version>

As a developer you are only going to increment the version if changes are made to the app. So installer 9.2.7 and 9.2.8 would both install the unchanged Sophos Anti-Virus.app version 9.2.4. Likewise, the app would have been updated to 9.4.0 and since then, other components have been updated meaning that the installer will now be 9.4.1, but the app will still be 9.4.0.

This isn't in any way unique; previous release:

# defaults read "/Applications/Sophos Anti-Virus.app/Contents/Info" CFBundleShortVersionString

9.1.4

# defaults read "/Library/Application Support/Sophos/opm/Installer.app/Contents/Info" CFBundleShortVersionString

9.1.8

Asking them to increment the version of the app to constantly be inline with the installer would be a nightmare for the devs. They would end up with several versions of the app all being the same thing, so I wouldn't expect this to change.

See:

defaults read "/Library/Application Support/Sophos/opm/receiptConfiguration.plist"

Of course, Casper is reporting the version of Apps in /Applications. Set up an EA, as posted by @dgreening, reading the product-info or the installer app if you want to know what is installed instead of reporting the version of the app.

hugo_iturralde
New Contributor

Does anyone know how to script an Extension Attribute to get the Sophos Antivirus Definitions Date?

I am running version 9 and the Extension Attributes that I have found so far do not work consistently. Also, not all computers have the sweep file in the same location: some have it at /usr/bin/sweep, many have it at /usr/local/bin/sweep.

The result is that some computers show the right date, some others show a "Not Installed" output and some others show an empty field on the reports.


bpavlov
Honored Contributor

You might want to run an if statement that checks where the sweep binary is located and then set that location as the variable to use for the rest of the script, so then all you'd technically have to do is reference $sweep.

apizz
Valued Contributor

Can't remember where I got these, but this is what we use.

Sophos Virus Definition Date:

#!/bin/sh
#This script has been verified to work on Sophos (v 7.1).

#Check to see if Sophos is installed
if [ -f "/usr/bin/sweep" ]; then
result=`/bin/date -j -f "%b %d %Y" "$(/usr/bin/sweep -v | grep "Released" | awk '{print $4, $3, $5}')" "+%Y-%m-%d 00:00:00"`
echo "<result>$result</result>"
else
echo "<result>Not installed</result>"
fi

Sophos Virus Definition Version

#!/bin/sh
#This script has been verified to work on Sophos (v 7.1).

#Check to see if Sophos is installed
if [ -f "/usr/bin/sweep" ]; then
result=`/usr/bin/sweep -v | grep "Virus data version" | awk '{print $5}'`
echo "<result>$result</result>"
else
echo "<result>Not Installed</result>"
fi

sean
Valued Contributor

Sweep is very slow. Check out

Release:

awk -F'"' '/VirusData Version/ {print $(NF-1)}' "/Library/Sophos Anti-Virus/VDL/vvf.xml"

Virus Data Version:

awk -F'"' '/VirusData Version/ {print $2}' "/Library/Sophos Anti-Virus/VDL/vvf.xml"

hugo_iturralde
New Contributor

Thank you all, this is what I have come up with and it seems to be working fine so far:

Sean (or anyone), how would you change my version so that it uses your "Release" version above without looking at sweep? Regardless of the output speed, it seems safer not to be looking at a file that can be installed at different locations depending on the original version of the installer.


apizz
Valued Contributor

@sean I like it. Updated our EAs. Thanks!

stevewood
Honored Contributor II

@hugo.iturralde You can reduce your EA to the following by using @sean suggestion:

#!/bin/sh

result=`awk -F'"' '/VirusData Version/ {print $(NF-1)}' "/Library/Sophos Anti-Virus/VDL/vvf.xml"`
echo "<result>$result</result>"

and

#!/bin/sh

result=`awk -F'"' '/VirusData Version/ {print $2}' "/Library/Sophos Anti-Virus/VDL/vvf.xml"`
echo "<result>$result</result>"

sean
Valued Contributor

If I wanted to use sweep in particular, then I'd probably just let the OS get the path for me. I'd also set the "not installed" result to a date; that way the EA can be set as a date format rather than having mixed responses. You can then do "date is newer than..."

#!/bin/bash

the_sweep=`which sweep`

if [ $? = 0 ]
then
        get_release=`$the_sweep -v | awk -F ":" '/Released/ {print $NF}'`
        result=`/bin/date -j -f " %d %b %Y" "${get_release}" "+%Y-%m-%d"`
else
        result="1984-01-24"
fi

echo "<result>$result</result>"

exit 0

Otherwise as suggested by @stevewood it's just a case of running pretty much that line, surrounded by some error checking. Could use different hours:mins:secs or a different date to distinguish between the two alternative cases, instead of the same default date.

#!/bin/bash

default_date="1984-01-24"

if [ -e "/Library/Sophos Anti-Virus/VDL/vvf.xml" ]
then
        result=`awk -F'"' '/VirusData Version/ {print $(NF-1)}' "/Library/Sophos Anti-Virus/VDL/vvf.xml"`
        if [ $? != 0 ]
        then
                result="$default_date"         
        fi
else
        result="$default_date"         
fi

echo "<result>$result</result>"

exit 0

I'm also a fan of bash rather than sh. Although they both report as being bash...

mymac:~ root# bash --version
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
mymac:~ root# sh --version
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

...they aren't, and bash has more to offer, e.g. sh can't do process substitution. Taking the above Sophos script as an example: run this as sh and it will fail.

#!/bin/bash

the_sweep=`which sweep`

if [ $? = 0 ]
then
        # Use process substitution to make variables available outside loop
        while read line
        do
                case "$line" in

                        "Released"*)
                                result_date=`/bin/date -j -f " %d %b %Y" "${line##*:}" "+%Y-%m-%d"`
                        ;;

                        "Virus data version"*)
                                result_version="${line##*:}"
                        ;;

                        "Data file name"*)
                                break
                        ;;
                esac
        done < <($the_sweep -v)

        result="$result_date :$result_version"
else
        result="Not installed"
fi

echo "<result>$result</result>"

sh scripts should be able to be run as bash, bash scripts may or may not be able to be run as sh.
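The following is an added example, not code from the thread or from Sophos. It takes the vvf.xml approach @sean suggested and the single-default-date idea from the post above and builds one EA out of them: the definition version and release date are read without running sweep, the "DD Mon YYYY" date is normalised to YYYY-MM-DD inside awk (so the script does not depend on BSD `date -j` versus GNU `date -d`), and any failure, missing file or unparseable field collapses to one fixed sentinel date so the EA can be typed as a date in Jamf. It also includes the sweep lookup @hugo.iturralde asked about, checking PATH and then both install locations mentioned in the thread. Assumptions, labelled in the code: the VirusData element carries its Version and date as quoted attributes in that order, which is what the `$2` / `$(NF-1)` fields in the thread's one-liners imply; the file path and sentinel value are placeholders you can override.

```shell
#!/bin/sh
# Added example (not from the thread or Sophos). Jamf-style extension attribute
# built on the vvf.xml approach: version and release date without sweep, date
# normalised in awk, one sentinel date on any failure.
# Assumption: the VirusData line looks like
#   <VirusData Version="5.23" Date="24 Jan 2015" ...>
# i.e. Version is the first quoted attribute and the date is the last one, as
# the thread's `$2` / `$(NF-1)` awk fields imply.

VVF_DEFAULT="${VVF_DEFAULT:-/Library/Sophos Anti-Virus/VDL/vvf.xml}"
SENTINEL_DATE="1984-01-24"   # means "no definitions found"; chosen arbitrarily

# Locate sweep: PATH first, then the two install locations seen in the thread.
# Pass explicit candidate paths to restrict the search (the test does this).
find_sweep() {
    if [ $# -eq 0 ]; then
        command -v sweep 2>/dev/null && return 0
        set -- /usr/bin/sweep /usr/local/bin/sweep
    fi
    for p in "$@"; do
        if [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Print the Version attribute of the VirusData element, but only if it looks
# like a dotted version number; print nothing and fail otherwise.
sophos_defs_version() {
    vvf="${1:-$VVF_DEFAULT}"
    [ -r "$vvf" ] || return 1
    awk -F'"' '/VirusData Version/ { print $2; exit }' "$vvf" |
        grep -E '^[0-9]+(\.[0-9]+)+$'
}

# Convert "24 Jan 2015" to "2015-01-24" in awk. Anything that is not
# "day month year" with a three-letter month produces no output.
iso_date_from_dmy() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        NF == 3 && $1 ~ /^[0-9][0-9]?$/ && ($2 in mon) && $3 ~ /^[0-9][0-9][0-9][0-9]$/ {
            printf "%04d-%02d-%02d\n", $3, mon[$2], $1
        }'
}

# Definition release date as YYYY-MM-DD, or the sentinel if the file is
# missing, unreadable, or the date field does not parse.
sophos_defs_release_iso() {
    vvf="${1:-$VVF_DEFAULT}"
    raw=""
    if [ -r "$vvf" ]; then
        raw=$(awk -F'"' '/VirusData Version/ { print $(NF-1); exit }' "$vvf")
    fi
    iso=$(iso_date_from_dmy "$raw")
    if [ -n "$iso" ]; then
        printf '%s\n' "$iso"
    else
        printf '%s\n' "$SENTINEL_DATE"
    fi
}

# Jamf result line. Run with --ea to emit it; drop the guard when pasting
# the script into an extension attribute.
case "${1:-}" in
    --ea) printf '<result>%s</result>\n' "$(sophos_defs_release_iso)" ;;
esac
```

Everything here is POSIX sh, so the bash-versus-sh question raised above does not arise. The validation step matters for the mixed-output problem @hugo.iturralde described: a machine with a corrupt or half-written vvf.xml reports the sentinel date rather than an empty field, and a smart group built on "date is newer than" treats it the same as a machine with no Sophos at all.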