In light of the recent Crowdstrike and Microsoft IT outage, we wanted to ensure everyone has a clear understanding – behind the scenes – of the processes that are in place for Sophos updates.

You can read a summary of the issue and additionally a fuller summary of Sophos’ software product update process in these 2 articles:

• Crowdstrike Global Outage: Sophos Guidance
• Sophos Endpoint release & development process

Sophos has a very polished QA process when it comes to our software products. They create, release, and monitor product updates containing new features, functionality, bug fixes, etc. in a controlled, incremental fashion to reduce the potential likelihood of customer issues. Their by step process is outlined here:

• They run all product updates in internal development and quality assurance environments before they are released into production.
• When a release is production-ready, Sophos first releases it to their own devices. Each release is reviewed to ensure that it meets their quality standards.
• Once all internal testing is complete, they begin a phased release to customer devices as part of their ongoing QA controls.
• Sophos can control specific device groups and sizes of groups for each release, with a review between each release to further monitor quality control.
• Should an issue be identified, they stop the current release and focus their attention on fixing the issue.
• If required, a rollback is initiated.

Additional information can be found in the links below:

• CrowdStrike IT Outage Explained by a Windows Developer
• What I learned from the ‘Microsoft global IT outage’
• “…the CrowdStrike issue can be recreated by anybody even now, by placing a broken .sys file into the CrowdStrike system folder. All it checks is the first few bytes of the file — if you have an invalid channel file, the machine blue screens, and fails to boot. That is arguably a security vulnerability in itself.”

• Remediation and Guidance Hub:Channel File 291 Incident