Sophos Endpoint Security and Control 10.2.3 release notes

Version numbers

Sophos Anti-Virus 10.2.3
Threat detection engine 3.39.0
Threat data 4.85, January 2013
Sophos Client Firewall 2.9.1
Sophos AutoUpdate 2.7.8
Note: Some of the features mentioned in these release notes are only available on managed computers or if you have the appropriate license.

New in this release

  • The threat detection engine and threat data have been updated.

Fixed issues

This is a threat detection engine and threat data release only. No issues have been fixed in this release.

Known issues

Data control

  • (DEF79180) Files that breach a data control rule can still be transferred to a Windows 8 storage pool.

Installation

  • (DEF84838) Installation on Windows 8 and Windows Server 2012 does not work if both of the following conditions are met:
    • The computer is in a workgroup.
    • Automatic installation is attempted from Sophos Enterprise Console 5.1 running on Windows 2008 or Windows 2008 R2.

    For more information and instructions on how to enable deployment, see http://www.sophos.com/en-us/support/knowledgebase/118354.aspx.

    Alternatively, you can install the security software manually on each such computer by running the installer from a bootstrap location that contains a software subscription for version 10.2. To locate the installer, in Enterprise Console, on the View menu, click Bootstrap Locations. (For more information, see http://www.sophos.com/en-us/support/knowledgebase/12386.aspx.) To be able to manage the computers from Enterprise Console, on each computer, in Windows Firewall, Settings, Advanced settings:

    Use New Rule… to add a Sophos RMS port with the following details:

    Rule Type: Port

    Protocols and Ports: TCP - Specific Ports - 8194

    Action: Allow the connection

    Profile: Domain, Private

    Name: Sophos RMS
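
    The rule above can also be created and checked from an elevated PowerShell prompt using the NetSecurity cmdlets included with Windows 8 and Windows Server 2012. This is an added example, not part of the Sophos release notes; the inbound direction is an assumption, since the notes do not state one.

```powershell
# Added example (not Sophos code). Rule values come from the release note;
# Direction Inbound is an ASSUMPTION, the note does not give a direction.
$ruleName = 'Sophos RMS'
$port     = '8194'

# Firewall changes need an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Create the rule only if no rule with this display name exists,
# so the script can be re-run safely.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort $port -Action Allow `
        -Profile Domain,Private | Out-Null
}

# Read every rule with that name back and compare it with the release note.
foreach ($rule in Get-NetFirewallRule -DisplayName $ruleName) {
    $filter      = $rule | Get-NetFirewallPortFilter
    $profileText = "$($rule.Profile)"

    $asDocumented =
        ($rule.Enabled -eq 'True') -and
        ($rule.Action -eq 'Allow') -and
        ($filter.Protocol -eq 'TCP') -and
        (@($filter.LocalPort) -contains $port) -and
        ($profileText -match 'Domain') -and
        ($profileText -match 'Private') -and
        ($profileText -notmatch 'Public|Any')   # port must not open on Public networks

    [pscustomobject]@{
        Name         = $rule.DisplayName
        Direction    = $rule.Direction
        Protocol     = $filter.Protocol
        LocalPort    = $filter.LocalPort
        Profile      = $profileText
        AsDocumented = $asDocumented
    }
}
```

    On a workgroup computer the Domain profile is never active, so the rule takes effect only while the network connection is classified as Private.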

Sophos Anti-Virus

  • (DEF83463) Although Sophos Anti-Virus can now scan files that are locked during an on-demand scan, it cannot perform cleanup successfully.
  • (DEF85118) If you use the Internet Explorer 10 Windows 8 Modern UI application to access a malicious HTTPS website, Sophos Anti-Virus displays a balloon notification instead of a toast. This means that you do not see the notification until you view the desktop.
  • (DEF84420) If you use a browser's Windows 8 Modern UI application to access a malicious website, and you click the toast that Sophos Anti-Virus displays, the browser is minimized and the desktop is displayed instead. To switch back to the browser, press Alt+Tab.
  • (DEF79726) If you use the Internet Explorer 10 Windows 8 Modern UI application, Sophos web protection does not stop you from accessing malicious websites.
  • Sophos web protection and web control use a Layered Service Provider (LSP) to intercept network traffic. If web protection or web control is turned on while an incompatible third-party LSP is running, system instability can occur. Therefore, if a third-party LSP that is known to be incompatible is already installed on the computer, the Sophos LSP is not installed. For more information, see http://www.sophos.com/en-us/support/knowledgebase/116241.aspx.
  • (DEF56055) If you manually change the DNS list using Control Panel, Sophos Live Protection stops working. To work around this problem, restart the Sophos Anti-Virus service.
  • (WKI55631) Web protection does not support Windows XP Service Pack 1 and Windows 2000 Service Pack 3. To work around this problem, install the latest service pack for the operating system.
  • (DEF20694) When Sophos Anti-Virus detects a controlled application on a remote share, the alert always shows that the application was detected on the local computer.

Sophos AutoUpdate

Sophos Client Firewall

  • (WKI55953) When you install Sophos Client Firewall, all network adapters are temporarily disconnected. This results in network connections being unavailable for up to 20 seconds and the disconnection of networked applications such as Microsoft Remote Desktop.
  • (WKI32813) Sophos Client Firewall reports Internet Explorer version 8 and 9 as a hidden process. For more information, see http://www.sophos.com/en-us/support/knowledgebase/54899.aspx.
  • (DEF18752) On Windows XP running Sophos Client Firewall and VMware, virtual machines might not be able to access the network. For more information, see http://www.sophos.com/en-us/support/knowledgebase/15434.aspx.
  • (DEF53171) Sophos Client Firewall does not support the “mobile broadband” driver model in Windows version 7.
  • (DEF16039) Sophos Client Firewall occasionally blocks some trusted applications.
  • (CR27434) When rules in the configuration editor are changed, packets of traffic that should not be affected by the modified rules may briefly be blocked while the rules are updating. This will occur only very briefly, but may be noticeable if alerts are being sent to the management console.
  • (CR27073) IPv6 traffic is not logged.
  • (CR26248) When the log is displayed in a view that auto-refreshes (such as Allowed connections), the view stops refreshing if the service is under a heavy load. After changing to a different view and then back again, auto-refreshing works normally.
  • (CR25569) Although rules blocking IPv6 traffic block traffic that approaches or leaves the machine, they do not block loopback IPv6 traffic.

Standalone installer

  • (CR26760) Sophos Client Firewall installation unexpectedly fails if run from a Windows Installer (.msi) package on Vista with User Account Control enabled.

Web control

  • (DEF79725) If you use the Internet Explorer 10 Windows 8 Modern UI application, Sophos web control does not stop you accessing websites that conflict with the Inappropriate Website Control policy categories.

Additional information

  • On Windows 8, if you specify a user-defined message to be displayed in desktop messages, it is not displayed in toasts, which are used by Endpoint Security and Control instead of balloons.
  • Rootkit scanning is not supported on ReFS file systems on Windows Server 2012. If the user attempts a rootkit scan on this file system, a message will be logged in the SAV log telling them that rootkit scanning is not supported.
  • Sophos Device Control does not block removable storage devices that are used as system drives, as this typically destabilizes the operating system.
  • Endpoint Security and Control standalone installations do not support Windows Server Core.
  • Endpoint Security and Control managed and standalone installations do not support Windows Server Core Hyper-V.
  • On Windows 2000 systems running Internet Explorer 5 or 6, Web protection allows access to blocked sites via Windows Explorer.
  • Shared Windows components

    When you install Sophos software, some Windows components that might also be used by non-Sophos software are also installed or upgraded:

    Sophos software         Shared Windows component                  Filename      Version         Date of inclusion with Sophos software
    Sophos Anti-Virus       Microsoft XML Core Services               msxml4.dll    4.30.2100.0     September 2009
                                                                      msxml4r.dll   4.30.2100.0     September 2009
                            ATL Library                               ATL80.dll     8.0.50727.4053  June 2007
                            Microsoft Visual C/C++ Runtime Libraries  msvcm80.dll   8.0.50727.4053  June 2007
                                                                      msvcp80.dll   8.0.50727.4053  June 2007
                                                                      msvcr80.dll   8.0.50727.4053  June 2007
    Sophos AutoUpdate       Windows Installer                         msi.dll       2.0.2600.2      November 2003
                                                                      msiexec.exe   2.0.2600.2      November 2003
                                                                      msihnd.dll    2.0.2600.2      November 2003
                                                                      msimain.sdb   N/A             November 2003
                                                                      msimsg.dll    2.0.2600.2      November 2003
                                                                      msisip.dll    2.0.2600.2      November 2003
                                                                      msls31.dll    3.10.337.0      November 2003
                                                                      mspatcha.dll  5.1.2600.0      November 2003
                                                                      riched20.dll  5.30.23.1200    November 2003
                                                                      sdbapiU.dll   1.0.0.1         November 2003
                                                                      shfolder.dll  5.0.2919.20     November 2003
                                                                      usp10.dll     1.325.2180.1    November 2003
    Sophos Client Firewall  Microsoft XML Core Services               msxml4.dll    4.30.2100.0     September 2009
                                                                      msxml4r.dll   4.30.2100.0     September 2009
                            Microsoft Visual C/C++ Runtime Libraries  msvcm80.dll   8.0.50727.4053  March 2010
                                                                      msvcp80.dll   8.0.50727.4053  March 2010
                                                                      msvcr80.dll   8.0.50727.4053  March 2010

Information from previous releases

December 2012

New in this release

The threat detection engine and threat data have been updated.

Fixed issues

  • (DEF84016) In the Italian version, the links to the Sophos website, security information and technical support go to English webpages.
  • (DEF83871) After upgrading Sophos Anti-Virus, an unexpected reboot request sometimes appears in Sophos Enterprise Console.
  • (DEF75436) Sophos AutoUpdate installer stops Windows Indexing Service when excluding the AutoUpdate Cache folder from indexing for Windows Search.

November 2012

New in this release

The threat detection engine and threat data have been updated.

Fixed issues

  • (DEF83496) The "Sophos Anti-Virus" service can be deadlocked if the on-access scanning checksum file is locked.
  • (DEF80504) The process ALMon can terminate unexpectedly if a desktop message is displayed when Sophos Anti-Virus starts to update itself.
  • (DEF82646) Each time that the "Sophos Anti-Virus" service is restarted, Visual Studio 2010 rebuilds all projects.
  • (DEF83635) The web protection LSP is incompatible with the LSP that is used by Microsoft Intelligent Application Gateway. To resolve this, the web protection LSP is not installed.
  • (DEF83548) On Windows Vista or later, some websites take a long time to load with the "Sophos Web Intelligence Service" service running.
  • (DEF85461) On Windows Vista or later, Internet Explorer, with protected mode turned on, allows the folder ProgramData to be exploited. Sophos web protection and web control components, which are stored in this folder, are therefore vulnerable to attack.
  • (DEF84788) In the Traditional Chinese version, on the Product information page, "Components" is translated as "Computer".
  • (DEF84798) In the Italian version, the title of a toast notification is truncated.
  • (DEF82585) Full Web Control stops images in an iGoogle gadget from being displayed.
  • (DEF83522) Inappropriate Website Control allows adult content to be loaded in some circumstances.
  • (DEF81690) Rules in the Full Web Control policy that check for Group fail in some circumstances.

October 2012

New in this release

  • Support for Windows 8 and Windows Server 2012:

    Endpoint Security and Control now uses toast notifications instead of balloon notifications to display messages on screen.

    If Sophos Anti-Virus cleans up a threat that affects a Windows Store app, it marks the app as tampered with. This causes Windows to offer the user the ability to re-download and re-install the app.

    Note:
    • Sophos Client Firewall does not support Windows 8, and cannot be installed on Windows 8.
    • Automatic deployment of Endpoint Security and Control to Windows 8 and Windows Server 2012 from Enterprise Console requires Enterprise Console 5.1 or later. If you are using Enterprise Console 5.0 or earlier, you can install the software by running the installer from a bootstrap location that contains a software subscription for version 10.2. For more information on manual installation, see http://www.sophos.com/en-us/support/knowledgebase/12386.aspx.
  • Sophos Anti-Virus can now scan locked files during an on-demand scan.
  • The performance of Sophos Anti-Virus during a local, or network, file copy operation has been improved.
  • The threat detection engine and threat data have been updated.

Fixed issues

  • (DEF81600) The Sophos Anti-Virus log repeatedly shows that the file C:\Documents and Settings\All Users\Application Data\Sophos\Web Control\Activity\current could not be accessed during an on-demand scan.
  • (DEF82722) On Windows Server 2008 Core, updating of Endpoint Security and Control takes a long time.
  • (DEF84125) In the Spanish version, the Endpoint Security and Control Help contains some links that are in English.

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2011–2013 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.