Sophos NAC version 3.9 release notes

New in this release

  • Sophos Patch Agent profile

    Use the Sophos Patch Agent profile to ensure that the patch agent is installed on managed endpoints, and that computers are patched. To add the profile to the pre-defined Default and Managed policies, see the NAC Manager Help.
  • This release does not include any new minor version-specific profiles, for example Sophos Client Firewall 2.9, because minor versions are detected by the major version-specific profiles, for example Sophos Client Firewall 2.x. (The old minor-version-specific profiles, for example Sophos Client Firewall 2.7, are still included, though.)

Known issues

  • (DEF74281) Sometimes, NAC Manager displays NULL for the last scan time for endpoints, and detects these endpoints as non-compliant because the period since the last scan exceeds the grace period. If enforcement is turned on, NAC quarantines these endpoints until a further scan is completed.
  • The Compliance Agent installation may require you to restart the endpoint after installation for the following reasons:

    • During installation, you were prompted to shut down applications that were using shared resources, such as the XMLDOM, and you chose not to shut down these applications.
    • You are upgrading Quarantine Agent, and the upgrade uses a new version of the Agent Quarantine Manager which is a kernel driver.
  • (SUG21670) Sophos NAC will not install on the same server as Microsoft Sharepoint server.
  • (DEF56259, DEF56336) After installing or upgrading the Compliance Agent, Sophos Enterprise Console displays an "Awaiting policy from console" policy compliance status. This status indicates that the endpoint is waiting for a NAC policy from the NAC Server to determine policy compliance. Therefore, the Compliance Agent on the endpoint has not sent an updated policy compliance status to Sophos Enterprise Console. The workaround is to retrieve the NAC policy through a user-initiated compliance check. To do this, right-click the Agent system tray icon on the endpoint, and select Check Compliance. This issue will also resolve itself automatically when the Compliance Agent retrieves the policy according to the Policy Refresh Interval, which is set to 4 hours by default.

Additional information

Sophos Compliance Agent uses the Citrix Deterministic Network Enhancer (DNE). If you use another DNE-based application, for example Cisco VPN Client, we recommend that you check that your particular installation is fully compatible with Compliance Agent, before deploying Compliance Agent to a large number of endpoints.

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2011 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.