Sophos Anti-Virus for Windows NT release notes ---------------------------------------------- Contents -------- Withdrawal of support New in this version Known problems Troubleshooting Compatibility issues Additional information Information from previous versions Technical support Copyright Withdrawal of support --------------------- The following will no longer be supported after 31 December 2008: * Updating a standalone installation of Sophos Anti-Virus for Windows NT * Updating Sophos Anti-Virus for Windows NT from Sophos You will still be able to install and update Sophos Anti-Virus for Windows NT from a central installation directory after this date. New in this version ------------------- * The threat detection engine and threat data have been updated. Known problems -------------- * SAV32CLI and Setup If SAV32CLI is running when Setup is started, Setup will fail. To work around this, close SAV32CLI before running Setup. * Automatic downgrading from this version of Sophos Anti-Virus to earlier versions of Sophos Anti-Virus for Windows NT is not supported. To downgrade, you are advised to manually uninstall Sophos Anti-Virus, Sophos AutoUpdate and Sophos Remote Management System, and then install the earlier version. Troubleshooting --------------- * Errors accessing network shares from remote computers After installing Sophos Anti-Virus for Windows NT, you may encounter difficulties accessing network shares from remote computers. You may also receive one of the following error messages: "Not enough server storage is available to process this command." "Not enough memory to complete transaction. Close some applications and retry." Additionally, the Windows NT server may log one or both of the following event messages in the system log: Event ID : 2011 Source : Srv Description : The server's configuration parameter "IRPStackSize" is too small for the server to use a local device. Please increase the value of this parameter. Event ID : 0 Source : Srv Description : Description for Event ID 0 could not be found. It contains the insertion string \device\LanManServer. This is a restriction imposed by the default Windows NT server configuration. The following registry entry is required to solve the problem. (Microsoft has issued the following warning with respect to the Registry Editor: "Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to re-install Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.") Key: HLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ Value Name: IrpStackSize Type: REG_DWORD Data: 0x6 You can use REGEDT32 to modify or create this entry in the registry. You will need to restart the system before the change will take effect. If you still experience problems, a larger value can be selected. The valid range for this parameter is 0x1 to 0xC (1 to 12). Please see the Microsoft knowledge base article ID Q198386 for further information. Compatibility issues -------------------- * Banyan VINES support Please note that the on-access scanner will not check files on remote Banyan VINES drives unless the Banyan VINES network support was started at start up. * PATHWORKS Version 4 server Windows NT clients which use a PATHWORKS 4 server for the central installation directory may repeatedly auto-update. This problem only occurs on PATHWORKS 4 not on later PATHWORKS versions. * Bay Networks (Performance Technologies) Instant Internet A conflict between the version of the WinSock client installed by the Instant Internet application and the Sophos SMTP.SMM module can lead to the Sophos Anti-Virus service not starting or stopping correctly. As a work-around, add the following value to the registry. (Microsoft has issued the following warning with respect to the Registry Editor: "Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to re-install Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.") Key: HLM\Software\Sophos\SweepNT\SMMS\SMTP\ Value Name: No Startup Check Type: REG_DWORD Data: 0x1 This work-around will prevent the SMTP module checking for the appropriate network transport protocols during startup. Additional information ---------------------- The following information may refer to use of the Registry Editor (REGEDT32.EXE). Microsoft has issued the following warning with respect to the Registry Editor: "Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to re-install Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk." * Archive types Archives are not scanned by default. To enable archive scanning, in Sophos Anti-Virus, tick the 'Scan inside archives' box. Depending on the number of archives present, scanning time may be increased. Selecting archive scanning enables the scanning of ARJ, BZip2, CMZ, GZIP, LHA, LZH, RAR, RAR3, TAR, UUE, ZIP, self-extracting archives of these types, zipmail files, compressed help and files compressed with MS Compress. Self-extracting archives are only scanned as archives if archive handling has been switched on for that archive type. Otherwise they will be scanned only as executables. If both archive scanning and Macintosh virus scanning are selected BinHex and MacBinary files will also be scanned. Unix ELF files are scanned either when their file extension is in the executables list, or if 'All files' is selected. * MailMonitor for Notes/Domino Users of MailMonitor for Notes/Domino should take the steps described below after updating to the new version of Sophos Anti-Virus. At the Domino server window type the following tell savdb quit tell savmail quit load savdb load savmail * System requirements This version of Sophos Anti-Virus for Windows NT requires Windows NT 4.0 or later. It will not run on Windows NT 3.51. * Messaging sub-system It is possible to inhibit the display of a desktop message issued by the on-access scanner as it shuts down. To do this add the following value to the registry: Key: HLM\SOFTWARE\Sophos\SweepNT\SMMs\Desktop.smm Value Name: Shutdown Message Action Type: REG_DWORD Data: 0x0000000F It is possible to force the SMTP SMM to send its reports as MIME-encoded attachments. To do this add the following value to the registry: Key: HLM\SOFTWARE\Sophos\SweepNT\SMMs\SMTP.smm Value Name: Mime Encode Type: REG_DWORD Data: 0x00000001 Files in off-line storage are reported. To suppress these messages add the following value to the registry: Key: HLM\SOFTWARE\Sophos\ADVANCED Value Name: REPORT_OFF_LINE_FILES Type: REG_DWORD Data: 0x00000000 Encrypted files are reported. To suppress these messages add the following value to the registry: Key: HLM\SOFTWARE\Sophos\ADVANCED Value Name: REPORT_PASSWORD_ENCRYPTED Type: REG_DWORD Data: 0x00000000 * Interaction with files held in off-line storage By default, during immediate and scheduled scans, Sophos Anti-Virus will not retrieve files marked as being held in off-line storage for scanning. This default behaviour can be over-ridden by setting the following value in the registry: Key: HLM\Software\Sophos\ADVANCED\ Value Name: SCAN_FILES_IN_HSM Type: REG_DWORD Data: 0x00000001 By default, during immediate and scheduled scans, Sophos Anti-Virus will reset a file's last accessed time. This default behaviour can be over-ridden by setting the following value in the registry: Key: HLM\Software\Sophos\ADVANCED\ Value Name: RESET_LAST_ACCESSED_TIME Type: REG_DWORD Data: 0x00000000 * Log file handling The log file may become very large. It is not possible to delete SWEEP.LOG while the service is running. However, if the location of SWEEP.LOG file is changed the original can then be deleted. * SNMP Notification There is a messaging module for SNMP trap generation. Four types of traps are possible. They are assigned OIDs (object identifiers) as follows: 1.3.6.1.4.1.2604.2.1.1.1.1 Virus warning 1.3.6.1.4.1.2604.2.1.1.1.2 Error message 1.3.6.1.4.1.2604.2.1.1.1.3 Informational message 1.3.6.1.4.1.2604.2.1.1.1.4 Test trap Each trap carries a SAV version string and an informational string giving the nature of the alert. Data are assigned OIDs as follows: 1.3.6.1.4.1.2604.2.1.1.2.1.1 Virus warning text 1.3.6.1.4.1.2604.2.1.1.2.1.2 Error message text 1.3.6.1.4.1.2604.2.1.1.2.1.3 Informational message text 1.3.6.1.4.1.2604.2.1.1.2.1.4 Test trap string 1.3.6.1.4.1.2604.2.1.1.2.2 Version string Note: it is impossible to remotely query the Management Information Base. The data is only available from the contents of the trap. * Virus information When requesting information on viruses, users are directed towards the Sophos website for the most accurate up to date information. Information from previous versions ---------------------------------- 4.7.12 * (DEF 21427) MIME scanning has been improved. Technical support ----------------- For technical support, visit www.sophos.com/support. If you contact technical support, provide as much information as possible, including the following: * Sophos software version number(s) * Operating system(s) and patch level(s) * The exact text of any error messages Copyright --------- Copyright © 2005-2008 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner. Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.