Sophos Enterprise Console and Sophos Update Manager release notes

Version numbers

Sophos Enterprise Console 4.0
Sophos Update Manager 1.0

About Sophos Enterprise Console and Sophos Update Manager

Sophos Enterprise Console is a management console that can be used to install Sophos endpoint security software remotely, and to configure, monitor, manage, and report on Sophos products running on Windows, Mac OS X, Linux, and UNIX computers. For more information about Sophos Enterprise Console, see Sophos Enterprise Console Help.

Sophos Update Manager enables you to set up automatic updating of Sophos security software from a Sophos website. It allows for deployment across a wide area network with multiple updating locations. Sophos Update Manager is installed with and managed from Enterprise Console. For more information about Sophos Update Manager, see Sophos Enterprise Console Help.

For information on installing Enterprise Console for the first time, see the Sophos Endpoint Security and Control quick startup guide or Sophos Endpoint Security and Control advanced startup guide, depending on your network configuration.

For information on upgrading, see the Sophos Endpoint Security and Control quick upgrade guide or Sophos Endpoint Security and Control advanced upgrade guide, depending on your network configuration.

For advice on best practices for using and managing Sophos security software, see the Sophos Endpoint Security and Control policy setup guide.

The guides are available from the Sophos website (http://www.sophos.com/support/docs/Endpoint_Security_Control-all.html).

New in this version

  • Sophos Update Manager

    Sophos Update Manager is the new and more efficient Sophos updating technology. It enables you to set up automatic updating of Sophos security software from a Sophos website. It is installed with and managed from Enterprise Console. Sophos Update Manager is a robust and scalable updating solution. An update manager can support up to 25,000 computers.

  • Role-based administration

    Role-based administration allows you to specify which computers a user can access and which tasks they can carry out, depending on their role in your organization.

  • Sub-estate administration

    Sub-estate administration restricts the computers and groups that users can perform operations on.

  • Data control

    Data control enables you to reduce accidental data loss from workstations by monitoring and restricting the transfer of files containing sensitive data. You can monitor and control the transfer of files to specified storage devices (e.g. removable storage device or optical drive) or by specified applications (e.g. email client or web browser).

  • Enhanced device control

    The new device control policy makes it easier to manage the connection of unauthorized storage devices and network interfaces.

  • Enhanced reporting

    New standard reports have been added, such as non-compliance, time-based, and summary reports. Report configuration can now be saved and scheduled so that the report output is sent to an email address at certain times. A new Create Report Wizard assists with customization and scheduling of reports.

  • Firewall location awareness

    You can configure the firewall for two different types of location. It will use different settings according to the location where computers are used, for example, in the office (on the network) and out of the office.

  • “Monitor” firewall mode

    To make rule creation simpler, the firewall can be deployed with a policy to allow all unknown traffic and create events.

Known problems

The list below includes problems known at the time of release. For an up-to-date list, including problems found after release, see Sophos support knowledgebase article 63215.

Installation and upgrade

  • (DEF 37341) You cannot install Enterprise Console on a Windows XP or Windows 2000 Professional computer where Sophos Client Firewall has been installed. If you want to install the server components of Enterprise Console on one of these computers, remove Sophos Client Firewall first and reinstall it after you have installed the server components.
  • (WKI 26898) An Enterprise Console management server cannot connect to a remote database installed on a SQL Server Express instance. This is because by default, SQL Server Express does not allow remote connections. For more information, see Sophos support knowledgebase article 24635.
  • (QUE 20382) A reboot may be required following an Enterprise Console installation or upgrade.

    It is possible that some files required by the setup will be in use when the installation or upgrade is carried out and a restart will therefore be required to complete the file copy.

  • Installation of the Enterprise Console management server will fail at runtime if the Microsoft networking client is not installed on the computer (although this client does not need to be active).
  • (DEF 18692) A reboot may be required after removing third-party security software.

    In rare circumstances a reboot of an endpoint computer may be required to successfully complete the uninstallation of third-party security software and installation of Sophos security software.

Application control

  • (DEF 27077) Application control events are generated without applications being run by a user.

    There are a number of scenarios where application control events that are not the result of the user running the application will be reported back to Enterprise Console. These are:

    • When an endpoint computer is restarted, an event will be generated if a controlled application has an entry within the Windows Start menu, for example, Microsoft Games.
    • When a user opens the Add or Remove Programs window, an event will be generated if a controlled application is on the list of programs.
    • An event will be generated when a user wants to view file properties of a controlled application (by right-clicking on the file and selecting Properties) or when a user hovers the mouse cursor over the file to view the file’s tooltip.
  • In the Application Control Event Viewer, the User column may contain “NT Authority”.

    The user will be reported as “NT Authority” as opposed to the user logged onto the endpoint if an application is detected during a scheduled scan, by a scheduled task being activated, or when the Start menu is enumerated.

  • Multiple application control events can be generated by a single application identity, for example, “MS Windows Games”. This occurs when an identity covers multiple executables or detection is triggered against more than one application component. The latter case normally occurs for scheduled scans with application detection enabled.
  • (CR 28114) Enterprise Console cannot show if a controlled application was detected locally or remotely.

    If a user attempts to install a controlled application that is blocked, the application will be prevented from being installed. An alert will be sent to Enterprise Console, but the alert will show neither the action that raised the alert nor where the installer was located. For more information about the application control event, see the Sophos Anti-Virus log file on the endpoint (C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt).

Data control

  • (DEF 29635) Files transferred via FTP within Internet Explorer will not be scanned.
  • (WKI 34375) An empty file stub may be attached to an email when a file has been blocked by data control. Outlook Express and Outlook Web Access will attach an empty file stub to an email following a data control “block” action. This includes the scenario where a user selects the “block file transfer” option in response to the “allow transfer on acceptance by user” action set in the data control rule.
  • (WKI 30676) Microsoft’s “ReadyBoost” technology will be blocked if data control rules use either the “block” or “allow transfer on acceptance by user” actions. In this scenario data control blocks all writes to removable storage except for those made via Windows Explorer.
  • (WKI 31534) Applications (including those stored on the device) will be prevented from writing data to removable storage if data control rules use either the “block” or “allow transfer on acceptance by user” actions.
  • (WKI 36074) New file creation is blocked on monitored storage devices if data control rules use either the “block” or “allow transfer on acceptance by user” actions.
  • Anti-virus and HIPS exclusions will apply to data control in the following situations:
    • Application monitoring, that is, any files uploaded or attached via monitored applications will be exempt from scanning if the source location or file name is specified in the Anti-virus and HIPS policy exclusion list.
    • Storage monitoring for non-Windows Explorer transfers, that is, transfers that are automatically blocked if the “allow transfer on acceptance by user” or “block” action is used in a data control rule for storage devices.
  • (DEF 40240) Application virtualization and streaming technologies (for example, Microsoft App-V) are not supported in this release.
  • (DEF 48035) Alternative file systems, such as AFS (Andrew File System), are not supported in this release.
  • (WKI 36996) If a monitored internet browser (for example, Internet Explorer) is used to explore the file system, it may trigger data control scanning as the file system is browsed.
  • (WKI 37905) Installation of applications (for example, Internet Explorer or Firefox) from the desktop or “My documents” may be interrupted by data control if the applications are monitored by data control rules.
  • (WKI 37907) Installation of Firefox plug-ins (XPI) can be blocked if a data control rule monitors Firefox for the “object code” file type.

Device control

  • (SUG 29039) The block network bridging mode will not work in IPv6-only environments.
  • (WKI 37908) Devices that use the MTP protocol (Media Transfer Protocol) are not blocked using device control. By default, these devices cannot have data written to them using Windows Explorer.
  • Camera devices are not blocked using device control. By default, these devices cannot have data written to them using Windows Explorer.
  • (WKI 30431) The “Kingston DataTraveler Vault” hardware-encrypted device is not covered by the “Secure Removable Storage” category within device control. Compared to other hardware-encrypted storage devices, this model uses a different mechanism to expose its encrypted storage partition. Currently this mechanism cannot be automatically detected and exempted.
  • (WKI 36186) In the “block bridged” mode it is not possible to generate the “block” events required to exempt Wireless or Modem device types.

Firewall

  • (DEF 22335) An allowed application is blocked temporarily by Sophos Client Firewall.

    When a Firewall policy is applied, all application rules are removed and then re-added. During this time, if an application that is allowed by the new policy tries to make an outbound connection, the application is blocked until the new policy is applied completely.

  • (CR 18615) In some cases firewall rules are not applied to a running application or service until it is restarted.

    A running application or service is denied network access until after it's restarted even if the firewall configuration has been updated to allow it. This happens when the application was initially blocked because it had been detected as a hidden process, new or modified application, or a process with its memory modified by another application.

Other problems

  • (DEF 36019) If Sophos Endpoint Security and Control is not installed on the server running the Enterprise Console management server, endpoint computers show “Unknown” as their up-to-date status.

    Sophos Endpoint Security and Control must always be installed (although it does not have to be running) on the server running the Enterprise Console management server. Otherwise, Enterprise Console will not be able to manage endpoint computers correctly. If you want to install Sophos Endpoint Security and Control on the server alongside other anti-virus software and disable on-access scanning, see Sophos support knowledgebase article 13814.

  • Computer names must use the standard ASCII 7 format to be valid in Enterprise Console. Computers with names containing accented or non-Roman characters are not recognized.
  • (CR 22041 and CR 27529) Computers imported from or synchronized with Active Directory may appear in the console as belonging to a workgroup.

    When Enterprise Console discovers an unmanaged computer that belongs to a workgroup by using the Find on the network option of the Find new computers feature, the console displays the name of the computer's workgroup in the Domain/workgroup field. If the computer is then moved to an Active Directory domain and restarted, and Enterprise Console immediately synchronizes that computer with or imports it from Active Directory, the console will still display the name of the computer's workgroup in the Domain/workgroup field, and not its domain name. You can resolve this problem by making the computer managed, as explained below.

    Protect the computer. The computer now has two entries in Enterprise Console: the original entry, which shows it as part of a workgroup, and a new entry, with the Domain/workgroup set to the name of the Active Directory domain. However, the new entry may appear in the Unassigned group, and have only the default policies applied. If this happens, do the following:

    • If the computer is not a member of a synchronized Active Directory group, move the computer to the appropriate Enterprise Console group. Delete the original workgroup entry.
    • If the computer is a member of a synchronized Active Directory group, delete the workgroup entry for that computer in Enterprise Console (the computer will be shown in the synchronized group). The next time synchronization takes place, the entry for the managed computer will appear in the correct group, with the correct policies applied. Alternatively, if you can delete the workgroup entry for the computer from Enterprise Console before the computer is found in Active Directory, the computer will appear in the correct group first time.

  • Excluding folders from on-access scanning may disable scanning on Windows 95/98 computers.

    When you set an anti-virus policy for a group of computers, you can exclude folders from on-access scanning. This option is not supported on Windows 95/98 computers and may have the effect of disabling on-access scanning on those computers. If you move the Windows 95/98 computers to a group that does not have this option included in its policy, on-access scanning should restart.

  • (CR 27212) A link to Sophos Network Communications Report is not available on a computer where Enterprise Console is installed.
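
An added example (not Sophos code) for the computer-name restriction in the list above: it audits a host inventory for names that are not 7-bit ASCII, which Enterprise Console would not recognize and which would therefore go unmanaged, and suggests an accent-stripped rename where one exists. It assumes that "standard ASCII 7" means every character is at or below U+007F; the function names and the sample inventory are constructed for illustration.

```python
import unicodedata

# Constructed sample inventory (for example, names exported from Active Directory).
SAMPLE_NAMES = ["FINANCE-PC01", "BÜRO-PC07", "CAFÉ-KIOSK", "ОФИС-12", "lab_ws_3"]


def offending_chars(name):
    """Return (position, character, code point) for every character above U+007F."""
    return [(i, ch, f"U+{ord(ch):04X}") for i, ch in enumerate(name) if ord(ch) > 0x7F]


def ascii_suggestion(name):
    """Suggest an ASCII-only rename by stripping accents; None if letters would be lost."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped if stripped.isascii() else None


def audit_names(names):
    """Map each name that fails the 7-bit ASCII assumption to its findings."""
    report = {}
    for name in names:
        bad = offending_chars(name)
        if bad:
            report[name] = {"chars": bad, "suggestion": ascii_suggestion(name)}
    return report


if __name__ == "__main__":
    for name, finding in audit_names(SAMPLE_NAMES).items():
        points = ", ".join(f"{ch!r} {cp} at {pos}" for pos, ch, cp in finding["chars"])
        fix = finding["suggestion"] or "rename manually"
        print(f"{name}: {points} -> {fix}")
```

Names for which no suggestion is produced (for example, names in a non-Roman script) need a manual rename before the computer can be managed.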

Additional information

  • (CR 24322) Scheduled scanning for controlled applications. For information about setting up a scheduled scan for controlled applications, see Sophos support knowledgebase article 22473.
  • Please Note: Sophos Enterprise Console 4 is the last version of Sophos Enterprise Console that will be supported on Windows 2000. The next version of Sophos Enterprise Console (4.5), scheduled for April 2010, will not support the Windows 2000 platform. Additionally, Sophos Enterprise Console 4.5 will not support SQL Server 2000.

System requirements

Supported operating systems

Supported operating systems are listed on the system requirements page of the Sophos website (http://www.sophos.com/products/all-sysreqs.html).

Hardware requirements

  • Processor: 2.0 GHz Pentium or equivalent.
  • Memory: There is no minimum memory requirement.
  • Disk space: 1.5 GB for complete Enterprise Console installation without SQL Server 2005 Express; 1.8 GB for complete Enterprise Console installation with SQL Server 2005 Express.

    In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows 2000 and later, Mac and Linux - then around 700 MB would be required in the Documents and Settings folder.

If you want to install Sophos Update Manager on a computer other than the one where Enterprise Console is installed, you will need at least:

  • Processor: Pentium 4 (or equivalent) 1.0 GHz
  • Memory: 512 MB RAM
  • Disk space: 50 MB for installation. In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows 2000 and later, Mac and Linux - then around 700 MB would be required in the Documents and Settings folder.

Minimum database size

The computer where you place the database (which may be the same computer as the computer where Enterprise Console is installed or a different one) needs a minimum of 1 GB disk space for data.

Maximum database size

  • If you use Microsoft SQL Server 2005 Express Edition, the maximum size that a database can reach is 4 GB.
  • If you use Microsoft SQL Server 2005 or 2008, there is no limit apart from that set by the administrator.
  • If you use MSDE, the maximum size that a database can reach is 2 GB.

Software requirements

To enable Enterprise Console to communicate with managed workstations, open ports 8192 and 8194 on the computer where the Enterprise Console management server is installed. To enable Sophos Update Manager to download security software from Sophos, open port 80 on the computer where Sophos Update Manager is installed.

Technical support

For technical support, visit http://www.sophos.com/support.

If you contact technical support, provide as much information as possible, including the following:

  • Sophos software version number(s)
  • Operating system(s) and patch level(s)
  • The exact text of any error messages

Copyright

Copyright © 2009 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.