Please note that integrated Full Disk Encryption is not yet available in Enterprise Console 5.0; it will be available in Enterprise Console 5.1, currently scheduled for release in the second quarter of 2012.
Patch assessment enables you to reduce the attack surface of your computer systems, with the minimum effort, by accurately identifying missing patches on each endpoint and displaying this information centrally in the Sophos Enterprise Console.
SophosLabs provides ratings that help you determine the most critical patch issues so that you can resolve these quickly and spend less time patching. These ratings take a number of key factors into account, including the latest active exploits, and therefore may differ from a vendor's severity level.
Patch assessment maximizes protection by monitoring the most widely-used products from Adobe, Apple, Citrix, Microsoft, Mozilla and others.
Sophos Patch bandwidth requirements
If Sophos Patch is licensed, the management server will download around 350 MB of patch definitions after the initial installation is completed. This can take a few hours, depending on the internet bandwidth available. Significantly smaller updates will occur, as often as daily, when new patches are released. Once Patch is enabled and deployed on endpoints, the volume of data to each endpoint will be in the order of 30-40 MB initially and then can be up to an additional 30 MB two or more times a month, as patch updates become available. When each endpoint completes an assessment, based on the currently available patch definitions, it will upload around 4 KB of results data to the management server.
You can now restrict access to certain categories of websites in order to avoid any impact on workplace productivity. Like web content scanning, this feature supports the five major browsers: Internet Explorer, Firefox, Google Chrome, Safari, and Opera. Web control can be used in two different modes:
With Inappropriate Website Control, you can control fourteen different categories of website independently in each policy. There are three options for each category: Allow, Block, or Warn.
You can create exceptions to the "Block" and "Warn" actions. You can exempt websites from filtering by adding them to the "Websites to Allow" or "Websites to Block" list. Entries can take the form of IP addresses and domain names. You can also edit existing website entries, and remove websites from a list.
Full Web Control uses a complete web policy that is configured and deployed via a Sophos Web Appliance or Security Management Appliance. It enforces a comprehensive, full-featured web control policy, and provides complete reporting on web traffic from the Sophos Web Appliance or Security Management Appliance.
The installation process requires fewer reboots. System pre-requisite checking has been improved.
Other changes include:
On-access scanning changes:
On-demand and scheduled scanning changes:
Suspicious behavior detection changes:
When you upgrade from a previous version, the product will maintain the previous settings until a new Enterprise Console 5 policy is applied or until a standalone endpoint computer is reset to its default settings.
Sophos NAC 3.9 introduces support for managing the compliance of endpoints running the latest Sophos endpoint software, including Sophos Anti-Virus 10.0 and Sophos Patch 1.0.
This release of Sophos NAC simplifies policy by omitting default profile definition for new minor revisions of Sophos endpoint software. These new revisions can still be detected by using the existing profiles, which are not targeted at a specific minor revision. For example, the new revision of Sophos Client Firewall (version 2.9) can be detected using the existing Sophos Client Firewall 2.x profile.
Support for the new Sophos Patch 1.0 product means that Sophos NAC policies can be configured to take into account whether endpoints have the latest operating system and application security patches installed.
The network interception module (Sophos LSP) used for the web filtering features has been rewritten to improve performance and compatibility with third-party software.
The feature to protect against malicious web sites (first introduced in version 9.5) has been enhanced so that it verifies the remote IP address and server name for HTTPS connections. For privacy reasons, the content of the HTTPS session is not decrypted or analyzed.
The Sophos Browser Helper Object (BHO) has been replaced with the same network interception module used for blocking access to malicious websites (Sophos LSP). This improves compatibility with certain websites, as well as offering consistent protection to the five major browsers: Internet Explorer, Firefox, Chrome, Safari, and Opera.
Sophos Anti-Virus 10 now scans content downloaded from the intranet as well as the internet.
In accordance with the Sophos re-branding, the Management Console has a new color scheme and iconography, but there is no significant change to the layout.
With the introduction of new features that generate events, the Event Viewers are now available via the new Events menu on the menu bar in Enterprise Console.
You can now search for a computer or computers in Enterprise Console by computer name, computer description, or IP address. The search can be performed by pressing CTRL+F, clicking Find a Computer on the Edit menu, or right-clicking anywhere in the computer list and then clicking Find a Computer.
Computer search is not case sensitive. Trailing wildcards are implicit. The wildcards * and ? are supported.
You can now export the list of Windows exclusions for on-access or scheduled scanning to a file and then import it into another policy. The new options are available under:
The Resolve Alerts and Errors dialog box now supports multiple selection using the standard Microsoft convention. Select individual items by pressing CTRL+left mouse button. Select a consecutive group of items by left-clicking the first item and pressing SHIFT+left mouse button on the last item.
If an SMTP server requires authentication details, it has not been possible to enter these details via the Configure SMTP settings dialog box. In Version 5, it is possible to do this via a registry key setting. For details, see http://www.sophos.com/support/knowledgebase/article/113780.html.
This feature allows SophosLabs to create a list of files which have been verified as clean. When the endpoint computer identifies a file which has been verified as clean, it will allow it to bypass the file scanning component, greatly increasing performance.
The main benefit is for Windows operating system files which are used during startup. By allowing these files to run without scanning we have reduced startup time considerably.
The system will also build a list of files which have been scanned using the latest identities, which will be marked as clean until the next data update is available. These files will also be sent to the SophosLabs "cloud" to be added to the list of files the labs will consider adding to the verified clean files in the future.
Unlike decision caching, which doesn't survive a restart, the new system will retain the list after restarting.
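A simplified model of the caching behaviour described above, added here as an illustration and not taken from Sophos code. Identifying files by SHA-256 digest, the JSON store on disk, and the data-1/data-2 version labels are assumptions; the sample file contents and the stand-in scanner are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

class ScanCache:
    """Toy model, not Sophos code. check() returns 'verified', 'cached', 'clean' or 'blocked'."""
    def __init__(self, store, data_version, verified_clean=()):
        self.store = Path(store)
        self.data_version = data_version           # assumed label for the identity data
        self.verified_clean = set(verified_clean)  # digests on the lab-supplied list
        self.scanned_clean = set()                 # digests scanned clean locally
        if self.store.exists():                    # the local list survives a restart...
            saved = json.loads(self.store.read_text())
            if saved["data_version"] == data_version:  # ...but only for the same data
                self.scanned_clean = set(saved["scanned_clean"])

    def _save(self):
        self.store.write_text(json.dumps(
            {"data_version": self.data_version, "scanned_clean": sorted(self.scanned_clean)}))

    def check(self, content, scanner):
        digest = hashlib.sha256(content).hexdigest()  # assumption: content hash identifies a file
        if digest in self.verified_clean:
            return "verified"                      # bypasses the scanner entirely
        if digest in self.scanned_clean:
            return "cached"
        if not scanner(content):                   # scanner returns True for clean content
            return "blocked"
        self.scanned_clean.add(digest)
        self._save()
        return "clean"

    def data_update(self, new_version):
        self.data_version = new_version
        self.scanned_clean.clear()                 # new identities: drop local verdicts
        self._save()

def demo():
    scanner = lambda c: b"CONSTRUCTED-BAD-MARKER" not in c  # stand-in scanner
    os_file, doc = b"constructed startup file", b"constructed document"
    lab_list = [hashlib.sha256(os_file).hexdigest()]
    with tempfile.TemporaryDirectory() as d:
        cache = ScanCache(Path(d) / "cache.json", "data-1", lab_list)
        seen = [cache.check(f, scanner) for f in (os_file, doc, doc)]
        cache = ScanCache(Path(d) / "cache.json", "data-1", lab_list)  # simulated restart
        seen.append(cache.check(doc, scanner))
        cache.data_update("data-2")
        seen.append(cache.check(doc, scanner))
    return seen
```

Because the model keys on the content digest rather than the path, a file that is modified after being cached no longer matches its entry and is scanned again.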
A new database backup and restore tool, DataBackupRestore.exe, is provided as part of the Enterprise Console installation. The tool allows you to back up and restore the two Enterprise Console databases - SOPHOS50 and SOPHOSPATCH. For instructions about using the tool, see http://www.sophos.com/support/knowledgebase/article/114299.html.
For more information about the new features, see the Sophos Enterprise Console Help.
For operating system requirements and supported SQL Server versions, see http://www.sophos.com/support/knowledgebase/article/113278.html.
In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows 2000 and later, Mac and Linux - then around 700 MB would be required.
If you want to install Sophos Update Manager on a computer other than the one where Enterprise Console is installed, you will need at least:
Minimum database size
The computer where you place the database (which may be the same computer as the computer where Enterprise Console is installed or a different one) needs a minimum of 1 GB disk space for data.
Maximum database size
To enable Enterprise Console to communicate with managed workstations, open TCP ports 8192 and 8194 on the computer where the Enterprise Console management server is installed. To enable Sophos Update Manager to download security software from Sophos, open HTTP port 80 on the computer where Sophos Update Manager is installed.
Managed endpoints running the Sophos Patch Agent to communicate with the management server.
An Enterprise Console installation (local or remote to the management server) to communicate with the Web Control and Patch server-side components.
Before installing or upgrading to Sophos Enterprise Console 5.0 on a Windows Server 2008 SP1 computer, check if Microsoft .NET Framework 3.5 SP1 is installed on the computer. If it isn't, install it manually and restart the computer before installing Sophos Enterprise Console 5.0.
For Windows Installer 4.5, go to the folder created by the Enterprise Console installer (by default, C:\sec_50\), and then go to the subfolder ServerInstaller\pre-reqs\Windows Installer 4.5.
For distributed installations of Sophos Enterprise Console (with SQL Server on a different server) the Sophos Management Service may not start if the "SOPHOS" database instance was created by PureMessage for Microsoft Exchange, or if the chosen SQL Server instance has TCP/IP protocol disabled.
To work around this problem, do the following.
An unsupported database instance cannot be upgraded automatically by the installer and the upgrade will fail. You must upgrade your SQL Server instance manually before upgrading Enterprise Console.
For instructions, go to the folder created by the Enterprise Console installer (by default, C:\sec_50\), and then go to the subfolder containing the Upgrade Advisor documents, ServerInstaller\Docs\Eng.
For more information about this issue, see http://www.sophos.com/support/knowledgebase/article/116228.html. For more information about issues with upgrading to Enterprise Console 5.0, see http://www.sophos.com/support/knowledgebase/article/114627.html.
To work around this issue, do either of the following:
For more information about issues with upgrading to Enterprise Console 5.0, see http://www.sophos.com/support/knowledgebase/article/114627.html.
This issue does not arise if you use Sophos TDL3 Rootkit Cleanup Tool version 1.2 or later (the latest version available for downloading from the Sophos website).
To work around this issue, remove any installations of Sophos TDL3 Rootkit Cleanup Tool 1.1 prior to upgrading your existing version of Sophos Endpoint Security and Control or installing Sophos Endpoint Security and Control 10.0 for the first time. Do not install Sophos TDL3 Rootkit Cleanup Tool 1.1 on computers running Sophos Endpoint Security and Control 9.x or 10.0. Use Sophos TDL3 Rootkit Cleanup Tool 1.2 or later instead.
If you have encountered this issue, see http://www.sophos.com/support/knowledgebase/article/113403.html.
When creating an Update Manager distribution, you cannot reference new shares named SophosUpdate because "SophosUpdate" is now a reserved share name used for the default share.
Workaround: When creating new shares, use other names such as "Update".
In updating policies, when you are selecting a primary or secondary update location, the drop-down list shows the default share paths only in NetBIOS format, for example \\Server\SophosUpdate, although you may need to use the Fully-Qualified Domain Name form, for example \\server.de.acme\SophosUpdate.
Workaround: Type the FQDN path into the server location update path field.
To work around this problem, do one of the following.
Do not synchronize any Active Directory groups that contain identically-named computers; manage the computers manually.
If you have encountered this issue, please see http://www.sophos.com/support/knowledgebase/article/116249.html for translations of the "Destination type" entries.
When a Firewall policy is applied, all application rules are removed and then re-added. During this time, if an application that is allowed by the new policy tries to make an outbound connection, the application is blocked until the new policy is applied completely.
You can find technical support for Sophos products in any of these ways:
Copyright © 2011 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.