Sophos Enterprise Console release notes

Version numbers

Sophos Enterprise Console 5.0.0
Sophos Update Manager for Windows 1.3.1

New in this release

Note: The Patch Assessment and Web Control features are not included with all licenses. If you want to use them, you might need to customize your license. For more information, see http://www.sophos.com/en-us/products/endpoint/endpoint-protection/pricing.aspx.

Please note that integrated Full Disk Encryption is not yet available in Enterprise Console 5.0; it will be available in Enterprise Console 5.1, currently scheduled for release in the second quarter of 2012.

Patch assessment

Patch assessment enables you to reduce the attack surface of your computer systems, with the minimum effort, by accurately identifying missing patches on each endpoint and displaying this information centrally in the Sophos Enterprise Console.

SophosLabs provides ratings that help you determine the most critical patch issues so that you can resolve these quickly and spend less time patching. These ratings take a number of key factors into account, including the latest active exploits, and therefore may differ from a vendor's severity level.

Patch assessment maximizes protection by monitoring the most widely-used products from Adobe, Apple, Citrix, Microsoft, Mozilla and others.

Note:

Sophos Patch bandwidth requirements

If Sophos Patch is licensed, the management server will download around 350 MB of patch definitions after the initial installation is completed. This can take a few hours, depending on the internet bandwidth available. Significantly smaller updates will occur, as often as daily, when new patches are released. Once patch is enabled and deployed on endpoints, the volume of data to each endpoint will be in the order of 30-40 MB initially and then can be up to an additional 30 MB two or more times a month, as patch updates become available. When each endpoint completes an assessment, based on the currently available patch definitions, it will upload around 4 KB of results data to the management server.

Web control

You can now restrict access to certain categories of websites in order to avoid any impact on workplace productivity. Like web content scanning, this feature supports the five major browsers: Internet Explorer, Firefox, Google Chrome, Safari, and Opera. Web control can be used in two different modes:

  • Inappropriate Website Control (no extra hardware or software required)
  • Full Web Control (requires a separate Sophos Web Appliance or Security Management Appliance)

With Inappropriate Website Control, you can control fourteen different categories of website independently in each policy. There are three options for each category: Allow, Block, or Warn.

You can create exceptions to the "Block" and "Warn" actions. You can exempt websites from filtering by adding them to the "Websites to Allow" or "Websites to Block" list. Entries can take the form of IP addresses and domain names. You can also edit existing website entries, and remove websites from a list.

Note: If there are conflicting or overlapping entries in the 'Block' and 'Allow' lists, the entries in the Block list will always take precedence. For example, if the same IP address is included in the Block list and the Allow list, the website is blocked. Furthermore, if a domain is included in the Block list, but a subdomain of that same domain is included in the Allow list, the Allow entry is ignored, and the domain and all of its subdomains are blocked.

Full Web Control uses a complete web policy that is configured and deployed via a Sophos Web Appliance or Security Management Appliance. It enforces a comprehensive, full-featured web control policy, and provides complete reporting on web traffic from the Sophos Web Appliance or Security Management Appliance.

Installer improvements

The installation process requires fewer reboots. System pre-requisite checking has been improved.

Other changes include:

  • Only creation of a "SOPHOS" SQL Server instance is permitted (in previous versions any SQL Server instance could be created).
  • A database account specified during the installation is used by two databases - the Enterprise Console database (SOPHOS50) and the Patch database (SOPHOSPATCH). For more information, see http://www.sophos.com/support/knowledgebase/article/113954.html.

Anti-virus and HIPS scanning enhancements

On-access scanning changes:

  • On write and On rename checking are now enabled by default (in addition to the current On read checking) for all new installations.
  • Automatic cleanup is now enabled by default for all new installations.

On-demand and scheduled scanning changes:

  • Automatic cleanup is now enabled by default.
Note: Right-click scans and Scan my computer will still retain the old setting and will not perform an automatic clean up.

Suspicious behavior detection changes:

  • Suspicious behavior has been renamed “Behavior monitoring”.
  • Behavior monitoring now allows a user to control the detection of malicious and suspicious behavior independently.
  • Suspicious behavior can be configured to send alerts only.
  • Buffer overflow can also be configured to send alerts only, but this can now be done independently of suspicious behavior settings.

When you upgrade from a previous version, the product will maintain the previous settings until a new Enterprise Console 5 policy is applied or until a standalone endpoint computer is reset to its default settings.

Network Access Control enhancements

Sophos NAC 3.9 introduces support for managing the compliance of endpoints running the latest Sophos endpoint software, including Sophos Anti-Virus 10.0 and Sophos Patch 1.0.

This release of Sophos NAC simplifies policy by omitting default profile definition for new minor revisions of Sophos endpoint software. These new revisions can still be detected by using the existing profiles, which are not targeted at a specific minor revision. For example, the new revision of Sophos Client Firewall (version 2.9) can be detected using the existing Sophos Client Firewall 2.x profile.

Support for the new Sophos Patch 1.0 product means that Sophos NAC policies can be configured to take into account whether endpoints have the latest operating system and application security patches installed.

Web protection - web content scanning enhancements

  • Better compatibility

    The network interception module (Sophos LSP) used for the web filtering features has been rewritten to improve performance and compatibility with third-party software.

  • Better security

    The feature to protect against malicious web sites (first introduced in version 9.5) has been enhanced so that it verifies the remote IP address and server name for HTTPS connections. For privacy reasons, the content of the HTTPS session is not decrypted or analyzed.

  • Improved web download scanning

    The Sophos Browser Helper Object (BHO) has been replaced with the same network interception module used for blocking access to malicious websites (Sophos LSP). This improves compatibility with certain websites, as well as offering consistent protection to the five major browsers: Internet Explorer, Firefox, Chrome, Safari, and Opera.

  • Intranet scanning

    Sophos Anti-Virus 10 now scans content downloaded from the intranet as well as internet.

Management console enhancements

  • Console re-branding

    In accordance with Sophos re-branding, the Management Console has a new appearance to the color scheme and iconography but there is no significant change to the layout.

  • Events

    With the introduction of new features that generate events, the Event Viewers are now available via the new Events menu on the menu bar in Enterprise Console.

  • Find a Computer

    You can now search for a computer or computers in Enterprise Console by computer name, computer description, or IP address. The search can be performed by pressing CTRL+F, clicking Find a Computer on the Edit menu, or right-clicking anywhere in the computer list and then clicking Find a Computer.

    Computer search is not case sensitive. Trailing wildcards are implicit. You can use the wildcards * and ?

  • Import or export Windows scanning exclusions

    You can now export the list of Windows exclusions for on-access or scheduled scanning to a file and then import it into another policy. The new options are available under:

    • For on-access scanning exclusions: Anti-virus and HIPS policy > Configure (next to the Enable on-access scanning check box) > On-access scan settings dialog box > Windows Exclusions tab > Import or Export.
    • For scheduled scanning exclusions: Anti-virus and HIPS policy > Extensions and Exclusions (under Scheduled scanning) > Scheduled scan extensions and exclusions dialog box > Windows Exclusions tab > Import or Export.
  • Resolve Alerts and Errors

    The Resolve Alerts and Errors dialog box now supports multiple selection using the standard Microsoft convention. Select individual items by pressing CTRL+left mouse button. Select a consecutive group of items by left-clicking the first item and pressing SHIFT+left mouse button on the last item.

  • SMTP server authentication

    If an SMTP server requires authentication details, it has not been possible to enter these details via the Configure SMTP settings dialog box. In Version 5, it is possible to do this via a registry key setting. For details, see http://www.sophos.com/support/knowledgebase/article/113780.html.

Clean file listing

This feature allows SophosLabs to create a list of files which have been verified as clean. When the endpoint computer identifies a file which has been verified as clean, it will allow it to bypass the file scanning component, greatly increasing performance.

The main benefit is for Windows operating system files which are used during startup. By allowing these files to run without scanning we have reduced startup time considerably.

The system will also build a list of files which have been scanned using the latest identities, which will be marked as clean until the next data update is available. These files will also be sent to the SophosLabs "cloud" to be added to the list of files the labs will consider adding to the verified clean files in the future.

Unlike decision caching, which doesn't survive a restart, the new system will retain the list after restarting.

New database backup and restore tool

A new database backup and restore tool, DataBackupRestore.exe, is provided as part of the Enterprise Console installation. The tool allows you to back up and restore the two Enterprise Console databases - SOPHOS50 and SOPHOSPATCH. For instructions about using the tool, see http://www.sophos.com/support/knowledgebase/article/114299.html.

Other improvements

  • Buffer Overflow Protection system support for Windows Vista and later.
  • Enhanced platform support; now supports SBS 2011 Standard 64-bit (for SEC, SUM, Patch), SBS 2011 Essentials 64-bit (for SEC, SUM, Patch), SQL Server 2008 SP2 and SP3 (including Express), and SQL Server 2008 R2 SP1 (including Express).

For more information about the new features, see the Sophos Enterprise Console Help.

System requirements

Supported operating systems and SQL Server versions

For operating system requirements and supported SQL Server versions, see http://www.sophos.com/support/knowledgebase/article/113278.html.

Hardware requirements

  • Processor: 2.0 GHz Pentium or equivalent.
  • Memory: 2 GB RAM for Enterprise Console; 2.5 GB RAM for Enterprise Console and NAC Manager on the same server.
  • Disk space: 1.5 GB for complete Enterprise Console installation without SQL Server 2008 Express; 1.8 GB for complete Enterprise Console installation with SQL Server 2008 Express.

    In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows 2000 and later, Mac and Linux - then around 700 MB would be required.

If you want to install Sophos Update Manager on a computer other than the one where Enterprise Console is installed, you will need at least:

  • Processor: Pentium 4 (or equivalent) 1.0 GHz
  • Memory: 512 MB RAM
  • Disk space: 50 MB for installation. In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows 2000 and later, Mac and Linux - then around 700 MB would be required.

Minimum database size

The computer where you place the database (which may be the same computer as the computer where Enterprise Console is installed or a different one) needs a minimum of 1 GB disk space for data.

Maximum database size

  • If you use Microsoft SQL Server 2008 Express Edition, the maximum size that a database can reach is 4 GB.
  • If you use Microsoft SQL Server 2005, 2008, or 2008 R2 there is no limit apart from that set by the administrator.

Software requirements

  • At least Internet Explorer 6 or later

To enable Enterprise Console to communicate with managed workstations, open TCP ports 8192 and 8194 on the computer where the Enterprise Console management server is installed. To enable Sophos Update Manager to download security software from Sophos, open HTTP port 80 on the computer where Sophos Update Manager is installed.

Note: TCP port 80 is the default port configured during the management server installation to enable:
  • Managed endpoints running the Sophos Patch Agent to communicate with the management server.

  • An Enterprise Console installation (local or remote to the management server) to communicate with the Web Control and Patch server-side components.

For more information, see http://www.sophos.com/support/knowledgebase/article/114182.html.

Installation and upgrading

Before installing or upgrading to Sophos Enterprise Console 5.0 on a Windows Server 2008 SP1 computer, check if Microsoft .NET Framework 3.5 SP1 is installed on the computer. If it isn't, install it manually and restart the computer before installing Sophos Enterprise Console 5.0.

Known issues

Installation

  • (WKI70911) If you choose to create a new SQL server instance when installing Enterprise Console and Windows Installer 4.5 is not installed on the computer, the following message will appear: "A new instance cannot be created as Windows Installer 4.5 is not installed." To work around this problem, install Windows Installer 4.5 and try again.

    For Windows Installer 4.5, go to the folder created by the Enterprise Console installer (by default, C:\sec_50\), and then go to the subfolder ServerInstaller\pre-reqs\Windows Installer 4.5.

  • (DEF58819) Enterprise Console installs Microsoft .NET Framework 3.5 Service Pack 1 as a prerequisite, because of which you may experience issues with components related to Exchange Web services including the following:
    • Outlook Web Access
    • Office Communications Server integration
    • Outlook Address Book
    • Out of Office notifications
    To resolve these issues, install the update for .NET Framework provided in Microsoft Knowledge Base article 959209 (http://support.microsoft.com/kb/959209).
  • (DEF56407) Distributed Installation: Sophos Management Service doesn't start if a database instance is present without the appropriate network protocols enabled.

    For distributed installations of Sophos Enterprise Console (with SQL Server on a different server) the Sophos Management Service may not start if the "SOPHOS" database instance was created by PureMessage for Microsoft Exchange, or if the chosen SQL Server instance has TCP/IP protocol disabled.

    To work around this problem, do the following.

    • When installing Sophos Enterprise Console and PureMessage together, you must first install Sophos Enterprise Console.
    • If PureMessage for Exchange is already present, or if you are using a SQL Server 2005/2008 database on a different server (a remote database) and the issue occurs, use the SQL Server Configuration Manager to enable the TCP/IP protocol for the database instance and also start the SQL Server Browser service.

Upgrading

  • (WKI77243) The Enterprise Console installer does not prevent upgrade of Enterprise Console 4.0 to Enterprise Console 5.0 where the database is SQL Server 2000 or MSDE (not supported by Enterprise Console 5.0) and is installed on a separate server. No warning is displayed when attempting to upgrade an unsupported SQL Server 2000 or MSDE instance of the Enterprise Console database installed on a separate server.

    An unsupported database instance cannot be upgraded automatically by the installer and the upgrade will fail. You must upgrade your SQL Server instance manually before upgrading Enterprise Console.

    For instructions, go to the folder created by the Enterprise Console installer (by default, C:\sec_50\), and then go to the subfolder containing the Upgrade Advisor documents, ServerInstaller\Docs\Eng.

    • If you have Enterprise Console 4.x on one server and an unsupported instance of SQL Server installed on another server, refer to sec_50_ua205.html.
    • If you have Enterprise Console 4.x, NAC 3.3, and an unsupported instance of SQL Server installed on a separate server, refer to sec_50_ua202.html.
    • If you have Enterprise Console 4.x, NAC 3.5 or NAC 3.7, and an unsupported instance of SQL Server installed on a separate server, refer to sec_50_ua204.html.
    • If you have Enterprise Console 4.x, NAC 3.5 64-bit or NAC 3.7 64-bit, and an unsupported instance of SQL Server installed on a separate server, refer to sec_50_ua207.html.

    For more information about this issue, see http://www.sophos.com/support/knowledgebase/article/116228.html. For more information about issues with upgrading to Enterprise Console 5.0, see http://www.sophos.com/support/knowledgebase/article/114627.html.

  • (DEF69133) After upgrading Sophos Endpoint Security and Control on endpoint computers from an older version (for example, 9.5) to version 10.0, the console may show the computers as differing from policy even if they are compliant. This happens if Allow location roaming is selected in the Updating policy, and/or Scan system memory is selected in the Anti-virus and HIPS policy when these policies are being applied to the endpoints during the upgrade.

    To work around this issue, do either of the following:

    • Before applying new policies to endpoint computers, ensure that Allow location roaming in the Updating policy and Scan system memory in the Anti-virus and HIPS policy are not selected. After the computers have been upgraded to Sophos Endpoint Security and Control 10.0, select the options, if you wish to, and make the computers comply with the updated policies.
    • Without changing any policy settings, upgrade endpoint computers to Sophos Endpoint Security and Control 10.0. After the upgrade, some of them may show the "Differs from policy" status in the console computer list. Select those computers, right-click, select Comply with, and click Group Updating Policy. Similarly, make the computers comply with the Group Anti-virus and HIPS Policy.
  • (WKI65337) When using multiple subscriptions containing the same product, upgrading SUM may result in does not match in configuration settings. Selecting Comply with Configuration will resolve the issue.
  • (DEF60930) After upgrading to Enterprise Console 5.0, if you had a SUM which was set to update to a fixed version of SUM, it will still show as being set to a fixed version, but will actually update to SUM 1.3.x (for Enterprise Console 5.0).

For more information about issues with upgrading to Enterprise Console 5.0, see http://www.sophos.com/support/knowledgebase/article/114627.html.

Downgrading

  • (DEF57375) The Sophos Agent and Sophos Message Router services stop running after downgrading Sophos Endpoint Security and Control on a machine that has the Sophos Management Service installed on it.

    Workaround: Manually restart the Sophos Agent and Sophos Message Router services.

General

  • (DEF69950) If you uninstall Sophos TDL3 Rootkit Cleanup Tool version 1.1 on a computer with Sophos Endpoint Security and Control 10.0 installed, Sophos Anti-Virus will fail to perform a system memory scan reporting the following error: "Scanning 'Memory' returned SAV Interface error 0xa0040202: Scan failed."

    This issue does not arise if you use Sophos TDL3 Rootkit Cleanup Tool version 1.2 or later (the latest version available for downloading from the Sophos website).

    To work around this issue, remove any installations of Sophos TDL3 Rootkit Cleanup Tool 1.1 prior to upgrading your existing version of Sophos Endpoint Security and Control or installing Sophos Endpoint Security and Control 10.0 for the first time. Do not install Sophos TDL3 Rootkit Cleanup Tool 1.1 on computers running Sophos Endpoint Security and Control 9.x or 10.0. Use Sophos TDL3 Rootkit Cleanup Tool 1.2 or later instead.

    If you have encountered this issue, see http://www.sophos.com/support/knowledgebase/article/113403.html.

  • (DEF61278) Default distribution share reserved name SophosUpdate

    When creating an Update Manager distribution, you cannot reference new shares named SophosUpdate because "SophosUpdate" is now a reserved share name used for the default share.

    Workaround: When creating new shares, use other names such as "Update".

    In updating policies, when you are selecting a primary or secondary update location, the drop-down list shows the default share paths only in NetBIOS format, for example \\Server\SophosUpdate, although you may need to use the Fully-Qualified Domain Name form, for example \\server.de.acme\SophosUpdate.

    Workaround: Type the FQDN path into the server location update path field.

  • (DEF58871, DEF58872) When discovering computers or synchronizing to Active Directory, Enterprise Console may fail to differentiate between multiple computers with the same name, and may switch them between groups alternately. This situation may arise where identically-named computers are situated on different domains or sub-domains.

    To work around this problem, do one of the following.

    • Ensure that Sophos RMS (Remote Management System) is installed and running on all identically-named computers before attempting to find them from Enterprise Console.

      Do not synchronize any Active Directory groups that contain machines which have identically-named computers; Manage the computers manually.

    • Eliminate duplicate computer names on your network.

Data control

  • (DEF77371) In data control events, internal English, non-localized program references appear in "Destination type" entries in all languages (for example, "removableStorage"). The data control events can be viewed in the Data Control Event Viewer and the Computer Details dialog box.

    If you have encountered this issue, please see http://www.sophos.com/support/knowledgebase/article/116249.html for translations of the "Destination type" entries.

  • (DEF48035) Alternative file systems, such as AFS (Andrews File System), are not supported in this release.
  • (WKI36074) New file creation is blocked on monitored storage devices if data control rules use either the "block" or "allow transfer on acceptance by user" actions.
  • (DEF29635) Files transferred via the FTP protocol within Internet Explorer will not be scanned.

Device control

  • Camera devices are not blocked using device control. By default, these devices cannot have data written to them using Windows Explorer.

Patch

  • (WKI72698) Application Control can be configured to block CScript.exe that is used by Patch. If you use both Application Control and Patch, ensure that you do not block Microsoft WSH CScript in the Programming/Scripting tool category in the Application control policy. By default, programming and scripting tools are allowed.

Sophos Client Firewall

  • (DEF22335) An allowed application is blocked temporarily by Sophos Client Firewall.

    When a Firewall policy is applied, all application rules are removed and then re-added. During this time, if an application that is allowed by the new policy tries to make an outbound connection, the application is blocked until the new policy is applied completely.

Web control

  • (DEF73962) Endpoint cannot re-register with a Sophos Web Appliance it has previously registered with.

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2011 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.