Sophos Enterprise Console release notes

Version numbers

Sophos Enterprise Console 5.1.0
Sophos Update Manager for Windows 1.3.1

New in this release

This section lists changes that have been made since the release of Sophos Enterprise Console 5.0.

Full Disk Encryption

Note: Full Disk Encryption is not included with all licenses. If you want to use it, you might need to change your license. For more information, see

Full Disk Encryption protects data on endpoint computers from being read or changed by unauthorized persons. Volumes on disks are encrypted transparently. Users do not need to decide what data is to be encrypted. Encryption and decryption are performed in the background.

For full information on how to configure and use the Full Disk Encryption functionality, see the Sophos Enterprise Console Help.

Small Business Upgrade

Support for direct upgrade from the Small Business management console (Sophos Control Center) to Sophos Enterprise Console 5.1. This addresses requirements where Small Business customers upgrade their existing license to new license options including SAV Business and Endpoint Protection Business.

For more information about license options, see

For information about upgrading to Sophos Enterprise Console 5.1, visit the Small Business Upgrade Center at

Patch Assessment enhancements

Note: Patch Assessment is not included with all licenses. If you want to use it, you might need to change your license. For more information, see

Patch Assessment now:

  • Shows when the initial patch download is complete.
  • Has a significantly faster initial download.
  • Clearly shows where a missing patch has been superseded by a newer patch. This helps maximize protection and minimize the number of patches that need to be applied.
  • Updates faster and scans more intelligently.

For information about how to configure and use the Patch Assessment functionality, see the Sophos Enterprise Console Help. For a list of frequently asked questions and answers, including the list of applications currently supported by Patch Assessment, see

Enhanced deployment on Windows 7

Deployment of Sophos Endpoint Security and Control on endpoint computers running more recent Microsoft operating systems, including Windows 7, has been enhanced. Messaging in the Protect Computers Wizard has been amended to assist with information on environment preparation for the client.

For detailed requirements for deployment on Windows 7 and other versions of Windows, see the following Sophos support knowledgebase articles:

Sophos Reporting Interface External Interface is installed along with Enterprise Console

Sophos Reporting Interface External Interface is now installed along with Enterprise Console. This is the supported method of accessing data in the Enterprise Console database for richer reporting. This makes it possible to use third-party reporting tools (for example, Crystal Reports or SQL Server Reporting Services) with Sophos Reporting Interface out of the box.

Please note that Log Writer still needs to be installed separately. Existing installations of Log Writer will continue to function as usual.


During an upgrade from Sophos Enterprise Console 4.x or Sophos Control Center 4.x, you will be asked to enter a database account. For more information, see

Database backup and restore tool

The database backup and restore tool, DataBackupRestore.exe, which is provided as part of the Enterprise Console installation, allows you to back up and restore the three Enterprise Console databases - SOPHOS51, SOPHOSPATCH51, and SOPHOSENC51. For instructions about using the tool, see

Copy information from the Groups Using This Policy dialog box

It is now possible to copy information from the Groups Using This Policy dialog box to the Clipboard. To do this, open the dialog box by right-clicking the policy for which you want to view the information, and then clicking View Groups Using Policy. Select the entries you want to copy and press CTRL+C to copy them to the Clipboard.

For more information about the new features, see the Sophos Enterprise Console Help.

System requirements

Supported operating systems and SQL Server versions

For operating system requirements and supported SQL Server versions, see

Hardware requirements

  • Processor: 2.0 GHz Pentium or equivalent.
  • Memory: 2 GB RAM for Enterprise Console; 2.5 GB RAM for Enterprise Console and NAC Manager on the same server.
  • Disk space: 1.5 GB for complete Enterprise Console installation without SQL Server 2008 Express; 1.8 GB for complete Enterprise Console installation with SQL Server 2008 Express.

    In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows 2000 and later, Mac and Linux - then around 700 MB would be required.

If you want to install Sophos Update Manager on a computer other than the one where Enterprise Console is installed, you will need at least:

  • Processor: Pentium 4 (or equivalent) 1.0 GHz
  • Memory: 512 MB RAM
  • Disk space: 50 MB for installation. In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows 2000 and later, Mac and Linux - then around 700 MB would be required.

Minimum database size

The computer where you place the database (which may be the same computer as the computer where Enterprise Console is installed or a different one) needs a minimum of 1 GB disk space for data.

Maximum database size

  • If you use Microsoft SQL Server 2008 Express Edition, the maximum size that a database can reach is 4 GB.
  • If you use Microsoft SQL Server 2005, 2008, or 2008 R2 there is no limit apart from that set by the administrator.

Software requirements

  • At least Internet Explorer 6 or later

To enable Enterprise Console to communicate with managed workstations, open TCP ports 8192 and 8194 on the computer where the Enterprise Console management server is installed. To enable Sophos Update Manager to download security software from Sophos, open HTTP port 80 on the computer where Sophos Update Manager is installed.

Note: TCP port 80 is the default port configured during the management server installation to enable:
  • Managed endpoints running the Sophos Patch Agent to communicate with the management server.

  • An Enterprise Console installation (local or remote to the management server) to communicate with the Web Control, Patch, and Encryption server-side components.

For more information, see

Fixed issues

This section lists issues fixed since the release of Sophos Enterprise Console 5.0.

Installation and Upgrading

  • (WKI77243) The Enterprise Console installer does not prevent upgrade of Enterprise Console 4.0 to Enterprise Console 5.0 where the database is SQL Server 2000 or MSDE (not supported by Enterprise Console 5.0 or later) and is installed on a separate server. No warning is displayed when attempting to upgrade an unsupported SQL Server 2000 or MSDE instance of the Enterprise Console database installed on a separate server.
  • (DEF75587) On Windows Server 2008 SP1, if Microsoft .NET Framework 3.5 SP1 is not installed before the Enterprise Console 5.0 installer is run, the upgrade of the Enterprise Console database will fail.
  • (WKI70911) If you choose to create a new SQL server instance when installing and Windows Installer 4.5 is not installed on the computer, the following message will appear: "A new instance cannot be created as Windows Installer 4.5 is not installed."

Known issues


  • (DEF76263) At the end of the Enterprise Console 5.x installation, the following error message is displayed: Sophos Enterprise Console Installation Failed - Microsoft Message Queuing failed. This failure may occur for a number of reasons. The recommended action is to manually install MSMQ and re-run the installer but please refer to Sophos support knowledgebase article 116488 ( for guidance.
  • (DEF58819) Enterprise Console installs Microsoft .NET Framework 3.5 Service Pack 1 as a prerequisite, because of which you may experience issues with components related to Exchange Web services including the following:
    • Outlook Web Access
    • Office Communications Server integration
    • Outlook Address Book
    • Out of Office notifications
    To resolve these issues, install the update for .NET Framework provided in Microsoft Knowledge Base article 959209 (
  • (DEF56407) Distributed Installation: Sophos Management Service doesn't start if a database instance is present without the appropriate network protocols enabled.

    For distributed installations of Sophos Enterprise Console (with SQL Server on a different server) the Sophos Management Service may not start if the "SOPHOS" database instance was created by PureMessage for Microsoft Exchange, or if the chosen SQL Server instance has TCP/IP protocol disabled.

    To work around this problem, do the following.

    • When installing Sophos Enterprise Console and PureMessage together, you must first install Sophos Enterprise Console.
    • If PureMessage for Exchange is already present, or if you are using a SQL Server 2005/2008 database on a different server (a remote database) and the issue occurs, use the SQL Server Configuration Manager to enable the TCP/IP protocol for the database instance and also start the SQL Server Browser service.


  • (DEF69133) After upgrading Sophos Endpoint Security and Control on endpoint computers from an older version (for example, 9.5) to version 10.0, the console may show the computers as differing from policy even if they are compliant. This happens if Allow location roaming is selected in the Updating policy, and/or Scan system memory is selected in the Anti-virus and HIPS policy when these policies are being applied to the endpoints during the upgrade.

    To work around this issue, do either of the following:

    • Before applying new policies to endpoint computers, ensure that Allow location roaming in the Updating policy and Scan system memory in the Anti-virus and HIPS policy are not selected. After the computers have been upgraded to Sophos Endpoint Security and Control 10.0, select the options, if you wish to, and make the computers comply with the updated policies.
    • Without changing any policy settings, upgrade endpoint computers to Sophos Endpoint Security and Control 10.0. After the upgrade, some of them may show the "Differs from policy" status in the console computer list. Select those computers, right-click, select Comply with, and click Group Updating Policy. Similarly, make the computers comply with the Group Anti-virus and HIPS Policy.
  • (WKI65337) When using multiple subscriptions containing the same product, upgrading SUM may result in does not match in configuration settings. Selecting Comply with Configuration will resolve the issue.
  • (DEF60930) After upgrading to Enterprise Console 5.1, if you had a SUM which was set to update to a fixed version of SUM, it will still show as being set to a fixed version, but will actually update to SUM 1.3.x (for Enterprise Console 5.1).
  • (DEF82127) For upgrades that require migration of the SQL Server database to another computer, a declare statement for the @user_name variable is missing in the Upgrade Advisor, in the snippet of the SQL script used for relinking the user and the login account.
    On the sec_51_ua302.html and sec_51_ua304.html pages of the Upgrade Advisor, in section 7, step 18 and in section 9, step 4, respectively, the following declaration should be added at the beginning of the SQL script snippet (before the "SET @user_name = (SELECT TOP(1)..." line):
    DECLARE @user_name NVARCHAR(128);

For more information about issues with upgrading to Enterprise Console 5.1, see


  • (DEF61278) Default distribution share reserved name SophosUpdate

    When creating an Update Manager distribution, you cannot reference new shares named SophosUpdate because "SophosUpdate" is now a reserved share name used for the default share.

    Workaround: When creating new shares, use other names such as "Update".

    In updating policies, when you are selecting a primary or secondary update location, the drop-down list shows the default share paths only in NetBIOS format, for example \\Server\SophosUpdate, although you may need to use the Fully-Qualified Domain Name form, for example \\\SophosUpdate.

    Workaround: Type the FQDN path into the server location update path field.

  • (DEF58871, DEF58872) When discovering computers or synchronizing to Active Directory, Enterprise Console may fail to differentiate between multiple computers with the same name, and may switch them between groups alternately. This situation may arise where identically-named computers are situated on different domains or sub-domains.

    To work around this problem, do one of the following.

    • Ensure that Sophos RMS (Remote Management System) is installed and running on all identically-named computers before attempting to find them from Enterprise Console.

      Do not synchronize any Active Directory groups that contain machines which have identically-named computers; Manage the computers manually.

    • Eliminate duplicate computer names on your network.

Data control

  • (DEF48035) Alternative file systems, such as AFS (Andrews File System), are not supported in this release.
  • (WKI36074) New file creation is blocked on monitored storage devices if data control rules use either the "block" or "allow transfer on acceptance by user" actions.
  • (DEF29635) Files transferred via the FTP protocol within Internet Explorer will not be scanned.

Device control

  • Camera devices are not blocked using device control. By default, these devices cannot have data written to them using Windows Explorer.


  • (DEF77873) If the Patch Agent is configured to connect to the Sophos Enterprise Console (SEC) management server through a Sophos Web Appliance, and if the SEC server and Patch Agent are in different geographical locations, then the download of the patch data will fail.
    If you have encountered this issue, in the web appliance, disable scanning of files from the SEC management server.
    1. Log on to the web administrative interface of the web appliance.
    2. Go to Configuration > Global Policy > Security Filter.
    3. Click the Sites button next to the Trusted risk classification.
    4. Click Add Site.
    5. Enter the IP address or server name of the SEC management server.
    6. Select Override the risk class, and select Trusted.
    7. Click Save.
  • (WKI72698) Application Control can be configured to block CScript.exe that is used by Patch. If you use both Application Control and Patch, ensure that you do not block Microsoft WSH CScript in the Programming/Scripting tool category in the Application control policy. By default, programming and scripting tools are allowed.

Sophos Client Firewall

  • (DEF22335) An allowed application is blocked temporarily by Sophos Client Firewall.

    When a Firewall policy is applied, all application rules are removed and then re-added. During this time, if an application that is allowed by the new policy tries to make an outbound connection, the application is blocked until the new policy is applied completely.

Web control

  • (DEF73962) Endpoint cannot re-register with a Sophos Web Appliance (SWA) it has previously registered with.

    If an endpoint registers with an SWA (SWA1), then with a different SWA (SWA2), and then returns to SWA1, it does not re-register. Its cloud URL remains as if it was registered with SWA2. Inside the user's organization it would communicate with SWA1 and outside the organization it would communicate through the cloud with SWA2.

Additional information

For release notes for managed endpoint software, follow these links:

Information from previous releases

New in Sophos Enterprise Console 5.0

For information about new features in Sophos Enterprise Console 5.0, see the Sophos Enterprise Console 5.0 release notes (

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2012 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.