Sophos Enterprise Console 5.2.1 release notes

New in this release

This section lists changes that have been made since the release of Sophos Enterprise Console 5.2.0.

  • Enterprise Console remote console is now supported on Windows 8.
  • The user interface will no longer show Network Access Control (NAC), Data Control, Encryption and Patch if they are not included in the user's license.
  • Windows 2000 support

    For new SEC 5.2.1 customers support for Windows 2000 computers from Enterprise Console 5.2.1 will cease at end-December 2013.

    Existing customers upgrading to SEC 5.2.1, depending on their license, can subscribe to SAV 10.0 before end-December 2013 in order to continue protecting Windows 2000 computers. For information about platform retirements, see

  • Filter by alert name

    A new filter has been added in the computer list view, that allows you to filter computers by alert name. Wildcards can be used to specify alert names.

  • Last logged-on user

    A new entry showing the last logged-on user for each computer has been added in the computer list view and the Computer details dialog box. Note that this can be disabled if there are privacy concerns over the data. For more information, see

  • New options for updating from Sophos

    Sophos is introducing new software packages and is retiring some of the existing ones and the use of fixed versions. The Software Subscription dialog box will no longer display fixed packages, nor any of the following labeled packages:

    • OLDEST

    For more information about available software packages, see

  • Additional warnings and errors in the installer for the following upgrade cases:
    • Enterprise Console upgrade will be prevented if you have a subscription to any of the labeled packages listed above. You will need to resubscribe to one of the other packages to continue with the upgrade.
    • Upgrade will be prevented if you have a Sophos Update Manager (SUM) subscription to any package other than "1 Recommended". You will need to resubscribe to the "1 Recommended" package and ensure that SUM has been updated to the latest recommended version (1.4.2) before upgrading Enterprise Console.
    • A warning will be displayed if you have a subscription to a fixed package. The fixed package you are subscribed to will still be displayed after the upgrade, but no other fixed packages will be shown. Once you unsubscribe from a fixed package, it will be permanently removed from the list of available packages.
    • A warning will be displayed if you have a subscription to a fixed package with the autosubscribe option ("Automatically upgrade fixed version software when it is no longer supported by Sophos") disabled. If you proceed with the upgrade, the autosubscribe option will be automatically enabled, and will no longer be displayed in the Software Subscription dialog box.
  • Upgrade of the SUMInstallSet admin share if the shipped version of SUM is newer

    After upgrading to Enterprise Console 5.2.1, the SUMInstallSet admin share (\\Servername\SUMInstallSet on the computer where Enterprise Console management server is installed) will contain the version of SUM shipped with Enterprise Console (1.4.2). In previous Enterprise Console releases, the share contained only the version of SUM shipped with the version of Enterprise Console that was originally installed.

Upgrading to Enterprise Console 5.2.1

You can upgrade to Enterprise Console 5.2.1 directly from:

  • Enterprise Console 5.0, 5.1, or 5.2.0
  • Sophos Control Center 4.0.1 or 4.1

To upgrade from Enterprise Console 4.x or Enterprise Manager 4.7, you must upgrade to Enterprise Console 5.1 first.

Note: If you are upgrading from Enterprise Console 5.2.0 and want to upgrade the Sophos databases manually by running the database install scripts, please note that not all of the databases need upgrading in this case. For more information and instructions, go to

For more information about upgrading, see the Sophos Enterprise Console upgrade guide.

System requirements

Supported operating systems and SQL Server versions

For operating system requirements and supported SQL Server versions, see

If you don't have a supported SQL Server version (SQL Server 2005 Express or later) already installed, the Enterprise Console installer attempts to install SQL Server 2008 R2 Express Edition with Service Pack 1 (SP1).

Other software requirements

The installer also attempts to install the following software (unless already installed):

You will need to have the following software installed:

  • At least Internet Explorer 7 or later

For more information about installing required system software, refer to the Enterprise Console startup documentation published at

Port requirements

Enterprise Console requires certain ports to be open. For more information, go to

Hardware requirements

  • Processor: Pentium 4 (or equivalent) 2.0 GHz or faster.
  • Memory: 2 GB RAM for Enterprise Console; 2.5 GB RAM for Enterprise Console and NAC Manager on the same server.
  • Disk space: 1.5 GB for complete Enterprise Console installation without SQL Server 2008 R2 Express; 1.8 GB for complete Enterprise Console installation with SQL Server 2008 R2 Express.

    In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows 2000 and later, Mac and Linux - then around 700 MB would be required.

If you want to install Sophos Update Manager on a computer other than the one where Enterprise Console is installed, you will need at least:

  • Processor: Pentium 4 (or equivalent) 1.0 GHz
  • Memory: 512 MB RAM
  • Disk space: 50 MB for installation. In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows 2000 and later, Mac and Linux - then around 700 MB would be required.

Minimum database size

The computer where you place the database (which may be the same computer as the computer where Enterprise Console is installed or a different one) needs a minimum of 1 GB disk space for data.

Maximum database size

  • If you use Microsoft SQL Server 2008 Express Edition, the maximum size that a database can reach is 4 GB.
  • If you use Microsoft SQL Server 2008 R2 Express Edition (installed by default), the maximum size that a database can reach is 10 GB.
  • If you use Microsoft SQL Server 2005, 2008, 2008 R2, or 2012, there is practically no limit apart from that set by the administrator.

Fixed issues

This section lists issues fixed since the release of Sophos Enterprise Console (SEC) 5.2.0.

  • (DEF86614) Slow console behavior when the console is managing thousands of groups.

    Database queries have been optimized to improve the response.

  • (DEF87148) The "next run" data for scheduled reports can drift in certain timezones.
  • (DEF87584) The integrated SophosSecurity purge task fails to execute (

    The integrated purge task is executed periodically in the context of the database account set during the installation. In Enterprise Console 5.2.0, the database account did not have sufficient rights to all SophosSecurity stored procedures involved in the purge task execution. As a result, multiple error log entries were generated by each purge task execution. This problem has been resolved in Enterprise Console 5.2.1. For existing SophosSecurity installation, the upgrade process will ensure that the necessary access rights are set.

  • (DEF87766) Improved error message during installation when the SQL instance is not running, and when the logged-on user doesn't have rights to access the database.
  • (DEF88637) The console may crash with auditing enabled in non-English locales when performing operations such as acknowledging alerts (
  • (SUG87577) A separate top-level folder for Patch has been created in the System event log.

Known issues and limitations


  • (SUG81937) The installer doesn't display a warning when there is an insufficient disk space for the .NET Framework 4.0 installation, and the installation fails with the error "Microsoft .NET 4.0 failed."
  • (DEF76263) At the end of the Enterprise Console 5.x installation, the following error message is displayed: Sophos Enterprise Console Installation Failed - Microsoft Message Queuing failed. This failure may occur for a number of reasons. The recommended action is to manually install MSMQ and re-run the installer but please refer to for guidance.
  • (DEF72326) Sophos Management Service fails to start after Enterprise Console is installed on a computer where an earlier version of Enterprise Console has been previously uninstalled. For more information, see
  • (DEF56407) Distributed installation: Sophos Management Service doesn't start if a database instance is present without the appropriate network protocols enabled.

    For distributed installations of Enterprise Console (with SQL Server on a different server) the Sophos Management Service may not start if the "SOPHOS" database instance was created by PureMessage for Microsoft Exchange, or if the chosen SQL Server instance has TCP/IP protocol disabled.

    To work around this problem, do the following.

    • When installing Sophos Enterprise Console and PureMessage together, you must first install Sophos Enterprise Console.
    • If PureMessage for Exchange is already present, or if you are using a SQL Server 2005/2008 database on a different server (a remote database) and the issue occurs, use the SQL Server Configuration Manager to enable the TCP/IP protocol for the database instance and also start the SQL Server Browser service.


  • (DEF87597) When you upgrade from Enterprise Console 5.1 to Enterprise Console 5.2.1, there is a risk that encryption registry keys and files may be incorrectly deleted if a second user interactively logs on to the server using the Remote Desktop Protocol (RDP), while the management server is being upgraded. Sophos strongly recommends that only one user be logged on to the server for the duration of the upgrade.

    For information on how to prevent other users from logging on to the server during the upgrade, see

  • (WKI79868) When you upgrade from Sophos Enterprise Console 5.0 to Sophos Enterprise Console 5.2.1, the Patch Assessment Event Viewer will be blank. Missing patches data will appear in the Patch Assessment Event Viewer after the computers are assessed for missing patches during their next scheduled assessment. (The patch assessment interval is specified in the Patch Policy and can be set to "Every 8 hours", "Every day" (default), or "Every week".)

    This issue does not appear when upgrading from Enterprise Console 5.1 to Enterprise Console 5.2.1 or from Enterprise Console 5.2.0 to Enterprise Console 5.2.1.

  • (DEF69133) After upgrading Sophos Endpoint Security and Control on endpoint computers from an older version (for example, 9.5) to version 10.0, the console may show the computers as differing from policy even if they are compliant. This happens if Allow location roaming is selected in the Updating policy, and/or Scan system memory is selected in the Anti-virus and HIPS policy when these policies are being applied to the endpoints during the upgrade.

    To work around this issue, do either of the following:

    • Before applying new policies to endpoint computers, ensure that Allow location roaming in the Updating policy and Scan system memory in the Anti-virus and HIPS policy are not selected. After the computers have been upgraded to Sophos Endpoint Security and Control 10.0, select the options, if you wish to, and make the computers comply with the updated policies.
    • Without changing any policy settings, upgrade endpoint computers to Sophos Endpoint Security and Control 10.0. After the upgrade, some of them may show the "Differs from policy" status in the console computer list. Select those computers, right-click, select Comply with, and click Group Updating Policy. Similarly, make the computers comply with the Group Anti-virus and HIPS Policy.
  • (WKI65337) When using multiple subscriptions containing the same product, upgrading SUM may result in a "Does not match" status being displayed in the Configuration column in the Update managers view. To resolve this issue, right-click the affected SUM and click Comply with Configuration. For more information, see

For more information about issues with upgrading to Enterprise Console 5.2.1, see


  • (DEF87128) If you are subscribed to Sophos Endpoint Security and Control 10.2 and attempt to deploy Sophos Client Firewall to Windows 8 computers, the Protect Computers Wizard won't block the installation. The installation attempt will fail because Sophos Client Firewall is not supported and cannot be installed on Windows 8 at the time of this release.
  • (DEF84838) It is not possible to protect Windows 8 computers that are in a workgroup from Enterprise Console 5.2 running on Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.

    For more information and instructions on how to enable deployment, see


  • (DEF90191) On Japanese or Chinese Windows Server 2012 installations, Enterprise Console fails when the Chart tab is selected in the Reporting window. Workaround: Use scheduled reports instead.
  • (DEF82914) Optional user-defined desktop messages are not displayed on computers running Windows 8. For more information, see
  • (DEF66327) Opening a remote console on a WAN takes approximately 75 seconds.
  • (DEF61278) Default distribution share reserved name SophosUpdate

    When creating an Update Manager distribution, you cannot reference new shares named SophosUpdate because "SophosUpdate" is a reserved share name used for the default share.

    Workaround: When creating new shares, use other names such as "Update".

    In updating policies, when you are selecting a primary or secondary update location, the drop-down list shows the default share paths only in NetBIOS format, for example \\Server\SophosUpdate, although you may need to use the Fully-Qualified Domain Name form, for example \\\SophosUpdate.

    Workaround: Type the FQDN path into the server location update path field.

  • (DEF58871, DEF58872) When discovering computers or synchronizing to Active Directory, Enterprise Console may fail to differentiate between multiple computers with the same name, and may switch them between groups alternately. This situation may arise where identically-named computers are situated on different domains or sub-domains.

    To work around this problem, do one of the following.

    • Ensure that Sophos RMS (Remote Management System) is installed and running on all identically-named computers before attempting to find them from Enterprise Console.

      Do not synchronize any Active Directory groups that contain machines which have identically-named computers; Manage the computers manually.

    • Eliminate duplicate computer names on your network.

Data control

  • (DEF48035) Alternative file systems, such as AFS (Andrews File System), are not supported in this release.
  • (WKI36074) New file creation is blocked on monitored storage devices if data control rules use either the "block" or "allow transfer on acceptance by user" actions.
  • (DEF29635) Files transferred via the FTP protocol within Internet Explorer will not be scanned.

Device control

  • Camera devices are not blocked using device control. By default, these devices cannot have data written to them using Windows Explorer.


  • (WKI72698) Application Control can be configured to block CScript.exe that is used by Patch. If you use both Application Control and Patch, ensure that you do not block Microsoft WSH CScript in the Programming/Scripting tool category in the Application control policy. By default, programming and scripting tools are allowed.

Sophos Client Firewall

  • (DEF22335) An allowed application is blocked temporarily by Sophos Client Firewall.

    When a Firewall policy is applied, all application rules are removed and then re-added. During this time, if an application that is allowed by the new policy tries to make an outbound connection, the application is blocked until the new policy is applied completely.

Web control

  • (DEF73962) Endpoint cannot re-register with a Sophos Web Appliance (SWA) it has previously registered with.

    If an endpoint registers with an SWA (SWA1), then with a different SWA (SWA2), and then returns to SWA1, it does not re-register. Its cloud URL remains as if it was registered with SWA2. Inside the user's organization it would communicate with SWA1 and outside the organization it would communicate through the cloud with SWA2.

Additional information

For release notes for managed endpoint software, follow these links:

Before using Sophos Reporting Interface, read the Sophos Reporting Interface user guide.

Sophos documentation is published at

Information from previous releases

For information about new features in Sophos Enterprise Console 5.0, 5.1 or 5.2.0, go to:

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2013 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.