New features

• This Sophos Enterprise Console (SEC) maintenance release is designed to work with the new version of the Sophos Remote Management System (RMS)—version 4.0—which contains a number of security and performance enhancements.

  For more information, see http://www.sophos.com/en-us/support/knowledgebase/121071.aspx.

• Improved integration with Sophos Anti-Virus for VMware vShield, in particular, improved error reporting.
• Optimized workflow for minor upgrades. In particular, there is no need to re-enter passwords and port number.
• Support for Microsoft SQL Server 2014.
• Third-party software has been updated.

Fixed issues

• The default policy for encryption must require a Windows password when an endpoint is resuming from sleep or hibernation.
• (DEF96865) Improve logging, remove error messages for transient conditions that resolve themselves.
• (DEF96047) If a user upgraded from SEC 5.1 to SEC 5.2 and then to SEC 5.2.1, the SEC 5.1 encryption database may be recovered on upgrade from SEC 5.2 to SEC 5.2.1.
• (DEF95439) In SEC 5.2.1 R2, it is not possible to deploy NAC agent to an endpoint from the console.
• (DEF95350) When modifying a SEC 5.2.1 R2 installation, the installer rediscovers SQL Server instance, rather than using an already configured database instance.
• (DEF95280) The Sophos Message Router service (RouterNT.exe) sometimes fails to reconnect to its parent Message Router after a communication failure.
• (DEF77537) Change the hash function used to sign the RMS SSL certificates from MD5 to SHA-1, to enhance security.
• (DEF73469) RMS returns an incorrect "Last Logged On User" for Windows 8 endpoints.
• (DEF51796) The IP address sent to SEC by RMS should be the IP address of the adapter it's communicating over, rather than that of the first adapter that responded when the Sophos Agent service requested the IP address of the computer.

Other changes

Product retirements

Please note that SEC 4.5 and 4.7 are now retired, and at the end of December 2014, SEC 5.0 will retire. After this date, if you call Sophos Support with any issues relating specifically to SEC 5.0, then you will be told that it is unsupported and will be asked to upgrade to a supported management console version.

For more information on product retirements, see http://www.sophos.com/en-us/support/knowledgebase/119147.aspx.

Supported operating systems and SQL Server versions

For operating system requirements and supported SQL Server versions, see http://www.sophos.com/en-us/support/knowledgebase/113278.aspx.

If you don't have a supported SQL Server version (SQL Server 2005 Express or later) already installed, the Enterprise Console installer attempts to install SQL Server 2008 R2 Express Edition with Service Pack 1 (SP1).

Other software requirements

The installer also attempts to install the following software (unless already installed):

• Microsoft .NET Framework 4.0
  Important: If not already installed, install reliability updates for .NET Framework 4.0. For more information, see http://support.microsoft.com/kb/2533523 and http://support.microsoft.com/kb/2600217.
• Microsoft Message Queuing (MSMQ)

You will need to have the following software installed:

• At least Internet Explorer 7 or later

For more information about installing required system software, refer to the Enterprise Console startup documentation published at http://www.sophos.com/en-us/support/documentation/enterprise-console.aspx.

Port requirements

Enterprise Console requires certain ports to be open. For more information, go to http://www.sophos.com/en-us/support/knowledgebase/38385.aspx.

Hardware requirements

• Processor: Pentium 4 (or equivalent) 2.0 GHz or faster.
• Memory: 2 GB RAM for Enterprise Console.
• Disk space: 1.5 GB for complete Enterprise Console installation without SQL Server 2008 R2 Express; 1.8 GB for complete Enterprise Console installation with SQL Server 2008 R2 Express.

  In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows, Mac, and Linux - then around 700 MB would be required.

If you want to install Sophos Update Manager on a computer other than the one where Enterprise Console is installed, you will need at least:

• Processor: Pentium 4 (or equivalent) 1.0 GHz
• Memory: 1 GB RAM
• Disk space: 50 MB for installation. In addition to this, you will need around 200 MB - 350 MB per endpoint product you are downloading from Sophos. For example, if you download three security software products - for Windows, Mac, and Linux - then around 700 MB would be required.

Minimum database size

The computer where you place the database (which may be the same computer as the computer where Enterprise Console is installed or a different one) needs a minimum of 1 GB disk space for data.

Maximum database size

• If you use Microsoft SQL Server 2008 Express Edition, the maximum size that a database can reach is 4 GB.
• If you use Microsoft SQL Server 2008 R2 Express Edition (installed by default), the maximum size that a database can reach is 10 GB.
• If you use Microsoft SQL Server 2005, 2008, 2008 R2, 2012, 2012 R2, or 2014 there is practically no limit apart from that set by the administrator.

Installation

Upgrading

• (DEF87597) When you upgrade from Enterprise Console 5.1 to Enterprise Console 5.2.2, there is a risk that encryption registry keys and files may be incorrectly deleted if a second user interactively logs on to the server using the Remote Desktop Protocol (RDP), while the management server is being upgraded. Sophos strongly recommends that only one user be logged on to the server for the duration of the upgrade.

  For information on how to prevent other users from logging on to the server during the upgrade, see http://support.microsoft.com/kb/186504/en-us.

• (WKI79868) When you upgrade from Sophos Enterprise Console 5.0 to Sophos Enterprise Console 5.2.2, the Patch Assessment Event Viewer will be blank. Missing patches data will appear in the Patch Assessment Event Viewer after the computers are assessed for missing patches during their next scheduled assessment. (The patch assessment interval is specified in the Patch Policy and can be set to "Every 8 hours", "Every day" (default), or "Every week".)

  This issue does not appear when upgrading to Enterprise Console 5.2.2 from Enterprise Console 5.1 or later.

• (DEF69133) After upgrading Sophos Endpoint Security and Control on endpoint computers, the console may show the computers as differing from policy even if they are compliant. This happens if Allow location roaming is selected in the Updating policy, and/or Scan system memory is selected in the Anti-virus and HIPS policy when these policies are being applied to the endpoints during the upgrade.

  To work around this issue, do either of the following:

  • Before applying new policies to endpoint computers, ensure that Allow location roaming in the Updating policy and Scan system memory in the Anti-virus and HIPS policy are not selected. After the computers have been upgraded, select the options, if you wish to, and make the computers comply with the updated policies.
  • Without changing any policy settings, upgrade endpoint computers. After the upgrade, some of them may show the "Differs from policy" status in the console computer list. Select those computers, right-click, select Comply with, and click Group Updating Policy. Similarly, make the computers comply with the Group Anti-virus and HIPS Policy.
• (WKI65337) When using multiple subscriptions containing the same product, upgrading SUM may result in a "Does not match" status being displayed in the Configuration column in the Update managers view. To resolve this issue, right-click the affected SUM and click Comply with Configuration. For more information, see http://www.sophos.com/en-us/support/knowledgebase/113330.aspx.

For more information about issues with upgrading Enterprise Console, see http://www.sophos.com/en-us/support/knowledgebase/114627.aspx.

Deployment

• (DEF84838) It is not possible to protect Windows 8 and Windows 8.1 computers that are in a workgroup from Enterprise Console 5.2.2 running on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.

  For more information and instructions on how to enable deployment, see http://www.sophos.com/en-us/support/knowledgebase/118354.aspx.

General

• (DEF90191) On Japanese or Chinese Windows Server 2012 installations, Enterprise Console fails when the Chart tab is selected in the Reporting window. Workaround: Use scheduled reports instead.
• (DEF82914) Optional user-defined desktop messages are not displayed on computers running Windows 8. For more information, see http://www.sophos.com/en-us/support/knowledgebase/118233.aspx.
• (DEF66327) Opening a remote console on a WAN takes approximately 75 seconds.
• (DEF61278) Default distribution share reserved name SophosUpdate

  When creating an Update Manager distribution, you cannot reference new shares named SophosUpdate because "SophosUpdate" is a reserved share name used for the default share.

  Workaround: When creating new shares, use other names such as "Update".

  In updating policies, when you are selecting a primary or secondary update location, the drop-down list shows the default share paths only in NetBIOS format, for example \\Server\SophosUpdate, although you may need to use the Fully-Qualified Domain Name form, for example \\server.de.acme\SophosUpdate.

  Workaround: Type the FQDN path into the server location update path field.

• (DEF58871, DEF58872) When discovering computers or synchronizing to Active Directory, Enterprise Console may fail to differentiate between multiple computers with the same name, and may switch them between groups alternately. This situation may arise where identically-named computers are situated on different domains or sub-domains.

  To work around this problem, do one of the following.

  • Ensure that Sophos RMS (Remote Management System) is installed and running on all identically-named computers before attempting to find them from Enterprise Console.

    Do not synchronize any Active Directory groups that contain machines which have identically-named computers. Manage the computers manually.

  • Eliminate duplicate computer names on your network.

Data control

• (WKI36074) New file creation is blocked on monitored storage devices if data control rules use either the "block" or "allow transfer on acceptance by user" actions.
• (DEF29635) Files transferred via the FTP protocol within Internet Explorer will not be scanned.

Full disk encryption

• (WKI93313) Encryption recovery cannot be performed for a protected endpoint after the endpoint was removed from the console.

  Workaround: Do not delete encrypted endpoints from the console.

Patch

• (WKI72698) Application Control can be configured to block CScript.exe that is used by Patch. If you use both Application Control and Patch, ensure that you do not block Microsoft WSH CScript in the Programming/Scripting tool category in the Application control policy. By default, programming and scripting tools are allowed.

Sophos Client Firewall

• (DEF22335) An allowed application is blocked temporarily by Sophos Client Firewall.

  When a Firewall policy is applied, all application rules are removed and then re-added. During this time, if an application that is allowed by the new policy tries to make an outbound connection, the application is blocked until the new policy is applied completely.

Copyright © 2014 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.