Sophos Endpoint Security and Control release notes

Maintenance phase

Endpoint Security and Control version 9.7 is now in its Maintenance phase. Although we still support it, and update the threat detection engine and threat data monthly, feature development has ended. To check the Retirement date, go to

You can upgrade to version 10.3.

Version numbers

Sophos Anti-Virus 9.7.9
Sophos Client Firewall 2.7.0
Sophos AutoUpdate 2.5.30

To identify the threat detection engine version and the threat data version:

  1. Open Endpoint Security and Control.
  2. In the left-hand pane, under Help and information, click View product information.
  3. Under Anti-virus and HIPS, click Software.
Note: Some of the features mentioned in these release notes are only available on managed computers or if you have the appropriate license.

New in this release

  • The threat detection engine and threat data have been updated.

Fixed issues

  • The Address Space Layout Randomization (ASLR) flag /DYNAMICBASE is not set on Sophos binaries, in particular those loaded in non-Sophos processes.
  • (DEF85510) Cross site scripting (XSS) vulnerability when Sophos Browser Helper Object (BHO) blocks malicious web content.

Known issues

Standalone installer

  • (CR26760) Sophos Client Firewall installation unexpectedly fails if run from a Windows Installer (.msi) package on Vista with User Access Control enabled.

Sophos Anti-Virus

  • Web protection uses an LSP (Layered Service Provider) to facilitate URL lookups. When Web protection is enabled alongside an incompatible LSP, system instability can occur. When a known incompatible LSP is already installed on the computer, the Sophos LSP is not installed. For more information, see

  • (DEF69950) If you uninstall Sophos TDL3 Rootkit Cleanup Tool version 1.1 on a computer with Sophos Endpoint Security and Control 9.7 installed, Sophos Anti-Virus will fail to perform a system memory scan reporting the following error: “Scanning ‘Memory’ returned SAV Interface error 0xa0040202: Scan failed.”

    This issue does not arise if you use Sophos TDL3 Rootkit Cleanup Tool version 1.2, the latest version available for downloading from the Sophos website.

    To work around this issue, remove any installations of Sophos TDL3 Rootkit Cleanup Tool 1.1 prior to upgrading your existing version of Sophos Endpoint Security and Control or installing Sophos Endpoint Security and Control 9.7 for the first time. Do not install Sophos TDL3 Rootkit Cleanup Tool 1.1 on computers running Sophos Endpoint Security and Control 9. Use Sophos TDL3 Rootkit Cleanup Tool 1.2 instead.

    If you have encountered this issue, see

  • (DEF56055) If you manually change the DNS list using Control Panel, Sophos Live Protection stops working. To work around this problem, restart the Sophos Anti-Virus service.
  • (WKI55631) Web protection does not support Windows XP Service Pack 1 and Windows 2000 Service Pack 3. To work around this problem, install the latest service pack for the operating system.
  • (DEF20694) When Sophos Anti-Virus detects a controlled application on a remote share, the alert always shows that the application was detected on the local computer.
  • (DEF18144, DEF16510) There are known issues for web content scanning with some browser extensions (for example, with Google Gears and RealPlayer 11 Download and Record). You should disable these browser extensions. For information on how to do this, see
  • (DEF57112) On-access scanning is disabled when you downgrade from Sophos Endpoint Security and Control 9.7, if the following apply:
    • You have previously had Sophos Anti-Virus 6 or earlier installed on the computer.
    • You have upgraded to SESC 9.7.
    • You try to downgrade to SESC 9.X or earlier.

    You will see an error message and your computer may not be protected against malware. The solution is to delete the registry key values below and then restart the SAV Service.



    (where NNNN is the last key).

Sophos AutoUpdate

  • (DEF63089) On Windows XP, occasionally AutoUpdate closes unexpectedly during an update.
  • (DEF67569) Sophos Anti-Virus for Windows XP cannot update when the computer has been quarantined by Sophos NAC 3.7. This problem exists for all supported languages on both the 32-bit and 64-bit versions of Windows XP.

  • (DEF68654) On Japanese and other Asian language computers, in the Services window of Control Panel, some of the service descriptions are not localised and display unwanted characters.
  • (WKI64768) AutoUpdate does not support updating through proxies that use WDigest authentication. However, AutoUpdate does support normal digest authentication. For more information, see

Sophos Client Firewall

  • (WKI55953) When you install Sophos Client Firewall, all network adapters are temporarily disconnected. This results in network connections being unavailable for up to 20 seconds and the disconnection of networked applications such as Microsoft Remote Desktop.
  • (WKI32813) Sophos Client Firewall reports Internet Explorer version 8 and 9 as a hidden process. For more information, see
  • (DEF18752) On Windows XP running Sophos Client Firewall and VMware, virtual machines might not be able to access the network. For more information, see
  • (DEF53171) Sophos Client Firewall does not support the “mobile broadband” driver model in Windows version 7.
  • (DEF16039) Sophos Client Firewall occasionally blocks some trusted applications.
  • (CR27434) When rules in the configuration editor are changed, packets of traffic that should not be affected by the modified rules may briefly be blocked while the rules are updating. This will occur only very briefly, but may be noticeable if alerts are being sent to the management console.
  • (CR27073) IPv6 addresses/interfaces in the log of traffic are not logged in IPv6 format.
  • (CR26248) When the log is displayed in a view that auto-refreshes (such as Allowed connections), the view stops refreshing if the service is under a heavy load. After changing to a different view and then back again, auto-refreshing works normally.
  • (CR25569) Although rules blocking IPv6 traffic block traffic that approaches or leaves the machine, they do not block loopback IPv6 traffic.

Additional information

  • On Windows 2000 systems running Internet Explorer 5 or 6, Web protection allows access to blocked sites via Windows Explorer.
  • Sophos Device Control does not block removable storage devices that are used as system drives, as this typically destabilizes the operating system.
  • Endpoint Security and Control standalone installations do not support Windows Server Core.
  • Endpoint Security and Control managed and standalone installations do not support Windows Server Core Hyper-V.
  • Shared Windows components

    When you install Sophos software, some Windows components that might also be used by non-Sophos software are also installed or upgraded:

    Sophos software Shared Windows component
    Name Filenames Versions Date of inclusion with Sophos software
    Sophos Anti-Virus Microsoft XML Core Services msxml4.dll 4.30.2100.0 September 2009
    msxml4r.dll 4.30.2100.0 September 2009
    ATL Library ATL80.dll 8.0.50727.4053 June 2007
    Microsoft Visual C/C++ Runtime Libraries msvcm80.dll 8.0.50727.4053 June 2007
    msvcp80.dll 8.0.50727.4053 June 2007
    msvcr80.dll 8.0.50727.4053 June 2007
    Sophos AutoUpdate Windows Installer msi.dll 2.0.2600.2 November 2003
    msiexec.exe 2.0.2600.2 November 2003
    msihnd.dll 2.0.2600.2 November 2003
    msimain.sdb N/a November 2003
    msimsg.dll 2.0.2600.2 November 2003
    msisip.dll 2.0.2600.2 November 2003
    msls31.dll 3.10.337.0 November 2003
    mspatcha.dll 5.1.2600.0 November 2003
    riched20.dll November 2003
    sdbapiU.dll November 2003
    shfolder.dll 5.0.2919.20 November 2003
    usp10.dll 1.325.2180.1 November 2003
    Sophos Client Firewall Microsoft XML Core Services msxml4.dll 4.30.2100.0 September 2009
    msxml4r.dll 4.30.2100.0 September 2009
    Microsoft Visual C/C++ Runtime Libraries msvcm80.dll 8.0.50727.4053 March 2010
    msvcp80.dll 8.0.50727.4053 March 2010
    msvcr80.dll 8.0.50727.4053 March 2010

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2011–2013 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.