Sophos Endpoint Security and Control release notes

Maintenance phase

Endpoint Security and Control version 9.7 is now in its Maintenance phase. Although we still support it, and update the threat detection engine and threat data monthly, feature development has ended. To check the Retirement date, go to http://www.sophos.com/en-us/support/retirements.aspx.

You can upgrade to version 10.3.

Version numbers

Sophos Anti-Virus 9.7.9
Sophos Client Firewall 2.7.0
Sophos AutoUpdate 2.5.30

To identify the threat detection engine version and the threat data version:

  1. Open Endpoint Security and Control.
  2. In the left-hand pane, under Help and information, click View product information.
  3. Under Anti-virus and HIPS, click Software.

Note: Some of the features mentioned in these release notes are only available on managed computers or if you have the appropriate license.

New in this release

  • The threat detection engine and threat data have been updated.

Fixed issues

  • The Address Space Layout Randomization (ASLR) flag /DYNAMICBASE is not set on Sophos binaries, in particular those loaded in non-Sophos processes.
  • (DEF85510) Cross-site scripting (XSS) vulnerability when Sophos Browser Helper Object (BHO) blocks malicious web content.
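
To confirm the /DYNAMICBASE fix listed above on a given binary, the DllCharacteristics field of its PE header can be read directly. The following is an added example, not Sophos code; the function names are hypothetical and sample_pe() builds constructed header bytes rather than a real Sophos file.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the linker's /DYNAMICBASE

def aslr_status(pe: bytes) -> str:
    """Classify a PE image as 'aslr', 'no-dynamicbase' or 'relocs-stripped'."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    opt = e_lfanew + 24  # skip the 4-byte "PE\0\0" signature and 20-byte COFF header
    if opt + 72 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (file_chars,) = struct.unpack_from("<H", pe, e_lfanew + 22)
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional-header magic")
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        return "no-dynamicbase"
    if file_chars & IMAGE_FILE_RELOCS_STRIPPED:
        return "relocs-stripped"  # flag set, but no relocation data to rebase with
    return "aslr"

def sample_pe(dll_chars: int, file_chars: int = 0x2102, magic: int = 0x10B) -> bytes:
    """Constructed header-only PE image for testing (not a real Sophos binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, file_chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

def missing_aslr(images: dict) -> list:
    """Names of images that would not be randomised when loaded into a process."""
    return sorted(n for n, data in images.items() if aslr_status(data) != "aslr")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the DLLs in the product's install directory
        with open(path, "rb") as fh:
            print(path, aslr_status(fh.read(4096)))
```

Binaries that are injected into or loaded by other processes (such as the BHO) are the ones where a result other than "aslr" matters most, because they give every host process a module at a predictable address.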

Known issues

Standalone installer

  • (CR26760) Sophos Client Firewall installation unexpectedly fails if run from a Windows Installer (.msi) package on Vista with User Account Control enabled.

Sophos Anti-Virus

  • Web protection uses an LSP (Layered Service Provider) to facilitate URL lookups. When Web protection is enabled alongside an incompatible LSP, system instability can occur. When a known incompatible LSP is already installed on the computer, the Sophos LSP is not installed. For more information, see http://www.sophos.com/support/knowledgebase/article/111203.html.

  • (DEF69950) If you uninstall Sophos TDL3 Rootkit Cleanup Tool version 1.1 on a computer with Sophos Endpoint Security and Control 9.7 installed, Sophos Anti-Virus will fail to perform a system memory scan, reporting the following error: “Scanning ‘Memory’ returned SAV Interface error 0xa0040202: Scan failed.”

    This issue does not arise if you use Sophos TDL3 Rootkit Cleanup Tool version 1.2, the latest version available for downloading from the Sophos website.

    To work around this issue, remove any installations of Sophos TDL3 Rootkit Cleanup Tool 1.1 prior to upgrading your existing version of Sophos Endpoint Security and Control or installing Sophos Endpoint Security and Control 9.7 for the first time. Do not install Sophos TDL3 Rootkit Cleanup Tool 1.1 on computers running Sophos Endpoint Security and Control 9. Use Sophos TDL3 Rootkit Cleanup Tool 1.2 instead.

    If you have encountered this issue, see http://www.sophos.com/support/knowledgebase/article/113403.html.

  • (DEF56055) If you manually change the DNS list using Control Panel, Sophos Live Protection stops working. To work around this problem, restart the Sophos Anti-Virus service.
  • (WKI55631) Web protection does not support Windows XP Service Pack 1 and Windows 2000 Service Pack 3. To work around this problem, install the latest service pack for the operating system.
  • (DEF20694) When Sophos Anti-Virus detects a controlled application on a remote share, the alert always shows that the application was detected on the local computer.
  • (DEF18144, DEF16510) There are known issues for web content scanning with some browser extensions (for example, with Google Gears and RealPlayer 11 Download and Record). You should disable these browser extensions. For information on how to do this, see http://www.sophos.com/support/knowledgebase/article/36142.html.
  • (DEF57112) On-access scanning is disabled when you downgrade from Sophos Endpoint Security and Control 9.7, if the following apply:
    • You have previously had Sophos Anti-Virus 6 or earlier installed on the computer.
    • You have upgraded to SESC 9.7.
    • You try to downgrade to SESC 9.X or earlier.

    You will see an error message and your computer may not be protected against malware. The solution is to delete the registry key values below and then restart the SAV Service.

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVI

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVI\SAV-0000 to SAV-NNNN

    (where NNNN is the last key).

Sophos AutoUpdate

  • (DEF63089) On Windows XP, occasionally AutoUpdate closes unexpectedly during an update.
  • (DEF67569) Sophos Anti-Virus for Windows XP cannot update when the computer has been quarantined by Sophos NAC 3.7. This problem exists for all supported languages on both the 32-bit and 64-bit versions of Windows XP.

  • (DEF68654) On Japanese and other Asian language computers, in the Services window of Control Panel, some of the service descriptions are not localised and display unwanted characters.
  • (WKI64768) AutoUpdate does not support updating through proxies that use WDigest authentication. However, AutoUpdate does support normal digest authentication. For more information, see http://www.sophos.com/support/knowledgebase/article/112633.html.

Sophos Client Firewall

  • (WKI55953) When you install Sophos Client Firewall, all network adapters are temporarily disconnected. This results in network connections being unavailable for up to 20 seconds and the disconnection of networked applications such as Microsoft Remote Desktop.
  • (WKI32813) Sophos Client Firewall reports Internet Explorer version 8 and 9 as a hidden process. For more information, see http://www.sophos.com/support/knowledgebase/article/54899.html.
  • (DEF18752) On Windows XP running Sophos Client Firewall and VMware, virtual machines might not be able to access the network. For more information, see http://www.sophos.com/support/knowledgebase/article/15434.html.
  • (DEF53171) Sophos Client Firewall does not support the “mobile broadband” driver model in Windows version 7.
  • (DEF16039) Sophos Client Firewall occasionally blocks some trusted applications.
  • (CR27434) When rules in the configuration editor are changed, packets of traffic that should not be affected by the modified rules may briefly be blocked while the rules are updating. This will occur only very briefly, but may be noticeable if alerts are being sent to the management console.
  • (CR27073) IPv6 addresses/interfaces in the log of traffic are not logged in IPv6 format.
  • (CR26248) When the log is displayed in a view that auto-refreshes (such as Allowed connections), the view stops refreshing if the service is under a heavy load. After changing to a different view and then back again, auto-refreshing works normally.
  • (CR25569) Although rules blocking IPv6 traffic block traffic that approaches or leaves the machine, they do not block loopback IPv6 traffic.

Additional information

  • On Windows 2000 systems running Internet Explorer 5 or 6, Web protection allows access to blocked sites via Windows Explorer.
  • Sophos Device Control does not block removable storage devices that are used as system drives, as this typically destabilizes the operating system.
  • Endpoint Security and Control standalone installations do not support Windows Server Core.
  • Endpoint Security and Control managed and standalone installations do not support Windows Server Core Hyper-V.
  • Shared Windows components

    When you install Sophos software, some Windows components that might also be used by non-Sophos software are also installed or upgraded:

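    Sophos software         Shared Windows component                  Filenames     Versions        Date of inclusion with Sophos software
    Sophos Anti-Virus       Microsoft XML Core Services               msxml4.dll    4.30.2100.0     September 2009
    Sophos Anti-Virus       Microsoft XML Core Services               msxml4r.dll   4.30.2100.0     September 2009
    Sophos Anti-Virus       ATL Library                               ATL80.dll     8.0.50727.4053  June 2007
    Sophos Anti-Virus       Microsoft Visual C/C++ Runtime Libraries  msvcm80.dll   8.0.50727.4053  June 2007
    Sophos Anti-Virus       Microsoft Visual C/C++ Runtime Libraries  msvcp80.dll   8.0.50727.4053  June 2007
    Sophos Anti-Virus       Microsoft Visual C/C++ Runtime Libraries  msvcr80.dll   8.0.50727.4053  June 2007
    Sophos AutoUpdate       Windows Installer                         msi.dll       2.0.2600.2      November 2003
    Sophos AutoUpdate       Windows Installer                         msiexec.exe   2.0.2600.2      November 2003
    Sophos AutoUpdate       Windows Installer                         msihnd.dll    2.0.2600.2      November 2003
    Sophos AutoUpdate       Windows Installer                         msimain.sdb   N/a             November 2003
    Sophos AutoUpdate       Windows Installer                         msimsg.dll    2.0.2600.2      November 2003
    Sophos AutoUpdate       Windows Installer                         msisip.dll    2.0.2600.2      November 2003
    Sophos AutoUpdate       Windows Installer                         msls31.dll    3.10.337.0      November 2003
    Sophos AutoUpdate       Windows Installer                         mspatcha.dll  5.1.2600.0      November 2003
    Sophos AutoUpdate       Windows Installer                         riched20.dll  5.30.23.1200    November 2003
    Sophos AutoUpdate       Windows Installer                         sdbapiU.dll   1.0.0.1         November 2003
    Sophos AutoUpdate       Windows Installer                         shfolder.dll  5.0.2919.20     November 2003
    Sophos AutoUpdate       Windows Installer                         usp10.dll     1.325.2180.1    November 2003
    Sophos Client Firewall  Microsoft XML Core Services               msxml4.dll    4.30.2100.0     September 2009
    Sophos Client Firewall  Microsoft XML Core Services               msxml4r.dll   4.30.2100.0     September 2009
    Sophos Client Firewall  Microsoft Visual C/C++ Runtime Libraries  msvcm80.dll   8.0.50727.4053  March 2010
    Sophos Client Firewall  Microsoft Visual C/C++ Runtime Libraries  msvcp80.dll   8.0.50727.4053  March 2010
    Sophos Client Firewall  Microsoft Visual C/C++ Runtime Libraries  msvcr80.dll   8.0.50727.4053  March 2010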

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2011–2013 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.