About these release notes

These are the release notes for Sophos Endpoint Security and Control for Windows Recommended versions, managed by Sophos Enterprise Console or standalone.

Some of the features mentioned in these release notes are only available on managed computers or if you have the appropriate license.

Note

You may find that you cannot yet download and use the latest version on the lists below. This is because Sophos releases the software over a number of days, but publishes the release notes on the first day.

Version 10.8

| Components | Sophos Endpoint Security and Control 10.8.4.4 VE 3.74.1 (July 2019) | Sophos Endpoint Security and Control 10.8.4.3 VE3.74.1 (May 2019) |
|---|---|---|
| Sophos Anti-Virus | 10.8.4.227 | 10.8.4.227 |
| Threat detection engine | 3.74.1 | 3.74.1 |
| Sophos Client Firewall Windows 8 and later | 3.0.6 | 3.0.6 |
| Sophos Client Firewall Windows 7 and earlier | 2.9.7 | 2.9.7 |
| Sophos AutoUpdate | 5.15.166 | 5.14.36 |
| Sophos Patch Agent | 1.0.313.30 | 1.0.313.30 |
| Sophos Web Control | 1.5 | 1.5 |
| Sophos Remote Management System | 4.1.2.24 | 4.1.2.24 |
| Sophos Network Threat Protection / Malicious Traffic Detector | 1.8.77.8000 | 1.8.77.8000 |
| Sophos System Protection / Sophos Endpoint Defense | 2.1.2.8000 | 2.1.2 |

Version 10.8.4.4 VE 3.74.1

Updated components

Sophos AutoUpdate has been updated to 5.15.166.

Resolved issues

| Issue ID | Component | Description |
|---|---|---|
| WINEP-12971 | Sophos AutoUpdate | Resolved an issue with Sophos Anti-Virus failing to update. |
| WINEP-16773 | Sophos AutoUpdate | Resolved an issue with unlocking computers with an identity agent installed if Almon.exe is running. |
| WINEP-17442 | Sophos AutoUpdate | License expiry message is now available in all languages. |

Version 10.8.4.3 VE3.74.1

Updated components

Sophos Anti-Virus has been updated to 10.8.4.227.

Sophos Patch Agent has been updated to 1.0.313.30.

Sophos Remote Management Service has been updated to 4.1.2.24.

Sophos Network Threat Protection has been updated to 1.8.77.8000.

Sophos Endpoint Defense has been updated to 2.1.2.

Sophos System Protection (SSP) has been removed.

Deprecated functionality

Custom installation paths are no longer supported. Existing installations using custom installation paths will fail to update to 10.8.4 and later versions.

A custom installation path is no longer offered by the standalone installer.

Download size

If you are upgrading from the previous version (10.8.2), the download size is 167MB.

If you are also subscribed to Sophos Patch Agent, the download size is an extra 21.2MB.

Resolved issues

| Issue ID | Component | Description |
|---|---|---|
| WINEP-7792 | Sophos Anti-Virus | Resolved an issue causing excessive CPU usage when opening the Sophos Anti-Virus GUI. |
| WINEP-14732 | Sophos Anti-Virus | Resolved an issue generating false behavior detection log entries. |
| WINEP-13683 | Sophos Anti-Virus | Resolved a resource leak seen with EPP in some configurations. |
| WINEP-13879 | Sophos Anti-Virus | Resolved issue preventing migration to Sophos Central. |
| WINEP-14543 | Sophos Remote Management System | Resolved an issue where message relay settings were lost. |
| WINEP-12731 | Sophos Remote Management System | Resolved issue with communications to Sophos Enterprise Console on startup. |
| WINEP-11298 | Sophos Network Threat Protection / Malicious Traffic Detector | Resolved performance slowdown seen with MTD and SCF active. |

Known issues and limitations

Component

Issue ID

Description

Comment

Sophos Anti-Virus

WINEP-1862

If you have a version of Sophos Anti-Virus installed that is earlier than 10.3.15 and choose to uninstall it by using the Uninstall button on the What needs your attention screen of the Windows 10 Setup wizard, not all of the Endpoint Security and Control components will be removed.

We recommend that you upgrade to Endpoint Security and Control 10.3.15 before upgrading to Windows 10.

For more information about removing Endpoint Security and Control, see knowledgebase article 12360.

Windows 10 support

Sophos Anti-Virus

-

On 64-bit computers upgraded from Windows 8.1 to Windows 10, in the 32-bit version of Windows Explorer, the right-click option Scan with Sophos Anti-Virus does not work. (The option works correctly in the native 64-bit version of Windows Explorer.) This is due to a missing Sophos registry key that was not migrated during the OS upgrade.

To resolve this issue, re-protect the computers: in Enterprise Console, select the computers you want to re-protect, right-click, and then click Protect Computers. Follow the steps in the Protect Computers Wizard. Alternatively, to manually re-protect a computer, follow the steps provided in knowledgebase article 12386.

V.10.3.15, Windows 10 support

Sophos Anti-Virus

-

After an upgrade from Windows 8.1 (either 64-bit or 32-bit) to Windows 10, if a computer is started in safe mode, the Sophos Anti-Virus service (SAVService.exe) fails to start. This is due to a missing Sophos registry key that was not migrated during the OS upgrade.

To resolve this issue, re-protect the computers.

V.10.3.15, Windows 10 support

Sophos Anti-Virus

-

After an upgrade from Windows 8.1 (either 64-bit or 32-bit) to Windows 10, the Sophos Healthcheck tool fails with warnings about missing registry keys. This is because some of the Sophos registry keys have not been migrated during the OS upgrade.

To resolve this issue, re-protect the computers.

V.10.3.15, Windows 10 support

Sophos Anti-Virus

WINEP-1813

On SAV upgrade, for example, from 10.3.12 to 10.3.15, the following error may appear in Enterprise Console and in the SAV log on the endpoint:

Web protection is no longer functional. The filtering driver has been bypassed or unloaded 0xa058000c

This issue is caused by Sophos Client Firewall blocking the web protection processes. To work around it, allow the processes in the firewall policy in Enterprise Console as follows. In the advanced Firewall Policy configuration dialog, under Configurations, click Configure next to a location you want to configure, go to the Processes tab, click Add to allow an application to launch hidden processes and add the following files: swi_lspdiag.exe and swi_lspdiag64.exe.

V.10.3.15

Sophos Anti-Virus

-

When a computer is upgraded to Windows 10, the following error may be reported against it in Enterprise Console:

Web Protection is no longer functional. The filtering driver has been bypassed or unloaded. [0xa058000c]

These errors can be safely ignored. To remove them from Enterprise Console, after the computer has been upgraded to Windows 10, right-click the computer, click Resolve Alerts and Errors, select the errors and click Acknowledge.

V.10.3.15, Windows 10 support

Sophos Anti-Virus

WINEP-1770

Sophos Anti-Virus doesn’t support Hypervisor enforced Code Integrity introduced in the Enterprise lockdown mode.

V.10.3.15, Windows 10 support

Sophos AutoUpdate

WINEP-1841

The update log (C:\ProgramData\Sophos\AutoUpdate\logs\alc.log) contains messages about “skipped” components that are not included in this version of Endpoint Security and Control, for example:

Installation of Sophos Network Threat Protection skipped

Installation of Sophos System Protection skipped

These messages can be safely ignored.

 

Sophos Client Firewall

-

After a computer with a standalone installation of Sophos Endpoint Security and Control that includes Sophos Client Firewall is upgraded to Windows 10, the firewall configuration cannot be applied. The following errors are logged in the firewall system log:

Failed to configure the firewall.

Failed to update the filter rules, error 80004005.

To resolve this issue, restart the computer.

V.10.3.15, Windows 10 support

Sophos Client Firewall

WINEP-1819

After an upgrade from Windows 7 to Windows 10, the firewall Windows 7 driver SCFNdis.sys is migrated but cannot be loaded and may cause a system error when the computer is booted.

To resolve this issue, browse to the folder C:\Windows\System32\drivers and delete the file SCFNdis.sys.

V.10.3.15, Windows 10 support

Sophos Client Firewall

-

When a computer is upgraded to Windows 10, the following errors may be reported against it in Enterprise Console:

Failed to configure the firewall.

Failed to update the filter rules, error 80004005.

These errors can be safely ignored. To remove them from Enterprise Console, after the computer has been upgraded to Windows 10, right-click the computer, click Resolve Alerts and Errors, select the errors and click Acknowledge.

V.10.3.15, Windows 10 support

Sophos Client Firewall

-

It is not possible to deploy Sophos Anti-Virus and Sophos Client Firewall to a Windows 10 endpoint at the same time from Sophos Enterprise Console.

Workaround: Deploy Sophos Anti-Virus first, and then re-run the Protect Computers Wizard and deploy Sophos Client Firewall.

Windows 10 support

Sophos Client Firewall

-

On upgrade to Windows 10, Sophos Client Firewall loses all custom configuration settings and reverts to the default settings. Custom configuration settings need to be re-applied following the upgrade.

  • If you use Enterprise Console to manage Sophos Client Firewall, re-apply the firewall policy to the computer after you upgrade it to Windows 10. In Enterprise Console, in the computer list, the computer’s policy compliance will be shown as “Differs from policy”. Right-click the computer, click Comply with and then click Group Firewall Policy.
  • If you use a standalone installation of Endpoint Security and Control and Sophos Client Firewall, before you start the upgrade to Windows 10, export the firewall configuration to a file: open Sophos Endpoint Security and Control and on the Home page, under Firewall, click Configure firewall, click Export and save the configuration file.

    After the upgrade to Windows 10, import the configuration file: under Firewall, click Configure firewall, and then click Import.

V.10.3.15, Windows 10 support

Sophos Client Firewall

WINEP-1758

On Windows 10, a dual location firewall policy cannot be applied to an endpoint when both locations are visible (this includes VPN connections). The following errors appear in the firewall system log:

Failed to configure the firewall

Failed to update the filter rules error 80004005

Workaround: Disable configuration for a secondary location, or use Windows Firewall instead.

Windows 10 support

Sophos Patch

WINEP-1818

In Enterprise Console, in the Protect Computers Wizard, Windows 10 is not listed in the list of platforms on which Patch is available, even though Sophos Patch Agent can be installed on Windows 10.

Note: Even though Sophos Patch Agent will install on Windows 10, it is not currently supported on it and will not report missing patch information.

Windows 10 support

Data Control

DEF79180

Files that breach a data control rule can still be transferred to a Windows 8 storage pool.

 

Installer

DEF84838

Protecting Windows 8 or Windows Server 2012 computers that are in a workgroup from Sophos Enterprise Console 5.1 on Windows Server 2008 or Windows Server 2008 R2 fails with the errors "Failed to launch setup.exe" and "2147942405".

For more information and instructions on how to enable deployment, see http://www.sophos.com/en-us/support/knowledgebase/118354.aspx.

 

Sophos Anti-Virus

DEF84420

If you use a browser's Windows 8 Modern UI application to access a malicious website, and you click the toast that Sophos Anti-Virus displays, the browser is minimized and the desktop is displayed instead. To switch back to the browser, press Alt+Tab.

 

Sophos Anti-Virus

DEF83463

Although Sophos Anti-Virus can scan files that are locked during an on-demand scan, it cannot perform cleanup successfully.

 

Sophos Anti-Virus

DEF79482

iSCSI mount points cannot be excluded from on-access scanning.

 

Sophos Anti-Virus, Sophos Web Control

-

Sophos web protection and web control use a Layered Service Provider (LSP) to intercept network traffic. If web protection or web control is turned on while an incompatible third-party LSP is running, system instability can occur. Therefore, if a third-party LSP that is known to be incompatible is already installed on the computer, the Sophos LSP is not installed. For more information, see http://www.sophos.com/en-us/support/knowledgebase/116241.aspx.

 

Additional information

System requirements

Sophos Endpoint Security and Control is supported on Windows XP/2003/Vista/2008/7/8/2012/Windows 10. For a full list of system requirements, see System Requirements for Antivirus protection for Windows.

Subscriptions, packages and product versions

Which maintenance version of Endpoint Security and Control do I have?

To find out which maintenance version of Endpoint Security and Control (for example, 10.3.7) is running on your computer:

  1. Open Endpoint Security and Control.
  2. In the left-hand pane, under Help and information, click View product information.
  3. Under Anti-virus and HIPS, click Software.

Deployment

Automatic deployment of Endpoint Security and Control to Windows 8 and Windows Server 2012 from Enterprise Console requires Enterprise Console 5.1 or later.

Automatic deployment of Endpoint Security and Control to Windows 8.1 and Windows Server 2012 R2 from Enterprise Console requires Enterprise Console 5.2.1 R2 or later.

If you are using Enterprise Console 5.0 or earlier, you can install the software by running the installer from a bootstrap location that contains a software subscription for version 10.3. For more information on manual installation, see https://www.sophos.com/en-us/support/knowledgebase/12386.aspx.

Support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2

  • Endpoint Security and Control uses toast notifications instead of balloon notifications to display messages on screen.
  • If you specify a user-defined message to be displayed in desktop messages, it is not displayed in toasts. For more information, see https://www.sophos.com/en-us/support/knowledgebase/118233.aspx.
  • If Sophos Anti-Virus cleans up a threat that affects a Windows Store app, it marks the app as tampered with. This causes Windows to offer the user the ability to re-download and re-install the app.
  • Rootkit scanning is not supported on REFS file systems on Windows Server 2012 and Windows Server 2012 R2. If the user attempts a rootkit scan on this file system, a message will be logged in the SAV log telling them that rootkit scanning is not supported.

Sophos Client Firewall

  • A number of features have been removed from Sophos Client Firewall 3.0 for Windows 8:

    Interactive mode
    Hidden process detection
    Modified memory detection
    Rawsocket applications (rawsockets are treated the same as other connections)
    Non-stateful rules
    The option Concurrent connections for TCP rules
    The option Where the local port is equal to the remote port

  • Sophos Client Firewall does not support the "mobile broadband" driver model in Windows 7.
  • When you install Sophos Client Firewall, all network adapters are temporarily disconnected. This results in network connections being unavailable for up to 20 seconds and the disconnection of networked applications such as Microsoft Remote Desktop.
  • When the log is displayed in a view that auto-refreshes (such as Allowed connections), the view stops refreshing if the service is under a heavy load. After changing to a different view and then back again, auto-refreshing works normally.

Application Control

When Sophos Anti-Virus detects a controlled application on a remote share, the alert always shows that the application was detected on the local computer.

Sophos Device Control

Sophos Device Control does not block removable storage devices that are used as system drives, as this typically destabilizes the operating system.

Unsupported scenarios

  • Endpoint Security and Control standalone installations do not support Windows Server Core.
  • Endpoint Security and Control managed and standalone installations do not support Windows Server Core Hyper-V.

Shared Windows components

When you install Sophos software, some Windows components that might also be used by non-Sophos software are also installed or upgraded:

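| Sophos software | Shared Windows component: Name | File names | Versions | Date of inclusion with Sophos software |
|---|---|---|---|---|
| Sophos Anti-Virus | Microsoft XML Core Services | msxml4.dll | 4.30.2100.0 | September 2009 |
| Sophos Anti-Virus | Microsoft XML Core Services | msxml4r.dll | 4.30.2100.0 | September 2009 |
| Sophos Anti-Virus | ATL Library | atl90.dll | 9.0.30729.4148 | June 2013 |
| Sophos Anti-Virus | Microsoft Visual C/C++ Runtime Libraries | msvcm90.dll | 9.0.30729.4148 | June 2013 |
| Sophos Anti-Virus | Microsoft Visual C/C++ Runtime Libraries | msvcp90.dll | 9.0.30729.4148 | June 2013 |
| Sophos Anti-Virus | Microsoft Visual C/C++ Runtime Libraries | msvcr90.dll | 9.0.30729.4148 | June 2013 |
| Sophos Client Firewall 3.0 for Windows 8 | Microsoft XML Core Services | msxml4.dll | 4.30.2100.0 | June 2013 |
| Sophos Client Firewall 3.0 for Windows 8 | Microsoft XML Core Services | msxml4r.dll | 4.30.2100.0 | June 2013 |
| Sophos Client Firewall 3.0 for Windows 8 | Microsoft Visual C/C++ Runtime Libraries | msvcm90.dll | 9.0.30729.6161 | June 2013 |
| Sophos Client Firewall 3.0 for Windows 8 | Microsoft Visual C/C++ Runtime Libraries | msvcp90.dll | 9.0.30729.6161 | June 2013 |
| Sophos Client Firewall 3.0 for Windows 8 | Microsoft Visual C/C++ Runtime Libraries | msvcr90.dll | 9.0.30729.6161 | June 2013 |
| Sophos Client Firewall 2.9 for Windows 7 and earlier | Microsoft XML Core Services | msxml4.dll | 4.30.2100.0 | September 2009 |
| Sophos Client Firewall 2.9 for Windows 7 and earlier | Microsoft XML Core Services | msxml4r.dll | 4.30.2100.0 | September 2009 |
| Sophos Client Firewall 2.9 for Windows 7 and earlier | Microsoft Visual C/C++ Runtime Libraries | msvcm90.dll | 9.0.30729.6161 | October 2013 |
| Sophos Client Firewall 2.9 for Windows 7 and earlier | Microsoft Visual C/C++ Runtime Libraries | msvcp90.dll | 9.0.30729.6161 | October 2013 |
| Sophos Client Firewall 2.9 for Windows 7 and earlier | Microsoft Visual C/C++ Runtime Libraries | msvcr90.dll | 9.0.30729.6161 | October 2013 |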

Legal notices

Copyright © 2019 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.