Known Issues - Enterprise Console version 4
The following are Known Issues in Enterprise Console, version 4.
Installation and upgrade
- A single instance of Enterprise Console can manage up to 25,000 endpoints. To support more than 10,000 endpoints you must deploy Message Relays. If Enterprise Console 4 is installed on a Windows Server 2008 computer, you must deploy Message Relays to support more than 5,000 endpoints. This is a limitation of Windows Server 2008 that we are currently investigating.
- (DEF 37341) You cannot install Enterprise Console (including Remote Console) on a Windows XP, Windows Vista or Windows 2000 Professional computer where Sophos Client Firewall has been installed. If you want to install Enterprise Console on one of these computers, remove Sophos Client Firewall first and reinstall it after you have installed the Enterprise Console.
- (WKI 26898) An Enterprise Console management server cannot connect to a remote database installed on a SQL Server Express instance. This is because, by default, SQL Server Express does not allow remote connections. For more information, see the Sophos support article Enterprise Console: management server cannot connect to remote database on SQL Server Express (in English).
- (QUE 20382) A reboot may be required following an Enterprise Console installation or upgrade. Some files required by the setup may be in use when the installation or upgrade is carried out, and a restart will then be required to complete the file copy. Installation of the Enterprise Console management server will fail at runtime if the Microsoft networking client is not installed on the computer (the client does not need to be active).
- (DEF 18692) A reboot may be required after removing third-party security software. In rare circumstances a reboot of an endpoint computer may be required to successfully complete the uninstallation of third-party security software and installation of Sophos security software.
Application control
- (DEF 27077) Application control events are generated without applications being run by a user. There are a number of scenarios where application control events that are not the result of the user running the application will be reported back to Enterprise Console. These are:
  - When an endpoint computer is restarted, an event will be generated if a controlled application has an entry within the Windows Start menu, for example, Microsoft Games.
  - When a user opens the Add or Remove Programs window, an event will be generated if a controlled application is on the list of programs.
  - An event will be generated when a user wants to view file properties of a controlled application (by right-clicking on the file and selecting Properties) or when a user hovers the mouse cursor over the file to view the file’s tooltip.
  - In the Application Control Event Viewer, the User column may contain “NT Authority”. The user will be reported as “NT Authority” rather than the user logged onto the endpoint if an application is detected during a scheduled scan, by a scheduled task being activated, or when the Start menu is enumerated.
  - Multiple application control events can be generated by a single application identity, for example, “MS Windows Games”. This occurs when an identity covers multiple executables or detection is triggered against more than one application component. The latter case normally occurs for scheduled scans with application detection enabled.
- (CR 28114) Enterprise Console cannot show if a controlled application was detected locally or remotely. If a user attempts to install a controlled application that is blocked, the application will be prevented from being installed. An alert will be sent to Enterprise Console, but the alert will show neither the action that raised the alert nor where the installer was located. For more information about the application control event, see the Sophos Anti-Virus log file on the endpoint (C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt).
Sophos data leakage prevention functionality - DLP
- (WKI32320) Display stops refreshing after the User acceptance message for Data Control appears. This is an issue with Windows refreshing itself and does not affect the functionality of Endpoint Security and Control.
- (WKI34755/WKI36498) Request user authorisation action doesn’t appear with Outlook Express file attachment. There is a second dialog that will ask the user to accept or block the message before the message will be sent.
- (WKI41243) Document checkout from SharePoint generates a data control event. This occurs when you have a rule set up to block file access through web browsers.
- (WKI47084) A file in SharePoint can be sent via Outlook without triggering a DLP rule.
- (WKI48237) Saving an attachment to a network location causes a data control alert if the file already exists. Workaround: Save the attachment locally, then use Windows Explorer to copy the file to the network location.
- (DEF 29635) Files transferred via the FTP protocol within Internet Explorer will not be scanned.
- (WKI 34375) An empty file stub may be attached to an email when a file has been blocked by data control. Outlook Express and Outlook Web Access will attach an empty file stub to an email following a data control “block” action. This includes the scenario where a user selects the “block file transfer” option in response to the “allow transfer on acceptance by user” action set in the data control rule.
- (WKI 30676) Microsoft’s “ReadyBoost” technology will be blocked if data control rules use either the “block” or “allow transfer on acceptance by user” actions. In this scenario data control blocks all writes to removable storage except for those made via Windows Explorer. ReadyBoost is not compatible with data control, you can only run one or the other.
- (WKI 31534) Applications (including those stored on the device) will be prevented from writing data to removable storage if data control rules use either the “block” or “allow transfer on acceptance by user” actions.
- (WKI 36074) New file creation is blocked on monitored storage devices if data control rules use either the “block” or “allow transfer on acceptance by user” actions.
- Anti-virus and HIPS exclusions will apply to data control in the following situations:
  - Application monitoring, that is, any files uploaded or attached via monitored applications will be exempt from scanning if the source location or file name is specified in the Anti-virus and HIPS policy exclusion list.
  - Storage monitoring for non-Windows Explorer transfers, that is, transfers that are automatically blocked if the “allow transfer on acceptance by user” or “block” action is used in a data control rule for storage devices.
- (DEF 40240) Application virtualization and streaming technologies (for example, Microsoft App-V) are not supported in this release.
- (DEF 48035) Alternative file systems, such as AFS (Andrew File System), are not supported in this release.
- (WKI 36996) If a monitored internet browser (for example, Internet Explorer) is used to explore the file system, it may trigger data control scanning as the file system is browsed.
- (WKI 37905) Installation of applications (for example, Internet Explorer or Firefox) from the desktop or “My documents” may be interrupted by data control if the applications are monitored by data control rules.
- (WKI 37907) Installation of Firefox plug-ins (XPI) can be blocked if a data control rule monitors Firefox for "images" and "archives" file types.
Device control
- (SUG 29039) The block network bridging mode will not work in IPV6-only environments.
- (WKI 37908) Devices that use the Media Transfer Protocol (MTP) are not blocked by device control; by default, data cannot be written to these devices using Windows Explorer. Camera devices are likewise not blocked by device control and, by default, cannot have data written to them using Windows Explorer.
- (WKI 30431) The “Kingston DataTraveler Vault” hardware-encrypted device is not covered by the “Secure Removable Storage” category within device control. Compared to other hardware-encrypted storage devices, this model uses a different mechanism to expose its encrypted storage partition. Currently this mechanism cannot be automatically detected and exempted.
- (WKI 36186) In the “block bridged” mode it is not possible to generate the “block” events required to exempt Wireless or Modem device types.
- (WKI 41288) Device control raises 2 alert messages when a CD drive that has not previously been installed is plugged in. It should only raise 1 alert.
- (WKI34739) Safe Stick is accessible even when blocked, or cannot be accessed if the CD part is made read-only.
- (WKI40161) Unable to block printers’ removable storage slots with a device control policy. This is because device control does not work across a network share.
Firewall
- (DEF 22335) An allowed application is blocked temporarily by Sophos Client Firewall. When a Firewall policy is applied, all application rules are removed and then re-added. During this time, if an application that is allowed by the new policy tries to make an outbound connection, the application is blocked until the new policy is applied completely.
- (SUG 18615) In some cases firewall rules are not applied to a running application or service until it is restarted. If a process was detected using “process verification” (for example, when it was launched it was a new or modified application), then a new firewall configuration will not be applied until after the application or service is restarted.
- (WKI46954) When Internet Explorer 8 is opened after Sophos Anti-Virus and Sophos Client Firewall have been installed, an 'Add/Replace checksum' message is displayed twice. This has also been seen with other network applications.
Other issues
- (DEF 36019) If Sophos Endpoint Security and Control is not installed on the server running the Enterprise Console management server, endpoint computers show “Unknown” as their up-to-date status. Sophos Endpoint Security and Control must always be installed (although it does not have to be running) on the server running the Enterprise Console management server. Otherwise, Enterprise Console will not be able to manage endpoint computers correctly.
- Computer names must use 7-bit ASCII characters to be valid in Enterprise Console. Computers with names containing accented or non-Roman characters are not recognized.
- (CR 22041 and CR 27529) Computers imported from or synchronized with Active Directory may appear in the console as belonging to a workgroup.
When Enterprise Console discovers an unmanaged computer that belongs to a workgroup by using the Find on the network option of the Find new computers feature, the console displays the name of the computer's workgroup in the Domain/workgroup field. If the computer is then moved to an Active Directory domain and restarted, and Enterprise Console immediately synchronizes that computer with or imports it from Active Directory, the console will still display the name of the computer's workgroup in the Domain/workgroup field, and not its domain name. You can resolve this problem by making the computer managed, as explained below.
  Protect the computer. The computer now has two entries in Enterprise Console: the original entry, which shows it as part of a workgroup, and a new entry, with the Domain/workgroup set to the name of the Active Directory domain. However, the new entry may appear in the Unassigned group, and have only the default policies applied. If this happens, you need to do as follows:
  - If the computer is not a member of a synchronized Active Directory group, move the computer to the appropriate Enterprise Console group.
  - Delete the original workgroup entry.
  - If the computer is a member of a synchronized Active Directory group, delete the workgroup entry for that computer in Enterprise Console (the computer will be shown in the synchronized group). The next time synchronization takes place, the entry for the managed computer will appear in the correct group, with the correct policies applied. Alternatively, if you can delete the workgroup entry for the computer from Enterprise Console before the computer is found in Active Directory, the computer will appear in the correct group first time.
- Excluding folders from on-access scanning may disable scanning on Windows 95/98 computers.
When you set an anti-virus policy for a group of computers, you can exclude folders from on-access scanning. This option is not supported on Windows 95/98 computers and may have the effect of disabling on-access scanning on those computers. If you move the Windows 95/98 computers to a group that does not have this option included in its policy, on-access scanning should restart.
- (CR 27212) A link to Sophos Network Communications Report is not available on a computer where Enterprise Console is installed.
- (CR 24322) Scheduled scanning for controlled applications. For information about setting up a scheduled scan for controlled applications, see Sophos support knowledgebase article 22473 (in English).
Please Note: Sophos Enterprise Console 4 is the last version of Sophos Enterprise Console that will be supported on Windows 2000. The next version of Sophos Enterprise Console (4.5), scheduled for April 2010, will not support the Windows 2000 platform. Additionally, Sophos Enterprise Console 4.5 will not support SQL Server 2000.
Related articles:
Known Issues - Endpoint Security and Control, version 9 (in English)
Known Issues - Sophos Control Center version 4
If you need further help, contact technical support.
- Article ID: 63215
- Created: 18 Sep 2009
- Modified: 22 Nov 2010