
Sophos Enterprise Console, version 3.1
user manual

Document date: October 2008


Contents

1 About Sophos Endpoint Security and Control 10
2 Introduction to Enterprise Console 13
    About the interface 13
    What is a group? 16
    What is a policy? 16
    What is the Unassigned folder? 16
    What are libraries? 17
    What do the icons mean? 17
3 How do I get started? 20
4 How do I create and use groups? 26
    What are groups for? 27
    Create a group 27
    Add computers to a group 28
    Delete computers from a group 28
    Cut and paste a group 28
    Delete a group 29
    Rename a group 29
    Apply a policy to a group 29
    See which policies a group uses 29
5 How do I create and use policies? 31
    What are policies for? 31
    What are the default policies? 32
    Do I need to create my own policies? 33
    Create a policy 35
    Apply a policy 35
    Edit a policy 35
    Rename a policy 36
    Delete a policy 36
    See which groups use a policy 36
    Check whether computers use the group policy 37
    Make computers use the group policy 37
6 How do I add computers to the console? 38
    Import groups from Active Directory 38
    Use Active Directory to find computers 40
    Use network browsing to find computers 40
    Use IP range to find computers 41
    Import computers from a file 41
7 How do I synchronize with Active Directory? 43
    About Active Directory synchronization 43
    What is a synchronization point? 45
    What is a synchronized group? 46
    Synchronize with Active Directory 46
    Protect computers automatically 48
    View and edit synchronization properties 49
    Turn synchronization on or off 51
8 How do I protect new computers? 52
    Protect new computers 52
    Protect new types of computer 54
    Protect computers that are already in a group 56
    Protect computers that require manual installation 57
    Protect computers by using a login script 58
    Protect Windows 95/98/Me computers with a login script 60
    Add the firewall to protected computers 61
    Select software packages 61
    Default update directories 62
    Remove third-party security software 63
9 How do I check whether my network is protected? 65
    The dashboard overview 65
    Configure the dashboard 69
    Which computers are protected? 70
    Which computers are up to date? 71
    Find computers that are unprotected 72
    Find computers without the firewall installed 73
    Find computers with alerts that need attention 73
    Find out-of-date computers 74
    Find computers not managed by the console 75
    Find computers disconnected from the network 76
10 How do I update computers? 77
    Set up automatic updating 77
    Select a source for updates 79
    Select an alternative source for updates 80
    Schedule updates 81
    Update computers now 82
    Make computers update when they dial up 82
    Specify a proxy server for updating 83
    Limit the bandwidth used 83
    Select a different source for initial installation 84
    Log updates 85
11 How do I change anti-virus and HIPS settings? 86
    What is HIPS? 87
    Scan for viruses, Trojans, worms, and spyware 87
    Detect suspicious behavior 88
    Scan for suspicious files 89
    Authorize suspicious items 90
    Scan for adware/PUA 91
    Authorize adware/PUA 92
    Change types of file scanned 93
    Exclude items from on-access scanning 95
    Scan for rootkits 95
    Scan inside archive files 96
    Scan Macintosh files 97
    Turn on-access scanning on or off 98
    Change when on-access scanning occurs 98
    Scan computers at set times 99
    Change scheduled scan settings 99
    Exclude items from scheduled scanning 100
    Items that can be excluded from scanning 101
12 How do I change application control settings? 103
    Select the applications you want to control 103
    Scan for applications you want to control 104
    Uninstall controlled applications you do not want 105
13 How do I change firewall settings? 106
    Set up the firewall 106
    What are the default settings? 107
    Allow file and print sharing 108
    Allow applications that have been blocked 108
    Select interactive or non-interactive working 109
    Turn the firewall on or off 109
    Get help with advanced options 110
14 How do I change NAC settings? 111
    Set up NAC 111
    Set up the NAC server URL 111
    Start NAC Manager 112
    What are the default settings? 113
    What are the pre-defined NAC policies? 113
    Edit a NAC policy 114
15 How do I scan computers? 115
    Scan computers now 115
16 How do I set up alerts? 116
    Set up anti-virus and HIPS email alerts 116
    Set up anti-virus and HIPS SNMP alerts 118
    Configure anti-virus and HIPS desktop alerts 120
    Set up application control alerts 121
    Set up network status email alerts 122
    Set up Active Directory synchronization email alerts 123
    Configure event logging 124
17 How do I deal with alerts? 125
    What do the alert icons mean? 125
    Deal with virus and spyware alerts 126
    Deal with suspicious behavior alerts 127
    Deal with suspicious file alerts 127
    Deal with firewall alerts 127
    Deal with adware/PUA alerts 128
    Deal with controlled application alerts 128
    Clear alerts from the console 128
18 How do I clean up computers? 130
    Clean up computers now 130
    Deal with detected items if cleanup fails 131
    Set up automatic cleanup 131
19 How do I generate reports? 134
    Generate a report 134
    Display a report as a table 135
    Display a report as a chart 135
    Show the number of alerts per item name 135
    Show the number of alerts per location 137
    Show the rate of alerts 138
    Show history of alerts 140
    Print a report 141
    Export a report to a file 141
    Change the report layout 142
20 How can another user use Enterprise Console? 143
21 How do I turn reporting to Sophos on or off? 144
22 Troubleshooting 145
    Cannot protect computers in Unassigned folder 145
    Sophos Anti-Virus installation failed 146
    Computers are not updated 146
    Anti-virus settings do not take effect on Macs 147
    Anti-virus settings do not take effect on Linux or UNIX 147
    Linux or UNIX computer does not comply with policy 148
    On-access scan settings do not take effect 148
    New scan appears unexpectedly on 2000 or later 148
    Connectivity and timeout problems 148
    Adware/PUAs are not detected 149
    Partially detected item 149
    Frequent alerts about potentially unwanted applications 150
    Cleanup failed 150
    Recover from virus side-effects 151
    Recover from application side-effects 151
    Technical support 152
23 Glossary 153
Index 157


1 About Sophos Endpoint Security and Control

Sophos Endpoint Security and Control protects your file servers,
desktops and laptops against known and unknown threats, adware
and other potentially unwanted applications, and unwanted behavior,
and provides simplified, centralized management of your network. It
comprises Sophos Anti-Virus, Sophos Client Firewall, Sophos
Network Access Control, and Sophos Enterprise Console (including
EM Library which downloads software and updates from Sophos
automatically).
The figure below shows how the Sophos Endpoint Security and
Control components work together.

Sophos Enterprise Console enables you to centrally deploy, update,
and monitor anti-virus and firewall software on your computers, thus
protecting them against viruses, worms, Trojans, spyware, hackers,
unknown threats, and unwanted behavior. Enterprise Console
includes EM Library which downloads software and updates from
Sophos automatically.


Sophos Anti-Virus (for Windows 98/Me/2000 and later, Mac OS X,
Linux, and UNIX) detects and eliminates viruses, worms, Trojans,
and spyware on your computer or network. Sophos Anti-Virus for
Windows 2000 and later can also detect and stop unknown threats,
adware and other potentially unwanted applications, unwanted
behavior, and rootkits.
In particular, Sophos Anti-Virus can:
· Scan your computer or network for threats, suspicious files, adware and other potentially unwanted applications.
· Check each file you access for threats and suspicious behavior.
· Alert you when it finds a threat, suspicious file, or unwanted application.
· Clean up infected items by removing a virus from a file or boot sector.
· Prevent potentially unwanted applications from running on your computer.
· Remove potentially unwanted applications from your computer.
· Block "controlled applications" - legitimate consumer applications that can undermine productivity and network performance.
· Keep a log of its activity.
· Be updated to detect the latest threats and potentially unwanted applications.
Sophos Client Firewall (for Windows 2000 and later) can limit
access to the company network or the internet to specifically
permitted applications or classes of applications. It proactively locks
down computers, protecting networks against internet worms,
hackers and the risk of virus infection from unprotected computers,
especially those that connect directly to the internet.
Sophos Network Access Control (NAC) (for Windows 2000 and
later) protects the company network from non-compliant or untrusted
computers. It controls access based on security policies set and
controlled by the administrator and enforces compliance with the
policies.
To learn more about Sophos EM Library, Sophos Anti-Virus, Sophos
Client Firewall, or Sophos Network Access Control, refer to the
respective Help or user manual.
To learn more about threats, go to Sophos security information web
page.

2 Introduction to Enterprise Console


This section gives you an overview of the interface and key features
of Sophos Enterprise Console.
· About the interface
· What is a group?
· What is a policy?
· What is the Unassigned folder?
· What are libraries?
· What do the icons mean?

About the interface


The Enterprise Console interface enables you to protect computers
on your network, ensure that they are up to date, view any threats,
potential threats, or unwanted applications that are detected and clean
them up. See below for a description of the features.

The Dashboard
The Dashboard provides an at-a-glance view of the network's
security status. To show or hide the dashboard, click the Dashboard
button on the toolbar.

The Groups pane


In the Groups pane, you create groups and put networked
computers in them. You can create groups yourself or import them,
with or without computers, from Active Directory. You can also set
up synchronization with Active Directory so that new computers and
groups as well as other changes in Active Directory are copied into
Enterprise Console automatically.
The Unassigned folder is for computers that are not yet in a
group. To configure a group, select it and right-click.

The Policies pane


In the Policies pane, you create or change the policies applied to
groups of computers. To configure a policy, select it and right-click.

The computer list


The computer list (right-hand pane) displays the computers in the
selected group.
If you have Linux or UNIX computers managed from the
console, make sure a unique hostname is configured for each
computer. Otherwise, each computer will be displayed in the
console with the default name "localhost."
The Status tab shows whether the computers are protected by on-
access scanning, whether the firewall is enabled, whether NAC
(network access control) is enabled, and whether the software is up to
date. This page also shows if there are any alerts. The other tabs give
more detailed information on each of these subjects.
For an explanation of the icons displayed in the computer list, see
What do the icons mean?

The toolbar
Find new computers searches for computers on the network and
adds them to the console.
Create group creates a new group for computers.
View/Edit policy enables you to open and change a policy selected
in the Policies pane.
Protect enables you to install anti-virus and firewall software on
computers selected in the computer list.
Libraries opens Sophos EM Library, which you use to download the
latest software packages and make them available on your network.
Reports enables you to generate reports about alerts on your
networks.
Dashboard opens the Dashboard, which provides an overview of the
network's security status.
NAC opens Sophos NAC Manager, which you use to edit NAC
(network access control) policies.

What is a group?
A group is a folder that holds a number of computers.
You can create groups yourself or import them, with or without
computers, from Active Directory. You can also set up
synchronization with Active Directory so that new computers and
groups as well as other changes in Active Directory are copied into
Enterprise Console automatically.
Each group has settings for updating, anti-virus and HIPS protection,
firewall protection, application control, and NAC (network access
control). All the computers in a group should usually use these
settings, which are called a "policy".
A group can contain sub-groups.

What is a policy?
A policy is a collection of settings applied to all the computers in a
group.
· The Updating policy specifies how computers are updated with
new security software.
· The Anti-virus and HIPS policy specifies how the security
software scans computers for viruses, Trojans, worms, spyware,
adware, potentially unwanted applications, suspicious behaviour
and suspicious files, and how it cleans them up.
· The Application control policy specifies which applications are
blocked and which are allowed on your computers.
· The Firewall policy specifies how the firewall protects
computers.
· The NAC policy specifies the conditions that computers must
comply with before they can access the network.

What is the Unassigned folder?


The Unassigned folder is a folder where Enterprise Console holds
computers before you put them into groups.

You cannot:
· apply policies to the Unassigned folder
· create subfolders in the Unassigned folder
· move or delete the Unassigned folder.

What are libraries?


Libraries download the latest software from Sophos and make it
available on your server, ready for installation on networked
computers.
A component called EM Library keeps the libraries up to date. To
use EM Library, click the Libraries icon in the toolbar.

What do the icons mean?


In the list of computers, icons are used to indicate:
· alerts
· protection disabled or out of date
· the status of each computer, e.g. whether software is being
installed.

Alerts
Sign Explanation
A red warning sign displayed in the Alerts and errors
column means that a virus, worm, Trojan, spyware, or
suspicious behavior has been detected.
A yellow warning sign displayed in the Alerts and errors
column indicates one of the following problems:
· A suspicious file has been detected.
· An adware or other potentially unwanted application has been
detected.
· A controlled application has been detected.
· The firewall has blocked an application.
· An error has occurred.
A yellow warning sign displayed in the Anti-virus and
HIPS policy, Firewall policy, Updating policy, or
Application control policy column means that the
computer is not using the same policies as other computers
in its group.

If there are multiple alerts or errors on a computer, the icon of the
alert that has the highest priority will be displayed in the Alerts and
errors column. Alert types are listed below in descending order of
priority.
Priority of alerts
1. Virus/spyware alerts
2. Suspicious behavior alerts
3. Suspicious file alerts
4. Firewall alerts
5. Adware/PUA alerts
6. Controlled application alerts
7. Sophos Anti-Virus, updating, and Sophos Client Firewall errors
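The column logic described above, as an added example in Python (not code from the manual or from Sophos): it picks the sign and alert type for the Alerts and errors column from the priority order and the red/yellow rules, and marks a policy column "Differs from policy" when a computer's policy does not match its group's, with a sub-group inheriting its parent's settings as the manual describes under Create a group. The group, computer and function names and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Alert types in descending order of priority (the manual's "Priority of alerts").
ALERT_PRIORITY: List[str] = [
    "virus/spyware",
    "suspicious behavior",
    "suspicious file",
    "firewall",
    "adware/PUA",
    "controlled application",
    "error",  # Sophos Anti-Virus, updating, and Sophos Client Firewall errors
]

# Alert types shown with a red warning sign; all other types show a yellow one.
RED_ALERTS = {"virus/spyware", "suspicious behavior"}


@dataclass
class Group:
    """A console group (constructed model). A sub-group initially uses the
    settings of the group it is within, so a policy type not set here is
    inherited from the parent."""
    name: str
    policies: Dict[str, str]          # policy type -> policy name
    parent: Optional["Group"] = None

    def effective_policies(self) -> Dict[str, str]:
        merged: Dict[str, str] = {}
        group = self
        while group is not None:
            for ptype, pname in group.policies.items():
                merged.setdefault(ptype, pname)  # the nearest group wins
            group = group.parent
        return merged


@dataclass
class Computer:
    """A managed computer as it reports to the console (constructed model)."""
    name: str
    group: Group
    policies: Dict[str, str]          # policy type -> policy the endpoint actually uses
    alerts: List[str] = field(default_factory=list)


def alerts_column(alerts: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Decide the Alerts and errors column: (sign colour, alert type shown).
    With several alerts only the highest-priority one is shown; no alerts gives
    (None, None). Unknown alert types are rejected rather than silently hidden."""
    unknown = set(alerts) - set(ALERT_PRIORITY)
    if unknown:
        raise ValueError(f"unknown alert type(s): {sorted(unknown)}")
    for alert_type in ALERT_PRIORITY:          # walk from highest priority down
        if alert_type in alerts:
            return ("red" if alert_type in RED_ALERTS else "yellow", alert_type)
    return (None, None)


def policy_columns(computer: Computer) -> Dict[str, str]:
    """One entry per policy type the group defines: "OK" when the computer uses
    the group's policy, otherwise "Differs from policy" (the yellow sign shown
    in that policy column)."""
    expected = computer.group.effective_policies()
    return {
        ptype: "OK" if computer.policies.get(ptype) == pname else "Differs from policy"
        for ptype, pname in expected.items()
    }


def status_rows(computers: List[Computer]) -> Dict[str, dict]:
    """Build the Status tab view for a list of computers."""
    rows = {}
    for c in computers:
        sign, shown = alerts_column(c.alerts)
        rows[c.name] = {"sign": sign, "alert": shown, "policies": policy_columns(c)}
    return rows


# Constructed sample inventory (not real console data).
DEFAULT_POLICIES = {"updating": "Default", "anti-virus and HIPS": "Default",
                    "application control": "Default", "firewall": "Default",
                    "NAC": "Default"}
SALES = Group("Sales", dict(DEFAULT_POLICIES))
LAPTOPS = Group("Laptops", {"firewall": "Roaming firewall"}, parent=SALES)
SAMPLE_COMPUTERS = [
    Computer("PC-01", SALES, dict(DEFAULT_POLICIES),
             alerts=["adware/PUA", "virus/spyware", "error"]),
    Computer("LT-07", LAPTOPS, {**DEFAULT_POLICIES, "firewall": "Roaming firewall"},
             alerts=["firewall", "controlled application"]),
    Computer("LT-09", LAPTOPS, dict(DEFAULT_POLICIES)),   # still on the Default firewall
]

if __name__ == "__main__":
    for name, row in status_rows(SAMPLE_COMPUTERS).items():
        print(name, row)
```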

Protection disabled or out of date


Sign Explanation
A gray shield means that on-access scanning is inactive.

A gray firewall sign means that the firewall is disabled.

A clock icon means that the software is out of date.

Computer status
Sign Explanation
A blue computer sign means that the computer is managed
by Enterprise Console.
A computer sign with a yellow arrow means that installation
of anti-virus and firewall software is pending.
A computer sign with a green arrow means that installation
is in progress.
A computer sign with an hourglass means that the automatic
updating component of Sophos Anti-Virus has been
installed and is now downloading the latest version of the
product.
A gray computer sign means that the computer is not
managed by Enterprise Console.
A computer sign with a red cross beside it means that the
computer is disconnected.

3 How do I get started?


You protect your network with Enterprise Console as follows:
This is only an overview, so you may want to consult the other
materials and sections mentioned.
· Step 1: Set up a library for software and updates
· Step 2: Create groups
· Step 3: Set up policies
· Step 4: Add computers to the console
· Step 5: Protect computers
· Step 6: Check computers are protected
· Step 7: Protect against adware, other potentially unwanted
applications (PUAs), and suspicious or unwanted behavior
· Step 8: Clean up computers

Step 1: Set up a library for software and updates


After you install Enterprise Console, you need to set up a library that
will download and update security software and data from Sophos
and make them available to your networked computers.
When you start Enterprise Console for the first time, the Welcome to
Sophos Endpoint Security and Control dialog box is displayed. In
this dialog box, select the type of setup you prefer. There are two
options:
· Quick setup - select this if you want to subscribe to Sophos
updates quickly, using default settings. This will start the
Subscribe to Sophos Updates Wizard. Your chosen software
will be placed in default locations and updated hourly. If you
have Active Directory, groups and computers will be imported
from Active Directory into Enterprise Console.
· Advanced setup - select this if you want to have more control
over the library settings. This will open the EM Library console. For
instructions on how to use it to set up a library, see EM Library
Help, the section "How do I get started?"
The Welcome to Sophos Endpoint Security and Control
dialog box is displayed only once, when you start Enterprise
Console for the first time. After you close this dialog, it won't be
displayed again, and you won't be able to use the Quick setup
option anymore.

Step 2: Create groups


You can choose among the following three approaches to creating
groups, depending on which suits you best.
· Using the Quick setup option
If you have Active Directory and selected the Quick setup
option described in step 1, the Subscribe to Sophos Updates
Wizard has already imported groups and computers from Active
Directory into Enterprise Console. You do not need to do
anything in this case.
· Creating groups one by one
You can create groups one by one, using the Create group
option. To do this, click the Create group icon on the toolbar. A
new group is displayed in the Groups pane. Rename it. For
more information, see How do I create and use groups?
· Importing groups from Active Directory
You can import your group structure from Active Directory,
with or without the computers. To do this, follow the
instructions in Import groups from Active Directory.

Step 3: Set up policies


Updating policy

If, after you installed Enterprise Console, you chose the Quick
setup option and completed the Subscribe to Sophos Updates
Wizard, the default updating policy has already been set up.
If you didn't complete the Subscribe to Sophos Updates
Wizard, enter details of the location from which updates are
fetched (see Set up automatic updating). Computers cannot be
protected and updated until the policy has an updating location.
For more information on configuring updating, see How do I update
computers?
Anti-virus and HIPS policy

If you want to modify scanning and set up alerts, double-click Anti-virus
and HIPS. Then double-click Default. See How do I change
anti-virus and HIPS settings? and How do I set up alerts?
Application control policy

For instructions on setting up an application control policy, see How
do I change application control settings?
Firewall policy

For instructions on configuring a firewall policy, see How do I
change firewall settings?
NAC policy

For instructions on configuring a NAC policy, see How do I change
NAC settings?

Step 4: Add computers to the console


You can choose among the following four approaches to adding
computers to the console, depending on which suits you best.
· Using the Quick setup option
If you have Active Directory and selected the Quick setup
option described in step 1, the Subscribe to Sophos Updates
Wizard has already imported groups and computers from Active
Directory into Enterprise Console. You do not need to do
anything in this case.
· Using the Find new computers option
Click the Find new computers icon on the toolbar. Select the
search method you want to use, click OK, and follow the
instructions in the wizard or dialog box that is displayed. For
details, see How do I add computers to the console?
If you used an option other than Import from Active Directory,
click the Unassigned folder to see the computers that have been
found. Select the computers you want to place in the new group.
Drag and drop the computers onto the new group.
· Importing groups and computers from Active Directory
Select a group you want to import your Active Directory
containers and computers into, right-click and select Import
from Active Directory. Alternatively, on the Groups menu,
select Import from Active Directory. This option is also
available in the Find new computers dialog box described
above.
Follow the instructions in the Import from Active Directory
Wizard. To import computers as well as groups, on the Choose
What to Import page of the Import from Active Directory
Wizard, select Computers and groups. For more information,
see Import groups from Active Directory.
· Synchronizing with Active Directory
Select a group you want to synchronize with Active Directory,
right-click and select Synchronize with Active Directory.
Alternatively, on the Groups menu, select Synchronize with
Active Directory. Follow the instructions in the Synchronize
with Active Directory Wizard. For more information, see How
do I synchronize with Active Directory?

Step 5: Protect computers


You can choose between two approaches to protecting your
networked computers, depending on which suits you best.
· Using the Protect computers wizard
When you drag a computer from the Unassigned folder and
drop it onto a group, a wizard is launched to help you protect the
computers. See How do I protect new computers?
If you want to use Sophos Client Firewall, install it on only a
few sample computers first. The firewall must be configured
before you install it on all computers as it is designed to
prevent network access to unauthorized applications. See Set
up the firewall.
Protect computers that require manual installation as described
in Protect computers that require manual installation.
· Protecting computers automatically during synchronization
with Active Directory
If you chose to synchronize with Active Directory, you can also
choose to protect your Windows 2000 or later computers
automatically. You can do so in the Synchronize with Active
Directory Wizard or Synchronization properties dialog box.
For instructions, see Protect computers automatically.
Computers running Windows 95/98/Me, Windows server
operating systems, Mac, Linux, or UNIX will not be protected
automatically. You must protect such computers manually as
described in Protect computers that require manual installation.

Step 6: Check computers are protected


When installation is complete, look at the list of computers in the
new group again. In the On-access column, you should see the word
"Active": this shows that the computer is protected by on-access
scanning, and that it is now managed by Enterprise Console. For
more information, see How do I check whether my network is
protected?

Step 7: Protect against adware, other potentially unwanted
applications (PUAs), and suspicious or unwanted behavior
By default, Sophos Anti-Virus detects viruses, Trojans, worms, and
spyware. Sophos Anti-Virus 7 and later for Windows 2000 and later
also analyzes behavior of the programs running on the system. To
add further protection, you can:
· Scan for suspicious files
· Scan for adware and other potentially unwanted applications
· Control applications on your network

Step 8: Clean up computers

If a virus, other threat, or unwanted application has been detected
on your network, clean up affected computers as described in
How do I clean up computers?

4 How do I create and use groups?


This section describes how to create and manage groups of
computers.
When planning and creating a group structure, remember that a good
group structure should:
· Be manageable
You must decide what is a manageable size for the groups you
create. You should be able to deploy software, scan and clean up
computers easily. This is especially important for the initial
deployment.
· Reflect the needs of different users within the organization
Consider your users' individual requirements when creating
groups. For example, if you want to block a certain application
on some computers and allow it to run on others, you should
create two different groups for that purpose.

You can either create groups manually and set up the group structure
yourself or import the group structure from Active Directory.
If you want to set up a group structure that will correspond to your
Active Directory containers, see Import groups from Active
Directory.
· What are groups for?
· Create a group
· Add computers to a group
· Delete computers from a group
· Cut and paste a group
· Delete a group
· Rename a group
· Apply a policy to a group
· See which policies a group uses

What are groups for?


You must create groups and place computers in them before you can
protect and manage those computers.
Groups are useful because you can:
· Have computers in different groups updated from different
sources or on different schedules.
· Use different anti-virus and HIPS, application control, firewall,
or NAC (network access control) policies for different groups.
· Manage computers more easily.
You can create groups within groups and apply a specific set of
policies to each group and subgroup.

Create a group
To create a new group for computers, do as follows:
1. In the Groups pane (on the left-hand side of the console),
select where you want to create the group. Click the computer
name at the top if you want to create a new top-level group.
Click an existing group if you want to create a sub-group.
2. On the toolbar, click the Create group icon.
3. A "New Group" is added to the list, with its name highlighted.
Type a new name for the group.
Updating, anti-virus and HIPS, application control, firewall, and
NAC (network access control) policies are applied to the new group
automatically. You can edit these policies, or apply different policies.
If the new group is a sub-group, it initially uses the same settings
as the group it is within.

Add computers to a group


To add computers to a group, do as follows:
1. Select the computers that you want to add to a group. For
example, click the Unassigned folder and select computers
there.
2. Drag and drop the computers onto the new group.
If you move unprotected computers from the Unassigned folder
to a group that has automatic updating set up, a wizard is
launched to help you protect them.
If you move computers from one group to another, they will use
the same policies as the computers already in the group they are
moved to.

Delete computers from a group


You can delete computers from a group, e.g. if you want to remove
entries for computers that are no longer on the network.
If you delete computers that are still on the network, they will no
longer be listed or managed by the console.
To delete computers:
1. Select the computers that you want to delete.
2. Right-click and select Delete.
If you want to see the computers again, click the Find new
computers icon on the toolbar. These computers will not be
shown as managed until they are restarted.

Cut and paste a group


To cut and paste a group, do as follows:
1. Select the group you want to cut and paste. On the Edit menu,
click Cut.
2. Select the group where you want to place the group. On the
Edit menu, click Paste.

Delete a group
To delete a group, do as follows:
Any computers that were in the deleted group will be placed in
the Unassigned folder.
1. Select the group you want to delete.
2. Right-click and select Delete. When prompted, confirm that
you want to delete the group and, if the group has any
subgroups, its subgroups.

Rename a group
To rename a group, do as follows:
1. Select the group you want to rename.
2. Right-click and select Rename.

Apply a policy to a group


You apply a policy to a group as follows:
1. In the Policies pane, highlight the policy.
2. Click the policy and drag it onto the group to which you want
to apply the policy. When prompted, confirm that you want to
continue.
Alternatively, you can right-click a group and select View group
policy details. You can then select policies for that group from
drop-down menus.

See which policies a group uses


To see which policies have been applied to a group, do as follows:
1. In the Groups pane, right-click the group. Select View group
policy details.
2. In the group details dialog box, you can see the policies
currently used.

5 How do I create and use policies?


This section describes how to create policies and apply them to
groups of computers. The section also tells you how to ensure that all
the computers in a group use the same updating, anti-virus and HIPS,
application control, firewall, and NAC (network access control)
settings.
· What are policies for?
· What are the default policies?
· Do I need to create my own policies?
· Create a policy
· Apply a policy
· Edit a policy
· Rename a policy
· Delete a policy
· See which groups use a policy
· Check whether computers use the group policy
· Make computers use the group policy

What are policies for?


A policy is a collection of settings applied to all the computers in a
group.
· The Updating policy specifies how computers are updated with
new security software.
· The Anti-virus and HIPS policy specifies how the security
software scans computers for viruses, Trojans, worms, spyware,
adware, potentially unwanted applications, suspicious behaviour
and suspicious files, and how it cleans them up.
· The Application control policy specifies which applications are
blocked and which are allowed on your computers.
· The Firewall policy specifies how the firewall protects
computers.
· The NAC policy specifies the conditions that computers must
comply with before they can access the network.
You can create more than one policy of each type.
You can apply the same policy to more than one group.

What are the default policies?


When you install Enterprise Console, "default" policies are created
for you.

Updating policy
The default updating policy provides:
· Automatic updating of computers every five minutes, provided
that the policy includes details of the location from which
updates are fetched.
If, after you installed Enterprise Console, you chose the Quick
setup option and completed the Subscribe to Sophos Updates
Wizard, the default updating policy already includes an updating
location.
If you didn't complete the Subscribe to Sophos Updates
Wizard, enter details of the location from which updates are
fetched (see Set up automatic updating). Computers cannot be
protected and updated until the policy has an updating location.

Anti-virus and HIPS policy


The default anti-virus and HIPS policy provides:
· On-access scanning for viruses and spyware (but not suspicious
files and adware and other potentially unwanted applications).
· Analysis of the execution of programs running on the system
(Sophos Anti-Virus 7 for Windows 2000 and later).
· Security alerts displayed on the desktop of the affected computer
and added to the event log.

Application control policy


By default, all applications and application types are allowed. On-
access scanning for applications you may want to control on your
network is disabled.

Firewall policy
By default, the Sophos Client Firewall is enabled and blocks all non-
essential traffic. Before you use it throughout your network, you
should configure it to allow the applications you want to use, as
described in Set up the firewall.
The firewall's other default settings are as follows:
· Applies rules without asking the user for confirmation ("non-
interactive" mode).
· Displays alerts in Enterprise Console if rules are changed locally
on managed computers.
· Blocks processes if memory is modified by another application.
· Drops packets that are sent to blocked ports ("stealth"
operation).
· Uses checksums to identify new and modified applications.
· Reports new and modified applications to Enterprise Console.
· Warns about applications that may launch hidden processes.

NAC policy
By default, computers are allowed to access the network (unless you
have modified the default policy or changed the "policy mode" in
NAC server).

Do I need to create my own policies?


When you install Enterprise Console, "default" policies are created
for you. These policies are applied to any groups you create.
The default policies offer a basic level of security, but you need to
create new policies or change the default policies if you want to use
features like network access control or application control.

Updating policy
If, after you installed Enterprise Console, you chose the Quick setup
option and completed the Subscribe to Sophos Updates Wizard,
the default updating policy has already been set up for you.
If you didn't complete the Subscribe to Sophos Updates
Wizard, enter details of the location from which updates are
fetched (see Set up automatic updating). Computers cannot be
protected and updated until the policy has an updating location.

Anti-virus and HIPS


The default anti-virus and HIPS policy will protect computers against
viruses and other malware. However, you may want to create new
policies, or change the default policy, to enable detection of other
unwanted applications or behaviour. See How do I change anti-virus
and HIPS settings?
Application control

You need to configure an application control policy to specify which
applications can be used. See How do I change application control
settings?

Firewall
You need to configure the firewall to allow applications used on your
computers. See Set up the firewall.

NAC
By default, Sophos NAC allows all computers to access the network.
You need to configure a NAC policy in order to control access. See
Edit a NAC policy.

Create a policy
To create a policy, do as follows:
You cannot create NAC policies. You can only edit them. See
Edit a NAC policy.
1. In the Policies pane, right-click the type of policy you want to
create, e.g. "Updating Policy" and select Create policy.
2. A "New Policy" is added to the list, with its name highlighted.
Type a new name for the policy.
3. Double-click the new policy. Enter the settings you want.
For instructions on how to set up different policies, see:
§ How do I change anti-virus and HIPS settings?
§ How do I change application control settings?
§ How do I change firewall settings?
§ How do I update computers?
You have created a policy that can now be applied to groups.

Apply a policy
You apply a policy to a group as follows:
1. In the Policies pane, highlight the policy.
2. Click the policy and drag it onto the group to which you want
to apply the policy. When prompted, confirm that you want to
continue.
Alternatively, you can right-click a group and select View group
policy details. You can then select policies for that group from
drop-down menus.

Edit a policy
To edit a policy for a group or groups of computers, do as follows:
1. In the Policies pane, double-click the policy you want to edit.
2. Edit the settings.
For instructions on how to set up different policies, see:
§ How do I change anti-virus and HIPS settings?
§ How do I change application control settings?
§ How do I change firewall settings?
§ How do I change NAC settings?
§ How do I update computers?

Rename a policy
To rename a policy, do as follows:
You cannot rename a "Default" policy.
1. In the Policies pane, select the policy you want to rename.
2. Right-click and select Rename policy.

Delete a policy
To delete a policy, do as follows:
You cannot delete a "Default" policy.
1. In the Policies pane, right-click the policy you want to delete
and select Delete Policy.
2. Any groups that use the deleted policy will revert to using the
default policy.

See which groups use a policy


To see which groups a particular policy has been applied to, do as
follows:
1. In the Policies pane, right-click the policy and select View
groups using policy.
2. A list of the groups that use the policy is displayed.

Check whether computers use the group policy


You can check whether all the computers in a group comply with the
updating, anti-virus and HIPS, application control, firewall, and NAC
policy for that group.
1. Select the group which you want to check.
2. On the Status page, look in the column for each policy, e.g.
Anti-virus and HIPS policy. If the computer does not use the
same policy as the rest of the group, you see a warning sign and
the words "Differs from policy".
If you want your computers to comply with their group policies, see
Make computers use the group policy.

Make computers use the group policy


If you find computers that do not comply with the updating, anti-
virus and HIPS, application control, firewall, or NAC policy for their
group, you can apply the group policy to that computer.
1. Select the computer(s) that do not comply with group policy.
2. Right-click and select Comply with. Then select the
appropriate policy type, e.g. Group anti-virus and HIPS
policy.

6 How do I add computers to the console?


You can use the "Find new computers" function and choose among
several options that allow you to find networked computers and add
them to Enterprise Console.
If you use Active Directory, you can import your Active Directory
group structure as well as computers.
If you choose to add computers only, the computers will be placed in
the Unassigned folder in the Groups pane. You must create groups,
set up group policies, and place the computers in the groups before
you can protect and manage the computers.
Use one of the following options to find networked computers and
list them in Enterprise Console:
· Import from Active Directory
· Find with Active Directory
· Find on the network
· Find by IP range
· Import from file

Import groups from Active Directory


Importing groups from Active Directory retrieves the Active Directory
container structure and copies it into Enterprise Console as a computer
group structure. You can import the group structure only or groups and
computers. If you choose the latter, computers found in Active Directory
are placed in their respective group, and not in the Unassigned folder.
You can have both "normal" groups that you create and manage
yourself and groups imported from Active Directory. You can also
synchronize the imported groups with Active Directory.
To import groups from Active Directory:
1. On the toolbar, click the Find new computers icon.
2. In the Find new computers dialog box, select Import from
Active Directory and click OK. The Import from Active
Directory Wizard starts.
Alternatively, select a group you want to import your Active
Directory container(s) into, right-click and select Import from
Active Directory. You can also select Import from Active
Directory on the Groups menu.
3. On the Overview page of the wizard, click Next.
4. On the Choose an Enterprise Console group page, select or
create an Enterprise Console group which you want to import
to. Click Next.
5. On the Choose an Active Directory container page, select an
Active Directory container from which you want to import
computers and subgroups. Enter the name of the container (e.g.
LDAP://CN=Computers,DC=domain_name,DC=local) or click
Browse to browse to the container in Active Directory. Click
Next.
6. On the Choose What to Import page, select Computers and
groups or Groups only, depending on what you want to
import.
7. On the Confirm Your Choices page, check the details, and
then click Next to proceed.
8. On the last page of the wizard, you can view the details of the
groups and computers that have been imported. To close the
wizard, click Finish.
9. After you have imported the groups from Active Directory,
apply policies to the groups. See How do I create and use
policies?
After you have imported groups from Active Directory and applied
group policies to the groups, you can synchronize the groups with
Active Directory, if you want to. For instructions, see Synchronize
with Active Directory.


Use Active Directory to find computers


You can use Active Directory to find networked computers and list
them in the Unassigned folder.
1. On the toolbar, click the Find new computers icon.
2. In the Find new computers dialog box, select Find with
Active Directory and click OK.
3. You are prompted to enter a username and password. You need
to do this if you have computers (e.g. Windows XP Service
Pack 2) that cannot be accessed without account details. The
account must be a domain administrator's account, or have full
administrative rights over the target XP machines.
If you are using a domain account, you must enter the
username in the form domain\user.
4. In the Find computers dialog box, select the domains you want
to search. Click OK.
5. Click the Unassigned folder to see the computers that have
been found.
To begin managing computers, select them and drag them to a group.

Use network browsing to find computers


To add a list of computers found in Windows domains and
workgroups to the Unassigned folder:
1. On the toolbar, click the Find new computers icon.
2. In the Find new computers dialog box, select Find on the
network and click OK.
3. You are prompted to enter a username and password. You need
to do this if you have computers (e.g. Windows XP Service
Pack 2) that cannot be accessed without account details. The
account must be a domain administrator's account, or have full
administrative rights over the target XP machines.
If you are using a domain account, you must enter the
username in the form domain\user.
4. In the Find computers dialog box, select the domains or
workgroups you want to search. Click OK.
5. Click the Unassigned folder to see the computers that have
been found.
To begin managing computers, select them and drag them to a group.

Use IP range to find computers


You can use a range of IP addresses to find networked computers and
list them in the Unassigned folder.
You cannot use IPv6 addresses.
1. On the toolbar, click the Find new computers icon.
2. In the Find new computers dialog box, select Find by IP
range and click OK.
3. In the Find computers dialog box, enter the Start of IP Range
and End of IP Range. Click OK.
4. Click the Unassigned folder to see the computers that have
been found.
To begin managing computers, select them and drag them to a group.

Import computers from a file


To enable Enterprise Console to list your computers, you can import
the computer names from a file.
The file that contains the computer names must be one of the
following:
· A file that uses the conventions listed below.
· An SGR file exported from Sophos SAVAdmin.
You can create a file using entries like this:
[GroupName1]
Domain1|Windows2000|ComputerName1
Domain1|Windows2000Server|ComputerName2
You do not have to specify which group the computers will be
put in. If you enter [] for the group name, computers will be put
in the Unassigned folder.
Valid operating system names are: Windows95, Windows98,
Windows9x, WindowsMe, WindowsNT, WindowsNTServer,
Windows2000, Windows2000Server, WindowsXP,
Windows2003, WindowsVista, Windows Server 2008,
MACOS9, MACOSX, Linux, and Unix.
The domain name and the operating system are both optional. So an
entry can look like this:
[GroupName1]
||ComputerName1
You import computer names as follows:
1. On the File menu, click Import computers from file.
2. In the browser window, select the file.
3. Click the Unassigned folder to see the computers that have
been found.
4. To begin managing computers, select them and drag them to a
group.
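The following Python script is added here as an example and is not part of Enterprise Console or of this manual. It checks a computer-import file against the conventions above before you hand it to the console (every entry must follow a [GroupName] header, use the Domain|OS|ComputerName layout, and name one of the listed operating systems, with [] meaning the Unassigned folder) and can also generate such a file from an inventory. The hostname pattern, the duplicate check and the rejection of entries that precede a header are this example's own stricter rules; the sample lines are constructed.

```python
"""Validate (and generate) a computer-import file in the format shown above.

Added example, not part of the Sophos manual or product: the line format, the
valid operating-system names and the "[]" convention come from the manual; the
hostname pattern and the rejection of entries that precede a group header are
this example's own, stricter assumptions.
"""
import re

# Operating-system names the manual lists as valid.
VALID_OS = {
    "Windows95", "Windows98", "Windows9x", "WindowsMe", "WindowsNT",
    "WindowsNTServer", "Windows2000", "Windows2000Server", "WindowsXP",
    "Windows2003", "WindowsVista", "Windows Server 2008",
    "MACOS9", "MACOSX", "Linux", "Unix",
}
UNASSIGNED = "Unassigned"
# Assumed hostname rule for this example (letters, digits, dot, hyphen, underscore).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,63}$")


def parse_import_file(text):
    """Return a list of (group, domain, os, computer) tuples.

    Raises ValueError with the offending line number for: an entry before any
    [GroupName] header, a line that is not Domain|OS|ComputerName, an unknown
    OS name, a malformed computer name, or a duplicated computer.
    """
    entries, seen, group = [], set(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            group = name or UNASSIGNED          # "[]" means the Unassigned folder
            continue
        if group is None:
            raise ValueError(f"line {lineno}: entry before any [GroupName] header")
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected Domain|OS|ComputerName")
        domain, osname, computer = parts
        if osname and osname not in VALID_OS:
            raise ValueError(f"line {lineno}: unknown operating system {osname!r}")
        if not HOSTNAME_RE.match(computer):
            raise ValueError(f"line {lineno}: bad computer name {computer!r}")
        key = (domain.lower(), computer.lower())
        if key in seen:
            raise ValueError(f"line {lineno}: duplicate computer {computer!r}")
        seen.add(key)
        entries.append((group, domain, osname, computer))
    return entries


def build_import_file(inventory):
    """Render inventory rows (dicts with 'name' and optional 'group', 'domain',
    'os') into the import format, one [GroupName] header per group; rows with
    no group go under "[]" so the console places them in Unassigned."""
    by_group = {}
    for row in inventory:
        by_group.setdefault(row.get("group", ""), []).append(row)
    lines = []
    for group, rows in by_group.items():
        lines.append(f"[{group}]")
        for row in rows:
            lines.append(f"{row.get('domain', '')}|{row.get('os', '')}|{row['name']}")
    return "\n".join(lines) + "\n"


# Constructed sample input: a valid file, and one with a typo in the OS name.
SAMPLE_OK = """\
[GroupName1]
Domain1|Windows2000|ComputerName1
Domain1|Windows2000Server|ComputerName2
[]
||ComputerName3
"""
SAMPLE_BAD_OS = "[GroupName1]\nDomain1|Windows2K|ComputerName1\n"

if __name__ == "__main__":
    for group, domain, osname, computer in parse_import_file(SAMPLE_OK):
        print(f"{group:12} {domain or '-':8} {osname or '-':20} {computer}")
    try:
        parse_import_file(SAMPLE_BAD_OS)
    except ValueError as err:
        print("rejected:", err)
    print(build_import_file([{"name": "PC01", "group": "Finance", "os": "WindowsXP"},
                             {"name": "PC02"}]), end="")
```

Run the script on the file you intend to import; a ValueError names the first bad line, so the console is never handed a file with an unknown OS name or a stray entry that would land in the wrong group.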

7 How do I synchronize with Active Directory?


This section describes how to synchronize Enterprise Console groups
with Active Directory containers.
· About Active Directory synchronization
· What is a synchronization point?
· What is a synchronized group?
· Synchronize with Active Directory
· Protect computers automatically
· View and edit synchronization properties
· Turn synchronization on or off

About Active Directory synchronization


What does Active Directory synchronization do for me?
With Active Directory synchronization, you can synchronize
Enterprise Console groups with Active Directory containers. New
computers and containers discovered in Active Directory will be copied
into Enterprise Console automatically. You can also choose to
protect discovered Windows 2000 or later workstations
automatically. This will allow you to minimize the time in which
computers can become infected and reduce the amount of work you
need to do to organize and protect computers.
Computers running Windows 95/98/Me, Windows server
operating systems, Mac, Linux, or UNIX will not be protected
automatically. You must protect such computers manually.
After you have set up synchronization, you can set up email alerts to
be sent to your chosen recipients about new computers and containers
discovered during future synchronizations. If you choose to protect
computers in synchronized Enterprise Console groups automatically,
you can also set up alerts about automatic protection failures.

How does Active Directory synchronization work?


In Enterprise Console, you can have both "normal," unsynchronized
groups that you manage yourself and groups synchronized with
Active Directory.
When setting up synchronization, you select or create a
synchronization point, an Enterprise Console group that will be
synchronized with an Active Directory container. All subgroups and
computers that the Active Directory container may contain will be
copied into Enterprise Console and kept synchronized with Active
Directory.
To learn more about synchronization points, see What is a
synchronization point? To learn more about synchronized
groups, see What is a synchronized group?
After you set up synchronization with Active Directory, the
synchronized part of Enterprise Console group structure matches
exactly the Active Directory container it is synchronized with. This
means the following:
· If a new computer is added to the Active Directory container,
then it also appears in Enterprise Console.
· If a computer is removed from Active Directory or is moved into
an unsynchronized container, then the computer is moved to the
Unassigned folder in Enterprise Console.
When a computer is moved to the Unassigned folder, it
stops receiving new policies.
· If a computer is moved from one synchronized container to
another, then the computer is moved from one Enterprise
Console group to the other.
· If a computer already exists in an Enterprise Console group
when it is first synchronized, then it is moved from that group to
the synchronized group that matches its location in Active
Directory.
· When a computer is moved into a new group with different
policies, then new policies are sent to the computer.
By default, synchronization occurs every 60 minutes. You can
change the synchronization interval, if you want to.

How do I approach synchronization?


You decide which groups to synchronize with Active Directory
and how many synchronization points to set up. Check that the
groups that synchronization will create are of a manageable size, so
that you can deploy software, scan and clean up computers easily.
This is especially important for the initial deployment.
The recommended approach is as follows:
1. Import the group structure (without computers), using the
Import from Active Directory function. For instructions, see
Import groups from Active Directory.
2. Review the imported group structure and choose your
synchronization points.
3. Set up group policies and apply them to the groups and
subgroups. For instructions, see How do I create and use
policies?
4. Synchronize your chosen synchronization points, one at a time,
with Active Directory. For instructions, see Synchronize with
Active Directory.
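Before you turn a group into a synchronization point, it is worth knowing which computers the rules above will move, and in particular which ones will drop into the Unassigned folder and stop receiving policies. The Python script below is an added example, not part of Enterprise Console or of this manual: it models the documented rules as a dry run over a constructed console layout and Active Directory layout. It assumes that sub-containers become subgroups named after their RDN value, and that a computer in an unsynchronized console group which is absent from Active Directory is left where it is; neither detail is stated in the manual.

```python
"""Dry run of the Active Directory synchronization rules described above.

Added example, not part of the Sophos manual or product. It models the
documented rules (new computers appear; computers removed from AD or moved to
an unsynchronized container go to Unassigned and stop receiving policies;
computers moved between synchronized containers, or already sitting in a
console group, move to the group matching their AD location; a group with
different policies triggers a policy push). Assumptions of this example:
sub-containers become subgroups named after their RDN value, and a computer
in an unsynchronized console group that is absent from AD is left alone.
"""
from collections import namedtuple

UNASSIGNED = "Unassigned"
Move = namedtuple("Move", "computer old_group new_group reason")


def dn_parts(dn):
    """Split a container path like LDAP://OU=Sales,DC=corp,DC=local into RDNs."""
    if dn.upper().startswith("LDAP://"):
        dn = dn[len("LDAP://"):]
    return [p.strip() for p in dn.split(",")]


def container_to_group(dn, sync_points):
    """Map an AD container to the console group it synchronizes into, or None.
    sync_points: {console_group: container_dn}. The most specific (longest)
    matching synchronization point wins."""
    parts, best = dn_parts(dn), None
    for group, root in sync_points.items():
        root_parts = dn_parts(root)
        if len(parts) >= len(root_parts) and parts[-len(root_parts):] == root_parts:
            extra = parts[:len(parts) - len(root_parts)]   # sub-containers, innermost first
            names = [rdn.split("=", 1)[1] for rdn in reversed(extra)]
            if best is None or len(root_parts) > best[0]:
                best = (len(root_parts), "/".join([group] + names))
    return None if best is None else best[1]


def is_synchronized(group, sync_points):
    """True if the console group is a synchronization point or lies under one."""
    return any(group == sp or group.startswith(sp + "/") for sp in sync_points)


def reconcile(console_placement, ad_placement, sync_points):
    """Predict the moves one synchronization run would make.
    console_placement: {computer: current console group}
    ad_placement:      {computer: DN of its parent container in AD}"""
    moves = []
    for computer, container in ad_placement.items():
        target = container_to_group(container, sync_points)
        current = console_placement.get(computer)
        if target is None:
            if current is not None and is_synchronized(current, sync_points):
                moves.append(Move(computer, current, UNASSIGNED,
                                  "moved to an unsynchronized container"))
        elif current is None:
            moves.append(Move(computer, None, target, "new computer discovered in AD"))
        elif current != target:
            reason = ("moved between synchronized containers"
                      if is_synchronized(current, sync_points)
                      else "already in a console group; moved to its AD location")
            moves.append(Move(computer, current, target, reason))
    for computer, current in console_placement.items():
        if computer not in ad_placement and is_synchronized(current, sync_points):
            moves.append(Move(computer, current, UNASSIGNED, "removed from AD"))
    return moves


def policy_changes(moves, group_policies):
    """Which computers get new policies (or none) after the moves.
    group_policies: {group: frozenset of policy names}; Unassigned has none."""
    result = {}
    for m in moves:
        old = group_policies.get(m.old_group, frozenset())
        new = group_policies.get(m.new_group, frozenset())
        if m.new_group == UNASSIGNED:
            result[m.computer] = "stops receiving new policies"
        elif old != new:
            result[m.computer] = "receives " + ", ".join(sorted(new))
    return result


# Constructed sample data: one synchronization point and a handful of computers.
SYNC_POINTS = {"Workstations": "LDAP://OU=Workstations,DC=corp,DC=local"}
CONSOLE = {"PC01": "Workstations/Finance", "PC02": "Workstations/Sales",
           "PC03": "Legacy", "PC04": "Workstations/Finance", "PC06": "Workstations/Sales"}
AD = {"PC01": "OU=Finance,OU=Workstations,DC=corp,DC=local",   # unchanged
      "PC02": "OU=Finance,OU=Workstations,DC=corp,DC=local",   # moved Sales -> Finance
      "PC03": "OU=Finance,OU=Workstations,DC=corp,DC=local",   # was in a normal group
      "PC04": "OU=Servers,DC=corp,DC=local",                    # left the synced subtree
      "PC05": "OU=Sales,OU=Workstations,DC=corp,DC=local"}      # new in AD
POLICIES = {"Workstations/Finance": frozenset({"AV-Finance", "FW-Strict"}),
            "Workstations/Sales": frozenset({"AV-Default", "FW-Strict"}),
            "Legacy": frozenset({"AV-Default"})}

if __name__ == "__main__":
    moves = reconcile(CONSOLE, AD, SYNC_POINTS)
    changes = policy_changes(moves, POLICIES)
    for m in moves:
        print(f"{m.computer}: {m.old_group} -> {m.new_group} ({m.reason}); "
              f"{changes.get(m.computer, 'same policies')}")
```

Feed it an export of your intended synchronization points and the current console placement; the computers reported as moving to Unassigned are the ones you must re-home before enabling the synchronization point, because they lose policy delivery the moment they land there.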

What is a synchronization point?


A synchronization point is an Enterprise Console group that
points to a container (or subtree) in Active Directory. A
synchronization point can contain synchronized groups imported
from Active Directory.
In the Groups pane, a synchronization point is shown with its own icon.
You can move, rename, or delete a synchronization point. You can
also change policies and synchronization settings, including
automatic protection settings, for a synchronization point.

You cannot create or delete subgroups in a synchronization point, or
move other groups into it. You cannot move computers into or from
the synchronization point.

What is a synchronized group?


A synchronized group is a subgroup of a synchronization point,
imported from Active Directory.
In the Groups pane, a synchronized group is shown with its own icon.
You can change policies assigned to a synchronized group.
You cannot change any synchronized group settings other than
group policies. You cannot rename, move, or delete a synchronized
group. You cannot move computers or groups into or from the group.
You cannot create or delete subgroups in the group. You cannot
change synchronization settings for the group.

Synchronize with Active Directory


To synchronize with Active Directory:
1. Select a group that will become your synchronization point,
right-click and select Synchronize with Active Directory.
The Synchronize with Active Directory wizard starts.
2. On the Overview page of the wizard, click Next.
3. On the Choose an Enterprise Console group page, select or
create an Enterprise Console group that you want to keep
synchronized with Active Directory (synchronization point).
Click Next.
4. On the Choose an Active Directory container page, select an
Active Directory container which you want to synchronize the
group with. Enter the name of the container (e.g. LDAP://
CN=Computers,DC=domain_name,DC=local) or click Browse
to browse to the container in Active Directory. Click Next.
5. If you want to protect Windows 2000 or later workstations
automatically, on the Protect Computers Automatically page,
select the software you want to install. Leave Remove third-
party security software selected if you want to have another
vendor's software removed automatically.
If you need to remove another vendor's updating tool, see
Remove third-party security software.
You cannot install the firewall on computers running server
operating systems.
Before you can install Sophos NAC on computers, you must
click the link to specify the NAC server URL.
All Windows 2000 or later workstations discovered during this
and future synchronizations will be protected automatically, in
compliance with their respective group policies.
Computers running Windows 95/98/Me, Windows server
operating systems, Mac OS, Linux, or UNIX will not be
protected automatically. You must protect such computers
manually, as described in Protect computers that require
manual installation.
You can enable or disable automatic protection later, as
described in View and edit synchronization properties.
Click Next.
6. If you chose to protect computers automatically, on the Enter
Active Directory Credentials page, enter the details of an
administrator account that will be used to install software on
the computers. Click Next.
7. On the Choose the Synchronization Interval page, choose
how often you want to synchronize the Enterprise Console
group with the Active Directory container. The default is 60
minutes.
You can change the synchronization interval later, as
described in View and edit synchronization properties.
8. On the Confirm Your Choices page, check the details, and
then click Next to proceed.

9. On the last page of the wizard, you can view the details of the
groups and computers that have been synchronized.
You can also set up email alerts to be sent to your chosen
recipients about new computers and groups discovered during
future synchronizations. If you chose to protect computers in
synchronized groups automatically, you can also set up alerts
about automatic protection failures. To open the Configure
email alerts dialog box after you click Finish, select the check
box on the last page of the wizard. For instructions, see Set up
Active Directory email alerts.
To close the wizard, click Finish.

Protect computers automatically


Only workstations running Windows 2000 or later can be protected
automatically when discovered during synchronization with Active
Directory.
Computers running Windows 95/98/Me, Windows server
operating systems, Mac OS, Linux, or UNIX will not be
protected automatically. You must protect such computers
manually as described in Protect computers that require manual
installation.
You can protect computers in synchronized groups automatically
either when running the Synchronize with Active Directory wizard
or by editing the synchronization properties in the Synchronization
properties dialog box.
You cannot install the firewall on computers running server
operating systems.
Before you can install Sophos NAC on computers, you must
click the link to specify the NAC server URL.

Enable automatic protection in the Synchronize with Active Directory wizard


1. On the Protect Computers Automatically page, select the
software you want to install. Leave Remove third-party
security software selected if you want to have another vendor's
software removed automatically.
If you need to remove another vendor's updating tool, see
Remove third-party security software.
2. On the Enter Active Directory Credentials page of the
wizard, enter the username and password of an administrator
account that will be used to install software on the computers.
Click Next and complete the wizard.

Enable automatic protection in the Synchronization properties dialog box


1. In the Groups pane, select the group (synchronization point)
for which you want to enable automatic protection. Right-click
the group and select Synchronization properties.
2. In the Synchronization properties dialog box, select the
software you want to install. Leave Remove third-party
security software selected if you want to have another vendor's
software removed automatically.
3. Enter the username and password of an administrator account
that will be used to install software on the computers. Click
OK.

Disable automatic protection


Should you want to disable automatic protection later, in the
Synchronization properties dialog box, clear the Install Sophos
Anti-Virus automatically check box.

View and edit synchronization properties


1. In the Groups pane, select the group (synchronization point)
for which you want to edit synchronization properties. Right-
click the group and select Synchronization properties.
2. In the Synchronization properties dialog box, set the options
as described below.

Active Directory container

This field displays an Active Directory container which the
group is synchronized with.
This field is non-editable. You cannot change the container from
the Synchronization properties dialog box. If you want to
synchronize the group with a different Active Directory
container, remove synchronization and run the Synchronize
with Active Directory wizard again.
Synchronization interval

By default, synchronization occurs every 60 minutes. You can
change the synchronization interval. The minimum
synchronization interval is 5 minutes.
Automatic protection

Select the Install Sophos Anti-Virus automatically check box
if you want to protect all newly discovered Windows 2000 or
later workstations automatically, in compliance with their
respective group policies.
If you want to install the firewall or network access control as
well as anti-virus software, select Install Sophos Client
Firewall automatically or Install Sophos Network Access
Control automatically.
Before you can install Sophos NAC on computers, you must
click the link to specify the NAC server URL.
Only Windows 2000 or later workstations will be protected
automatically. Computers running Windows 95/98/Me,
Windows server operating systems, Mac OS, Linux, or
UNIX will not be protected automatically. You must protect
such computers manually, as described in Protect computers
that require manual installation.
In the Username field, enter the username of an administrator
account that will be used to install software on the computers.
In the Password field, enter the password of an administrator
account that will be used to install software on the computers.

Turn synchronization on or off


To turn the synchronization on, run the Synchronize with Active
Directory wizard as described in Synchronize with Active Directory.
To turn the synchronization off, select the group (synchronization
point) which you do not want to synchronize with Active Directory
anymore, right-click and select Remove synchronization. Click Yes
to confirm.


8 How do I protect new computers?


This section describes how to install Sophos Anti-Virus, Sophos
Client Firewall, and Sophos Network Access Control on networked
computers.
· Protect new computers
· Protect new types of computer
· Protect computers that are already in a group
· Protect computers that require manual installation
· Protect computers by using a login script
· Protect Windows 95/98/Me computers with a login script
· Add the firewall to protected computers
· Select software packages
· Default update directories
· Remove third-party security software

Protect new computers


New Windows computers can be protected automatically from the
console.
These instructions assume that you have already created groups and
applied an updating policy to them.
Automatic installation is not possible on Windows 95/98/Me,
Mac, Linux, and UNIX computers. Use manual installation
instead.
If you want to protect Windows XP computers automatically
from the console, make sure that "Simple File Sharing" is turned
off. For a full list of requirements for the anti-virus and firewall
software, see the Sophos Endpoint Security and Control Network
Startup Guide. For a list of system requirements for Sophos
NAC, see the Sophos NAC Installation Guide.

If you chose to synchronize with Active Directory and protect the
computers automatically, you do not need to follow the steps
below. See How do I synchronize with Active Directory? for
details.
1. Click the Find new computers icon on the toolbar. In the Find
new computers dialog box, specify how you want to find
computers.
Depending on your choice, Enterprise Console either creates a
group structure that mirrors an Active Directory container or
places new computers in the Unassigned folder. (See How do I
add computers to the console? for details.)
2. If you have computers in the Unassigned folder, drag the
computer(s) onto a group.
If you have imported groups and computers from Active
Directory, select the computers you want to protect, right-click
and select Protect computers.
The Protect computers wizard is launched.
3. On the Welcome page of the wizard, click Next.
4. On the Select security software page, select the software you
want. Leave Remove third-party security software selected if
you want to have another vendor's software removed
automatically.
If you need to remove another vendor's updating tool, see
Remove third-party security software.
Third-party software removal uninstalls only products with
the same functionality as those you install.
Sophos Client Firewall and Sophos NAC are available only if
your license includes them, and only for Windows 2000 or later.
You cannot install the firewall on computers running server
operating systems.

Before you can install Sophos NAC on computers, you must
click the link to specify the NAC server URL. If Sophos
NAC is installed on more than one server, use the URL of
the computer running the application, not the computer with
the database.
Click Next.
5. On the Protection summary page, any problems with
installation are shown in the Protection issues column. See the
troubleshooting section, or carry out manual installation for
these computers. Click Next.
6. On the Credentials page, enter details of an account which can
be used to install software. This account is typically a domain
administrator account. It must:
§ have local administrator rights on computers you want to
protect
§ be able to log on to the computer where you installed the
management server
§ have read access to the Primary server location specified in
the Updating policy.
If you are using a domain account, you must enter the
username in the form domain\user.

Protect new types of computer


If you add computers to the network that use an operating system you
have not protected before, follow the steps below.
Sophos treats Windows 2000 and later as one type of computer,
and Windows 95, 98 and Me as another type. If you have
Windows 2000 protected on your network already, and then add
Windows 2003 computers, you can use the usual steps to protect
new computers.
1. If you have not already done so, use EM Library to select and
download the software package for the new operating system.
For instructions, see Select software packages.
2. In Enterprise Console, find new computers on the network and
put them in the Unassigned folder.


3. Right-click the group where you will place the new computers
and select View group policy details. Make a note of the
updating policy used.
4. In the Policies pane, double-click the updating policy.
5. Select the new operating system. Click Configure.
6. In the Set updating policy dialog box, on the Primary server
tab, enter details of the folder from which computers will be
updated. Enter the username and password. Click OK. Click
OK again.
7. Drag the new computers onto the group. A wizard is launched
to help you protect the computers.
8. On the Welcome page of the wizard, click Next.
9. On the Select security software page, select the software you
want. Leave Remove third-party security software selected if
you want to have another vendor's software removed
automatically.
If you need to remove another vendor's updating tool, see
Remove third-party security software.
Sophos Client Firewall and Sophos NAC are available only if
your license includes them, and only for Windows 2000 or later.
You cannot install the firewall on computers running server
operating systems.
Before you can install Sophos NAC on computers, you must
click the link to specify the NAC server URL.
Click Next.
10. On the Protection summary page, any problems with
installation are shown in the Protection issues column. See the
Troubleshooting section, or carry out manual installation for
these computers. Click Next.
11. On the Credentials page, enter details of an account which can
be used to install software. This account is typically a domain
administrator account. It must:
§ have local administrator rights on computers you want to
protect
§ be able to log on to the computer where you installed the
management server
§ have read access to the Primary server location specified in
the Updating policy.
If you are using a domain account, you must enter the
username in the form domain\user.
12. Repeat steps 3 to 11 for any other groups in which you want to
put the new computers.

Protect computers that are already in a group


If you have placed computers in a user-defined group, but not
protected them yet, you can protect them automatically as follows:
These instructions assume that you have already applied an updating
policy to the group.
Automatic installation is not possible on Windows 95/98/Me
computers. Use manual installation instead.
1. Select the computer(s). Right-click and select Protect
computers. The Protect computers wizard is launched.
2. On the Welcome page of the wizard, click Next.
3. On the Select security software page, select the software you
want. Leave Remove third-party security software selected if
you want to have another vendor's software removed
automatically.
If you need to remove another vendor's updating tool, see
Remove third-party security software.
Sophos Client Firewall and Sophos NAC are available only if
your license includes them, and only for Windows 2000 or later.
You cannot install the firewall on computers running server
operating systems.
Before you can install Sophos NAC on computers, you must
click the link to specify the NAC server URL.
Click Next.
4. On the Protection summary page, any problems with
installation are shown in the Protection issues column. See the
troubleshooting section, or carry out manual installation for
these computers. Click Next.
5. On the Credentials page, enter details of an account which can
be used to install software. This account is typically a domain
administrator account. It must:
§ have local administrator rights on computers you want to
protect
§ be able to log on to the computer where you installed the
management server
§ have read access to the Primary server location specified in
the Updating policy.
If you are using a domain account, you must enter the
username in the form domain\user.

Protect computers that require manual installation


If Enterprise Console is unable to install anti-virus, firewall, or NAC
software on certain computers automatically, you can perform the
installation manually.
Enterprise Console will subsequently manage and update these
installations, provided that you have put the computers into a group
or groups.
Alternatively, you can perform the installation automatically by
using a script. See Protect computers by using a login script.
If you have a previous version of Sophos Anti-Virus on
Windows 95, 98 or Me, you must uninstall it before installing the
latest version.
You install manually as follows:

1. In Enterprise Console, select the computer(s) where you want
to make a manual installation. Click the Update details tab and
look in the Primary server column. This shows you the
directory that each computer will update from.
Alternatively, if you are using the default directories, see
Default update directories for a list of the directories.
If your license includes the firewall, you can install it along
with the NAC and anti-virus software, on Windows 2000 or
later computers. Look for the directory for Sophos Endpoint
Security and Control. The directory name is SAVSCFXP.
2. Go to the computer and browse to the directory that it will
update from.
On a Windows computer, double-click setup.exe.
To protect Windows 2000 or later computers with the firewall,
as well as anti-virus software, open a command prompt and run
setup.exe with the appropriate qualifier:
To install anti-virus only, type: setup.exe -sav
To install anti-virus and firewall, type: setup.exe -scf
To install anti-virus, firewall, and NAC (and specify the NAC
server location), type: setup.exe -scf -nac http://<nacserver>
On a Mac OS X computer, double-click Sophos Anti-Virus.mpkg.
On a Linux or UNIX computer, install Sophos Anti-Virus using
the distribution package, as described in the Sophos Endpoint
Security and Control Network Startup Guide.
If you have Linux or UNIX computers managed from the
console, make sure a unique hostname is configured for each
computer. Otherwise, each computer will be displayed in the
console with the default name "localhost."

Protect computers by using a login script


You can protect computers with anti-virus software (and with the
firewall if your license includes it) by running the installation
program with a script or a program like Microsoft SMS.
Enterprise Console will subsequently manage and update these
installations, provided that you have put the computers into a
group or groups.
Finding the installation program you need

The installation program is in the directory where EM Library places
Sophos updates. To check which directory this is, look in the
computer list and find the computer(s) you want to protect. Click the
Update details tab and look in the Primary server column.
Alternatively, if you are using the default directories, see Default
update directories for a list of the directories.
Protecting Windows 95/98/Me computers

For Windows 95/98/Me computers, use a login script to run setup.exe.
For instructions, see Protect Windows 95/98/Me computers with
a login script.
Protecting Mac OS X computers

For Mac OS X computers, use Apple Remote Desktop. Go to the
central installation directory and copy the installer to the computer
running Apple Remote Desktop before using it.
Protecting Windows 2000 or later computers

If you want to protect Windows 2000 or later computers with the
firewall and/or network access control, as well as anti-virus software,
you must:
· Ensure that you use the correct setup program. This is the setup
program for Sophos Endpoint Security and Control and it is in a
directory called SAVSCFXP.
· Run the setup program with the -scf qualifier (for the firewall)
and the -nac qualifier for network access control.

Protect Windows 95/98/Me computers with a login script


To protect Windows 95/98/Me computers with a login script, do as
follows:
1. If you do not already know it, find the location of the directory
that contains the installation program.
To do this, check which updating policy the computers use. In
the Policies pane, double-click the policy. Select Windows
95/98/Me and click Configure. Then note the Address shown.
2. Add the following line to the login script:
[Path]\setup.exe -user [domain\name] -pwd [password] -login -s
where [Path] is the location of the directory that contains the
installation program (e.g. \\Servername\InterChk\ES9x), and the
username and password are for an account that is able to log on
to your Windows 95/98/Me computers, and has read access to
the CID share (in this example \\Servername\InterChk).
If you have any Windows 95 computers, you must run a
small utility on them before installation. From the Sophos
Endpoint Security and Control Network Install CD, copy the
file Tools/Utils/w95ws2setup.exe to your server. Then insert
a line in the login script, before the line shown above, to run
this utility.
The user account you specify must
§ be able to log on to the computers you want to protect
§ have administrator rights on the computers you want to
protect
§ have read access to the Primary server location specified in
the Updating policy.
Because the username and password appear in clear text in the login
script, which every user who runs it at logon can read, use an account
that has only these rights and no wider privileges.
If you do not want to manage the computers with Enterprise
Console, add the parameter -mng no.
The next time your users log in, their computers will install the anti-
virus software.

60
How do I protect new computers?

Add the firewall to protected computers

If you have already protected your computers with Sophos Anti-Virus, you can install the Sophos Client Firewall on them, provided that your license includes the firewall.
The firewall can be installed only on computers running Windows 2000 or later. You cannot install the firewall on computers running server operating systems.
1. If you have not already done so, use EM Library to select and download the "Sophos Endpoint Security and Control" package, which includes the firewall. For instructions, see Select software packages.
2. Select the computer(s) where you want to install the firewall. Right-click and select Protect computers. A wizard is launched.
3. On the Welcome page of the wizard, click Next.
4. On the Select security software page, select Install Sophos Client Firewall.
5. On the Protection summary page, any problems with installation are shown in the Protection issues column. See the troubleshooting section, or carry out manual installation for these computers. Click Next.
6. On the Credentials page, enter details of an account which can be used to install software. This account is typically a domain administrator account.

Select software packages

Before you can install new anti-virus, firewall, or network access control software on your networked computers, you must ensure that you have selected the right software packages to be downloaded from Sophos. You do this as follows:
1. Click the Libraries icon on the toolbar. The Sophos EM Library window is displayed.
2. The Configuration view is open by default. Click Select Packages. Right-click the package you want. Select Subscribe, and follow the prompts.
The "Sophos Endpoint Security and Control" package includes Sophos Anti-Virus for Windows 2000/XP/2003/Vista, Sophos Client Firewall, and Sophos NAC.
A quick way to get a new package is to go to the Library menu and select Select Packages there. This puts the package in a default location.
3. Click Download Packages.
4. In the EM Library message box, click Yes.
5. Close the EM Library window to return to Enterprise Console.

Default update directories

If you accepted the defaults when you set up Sophos EM Library, the folders from which each product is installed and updated are as follows. The directory for "Sophos Endpoint Security and Control" contains the installers for Sophos Anti-Virus, Sophos Client Firewall and Sophos NAC.

Product                                                              Default directory
Sophos Endpoint Security and Control for Windows 2000/XP/2003/Vista  \\Servername\InterChk\SAVSCFXP
Sophos Anti-Virus for Windows 2000/XP/2003/Vista                     \\Servername\InterChk\ESXP
Sophos Anti-Virus for Windows NT                                     \\Servername\InterChk\ESNT
Sophos Anti-Virus for Windows 95/98/Me                               \\Servername\InterChk\ES9x
Sophos Anti-Virus for Mac OS X                                       \\Servername\InterChk\ESOSX
Sophos Anti-Virus for Linux                                          \\Servername\InterChk\savlinux
Sophos Anti-Virus for UNIX                                           \\Servername\InterChk\EESAVUNIX

Remove third-party security software

If you want to remove any previously installed security software, do the following BEFORE running the Remove third-party security software option in the Protect computers wizard:
· If computers are running another vendor's anti-virus software, ensure that its user interface is closed.
· If computers are running another vendor's firewall or HIPS product, ensure that it is turned off or configured to allow the Sophos installer to run.
· If you want to remove not just the other vendor's software but also the other vendor's update tool (to prevent it from reinstalling the software automatically), follow the steps below. If computers have no update tool installed, you can disregard the steps below.
You have to restart any computers from which you remove third-party anti-virus software.
If computers have another vendor's update tool installed and you wish to remove the update tool, you will need to modify the configuration file before running the Remove third-party security software option in the Protect computers wizard:
1. In the Central Installation Directory, find the data.zip file.
2. Extract the crt.cfg configuration file from data.zip.
3. Edit crt.cfg to change the line reading "RemoveUpdateTools=0" to "RemoveUpdateTools=1".
4. Save your changes and save crt.cfg to the same directory that contains data.zip. Do not put crt.cfg back into data.zip, or it will be overwritten the next time the data.zip file is updated.
When you run the Protect computers wizard and choose Remove third-party security software, the modified configuration file will now remove any third-party security update tools as well as third-party security software.
If computers are running another vendor's firewall or HIPS product, you may need to leave that vendor's update tool intact. See that vendor's documentation for clarification.

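The edit in steps 1 to 4, done programmatically, as an added example in Python (not part of Enterprise Console or of the Sophos installer): it takes crt.cfg out of data.zip, sets RemoveUpdateTools to 1 and writes the result beside data.zip, leaving the archive itself untouched so that the next data.zip update cannot overwrite the change. The sample crt.cfg contents are constructed for the example; the only assumption about the real file is that it is a plain text file of key=value lines.

```python
"""Set RemoveUpdateTools=1 in crt.cfg, reading it from data.zip and writing
the edited copy next to data.zip. Added example; not Sophos code."""
import os
import re
import tempfile
import zipfile

KEY = "RemoveUpdateTools"
# key, optional spaces, '=', the value, then anything else on the line
_LINE = re.compile(r"^(\s*" + re.escape(KEY) + r"\s*=\s*)(\S*)(.*)$", re.IGNORECASE)

# Constructed sample; the real crt.cfg has other settings not shown here.
SAMPLE_CRT_CFG = (
    "; crt.cfg (constructed sample)\r\n"
    "RemoveUpdateTools=0\r\n"
    "SomeOtherSetting=keep\r\n"
)


def set_remove_update_tools(cfg_text, value="1"):
    """Return cfg_text with exactly one RemoveUpdateTools line set to `value`.

    Every other line, and the file's own line endings, are kept unchanged.
    Refuses to guess if the key is absent or appears more than once.
    """
    out, hits = [], 0
    for raw in cfg_text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        eol = raw[len(body):]
        m = _LINE.match(body)
        if m:
            hits += 1
            body = m.group(1) + value + m.group(3)
        out.append(body + eol)
    if hits != 1:
        raise ValueError("expected exactly one %s line, found %d" % (KEY, hits))
    return "".join(out)


def enable_update_tool_removal(cid_dir):
    """Extract crt.cfg from <cid_dir>/data.zip, edit it, write <cid_dir>/crt.cfg.

    The archive is only read; the edited file lives beside it (step 4).
    """
    zip_path = os.path.join(cid_dir, "data.zip")
    with zipfile.ZipFile(zip_path) as zf:
        member = next(n for n in zf.namelist()
                      if n.rsplit("/", 1)[-1].lower() == "crt.cfg")
        cfg_text = zf.read(member).decode("utf-8")
    out_path = os.path.join(cid_dir, "crt.cfg")
    with open(out_path, "w", encoding="utf-8", newline="") as fh:
        fh.write(set_remove_update_tools(cfg_text, "1"))
    return out_path


def make_sample_cid(cid_dir):
    """Write a throw-away data.zip holding the constructed crt.cfg."""
    with zipfile.ZipFile(os.path.join(cid_dir, "data.zip"), "w") as zf:
        zf.writestr("crt.cfg", SAMPLE_CRT_CFG)


def demo():
    """Run the whole procedure on a temporary CID and report what changed."""
    with tempfile.TemporaryDirectory() as cid:
        make_sample_cid(cid)
        out_path = enable_update_tool_removal(cid)
        with open(out_path, encoding="utf-8", newline="") as fh:
            edited = fh.read()
        with zipfile.ZipFile(os.path.join(cid, "data.zip")) as zf:
            archived = zf.read("crt.cfg").decode("utf-8")
    return {
        "edited_has_one": "RemoveUpdateTools=1\r\n" in edited,
        "archive_untouched": archived == SAMPLE_CRT_CFG,
        "other_lines_kept": "SomeOtherSetting=keep\r\n" in edited,
    }


if __name__ == "__main__":
    print(demo())
```

Point enable_update_tool_removal at the real Central Installation Directory to apply the change; the function raises rather than silently appending a line if the key is missing, because a crt.cfg without that setting is not a file the procedure above describes.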
9 How do I check whether my network is protected?

This section describes how to use and configure the dashboard and how to ensure that computers are properly protected. It also tells you how to identify computers with a problem, using the computer list filters, and how to take action to resolve the problem.
· The dashboard overview
· Configure the dashboard
· Which computers are protected?
· Which computers are up to date?
· Find computers that are unprotected
· Find computers without the firewall installed
· Find computers with alerts that need attention
· Find out-of-date computers
· Find computers not managed by the console
· Find computers disconnected from the network
You can also check whether all the computers in a group comply with the policies for that group, as described in Check whether computers use the group policies.

The dashboard overview

Use the dashboard to check your network's security status. To show or hide the dashboard, click the Dashboard button on the toolbar.

The dashboard interface

The dashboard consists of the following six sections:

Computers
This section displays the total number of computers on the network and the number of connected, managed and unmanaged computers. To view a list of managed, unmanaged, connected or all computers, click one of the links in the Computers section.

Updates
This section displays the date and time of the last update from Sophos. To open the EM Library console, click the section title, Updates.

Computers with alerts
This section displays the number and percentage of managed computers with alerts about:
· Known and unknown viruses and spyware
· Suspicious behavior and files
· Applications blocked by the firewall
· Adware and other potentially unwanted applications
· Controlled applications
To view a list of managed computers with outstanding alerts, click the section title, Computers with alerts.

Policies
This section displays the number and percentage of managed computers with group policy violations or policy comparison errors. It also includes computers that have not yet responded to a changed policy sent to them from the console. To view a list of managed computers that differ from policy, click the section title, Policies.

Protection
This section displays the number and percentage of managed and connected computers on which Sophos Anti-Virus is out of date or uses unknown detection data. To view a list of managed, connected, out-of-date computers, click the section title, Protection.

Errors
This section displays the number and percentage of managed computers with outstanding Sophos Anti-Virus, updating, or Sophos Client Firewall errors. To view a list of managed computers with outstanding Sophos product errors, click the section title, Errors.

The dashboard security status indicators

There are three security status indicators that the dashboard can display.

Sign   Explanation
Green  "Normal" status. The number of affected computers is below the warning level.
Amber  "Warning" status. The warning threshold has been exceeded.
Red    "Critical" status. The critical threshold has been exceeded.

The indicators are displayed for each section and for the entire dashboard.
A dashboard section health indicator is an icon displayed in the upper-right corner of a dashboard section, next to its heading, that shows the status of the security area represented by the section. It shows the status of the indicator in that section with the most severe status, that is:
· A section health indicator changes from "Normal" to "Warning" when a warning threshold is exceeded for at least one indicator in the section.
· A section health indicator changes from "Warning" to "Critical" when a critical threshold is exceeded for at least one indicator in the section.
The network's overall health indicator is an icon displayed in the lower-right corner of the Enterprise Console window, in the status bar, that shows the overall security status of the network. It shows the status of the dashboard section with the most severe status, that is:
· The network's overall health indicator changes from "Normal" to "Warning" when a warning threshold is exceeded for at least one indicator in the dashboard.
· The network's overall health indicator changes from "Warning" to "Critical" when a critical threshold is exceeded for at least one indicator in the dashboard.
When you first install or upgrade Enterprise Console, the dashboard uses the default warning and critical levels. You can configure your own warning and critical levels in the Configure dashboard dialog box. For instructions, see Configure the dashboard.
You can also set up email alerts to be sent to your chosen recipients when a warning or critical level has been exceeded for a dashboard section. For instructions, see Set up network status email alerts.

Configure the dashboard

The dashboard displays warning or critical status indicators based on the percentage of managed computers that have outstanding alerts or errors, or on the time since the last update from Sophos. You can set the warning and critical levels you want to use.
1. On the Tools menu, select Configure, and then click Dashboard. The Configure dashboard dialog box is displayed. For information about the default dashboard configuration settings, see What are the default dashboard configuration settings?
2. Change the threshold values in the Warning level and Critical level text boxes as appropriate.
If you set a level to zero, warnings are triggered as soon as the first alert is received.
Under Computers with outstanding alerts, Computers with Sophos product errors, and Policy and protection, enter the percentage of managed computers affected by a particular problem that will change the respective indicator to "warning" or "critical".
Under Latest protection from Sophos, enter the time since the last successful update from Sophos, in hours, that will change the "Updates" indicator to "warning" or "critical".
Click OK.
You can also set up email alerts to be sent to your chosen recipients when a warning or critical threshold has been exceeded. For instructions, see Set up network status email alerts.

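The threshold and roll-up rules from the two sections above, written out as an added Python example (this is not console code): each percentage-based indicator is compared against its warning and critical levels, a section takes the worst status of its indicators, and the network takes the worst status of its sections. Treating "exceeded" as strictly greater-than is what makes a level of zero fire on the first affected computer. The computer counts and the threshold values are constructed for the example; the console's real default levels are not reproduced on this page, so they are not assumed here.

```python
"""Dashboard status roll-up: indicator -> section -> network. Added example."""

NORMAL, WARNING, CRITICAL = "normal", "warning", "critical"
_RANK = {NORMAL: 0, WARNING: 1, CRITICAL: 2}


def indicator_status(affected, total, warning_pct, critical_pct):
    """Status of one percentage-based indicator (alerts, errors, policy, protection).

    'Exceeded' means strictly greater than the level, so a level of 0 turns
    amber as soon as a single computer is affected, as the manual describes.
    """
    if warning_pct > critical_pct:
        raise ValueError("warning level must not be above critical level")
    pct = 100.0 * affected / total if total else 0.0
    if pct > critical_pct:
        return CRITICAL
    if pct > warning_pct:
        return WARNING
    return NORMAL


def updates_status(hours_since_update, warning_hours, critical_hours):
    """The Updates section is time-based: hours since the last update from Sophos."""
    if hours_since_update > critical_hours:
        return CRITICAL
    if hours_since_update > warning_hours:
        return WARNING
    return NORMAL


def most_severe(statuses):
    """Worst status in an iterable; an empty iterable is 'normal'."""
    worst = NORMAL
    for s in statuses:
        if _RANK[s] > _RANK[worst]:
            worst = s
    return worst


def dashboard_status(sections, thresholds, hours_since_update):
    """sections: {name: (denominator, {indicator: affected})}.
    thresholds: {name: (warning, critical)}, with 'updates' given in hours.
    Returns ({section: status}, overall network status)."""
    result = {}
    for name, (total, indicators) in sections.items():
        warn, crit = thresholds[name]
        result[name] = most_severe(
            indicator_status(n, total, warn, crit) for n in indicators.values())
    warn_h, crit_h = thresholds["updates"]
    result["updates"] = updates_status(hours_since_update, warn_h, crit_h)
    return result, most_severe(result.values())


# Constructed sample: 200 managed computers, 180 of them connected (the
# Protection section counts managed AND connected computers). Thresholds are
# illustrative, not the console defaults.
SAMPLE_SECTIONS = {
    "alerts": (200, {"viruses_spyware": 3, "suspicious": 0,
                     "firewall_blocked": 0, "adware_pua": 1, "controlled_apps": 0}),
    "errors": (200, {"anti_virus": 0, "updating": 12, "firewall": 0}),
    "policies": (200, {"policy_differs": 2}),
    "protection": (180, {"out_of_date": 1}),
}
SAMPLE_THRESHOLDS = {
    "alerts": (1, 5), "errors": (1, 5), "policies": (1, 5), "protection": (1, 5),
    "updates": (24, 48),  # hours since last successful update
}

if __name__ == "__main__":
    print(dashboard_status(SAMPLE_SECTIONS, SAMPLE_THRESHOLDS, hours_since_update=3))
```

With the sample data the alerts section is amber (3 of 200 is 1.5%, above the 1% warning level), the errors section is red (12 of 200 is 6%, above the 5% critical level), and that single red section is enough to turn the network's overall indicator red.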
What are the default dashboard configuration settings?

The default dashboard configuration settings are shown in the figure below.

Which computers are protected?

Computers are protected if they are running on-access scanning and the firewall (if you have installed it). For full protection, the software must also be up to date.
You may have chosen not to use on-access scanning on certain types of computer, e.g. file servers. In this case, ensure that the computers use scheduled scans and that they are up to date.
To check that computers are protected:
1. Select the group of computers you want to check.
2. If you want to check computers in sub-groups of the group, select At this level and below in the drop-down list.
3. In the list of computers, look in the On-access column. If you see "Active", the computer is running on-access scanning. If you see a gray shield, it is not.
4. If you installed the firewall, look in the Firewall enabled column. If you see "Yes", the computer has firewall protection.
5. Next look in the Up to date column. If you see "Yes", the computer is up to date. If you see a clock icon and a date, it is not.
You can display a list of computers that are not properly protected or have other protection-related problems. Go to the View drop-down list and select Computers with potential problems. You can also select a subentry of this entry to display computers affected by a specific problem (e.g. computers that differ from group policy or where a Sophos product error has occurred).

Which computers are up to date?

If you set up Enterprise Console as recommended, computers should receive updates automatically.
1. Select the group of computers you want to check.
2. If you want to check computers in any sub-groups, select At this level and below in the drop-down list.
3. Look in the Up to date column. If you see "Yes", the computer is up to date. If you see a clock icon, the computer is out of date. The text indicates how long the computer has been out of date.
To update computers immediately, select the computers. Right-click and select Update computers now.

Find computers that are unprotected

A computer is not properly protected if it is not running on-access scanning or if the firewall (where installed) is disabled.
You may have chosen not to use on-access scanning on certain types of computer, e.g. file servers. In this case, ensure that the computers use scheduled scans and that they are up to date.
If a computer is not running on-access scanning, a gray shield and the word "Inactive" are displayed in the On-access column on the Status page.
If the firewall is disabled, a gray firewall icon (a brick wall) is displayed in the Firewall enabled column.
To display all computers that are not properly protected and to deal with the problem, do as follows:
1. Select the group where you want to find the computers.
2. On the toolbar, in the View drop-down list, select Computers with potential problems. You can also select a subentry of this entry to display computers affected by a specific problem (e.g. computers that differ from group policy or where a Sophos product error has occurred).
3. If the group contains subgroups, also select whether you want to find computers At this level only or At this level and below.
4. Any computers that have protection problems will be listed.
If there are computers not running on-access scanning, check which anti-virus policy is used by those computers. Ensure that on-access scanning is enabled in that policy.
If there are computers with the firewall disabled, check which firewall policy is used by those computers. Ensure that the firewall is enabled in that policy.
5. Ensure that the computers comply with the policy for their group.

Find computers without the firewall installed

If a computer does not have the firewall installed, a gray firewall icon (brick wall) is displayed in the Firewall enabled column on the Status page.
To display all such computers and fix the problem, do as follows:
1. Select the group where you want to find computers without the firewall.
2. On the toolbar, in the View drop-down list, select Computers without Sophos firewall.
3. If the group contains subgroups, also select whether you want to find computers At this level only or At this level and below.
4. If there are computers on which you want to install the firewall, select them, right-click and select Protect computers. When prompted to select software, select Install Sophos Client Firewall.

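The checks described in "Which computers are protected?", "Find computers that are unprotected" and "Find computers without the firewall installed", applied to a set of status-page rows in an added Python example (not console code): a managed computer is flagged when on-access scanning is inactive (unless it is one of the machines deliberately covered by scheduled scans instead), when an installed firewall is disabled, or when it is out of date, and a separate view lists managed computers with no firewall at all. The rows are constructed for the example, and the field names on ComputerRow are this example's own, not the console's column identifiers.

```python
"""Status-page filters as functions over constructed rows. Added example."""
from dataclasses import dataclass


@dataclass
class ComputerRow:
    name: str
    managed: bool             # grayed-out rows on the Status page are unmanaged
    on_access_active: bool    # On-access column reads "Active"
    firewall_installed: bool  # False: gray brick wall, firewall not installed
    firewall_enabled: bool    # Firewall enabled column reads "Yes"
    up_to_date: bool          # Up to date column reads "Yes" (no clock icon)
    scheduled_scans: bool = False  # on-access deliberately off, e.g. a file server


def protection_problems(row):
    """Problems for one managed computer, in the order the manual checks them."""
    problems = []
    # A file server covered by scheduled scans is not flagged for on-access,
    # but it must still be up to date, so that check is never skipped.
    if not row.on_access_active and not row.scheduled_scans:
        problems.append("on-access scanning inactive")
    # Only an installed-but-disabled firewall is a protection problem here;
    # "not installed" belongs to the Computers without Sophos firewall view.
    if row.firewall_installed and not row.firewall_enabled:
        problems.append("firewall disabled")
    if not row.up_to_date:
        problems.append("out of date")
    return problems


def computers_with_potential_problems(rows):
    """The 'Computers with potential problems' view as {name: [problems]}."""
    found = {}
    for row in rows:
        if not row.managed:
            continue  # unmanaged computers have their own view
        problems = protection_problems(row)
        if problems:
            found[row.name] = problems
    return found


def computers_without_firewall(rows):
    """The 'Computers without Sophos firewall' view (managed computers only)."""
    return [r.name for r in rows if r.managed and not r.firewall_installed]


# Constructed rows; names and states are invented for the example.
SAMPLE_ROWS = [
    ComputerRow("WS-01", True, True, True, True, True),
    ComputerRow("WS-02", True, False, True, True, True),
    ComputerRow("WS-03", True, True, True, False, False),
    ComputerRow("FS-01", True, False, False, False, True, scheduled_scans=True),
    ComputerRow("LAP-05", True, True, False, False, True),
    ComputerRow("OLD-09", False, False, False, False, False),
]

if __name__ == "__main__":
    for name, problems in computers_with_potential_problems(SAMPLE_ROWS).items():
        print(name, "->", ", ".join(problems))
    print("no firewall:", computers_without_firewall(SAMPLE_ROWS))
```

On the sample rows WS-02 (on-access inactive) and WS-03 (firewall disabled, out of date) appear in the potential-problems view, FS-01 does not because its scheduled-scan exemption applies and it is current, and FS-01 and LAP-05 appear in the without-firewall view; the unmanaged OLD-09 appears in neither.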
Find computers with alerts that need attention

If a computer has an alert that needs your attention, an alert icon is shown in the Alerts and errors column on the Status page. A red warning sign indicates a virus or spyware. A yellow sign indicates a suspicious behavior or file, an adware or other potentially unwanted application, an application blocked by the firewall, a controlled application, or an error.
To display the computers that have alerts that still need attention, do as follows:
1. Select the group where you want to find computers with alerts.
2. On the toolbar, in the View drop-down list, select Managed computers with outstanding alerts.
3. If the group contains subgroups, also select whether you want to find computers At this level only or At this level and below.
4. If there are computers with a virus or an application you do not want, see Clean up computers now. If there are computers with an adware or other potentially unwanted application that you do want, see Authorize adware/PUA. If the firewall has blocked an application you do want to run, see Allow applications that have been blocked. If there are out-of-date computers, see Find out-of-date computers for help with diagnosing and fixing the problem.
If you no longer need the alert displayed, you can clear it. Select the computer(s) with alerts, right-click and select Acknowledge alerts and errors. Acknowledging an alert only removes it from the console; it does not clean up the computer.

Find out-of-date computers

If a computer has out-of-date anti-virus software, a clock icon is displayed in the Up to date column on the Status page. The text indicates how long the computer has been out of date.
A computer can be out of date for one of two reasons:
· That computer has failed to fetch an update from the server.
· The server itself does not have the latest Sophos software.
This section tells you how to diagnose the problem and update the computers.
1. Select the group where you want to find out-of-date computers.
2. On the Status tabbed page, click the Up to date column to sort computers by up-to-dateness.
3. Click the Update details tab and look in the Primary server column. This shows you the directory that each computer updates from.
4. Now look at the computers that update from one particular directory.
If some are out of date, but others are not, the problem is with individual computers. Select them, right-click and select Update computers now.
If all are out of date, the problem could be with the directory. Click the Libraries icon on the toolbar. In the EM Library console, click the library name (in the left-hand pane), then click Central Installations. Select the directory that you suspect to be out of date, right-click and select Update CID. Then go back to Enterprise Console, select the out-of-date computers, right-click and select Update computers now.

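The diagnosis in step 4, as an added Python example rather than anything from the console: it groups Update details rows by Primary server and decides, per directory, whether to run Update CID first or to go straight to Update computers now. The rows are constructed; the assumed columns are the computer name, the Primary server path and whether the Up to date column reads Yes. One refinement the manual leaves implicit is handled explicitly: when only a single computer updates from a directory, "all out of date" and "one computer failed" are indistinguishable, so that case is reported as inconclusive instead of blaming the CID.

```python
"""Per-CID triage of out-of-date computers. Added example, not console code."""
from collections import defaultdict


def _cid_key(path):
    """UNC paths are case-insensitive; normalise so one CID is one group."""
    return path.rstrip("\\/").lower()


def triage_out_of_date(rows):
    """rows: iterable of (computer, primary_server, up_to_date).

    Returns {cid: (verdict, [stale computers])} where verdict is one of
      "computers"    some computers on this CID are current, so the CID is
                     fine: run Update computers now on the stale ones
      "cid"          every computer on this CID is stale: run Update CID first,
                     then Update computers now
      "inconclusive" only one computer uses this CID; either cause fits
    CIDs with no stale computers are omitted.
    """
    by_cid = defaultdict(list)
    for name, server, current in rows:
        by_cid[_cid_key(server)].append((name, bool(current)))

    verdicts = {}
    for cid, members in by_cid.items():
        stale = [name for name, ok in members if not ok]
        if not stale:
            continue
        if len(stale) < len(members):
            verdicts[cid] = ("computers", stale)
        elif len(members) == 1:
            verdicts[cid] = ("inconclusive", stale)
        else:
            verdicts[cid] = ("cid", stale)
    return verdicts


# Constructed Update details rows: (computer, Primary server, Up to date == Yes)
SAMPLE_UPDATE_DETAILS = [
    ("PC-01", r"\\Servername\InterChk\SAVSCFXP", True),
    ("PC-02", r"\\Servername\InterChk\SAVSCFXP", False),
    ("PC-03", r"\\servername\interchk\SAVSCFXP\\", True),  # same CID, odd spelling
    ("LAP-07", r"\\Branch01\InterChk\SAVSCFXP", False),
    ("LAP-08", r"\\Branch01\InterChk\SAVSCFXP", False),
    ("KIOSK-1", r"\\Lobby\InterChk\SAVSCFXP", False),
]

if __name__ == "__main__":
    for cid, (verdict, stale) in triage_out_of_date(SAMPLE_UPDATE_DETAILS).items():
        print("%-35s %-13s %s" % (cid, verdict, ", ".join(stale)))
```

For the sample rows the head-office CID is healthy and only PC-02 needs Update computers now, the Branch01 CID is the likely culprit for LAP-07 and LAP-08, and the lobby kiosk, alone on its CID, needs a closer look before either action is chosen.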
Find computers not managed by the console

Windows, Mac, Linux, and UNIX computers should be managed by Enterprise Console, so that they can be updated and monitored.
If a computer is not managed, its details on the Status tabbed page are grayed out.
You find and fix unmanaged computers as follows:
1. On the toolbar, in the View drop-down list, select Unmanaged computers.
2. Select any computers that are listed. Right-click and select Protect computers to install a managed version of Sophos Anti-Virus.
3. If there are computers on which Enterprise Console cannot install Sophos Anti-Virus automatically, carry out a manual installation.
Unless you use Active Directory synchronization, new computers added to the network are not displayed or managed by the console automatically. Click Find new computers in the toolbar to search for them and place them in the Unassigned folder.


Find computers disconnected from the network

If a computer is disconnected from the network, a red cross appears by the icon next to its name on the Status page.
To display a list of the computers that are disconnected, do as follows:
1. Select the group where you want to find disconnected computers.
2. On the toolbar, in the View drop-down list, select Disconnected computers.
3. If the group contains subgroups, also select whether you want to find computers At this level only or At this level and below.
"Disconnected computers" here means computers that are usually managed by Enterprise Console but are currently disconnected. Unmanaged disconnected computers are not shown.


10 How do I update computers?

This section describes how to set up and configure automatic updating of computers in each group and how to update computers on request.
· Set up automatic updating
· Select a source for updates
· Select an alternative source for updates
· Schedule updates
· Update computers now
· Make computers update when they dial up
· Specify a proxy server for updating
· Limit the bandwidth used
· Select a different source for initial installation
· Log updates

Set up automatic updating

You set up automatic updating as follows. You must follow these steps for each type of computer (e.g. Windows 2000 and later) in the group(s) you will apply this updating policy to.
1. To create a new updating policy, in the Policies pane, right-click Updating and select Create policy. Enter a name for the policy, and then press Enter to save the name. Double-click the new policy to edit it.
To edit the default policy, double-click Updating and then double-click Default.
To edit a policy created earlier, check which updating policy is used by the group(s) of computers you want to configure. In the Policies pane, double-click Updating. Then double-click the policy you want to change.
2. In the Updating policy dialog box, select an operating system. Click Configure.
3. In the Set updating policy dialog box, click the Primary server tab and set the options as described below.
Address
Enter the address (UNC (network) path or web address) from which Sophos Anti-Virus will usually fetch updates.
Username
If necessary, enter the Username for the account that will be used to access the server, and then enter and confirm the Password. This account needs only read access to the directory you entered in the Address field; give it no further rights, because every computer that uses the policy receives these credentials. If the Username needs to be qualified to indicate the domain, use the form domain\username.
Advanced and Proxy details
If you want to limit the bandwidth used, or set computers to make a dial-up connection automatically when it is needed for updating, click Advanced. If you access the internet via a proxy server, click Proxy details. Note that some internet service providers require web requests to be sent to a proxy server.
4. Click the Schedule tab and enter the details as described below.
Enable networked computers to use Sophos updates automatically
Select this if you want computers to be updated at regular intervals. Then enter the frequency (in minutes) with which computers will check for updated software. The default is 5 minutes.
If the computers download updates directly from Sophos, this frequency setting does not apply. Computers running Sophos PureMessage can check for updates every 15 minutes. Computers that are not running Sophos PureMessage will update every 60 minutes.
Check for updates on dial-up
Select this if the computers update via a dial-up connection to the internet. Computers will then attempt to update whenever they connect to the internet.
5. In the Policies pane, click the new updating policy and drag it onto the group of computers you want to configure.
If you have simply edited a policy already applied to the group, e.g. the default policy, you do not need to carry out step 5.

Select a source for updates

If you want computers to update themselves automatically, you must specify where they fetch updates from. You must specify where each type of computer (e.g. Windows 2000 and later) updates from.
1. Check which updating policy is used by the group(s) of computers you want to configure.
2. In the Policies pane, double-click Updating. Then double-click the policy you want to change.
3. In the Updating policy dialog box, select an operating system. Click Configure.
4. In the Set updating policy dialog box, click the Primary server tab. Set the options as described below.
Address
Enter the address (UNC (network) path or web address) from which Sophos Anti-Virus will usually fetch updates.
Username
If necessary, enter the Username for the account that will be used to access the server, and then enter and confirm the Password. This account needs only read access to the directory you entered in the Address field; give it no further rights, because every computer that uses the policy receives these credentials. If the Username needs to be qualified to indicate the domain, use the form domain\username.
Advanced and Proxy details
If you want to limit the bandwidth used, or set computers to make a dial-up connection automatically when it is needed for updating, click Advanced. If you access the internet via a proxy server, click Proxy details. Note that some internet service providers require web requests to be sent to a proxy server.

Select an alternative source for updates

You can set an alternative source for updates. If the computers cannot contact their usual source, they will attempt to update from this alternative source.
Sophos recommends that you set an alternative source for updates if you have computers that are not always connected to the company network, for example, laptops.
You must specify where each type of computer (e.g. Windows 2000 and later) updates from.
1. Check which updating policy is used by the group(s) of computers you want to configure.
2. In the Policies pane, double-click Updating. Then double-click the policy you want to change.
3. In the Updating policy dialog box, select an operating system. Click Configure.
4. In the Set updating policy dialog box, click the Secondary server tab. Select Specify secondary server details. Then enter the details as described below.
Address
Enter the Address (UNC (network) path or web address) from which computers will fetch updates if they cannot contact the usual source. If you select Sophos, Sophos Anti-Virus will download updates directly from Sophos via the internet.
Username
If necessary, enter the Username for the account that will be used to access the server, and then enter and confirm the Password. This account needs only read access to the directory you entered in the Address field; give it no further rights, because every computer that uses the policy receives these credentials. If the Username needs to be qualified to indicate the domain, use the form domain\username.
Advanced and Proxy details
If you want to limit the bandwidth used, or set computers to make a dial-up connection automatically when it is needed for updating, click Advanced. If you access the address via a proxy server, click Proxy details. Note that some internet service providers require web requests to be sent to a proxy server.

Schedule updates

You can specify when or how often computers are updated. You enter these settings separately for each type of computer (e.g. Windows 2000 and later).
1. Check which updating policy is used by the group(s) of computers you want to configure.
2. In the Policies pane, double-click Updating. Then double-click the policy you want to change.
3. In the Updating policy dialog box, select an operating system. Click Configure.
4. In the Set updating policy dialog box, click the Schedule tab. Enter the details as described below.
Enable networked computers to use Sophos updates automatically
Select this if you want computers to be updated at regular intervals. Then enter the frequency (in minutes) with which computers will check for updated software. The default is 5 minutes.
If the computers download updates directly from Sophos, this frequency setting does not apply. Computers running Sophos PureMessage can check for updates every 15 minutes. Computers that are not running Sophos PureMessage will update every 60 minutes.
Check for updates on dial-up
Select this if the computers update via a dial-up connection to the internet. Computers will then attempt to update whenever they connect to the internet.

Update computers now

You can update a computer or computers immediately, without waiting for the next automatic update. Select the computer(s) you want to update. Right-click and select Update computers now.

Make computers update when they dial up

If you want computers to update as soon as they dial a connection, do as follows. You enter these settings separately for each type of computer (e.g. Windows 2000 and later).
1. Check which updating policy is used by the group(s) of computers you want to configure.
2. In the Policies pane, double-click Updating. Then double-click the policy you want to change.
3. In the Updating policy dialog box, select an operating system. Click Configure.
4. In the Set updating policy dialog box, click the Schedule tab. Select Check for updates on dial-up.

Specify a proxy server for updating

If computers fetch updates via the internet, you must enter details of any proxy server used to connect to the internet. You enter these settings separately for each type of computer (e.g. Windows 2000 and later).
1. If you have not already done so, check which updating policy is used by the group(s) of computers you want to configure. In the Policies pane, double-click Updating. Then double-click the policy you want to change. In the Updating policy dialog box, select an operating system. Click Configure.
2. In the Set updating policy dialog box, click the Primary server tab or the Secondary server tab as required. Ensure that all the details have been correctly entered. Then click Proxy details.
3. In the Proxy details dialog box, select Access the server via a proxy. Then enter the proxy server Address and Port number. Enter a Username and Password that give access to the proxy server; as with the update server account, this account is distributed to every computer that uses the policy, so give it no rights beyond proxy access. If the username needs to be qualified to indicate the domain, use the form domain\username.

Limit the bandwidth used

You can limit the bandwidth used for updating. This prevents updating from using all the bandwidth when a computer needs it for other purposes, e.g. downloading email. You enter this setting separately for each type of computer (e.g. Windows 2000 and later).
1. If you have not already done so, check which updating policy is used by the group(s) of computers you want to configure. In the Policies pane, double-click Updating. Then double-click the policy you want to change. In the Updating policy dialog box, select an operating system. Click Configure.
2. In the Set updating policy dialog box, click the Primary server tab or the Secondary server tab as required. Ensure that all the details have been correctly entered. Then click Advanced.
3. In the Advanced settings dialog box, select Limit amount of bandwidth used and use the slider control to specify the bandwidth in Kbits/second. If you specify more bandwidth than the computer has available, updating uses all that is available.

Select a different source for initial installation


By default, anti-virus software is installed on computers and then
kept updated from the source (the "Primary server") you specify
when you first set up a computer group. If you want to make the
initial installation from a different source, you can do so as follows:
This setting applies only to Windows 2000 and later.
If your primary server is an HTTP (web) address, and you want
to perform installation on computers from the console, you must
specify a first-time install source.
1. Check which updating policy is used by the group(s) of
computers you want to configure.
2. In the Policies pane, double-click Updating. Then double-click
the policy you want to change.
3. In the Updating policy dialog box, select an operating system,
e.g. Windows 2000 and later. Click Configure.
4. In the Set updating policy dialog box, click the Initial install
source tab. Deselect Use primary server address. Then enter
the address of the source you want to use.

Log updates
You can configure computers to log their updating activity.
You enter these settings separately for each type of computer (e.g.
Windows 2000 and later).
1. Check which updating policy is used by the group(s) of
computers you want to configure.
2. In the Policies pane, double-click Updating. Then double-click
the policy you want to change.
3. In the Updating policy dialog box, select an operating system.
Click Configure.
4. In the Set updating policy dialog box, click the Logging tab.
Ensure that Log Sophos AutoUpdate activity is selected. Then
set other options as described below.
Maximum log size
Specify a maximum size for the log in MB.
Log level
You can select Normal or Verbose logging. Verbose logging
provides information on many more activities than usual, so the
log will grow faster. Use this setting only when detailed logging
is needed for troubleshooting.

11 How do I change anti-virus and HIPS settings?
This section describes how to change the settings used to detect and
clean up viruses, Trojans, worms, and spyware, as well as adware and
other potentially unwanted applications. It also tells you how to scan
your computers. You can use different settings for each set of
computers.
· What is HIPS?
· Scan for viruses, Trojans, worms, and spyware
· Detect suspicious behavior
· Scan for suspicious files
· Authorize suspicious items
· Scan for adware/PUA
· Authorize adware/PUA
· Change types of file scanned
· Exclude items from on-access scanning
· Scan for rootkits
· Scan inside archive files
· Scan Macintosh files
· Turn on-access scanning on or off
· Change when on-access scanning occurs
· Scan computers at set times
· Change scheduled scan settings
· Exclude items from scheduled scanning
· Items that can be excluded from scanning
You can also have computers cleaned up automatically as soon as a
virus or other threat is found. To do this, you change the settings for
on-access scanning as described in Clean up computers automatically.

What is HIPS?
Host Intrusion Prevention System (HIPS) is a security
technology that protects computers from suspicious files,
unidentified viruses, and suspicious behavior.
HIPS options apply only to Sophos Anti-Virus 7 and later for
Windows 2000 and later.
HIPS uses the following methods:
· Runtime behavior analysis
Runtime behavior analysis comprises suspicious behavior
detection and buffer overflow detection. Suspicious behavior
detection is the dynamic analysis of all programs running on the
computer to detect and block activity that appears to be
malicious.
For more information, see Detect suspicious behavior.
· Suspicious file detection
Sophos Anti-Virus 7 or later can scan for suspicious files. These
contain certain characteristics that are common to malware but
not sufficient for the files to be identified as new pieces of
malware.
For more information, see Scan for suspicious files.

Scan for viruses, Trojans, worms, and spyware
By default, Sophos Anti-Virus detects known and unknown viruses,
Trojans, worms, and spyware automatically as soon as a user
attempts to access files that contain them. Sophos Anti-Virus 7 and
later for Windows 2000 and later also analyzes behavior of the
programs running on the system.
You can also configure Sophos Anti-Virus to:
· Scan computers for suspicious files
· Scan for adware and other potentially unwanted applications
· Scan computers at set times

Detect suspicious behavior
By default, Sophos Anti-Virus detects viruses, Trojans, worms, and
spyware. Sophos Anti-Virus 7 and later for Windows 2000 and later
also analyzes behavior of the programs running on the system.
The runtime behavior analysis includes:
· Suspicious behavior detection
Suspicious behavior detection dynamically analyzes the behavior
of all programs running on the system in order to detect and block
activity which appears to be malicious. Suspicious behavior may
include changes to the registry that could allow a virus to run
automatically when the computer is restarted.
· Buffer overflow detection
Buffer overflow detection dynamically analyzes the behavior of
all programs running on the system in order to detect buffer
overflow attacks.
Buffer overflow detection is not available for Windows Vista and
64-bit versions of Windows. These operating systems are protected
against buffer overflows by Microsoft's Data Execution Prevention
(DEP) feature.
To view or change the runtime behavior analysis settings:
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, click the HIPS
runtime behavior button.
4. The HIPS runtime behavior analysis settings dialog box is
displayed. There are two options:
§ Detect suspicious behavior
§ Detect buffer overflows
By default, these options are enabled. Sophos Anti-Virus detects
such behavior and sends alerts to Enterprise Console. However,
it does not block any of the programs detected.
Sophos recommends that you run Sophos Anti-Virus in
alert-only mode for a time and authorize the programs you
need before enabling automatic blocking of suspicious
behavior.
5. Leave the options enabled or change the settings, if you want
to, and click OK.
When suspicious behavior or a buffer overflow is detected, you
can either remove or authorize the suspicious item.
6. When you are ready to enable automatic blocking of suspicious
behavior, clear the Alert only check box.

Scan for suspicious files
By default, Sophos Anti-Virus detects known and unknown viruses,
Trojans, worms, and spyware. You can also configure it to detect
suspicious files.
A suspicious file is a file that contains certain characteristics that
are common to malware but not sufficient for the file to be
identified as a new piece of malware (for example, a file
containing dynamic decompression code commonly used by
malware).
This option applies only to Sophos Anti-Virus 7 and later for
Windows 2000 and later.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, set the options
as follows:
On-access scanning
To configure on-access scanning, in the Configure Sophos
Anti-Virus and HIPS panel, make sure the Enable on-access
scanning check box is selected. Click the On-access scanning
button.
On the Scanning tab, in the Scanning options panel, select the
Scan for suspicious files (HIPS) check box. Click OK.
Scheduled scanning
To configure scheduled scans, in the Scheduled scanning panel,
click Add (or select an existing scan and click Edit).
In the Scheduled scan settings dialog box, enter your settings
and then click Configure.
In the Scanning and cleanup settings dialog box, on the
Scanning tab, in the Scanning options panel, select the Scan
for suspicious files (HIPS) check box. Click OK.
When a suspicious file is detected, you can either remove or
authorize the file.
If you disable scanning for suspicious files, scanning for rootkits
is disabled at the same time.

Authorize suspicious items
If you have enabled one or more HIPS options (e.g. suspicious
behavior detection, buffer overflow detection, or suspicious file
detection), but you want to use some of the items detected, you can
authorize them as follows:
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, click the
Authorization button.
4. In the Authorization Manager dialog box, click the tab for the
type of behavior that has been detected, e.g. Buffer overflow.
Find the program that has been detected and move it from the
Known list to the Authorized list.
If you want to allow an item that Sophos Anti-Virus has not yet
classified as suspicious, you can pre-authorize it as follows:
1. Click New entry.
2. Browse to the item and select it to add it to the Authorized list.
If you want to remove an item from the list, select the item and click
Delete entry. If you have authorized the item, removing it from the
list effectively blocks it again, so use this option only if you're sure
that it doesn't need to be authorized. This option doesn't delete the
item from disk.
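The staged rollout that Sophos recommends under Detect suspicious behavior (run in alert-only mode, authorize what you need, then clear Alert only) and the Known/Authorized list behaviour described above can be modelled in a few lines. The following is an added example written for this page, not Sophos code: HipsPolicy, HipsEvent and staged_rollout are names invented here, and the sample events and program paths are constructed.

```python
"""Staged rollout of HIPS runtime behavior detection: alert-only phase,
authorization of needed programs, then blocking.

Added illustration for this page; not Sophos code. Event layout, program
paths and the two Authorization Manager tabs below are constructed.
"""
from dataclasses import dataclass, field

SUSPICIOUS_BEHAVIOR = "suspicious_behavior"
BUFFER_OVERFLOW = "buffer_overflow"


@dataclass
class HipsEvent:
    """One detection reported by a managed computer (constructed layout)."""
    computer: str
    program: str   # path of the program whose behavior was detected
    kind: str      # SUSPICIOUS_BEHAVIOR or BUFFER_OVERFLOW
    detail: str    # what was seen, e.g. a registry change


@dataclass
class HipsPolicy:
    """HIPS runtime behavior settings plus the Authorization Manager lists."""
    detect_suspicious_behavior: bool = True   # enabled by default
    detect_buffer_overflows: bool = True      # enabled by default
    alert_only: bool = True                   # default: alert, do not block
    # One Known list and one Authorized list per Authorization Manager tab.
    known: dict = field(default_factory=lambda: {SUSPICIOUS_BEHAVIOR: set(), BUFFER_OVERFLOW: set()})
    authorized: dict = field(default_factory=lambda: {SUSPICIOUS_BEHAVIOR: set(), BUFFER_OVERFLOW: set()})

    def detection_enabled(self, kind: str) -> bool:
        return {SUSPICIOUS_BEHAVIOR: self.detect_suspicious_behavior,
                BUFFER_OVERFLOW: self.detect_buffer_overflows}[kind]

    def evaluate(self, event: HipsEvent) -> str:
        """Action taken for one event: 'ignore', 'allow', 'alert' or 'block'."""
        if not self.detection_enabled(event.kind):
            return "ignore"                      # that detection is switched off
        key = event.program.lower()
        if key in self.authorized[event.kind]:
            return "allow"
        self.known[event.kind].add(key)          # item now appears in the Known list
        return "alert" if self.alert_only else "block"

    def authorize(self, kind: str, program: str) -> None:
        """Move an item from Known to Authorized (also covers pre-authorizing)."""
        key = program.lower()
        self.known[kind].discard(key)
        self.authorized[kind].add(key)

    def delete_entry(self, kind: str, program: str) -> None:
        """Delete entry: an authorized item is effectively blocked again."""
        self.authorized[kind].discard(program.lower())


def staged_rollout(events, needed_programs):
    """Phase 1: alert only, collecting the Known list. Phase 2: authorize the
    programs the business needs, clear Alert only and re-evaluate."""
    policy = HipsPolicy()
    phase1 = {e.program: policy.evaluate(e) for e in events}
    needed = {p.lower() for p in needed_programs}
    for kind, programs in policy.known.items():
        for program in list(programs):
            if program in needed:
                policy.authorize(kind, program)
    policy.alert_only = False
    phase2 = {e.program: policy.evaluate(e) for e in events}
    return phase1, phase2, policy


# Constructed sample events; the computers and paths are invented.
SAMPLE_EVENTS = [
    HipsEvent("PC01", "C:\\Program Files\\Backup\\backup.exe", SUSPICIOUS_BEHAVIOR,
              "adds a registry value that starts the program at logon"),
    HipsEvent("PC02", "C:\\Users\\bob\\AppData\\Local\\Temp\\unknown.exe", SUSPICIOUS_BEHAVIOR,
              "adds a registry value that starts the program at logon"),
    HipsEvent("PC03", "C:\\Program Files\\LegacyApp\\legacy.exe", BUFFER_OVERFLOW,
              "buffer overflow detected in the running process"),
]
SAMPLE_NEEDED = {"C:\\Program Files\\Backup\\backup.exe",
                 "C:\\Program Files\\LegacyApp\\legacy.exe"}

if __name__ == "__main__":
    before, after, _ = staged_rollout(SAMPLE_EVENTS, SAMPLE_NEEDED)
    for program in before:
        print(f"{program}: alert-only -> {before[program]}, blocking -> {after[program]}")
```

The point of the two phases is visible in the result: nothing is blocked while Alert only is set, so the Known list fills up with every program that exhibits the behavior; only after the needed entries have been authorized does clearing Alert only turn the remaining detections into blocks. Deleting an entry re-blocks that program without touching it on disk, as the section above states.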

Scan for adware/PUA
By default, Sophos Anti-Virus detects viruses, Trojans, worms, and
spyware. You can also configure it to detect adware and other
potentially unwanted applications (PUAs).
This option applies only to Sophos Anti-Virus 6 and later for
Windows 2000 and later.
Sophos recommends that you begin by using a scheduled scan to
detect potentially unwanted applications. This lets you deal safely
with applications that are already running on your network. You can
then enable on-access detection to protect your computers in future.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change. The Anti-virus
and HIPS policy dialog box is displayed.
3. In the Scheduled scanning panel, click Add to create a new
scan, or double-click a scan in the list to edit it.
4. In the Scheduled scan settings dialog box, click Configure (at
the bottom of the page).
5. In the Scanning and cleanup settings dialog box, on the
Scanning tab, under Scanning options, select Scan for
adware/PUA. Click OK.
6. When the scan is carried out, Sophos Anti-Virus may report
some adware or other potentially unwanted applications.
If you want your computers to run the applications, you must
authorize them. Otherwise, remove them.
7. If you want to enable on-access detection, open the Anti-Virus
and HIPS policy dialog box again. In the Configure Sophos
Anti-Virus and HIPS panel, make sure the Enable on-access
scanning check box is selected. Click the On-access scanning
button. In the On-access scan settings dialog box, select Scan
for adware/PUA.
Some applications "monitor" files and attempt to access
them frequently. If you have on-access scanning enabled, it
detects each access and sends multiple alerts. See Frequent
alerts about potentially unwanted applications.

Authorize adware/PUA
If you have enabled Sophos Anti-Virus to detect adware and other
potentially unwanted applications (PUAs), it may prevent the use of
an application that you want.
You can authorize such applications as follows:
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, click the
Authorization button.
4. In the Authorization manager dialog box, on the Adware/
PUAs tab, in the Known adware/PUAs list, select the
application you want. Click Add to add it to the Authorized
adware/PUAs list.
If you cannot see the application you want to authorize, do the
following:
1. Click New entry. The Add new adware/PUA dialog box is
displayed.
2. Go to the Sophos threat analyses web page,
http://www.sophos.com/security/analyses.
3. In the View by type field, select Adware or PUA, depending
on the type of application you want to authorize. Click Go.
4. Find the application you want to authorize and enter its name in
the Add new adware/PUA dialog box. Click OK. The
application will be added to the Known adware/PUAs list.
5. Select the application and click Add to add it to the
Authorized adware/PUAs list.
If you want to remove an application from the list, select the
application and click Delete entry.

Change types of file scanned
By default, Sophos Anti-Virus scans file types that are vulnerable to
viruses. You can scan additional file types or choose to exempt some
file types from scanning.
The file types scanned by default differ between operating systems
and change as the product is updated. To see a list of the file types,
go to a computer with the relevant operating system, open the Sophos
Anti-Virus window and look for the "Extensions" configuration
page.
These options apply to Windows computers only.

On Windows 2000 or later, you can change these settings
separately for on-access and scheduled scanning. On Windows
NT/95/98/Me, changes made in the scheduled scan settings apply
to on-access scanning too.
You can make changes on Mac OS X computers with the Sophos
Update Manager, a utility supplied with Sophos Anti-Virus for
Mac OS X. To open Sophos Update Manager, on a Mac OS X
computer, in a Finder window, browse to the Sophos Anti-Virus:
ESOSX folder. Double-click Sophos Update Manager. For
further details, see Sophos Update Manager Help.
You can make changes on Linux computers using the savconfig
and savscan commands as described in the Sophos Anti-Virus for
Linux user manual.
You can make changes on UNIX computers using the savscan
command as described in the Sophos Anti-Virus for UNIX user
manual.

To change types of files scanned:
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, set the options
as follows:
To configure on-access scanning, in the Configure Sophos
Anti-Virus and HIPS panel, make sure the Enable on-access
scanning check box is selected. Click the On-access scanning
button.
To configure scheduled scans, in the Scheduled scanning panel,
click Extensions and Exclusions.
4. On the Extensions tab, select Scan executable and infectable
files.
To scan additional file types, click Add and type the file
extension, e.g. PDF, in the Extension field.
To exempt some of the file types that are usually scanned by
default, click Exclude. This opens the Exclude extensions
dialog box. Enter the file extension.
By default, files with no extension are scanned.
You can also choose to scan all files, although this will affect
computer performance.

Exclude items from on-access scanning
You can exclude items from on-access scanning.
These options apply only to Windows 2000 or later, Mac OS X,
Linux, and UNIX.
To exclude items on Windows NT/95/98/Me computers, use the
scheduled scan configuration pages, which apply to on-access
scanning too.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. The Anti-virus and HIPS policy dialog box is displayed. In
the Configure Sophos Anti-Virus and HIPS panel, click the
On-access scanning button.
4. Click the tab for Windows exclusions, Mac exclusions, or
Linux/Unix exclusions. To add items to the list, click Add and
enter the full path in the Exclude item dialog box. The items
you can exclude from scanning differ on each type of computer.
See Items that can be excluded from scanning.

Scan for rootkits
Scanning for rootkits is always performed when you run a full system
scan of a computer. However, if you want to change the setting for a
scheduled scan, do as follows.
This option applies only to Sophos Anti-Virus 7 and later for
Windows 2000 and later.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, in the
Scheduled scanning panel, click Add (or select an existing
scan and click Edit).
4. In the Scheduled scan settings dialog box, enter your settings
and then click Configure.
5. In the Scanning and cleanup settings dialog box, on the
Scanning tab, in the Scanning options panel, select the Scan
for suspicious files (HIPS) check box. Click OK.
If you disable scanning for rootkits, scanning for suspicious files
is disabled at the same time.

Scan inside archive files
Scanning inside archive files makes scanning significantly
slower and is generally not required. Even if you don't select the
option, when you attempt to access a file extracted from the
archive file, the extracted file is scanned. Sophos therefore does
not recommend selecting this option.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, in the
Scheduled scanning panel, click Add (or select an existing
scan and click Edit).
4. In the Scheduled scan settings dialog box, enter your settings
and then click Configure (at the bottom of the page).
5. In the Scanning and cleanup settings dialog box, on the
Scanning tab, select Scan inside archive files. Click OK.

Scan Macintosh files
You can enable Sophos Anti-Virus to scan Macintosh files stored on
Windows computers.
This option applies only to Sophos Anti-Virus 7 and later for
Windows 2000 and later.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, set the options
as follows:
On-access scanning
To configure on-access scanning, in the Configure Sophos
Anti-Virus and HIPS panel, make sure the Enable on-access
scanning check box is selected. Click the On-access scanning
button.
On the Scanning tab, in the Scanning options panel, select the
Scan for Macintosh viruses check box.
Scheduled scanning
To configure scheduled scans, in the Scheduled scanning panel,
click Add (or select an existing scan and click Edit).
In the Scheduled scan settings dialog box, enter your settings
and then click Configure.
In the Scanning and cleanup settings dialog box, on the
Scanning tab, select the Scan for Macintosh viruses check
box.

Turn on-access scanning on or off
By default, Sophos Anti-Virus scans files as the user attempts to
access them, and denies access unless the file is clean.
You may decide to turn off on-access scanning on Exchange servers
or other servers where performance might be affected. In this case,
put the servers in a special group and change the anti-virus and HIPS
policy used for that group as shown below.
If you turn off on-access scanning on a server, we recommend
you set up scheduled scans on the relevant computers.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. The Anti-virus and HIPS policy dialog box is displayed. To
turn off on-access scanning, clear the Enable on-access
scanning check box. Then, in the Scheduled scanning panel,
click Add and set up a scheduled scan.
If you later want to restart on-access scanning, select the check
box again.

Change when on-access scanning occurs
You can specify whether files are scanned when you open them ("on
read"), save them ("on write") or rename them.
Scanning files "on write" or "on rename" can have an impact on
the computers' performance. These options are not usually
recommended.
These options apply to Windows computers only.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, in the
Configure Sophos Anti-Virus and HIPS panel, click the
On-access scanning button.
4. In the On-access scan settings dialog box, on the Scanning
tab, in the On-access scanning behavior panel, select the
options you want.

Scan computers at set times
You can have computers scanned at set times.
Scheduled scans will run only on Windows and UNIX
computers. On Windows 95/98/Me computers, scheduled scans
run only if the Sophos Anti-Virus window is open.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, in the
Scheduled scanning panel, click Add.
4. In the Scheduled scan settings dialog box, enter a name for the
scanning job. Select the items to scan (by default, all local hard
disks or mounted filesystems are scanned). Select the days and
times at which you want the scan to run.
If you want to change other scanning options or configure this
scan to clean up computers, click Configure at the bottom of the
dialog box.
For instructions on how to change the options for a scheduled
scan, see Change scheduled scan settings.

Change scheduled scan settings
You can change the settings for scheduled scanning.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. In the Anti-virus and HIPS policy dialog box, in the
Scheduled scanning panel, you can change two different kinds
of setting:
To change the types of files scanned by all scheduled scans,
click Extensions and Exclusions.
To change settings specific to each scan (what is scanned, times,
scanning options, cleanup), highlight the scan and click Edit.
Then in the Scheduled scan settings dialog box, click
Configure.
For full details of how to use scanning options, see Scan for
suspicious files, Scan for adware/PUA, and Scan inside
archive files. For details of how to use cleanup options, see
Clean up computers automatically.

Exclude items from scheduled scanning
You can exclude items from scheduled scanning.
On Windows NT/95/98/Me, changes made in the scheduled scan
settings apply to on-access scanning too.
The "excluded items" settings for scheduled scans also apply to
full system scans run from the console and "scan my computer"
scans run on networked computers.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change.
3. The Anti-virus and HIPS policy dialog box is displayed. In
the Scheduled scanning panel, click Extensions and
Exclusions.
4. Click the Exclusions tab. To add items to the list, click Add
and enter the full path in the Exclude item dialog box. The
items you can exclude from scanning differ on each type of
computer. See Items that can be excluded from scanning.

Items that can be excluded from scanning
On each type of computer, there are different limitations on the items
that you can exclude from scanning.
Windows 2000 and later
On Windows 2000 and later, you can exclude drives, folders and
files.
You can use the wildcards * and ?.
The wildcard ? can be used only in a filename or extension. It
generally matches any single character. However, when used at the
end of a filename or extension, it matches any single character or no
characters. For example, file??.txt matches file.txt, file1.txt and
file12.txt but not file123.txt.
The wildcard * can be used only in a filename or extension, in the
form [filename].* or *.[extension]. For example, file*.txt, file.txt*
and file.*txt are invalid.
For further details see the help files or user manual for Sophos
Anti-Virus for Windows 2000 and later.
Windows NT
On Windows NT, you can exclude files and directories.
Windows 95/98/Me
On Windows 95/98/Me, you can exclude files, directories (for
scheduled scans), and drives.
Mac OS X
On Mac OS X, you can exclude volumes, folders, and files.
Although wildcard characters are not supported, you can specify
which items are excluded by prefixing or suffixing the exclusion with
a slash or double slash.
For further details, see the help files or user manual for Sophos
Anti-Virus for Mac OS X.
Linux and UNIX
On Linux and UNIX, you can exclude directories and files by
specifying a path (with or without wildcards).
Enterprise Console supports only path-based Linux and UNIX
exclusions. You can also set up other types of exclusion directly
on the managed computers; there you can use regular
expressions and exclude file types and filesystems. For
instructions, see the Sophos Anti-Virus for Linux user manual or
the Sophos Anti-Virus for UNIX user manual.
If you set up another path-based exclusion on a managed Linux
or UNIX computer, this computer will be reported to the console
as differing from the group policy.
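The extension rules under Change types of file scanned and the Windows 2000 and later wildcard rules for exclusions given above combine into one scan/no-scan decision per file, which is easiest to check with a small model. The following is an added example written for this page, not Sophos code: SAMPLE_DEFAULT_EXTENSIONS is a constructed stand-in for the product's own "executable and infectable" list, the names compile_exclusion, should_scan and ScanPolicy are invented here, and two behaviours are this example's assumptions rather than the manual's: an exclusion ending in a backslash is treated as a drive or folder exclusion, and an exclusion with no folder part matches that filename in any folder.

```python
"""Model of the Windows scanning decision: which extensions are scanned
(Extensions tab) and which items are excluded (? and * wildcard rules).

Added illustration for this page; not Sophos code. The default extension
list is constructed, and the folder-exclusion and bare-filename handling
are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for the product's "executable and infectable" list.
SAMPLE_DEFAULT_EXTENSIONS = frozenset({"exe", "dll", "com", "scr", "doc", "xls", "vbs", "js"})


def _segment_regex(segment: str) -> str:
    """Regex for one filename or extension segment of an exclusion.

    Rules for Windows 2000 and later:
      * '*' is valid only as a whole segment: [filename].* or *.[extension];
      * '?' matches any single character, but a trailing run of '?' matches
        one or no characters each, so file??.txt matches file.txt, file1.txt
        and file12.txt but not file123.txt.
    """
    if segment == "*":
        return ".*"
    if "*" in segment:
        raise ValueError(f"'*' must be the whole filename or extension: {segment!r}")
    core = segment.rstrip("?")
    optional = len(segment) - len(core)
    body = "".join("." if ch == "?" else re.escape(ch) for ch in core)
    return body + ".?" * optional


def compile_exclusion(pattern: str):
    """Return a predicate telling whether a Windows path is covered by `pattern`."""
    if pattern.endswith("\\"):                  # drive or folder exclusion (assumption)
        prefix = pattern.lower()
        return lambda path: path.lower().startswith(prefix)
    directory, _, basename = pattern.rpartition("\\")
    if "*" in directory or "?" in directory:
        raise ValueError("wildcards are allowed only in the filename or extension")
    if "." in basename:
        name, _, ext = basename.rpartition(".")
        regex = re.compile(_segment_regex(name) + r"\." + _segment_regex(ext) + r"\Z", re.IGNORECASE)
    else:
        regex = re.compile(_segment_regex(basename) + r"\Z", re.IGNORECASE)

    def matches(path: str) -> bool:
        path_dir, _, path_base = path.rpartition("\\")
        # No folder part in the pattern: match that filename anywhere (assumption).
        if directory and path_dir.lower() != directory.lower():
            return False
        return regex.match(path_base) is not None
    return matches


def is_valid_exclusion(pattern: str) -> bool:
    """True when the pattern obeys the wildcard rules above."""
    try:
        compile_exclusion(pattern)
        return True
    except ValueError:
        return False


@dataclass
class ScanPolicy:
    """Extensions tab settings plus the exclusion list of a policy."""
    scan_all_files: bool = False
    scan_files_without_extension: bool = True        # scanned by default
    default_extensions: frozenset = SAMPLE_DEFAULT_EXTENSIONS
    added_extensions: set = field(default_factory=set)      # Extensions tab > Add
    excluded_extensions: set = field(default_factory=set)   # Extensions tab > Exclude
    exclusions: list = field(default_factory=list)          # Exclude item entries

    def __post_init__(self):
        self._scan = {e.lower() for e in self.default_extensions} | {e.lower() for e in self.added_extensions}
        self._exempt = {e.lower() for e in self.excluded_extensions}
        self._matchers = [compile_exclusion(p) for p in self.exclusions]


def should_scan(path: str, policy: ScanPolicy) -> tuple[bool, str]:
    """Decide whether `path` is scanned and say which setting decided it."""
    if any(match(path) for match in policy._matchers):
        return False, "excluded item"
    if policy.scan_all_files:
        return True, "scan all files"
    _, _, basename = path.rpartition("\\")
    _, dot, ext = basename.rpartition(".")
    ext = ext.lower() if dot else ""
    if not ext:
        return policy.scan_files_without_extension, "no extension"
    if ext in policy._exempt:
        return False, f"extension {ext} exempted"
    if ext in policy._scan:
        return True, f"extension {ext} in scan list"
    return False, f"extension {ext} not in scan list"
```

Running is_valid_exclusion over a proposed exclusion list before entering it in the Exclude item dialog box catches the three invalid forms the manual lists (file*.txt, file.txt* and file.*txt), and should_scan makes the precedence explicit: an excluded item is never scanned, whatever the extension settings say, while "scan all files" still respects the exclusion list.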

12 How do I change application control settings?
Enterprise Console enables you to detect and block "controlled
applications", i.e. legitimate applications that are not a security
threat, but that you decide are unsuitable for use in your office
environment. Such applications may include instant messaging (IM)
clients, Voice over Internet Protocol (VoIP) clients, digital imaging
software, media players, or browser plug-ins.
This option applies only to Sophos Anti-Virus 7 and later for
Windows 2000 and later.
Applications can be blocked or authorized for different groups of
computers with complete flexibility. For example, VoIP can be
switched off for office-based desktop computers, yet authorized for
remote computers.
The list of controlled applications is supplied by Sophos and
updated regularly. You cannot add new applications to the list.
This section describes how to select the applications you want to
control on your network and set up scanning for controlled
applications.
· Select the applications you want to control
· Scan for applications you want to control
· Uninstall controlled applications you do not want

Select the applications you want to control
By default, all applications are allowed. You can select the
applications you want to control as follows:
1. Check which application control policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Application control. Then
double-click the policy you want to change.
3. In the Application control policy dialog box, click the
Authorization tab.
4. Select an Application type, e.g. File sharing. A full list of the
applications included in that group is displayed in the
Authorized list below.
To block an application, select it and move it to the Blocked list
by clicking the "Add" button.
To block any new applications that Sophos adds to that type in
the future, move All added by Sophos in the future to the
Blocked list.
To block all applications of that type, move all applications from
the Authorized list to the Blocked list by clicking the "Add all"
button.
5. On the Scanning tab of the Application control policy dialog
box, make sure that scanning for controlled applications is
enabled. (See Scan for applications you want to control for
details.) Click OK.

Scan for applications you want to control
You can configure Sophos Anti-Virus to scan on access for the
applications you want to control on your network.
1. Check which application control policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Application control. Then
double-click the policy you want to change. The Application
control policy dialog box is displayed.
3. On the Scanning tab, set the options as follows:
To enable on-access scanning, select the Enable on-access
scanning check box. If you want to detect applications but do
not want to block them on access, select the Detect but allow to
run check box.
To enable on-demand and scheduled scanning, select the Enable
on-demand and scheduled scanning check box.
Your anti-virus and HIPS policy settings determine which
files are scanned (i.e. the extensions and exclusions).
If you want to remove controlled applications found on your
networked computers, follow the instructions in Uninstall controlled
applications you do not want.
You can also have alerts sent to particular users if a controlled
application is found on any of the computers in the group. For
instructions, see Set up application control alerts.

Uninstall controlled applications you do not want
Before you uninstall controlled applications, ensure that on-access
scanning for controlled applications is disabled. This type of
scanning blocks the programs used to install and uninstall
applications, so it may interfere with uninstallation.
You can remove an application in one of two ways:
· Go to each computer and run the uninstaller for that product.
You can usually do this by opening the Windows Control Panel
and using Add/Remove Programs.
· At the server, use your usual script or administration tool to run
the uninstaller for that product on your networked computers.
Now you can enable on-access scanning for controlled applications.

13 How do I change firewall settings?
This section describes how to set up the firewall and change key
settings.
· Set up the firewall
· What are the default settings?
· Allow file and print sharing
· Allow applications that have been blocked
· Select interactive or non-interactive working
· Turn the firewall on or off
· Get help with advanced options

Set up the firewall
When you install the firewall, it is enabled by default and blocks all
non-essential traffic. For more details, see the default settings.
Before you begin using the firewall on your networked computers,
you must configure it to allow common applications to run. You
cannot do this easily from Enterprise Console, as the computers may
have different versions of the same application. Instead, use sample
computers to develop a configuration that you can then use as your
policy.
1. Install the firewall on computers that are representative of your
network.
2. Go to a computer, right-click the firewall taskbar icon (shown
below).

Click Configure.
3. In the Sophos Client Firewall Configuration Editor dialog
box, click the Applications tab. Click Add and browse to each
application you want. The application is then "trusted". For
greater security, highlight the program, click Custom (bottom
right-hand of the dialog box) and create a rule.
Alternatively, on the General tabbed page, select
Interactive. The firewall will prompt you to allow or block
each application when it is used.
4. When the firewall is configured, on the General tabbed page,
click Export to export the configuration to your chosen
location.
5. Repeat the above steps on each computer you want to use as a
sample.
6. Now go to Enterprise Console. In the Policies pane, double-
click Firewall and then double-click on the policy you want to
edit.
7. In the Firewall policy dialog box, on the General tabbed page,
click Import and import a configuration you developed earlier.
When you import each configuration, you are given the
option to merge it with other configurations you have
already imported.
8. You have now configured the firewall to allow commonly-used
applications. You can also change other settings (for example,
to allow file and print sharing). See the Sophos Client Firewall
help files for details of all options.

What are the default settings?


By default, the Sophos Client Firewall is enabled and blocks all non-
essential traffic. Before you use it throughout your network, you
should configure it to allow the applications you want to use, as
described in Set up the firewall.
The firewall's other default settings are as follows:
· applies rules without asking the user for confirmation ("non-
interactive" mode)
· displays alerts in Enterprise Console if rules are changed locally
on managed computers
· blocks processes if memory is modified by another application
· drops packets that are sent to blocked ports ("stealth" operation)
· uses checksums to identify new and modified applications
· blocks IPv6 packets (applies only to Sophos Client Firewall 1.5)
· reports new and modified applications to Enterprise Console
· warns about applications that may launch hidden processes.
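The checksum item in the list above is what lets a non-interactive firewall tell a rule written for one program from a modified copy of that program. The following Python example is added here to illustrate that technique on its own; it is not Sophos code, and the SHA-256 digest, the sample program files and the temporary directory are all assumptions made for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(app_dir):
    """Record a checksum for every file under app_dir (the 'trusted' set)."""
    return {
        str(p.relative_to(app_dir)): sha256_of(p)
        for p in sorted(Path(app_dir).rglob("*"))
        if p.is_file()
    }


def classify(app_dir, baseline):
    """Compare the files now present against the baseline.

    Returns a dict with three lists: 'unchanged', 'modified' (same path,
    different checksum) and 'new' (path absent from the baseline).
    A firewall in non-interactive mode would apply its existing rules only
    to 'unchanged' entries; the other two are the "new and modified
    applications" that need a decision or a report.
    """
    result = {"unchanged": [], "modified": [], "new": []}
    for rel, digest in build_baseline(app_dir).items():
        if rel not in baseline:
            result["new"].append(rel)
        elif baseline[rel] != digest:
            result["modified"].append(rel)
        else:
            result["unchanged"].append(rel)
    return result


def demo():
    """Constructed scenario: two trusted programs, one later updated, one new."""
    with tempfile.TemporaryDirectory() as tmp:
        apps = Path(tmp)
        (apps / "mailclient.exe").write_bytes(b"MZ mail client v1")
        (apps / "browser.exe").write_bytes(b"MZ browser v1")
        baseline = build_baseline(apps)

        # Simulate an update to one application and a newly installed one.
        (apps / "browser.exe").write_bytes(b"MZ browser v2")
        (apps / "chat.exe").write_bytes(b"MZ chat v1")
        return classify(apps, baseline)


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that a rule keyed on the file path alone would still match the updated browser, whereas a rule keyed on the checksum does not, which is why an update to a trusted program shows up in the console as a modified application until it is trusted again.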

Allow file and print sharing


You can allow computers to use file and print sharing as follows:
1. Check which firewall policy is used by the group(s) of
computers you want to configure.
2. In the Policies pane, double-click Firewall. Then double-click
the policy you want to change.
3. In the Firewall policy dialog box, click the LAN tab, and then
click Detect to detect addresses on the Local Area Network.
4. Select the NetBIOS check box next to the address(es) in the
list.

Allow applications that have been blocked


If the firewall blocks an application on your networked computers,
you see an alert next to the computer name(s) on the Status page.
You can find details of blocked applications, and allow them or
create new rules for them, as follows:
1. Check which firewall policy is used by the computer(s).
2. In the Policies pane, double-click Firewall. Then double-click
the policy you want to change.
3. In the Firewall policy dialog box, click the Applications tab.
4. On the Applications tab, click Add. The Application
Manager is displayed. Select an application from the list and
click OK.
5. In the Application Rules dialog box, click Trust to allow the
application, or Custom to create a custom rule that specifies
when it can run.

Select interactive or non-interactive working


Sophos Client Firewall can work in two different modes:
· Interactive. The firewall asks the user how to deal with traffic.
· Non-interactive. The firewall deals with traffic automatically
using your rules.
To change the working mode for a group of computers, do as
follows:
1. Check which firewall policy is used by the group(s) of
computers you want to configure.
2. In the Policies pane, double-click Firewall. Then double-click
the policy you want to change.
3. In the Firewall policy dialog box, on the General tab, select
Non-interactive or Interactive. Click OK.

Turn the firewall on or off


When it is first installed, the Sophos Client Firewall is enabled by
default.
To turn the firewall on or off for a group of computers, do as follows:
1. Check which firewall policy is used by the group(s) of
computers you want to configure.
2. In the Policies pane, double-click Firewall. Then double-click
the policy you want to change.
3. In the Firewall policy dialog box, on the General tab, select or
clear the Allow all traffic check box. Click OK.


Get help with advanced options


For full details of all the firewall options, see Sophos Client Firewall
Help.


14 How do I change NAC settings?


This section describes how to set up NAC (network access control)
and edit NAC policies.
· Set up NAC
· Set up the NAC server URL
· Start NAC Manager
· What are the default NAC settings?
· What are the pre-defined NAC policies?
· Edit a NAC policy

Set up NAC
You can set up network access control (NAC), so that computers are
only allowed to log on to the network if they comply with conditions
you set.
Enterprise Console works together with Sophos NAC to give this
network protection. You need to have installed the following:
· The Sophos NAC server. You install this separately from
Enterprise Console.
· The Sophos NAC agent. You install this on your networked
computers, so that they can communicate with the NAC server.
You can install this with the Protect computers function.
This section assumes you have installed both.
By default, computers are allowed to access the network.

Set up the NAC server URL


If you want to use Sophos NAC, the URL of the Sophos NAC server
must be specified in Enterprise Console. This is so that:
· Your computers can communicate with the NAC server and
receive their NAC policy.
· You can configure NAC policies, which are held on the NAC
server.
When you first install Enterprise Console, it attempts to locate the
NAC server and connect to it. However, if it fails, or if you change
the location of the NAC server, you may need to specify the URL.
To enter or change the URL:
1. On the Tools menu, select Configure NAC URL.
2. In the Sophos NAC URL dialog box, enter the URL of the
NAC server (for example, http://server).
If Sophos NAC is installed on more than one server, use the
address of the computer running the application, not the
computer with the database.
3. To check whether Enterprise Console can connect to the NAC
server using the supplied URL, click Test Connection.

Start NAC Manager


Sophos NAC Manager is the interface that enables you to edit NAC
policies.
To start NAC Manager:
1. Click the NAC button on the toolbar. Alternatively, on the
Tools menu, select Manage NAC.
You may be prompted to specify the NAC server URL, if
this has not been detected or specified previously.
2. Log in with your Sophos NAC user credentials (as issued by
the Sophos NAC administrator).
For full details of the interface, see the Sophos NAC Manager help
files or Sophos NAC Manager Guide.


What are the default NAC settings?


By default, the Default NAC policy is applied to computers on which
Sophos NAC has been installed. Unless you have changed the
"policy mode", this means that:
· the computers are allowed access to the network
· Sophos NAC operates in report-only mode.
For details of the pre-defined Managed and Unmanaged policies,
see What are the pre-defined NAC policies?

What are the pre-defined NAC policies?


Three pre-defined policies are available. You can edit the settings in
each policy, as described in Edit a NAC policy.

Default
This policy is applied by default to computers on which Sophos NAC
has been installed. Unless you have changed the settings for this
policy, computers are allowed to access the network. Sophos NAC
operates in Report Only mode.

Managed
This policy can be used for computers that are managed by
Enterprise Console and have Sophos NAC installed. Its initial
settings are the same as those of the Default policy.

Unmanaged
This policy can be used for computers from outside the company,
which are not managed by Enterprise Console and do not have
Sophos NAC installed. Your company can ask such guest users to
connect to a website, where a web agent assesses them against the
policy before allowing them to access the network.
For more information, see "Using pre-defined policies" in the Sophos
NAC Manager Guide.


Edit a NAC policy


You can change the settings for any of the pre-defined NAC policies.
1. In the Policies pane, double-click NAC. Double-click the
policy you want to configure.
2. Sophos NAC Manager is launched. Log in with your
credentials.
3. In the page for the policy, edit the options.
For information on the options, see "Updating policies" in the Sophos
NAC Manager Guide.


15 How do I scan computers?


By default, Sophos Anti-Virus detects known and unknown viruses,
Trojans, worms, and spyware automatically as soon as a user
attempts to access files that contain them. Sophos Anti-Virus 7 and
later for Windows 2000 and later also analyzes behavior of the
programs running on the system.
You can also configure Sophos Anti-Virus to:
· Scan computers for suspicious files
· Scan for adware and other potentially unwanted applications
· Scan computers at set times
For more information about configuring scanning, see the section
How do I change anti-virus and HIPS settings?
This section describes how to perform a full system scan of selected
computers immediately.

Scan computers now


You can scan a computer or computers immediately, without waiting
for the next scheduled scan.
Immediate full system scans started from the console are supported
only on Windows computers running Sophos Anti-Virus 7 or later and
on UNIX computers.
1. Select the computers in the computer list or a group in the
Groups pane. Right-click and select Full system scan.
Alternatively, on the Actions menu, select Full system scan.
2. In the Full system scan dialog box, review the details of the
computers to be scanned and click OK to start the scan.


16 How do I set up alerts?


There are several alerting methods used in Enterprise Console.
· Alerts displayed in the console
If an item that requires attention is found on a computer, or an
error has occurred, Sophos Anti-Virus sends an alert to
Enterprise Console. The alert is displayed in the computer list.
For more information about such alerts, see How do I deal with
alerts?
These alerts are always displayed. You do not need to set them
up.
· Alerts sent by the console to your chosen recipients
By default, when an item is found on a computer, a message is
displayed on the computer desktop and an entry is added to the
Windows event log.
You can also set up email alerts or SNMP alerts for
administrators.

This section describes how to set up alerts that will be sent to your
chosen recipients.
· Set up anti-virus and HIPS email alerts
· Set up anti-virus and HIPS SNMP alerts
· Configure anti-virus and HIPS desktop alerts
· Set up application control alerts
· Set up network status email alerts
· Set up Active Directory synchronization email alerts
· Configure event logging

Set up anti-virus and HIPS email alerts


You can have email alerts sent to particular users if a virus,
suspicious behavior, an unwanted application or an error is
encountered on any of the computers in a group.
Mac OS X computers can send email alerts to only one address.
1. In the Policies pane, double-click the anti-virus and HIPS
policy you want to change.
2. In the Anti-virus and HIPS policy dialog box, in the
Configure Sophos Anti-Virus and HIPS panel, click
Messaging.
3. In the Messaging dialog box, click the Email alerting tab. Set
the options as described below.
Enable email alerting

Select this to enable Sophos Anti-Virus to send email alerts.


Messages to send

Select the events for which you want Sophos Anti-Virus to send
email alerts:
§ Virus/spyware detection and cleanup
§ Suspicious behavior detection
§ Suspicious file detection
§ Adware/PUA detection and cleanup
§ Scanning errors (e.g. access denied)
§ Other errors
The Suspicious behavior detection and Suspicious file
detection settings apply only to Sophos Anti-Virus 7 and
later for Windows 2000 and later.
The Adware/PUA detection and cleanup setting applies
only to Sophos Anti-Virus 6 and later for Windows 2000
and later.
The Other errors setting applies only to Windows.
Recipients

Click Add or Remove to add or remove, respectively, email
addresses to which email alerts should be sent. Click Rename to
change an email address you have added.
Mac OS X computers will send messages only to the first
recipient in the list.
Configure SMTP

Click this to change the settings for the SMTP server and the
language of the email alerts. In the Configure SMTP settings
dialog box, enter the details as described below.
SMTP server

In the text box, type the host name or IP address of the
SMTP server. Click Test to send a test email alert.
SMTP sender address

In the text box, type an email address to which bounces and
non-delivery reports can be sent.
SMTP reply-to address

As email alerts are sent from an unattended mailbox, you
can type in the text box an email address to which replies to
email alerts can be sent.
Linux and UNIX computers will ignore the SMTP
sender and reply-to addresses and use the address
root@<hostname>.
Language

Click the drop-down arrow, and select the language in
which email alerts should be sent.

Set up anti-virus and HIPS SNMP alerts


You can have SNMP alerts sent to particular users if a virus or error
is encountered on any of the computers in the group.
These settings apply only to Sophos Anti-Virus 6 and later for
Windows 2000 and later.
1. In the Policies pane, double-click the anti-virus and HIPS
policy you want to change.
2. In the Anti-virus and HIPS policy dialog box, in the
Configure Sophos Anti-Virus and HIPS panel, click
Messaging.
3. In the Messaging dialog box, click the SNMP messaging tab.
Set the options as described below.
Enable SNMP messaging

Select this to enable Sophos Anti-Virus to send SNMP
messages.
Messages to send

Select the types of event for which you want Sophos Anti-Virus
to send SNMP messages:
§ Virus/spyware detection and cleanup
§ Suspicious behavior detection
§ Suspicious file detection
§ Adware/PUA detection and cleanup
§ Scanning errors (e.g. access denied)
§ Other errors
The Suspicious behavior detection and Suspicious file
detection settings apply only to Sophos Anti-Virus 7 and
later for Windows 2000 and later.
SNMP trap destination

In this text box, enter the IP address of the recipient.

SNMP community name

In this text box, enter the SNMP community name.

Configure anti-virus and HIPS desktop alerts


By default, desktop alerts are displayed on the computer on which a
virus, suspicious item or potentially unwanted application is found.
You can configure these alerts.
1. In the Policies pane, double-click the anti-virus and HIPS
policy you want to change.
2. In the Anti-virus and HIPS policy dialog box, in the
Configure Sophos Anti-Virus and HIPS panel, click
Messaging.
3. In the Messaging dialog box, click the Desktop messaging tab.
Set the options as described below.
Enable desktop messaging

Select this to enable Sophos Anti-Virus to display desktop
messages.
Messages to send

Select the types of event for which you want Sophos Anti-Virus
to display desktop messages:
§ Virus/spyware detection and cleanup
§ Suspicious behavior detection
§ Suspicious file detection
§ Adware/PUA detection and cleanup
The Suspicious behavior detection and Suspicious file
detection settings apply only to Sophos Anti-Virus 7 and
later for Windows 2000 and later.
The Adware/PUA detection and cleanup setting applies
only to Sophos Anti-Virus 6 and later for Windows 2000
and later.


User-defined message

In this text box, you can type a message that will be added to the
end of the standard message.

Set up application control alerts


You can send alerts to particular users when a controlled application
is found.
1. In the Policies pane, double-click the application control policy
you want to change.
2. In the Application control policy dialog box, on the
Messaging tab, set the options as described below.
Messaging

The Enable desktop messaging check box is enabled by
default. When an unauthorized controlled application is detected
by on-access scanning and blocked, a desktop message is
displayed to the user, informing them that the application has
been blocked.
In the Message text box, you can type a message that will be
added to the end of the standard desktop message.
Select the Enable email alerting check box to enable Sophos
Anti-Virus to send email alerts.
Select the Enable SNMP messaging check box to enable
Sophos Anti-Virus to send SNMP messages.
Your anti-virus and HIPS policy settings determine email
and SNMP messaging configuration and recipients.
Console alerting

By default, an alert is displayed in the console the first time an
individual application is detected.
If you want to see an alert every time the application is
detected on a computer, clear the Display an alert for the first
detection only check box.

Set up network status email alerts


You can set up email alerts to be sent to your chosen recipients when
a warning or critical level has been exceeded for a dashboard section.
1. On the Tools menu, select Configure email alerts. The
Configure email alerts dialog box is displayed.
2. If SMTP settings have not been configured, or if you want to
view or change the settings, click Configure. In the Configure
SMTP settings dialog box, enter the details as described
below.
In the Server address text box, type the host name or IP address
of the SMTP server.
In the Sender text box, type an email address to which bounces
and non-delivery reports can be sent.
Click Test to test the connection.
3. In the Recipients panel, click Add. The Add a new email alert
recipient dialog box appears.
4. In the Email address field, enter the address of your recipient.
5. In the Language field, select the language in which email alerts
should be sent.
6. In the Subscriptions pane, select "warning level exceeded" and
"critical level exceeded" email alerts you want to send to this
recipient.
"Warning level exceeded" email alerts:
§ Alerts
§ Errors
§ Out-of-date computers
§ Computers that differ from policy

"Critical level exceeded" email alerts:
§ Alerts
§ Errors
§ Out-of-date computers
§ Computers that differ from policy
§ Time since last update from Sophos
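The following Python example is added here to show how the pieces of the SMTP-based alerting described above fit together: the threshold evaluation behind "warning level exceeded" and "critical level exceeded" alerts, the per-recipient subscriptions, and the sender and reply-to addresses described under Configure SMTP. It is not Sophos code; the dashboard section names, the threshold values, the recipient addresses and the rule that "exceeded" means strictly greater than the configured level are all assumptions made for the example.

```python
from email.message import EmailMessage
import smtplib

# Dashboard sections with both a warning and a critical level, as listed in
# the Subscriptions pane; "Time since last update from Sophos" has only a
# critical level. The internal names are assumptions.
WARNING_SECTIONS = {"alerts", "errors", "out_of_date", "differ_from_policy"}
CRITICAL_SECTIONS = WARNING_SECTIONS | {"time_since_last_update"}


def evaluate(section_values, thresholds):
    """Return {section: "critical" | "warning"} for each dashboard section whose
    current value exceeds a configured level ("exceeds" is taken here to mean
    strictly greater than, an assumption). Critical takes precedence."""
    exceeded = {}
    for section, value in section_values.items():
        levels = thresholds.get(section, {})
        if section in CRITICAL_SECTIONS and value > levels.get("critical", float("inf")):
            exceeded[section] = "critical"
        elif section in WARNING_SECTIONS and value > levels.get("warning", float("inf")):
            exceeded[section] = "warning"
    return exceeded


def route(exceeded, recipients):
    """Match exceeded (section, level) pairs against each recipient's
    subscriptions. Returns [(address, [(section, level), ...]), ...] listing
    only the recipients who have something to receive."""
    deliveries = []
    for recipient in recipients:
        wanted = sorted(
            (section, level)
            for section, level in exceeded.items()
            if (section, level) in recipient["subscriptions"]
        )
        if wanted:
            deliveries.append((recipient["address"], wanted))
    return deliveries


def compose(sender, to_address, items, reply_to=None):
    """Build the alert email. `sender` is the SMTP sender address configured in
    the console (where bounces and non-delivery reports go); `reply_to`
    corresponds to the reply-to field of the anti-virus SMTP dialog."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to_address
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Subject"] = "Network status: " + ", ".join(
        f"{section} {level} level exceeded" for section, level in items
    )
    msg.set_content(
        "\n".join(f"{level.upper()}: {section} level exceeded" for section, level in items)
    )
    return msg


def send(msg, smtp_server, port=25):
    """Hand the message to the configured SMTP server (not called by demo())."""
    with smtplib.SMTP(smtp_server, port) as smtp:
        smtp.send_message(msg)


# Constructed sample: current dashboard counts, configured levels, recipients.
SECTION_VALUES = {"alerts": 12, "errors": 3, "out_of_date": 40,
                  "differ_from_policy": 0, "time_since_last_update": 30}
THRESHOLDS = {"alerts": {"warning": 5, "critical": 10},
              "errors": {"warning": 2, "critical": 5},
              "out_of_date": {"warning": 10, "critical": 25},
              "differ_from_policy": {"warning": 1, "critical": 5},
              "time_since_last_update": {"critical": 24}}
RECIPIENTS = [
    {"address": "soc@example.com",
     "subscriptions": {("alerts", "warning"), ("alerts", "critical"),
                       ("errors", "critical"), ("time_since_last_update", "critical")}},
    {"address": "it-manager@example.com",
     "subscriptions": {("alerts", "critical"), ("out_of_date", "critical")}},
]


def demo():
    """Evaluate the sample dashboard and build (but do not send) the emails."""
    exceeded = evaluate(SECTION_VALUES, THRESHOLDS)
    return [compose("console-alerts@example.com", address, items)
            for address, items in route(exceeded, RECIPIENTS)]
```

Note that a recipient subscribed only to the critical level of a section receives nothing while that section sits at its warning level; in the sample, the errors count exceeds the warning level but not the critical one, so soc@example.com is not told about it.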

Set up Active Directory synchronization email alerts


You can also set up email alerts to be sent to your chosen recipients
about new computers and groups discovered during synchronizations
with Active Directory. If you choose to protect computers in
synchronized groups automatically, you can also set up alerts about
automatic protection failures.
1. On the Tools menu, select Configure email alerts. The
Configure email alerts dialog box is displayed.
2. If SMTP settings have not been configured, or if you want to
view or change the settings, click Configure. In the Configure
SMTP settings dialog box, enter the details as described
below.
In the Server address text box, type the host name or IP address
of the SMTP server.
In the Sender text box, type an email address to which bounces
and non-delivery reports can be sent.
Click Test to test the connection.
3. In the Recipients panel, click Add. The Add a new email alert
recipient dialog box appears.
4. In the Email address field, enter the address of your recipient.
5. In the Language field, select the language in which email alerts
should be sent.
6. In the Subscriptions pane, select "Active Directory
synchronization" email alerts you want to send to this recipient.

"Active Directory synchronization" email alerts:
§ New groups discovered
§ New computers discovered
§ Automatic computer protection has failed

Configure event logging


To enable Sophos Anti-Virus to add alerts to the Windows 2000 or
later event log when an item is found or an error occurs, do as
follows:
1. In the Policies pane, double-click the anti-virus and HIPS
policy you want to change.
2. In the Anti-virus and HIPS policy dialog box, in the
Configure Sophos Anti-Virus and HIPS panel, click
Messaging.
3. In the Messaging dialog box, click the Event log tab. Set the
options as described below.
Enable event logging

Select this to enable Sophos Anti-Virus to send messages to the
Windows event log.
Messages to send

Select the events for which you want Sophos Anti-Virus to send
messages. Scanning errors include instances when Sophos
Anti-Virus is denied access to an item that it attempts to scan.


17 How do I deal with alerts?


This section describes how to deal with alerts.
It includes:
· What do the alert icons mean?
· Deal with virus and spyware alerts
· Deal with suspicious behavior alerts
· Deal with suspicious file alerts
· Deal with firewall alerts
· Deal with adware/PUA alerts
· Deal with controlled application alerts
· Clear alerts from the console

What do the alert icons mean?


If a virus, spyware, a suspicious item, adware or another potentially
unwanted application is detected, alert icons are displayed
on the Status page in Enterprise Console.
Below is a key to the alert icons. In the other pages in this section,
you can find advice on dealing with alerts.
Warnings are also displayed in the console if software is disabled
or out of date. For information on this see How do I check
whether my network is protected?

Alert icons
Sign Explanation
A red warning sign displayed in the Alerts and errors
column means that a virus, worm, Trojan, spyware, or
suspicious behavior has been detected.

A yellow warning sign displayed in the Alerts and errors
column indicates one of the following problems:
· A suspicious file has been detected.
· Adware or another potentially unwanted application
has been detected.
· A controlled application has been detected.
· The firewall has blocked an application.
· An error has occurred.
A yellow warning sign displayed in the Anti-virus and
HIPS policy, Firewall policy, Updating policy, or
Application control policy column means that the
computer is not using the same policies as other computers
in its group.

If there are multiple alerts or errors on a computer, the icon of the
alert that has the highest priority will be displayed in the Alerts and
errors column. Alert types are listed below in descending order of
priority.
Priority of alerts
1. Virus/spyware alerts
2. Suspicious behavior alerts
3. Suspicious file alerts
4. Firewall alerts
5. Adware/PUA alerts
6. Controlled application alerts
7. Sophos Anti-Virus, updating, and Sophos Client Firewall errors
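As an added illustration of the priority rule (not part of the original manual and not Sophos code), the following Python example picks the alert whose icon a computer would show and orders a set of computers so that red icons are handled first. The status text for product errors and the computer names are constructed for the example.

```python
from enum import IntEnum


class AlertType(IntEnum):
    """Alert types in the console's descending order of priority (1 = highest)."""
    VIRUS_SPYWARE = 1
    SUSPICIOUS_BEHAVIOR = 2
    SUSPICIOUS_FILE = 3
    FIREWALL = 4
    ADWARE_PUA = 5
    CONTROLLED_APPLICATION = 6
    PRODUCT_ERROR = 7  # Sophos Anti-Virus, updating and firewall errors


# Icon colour and status text per alert type, taken from the key above.
# The text for PRODUCT_ERROR is an assumption; the manual only says
# "an error has occurred".
ICON = {
    AlertType.VIRUS_SPYWARE: ("red", "Virus/spyware detected"),
    AlertType.SUSPICIOUS_BEHAVIOR: ("red", "Suspicious behavior detected"),
    AlertType.SUSPICIOUS_FILE: ("yellow", "Suspicious file detected"),
    AlertType.FIREWALL: ("yellow", "Firewall alert"),
    AlertType.ADWARE_PUA: ("yellow", "Adware/PUA detected"),
    AlertType.CONTROLLED_APPLICATION: ("yellow", "Controlled application detected"),
    AlertType.PRODUCT_ERROR: ("yellow", "Error"),
}


def displayed_alert(alerts):
    """Return (icon colour, status text, outstanding count) for the alert the
    Alerts and errors column would show for one computer, or None if the
    computer has no outstanding alerts. The lowest enum value wins, which is
    the highest priority in the list above."""
    if not alerts:
        return None
    colour, text = ICON[min(alerts)]
    return colour, text, len(alerts)


def summarize(computers):
    """Apply displayed_alert to a {computer name: [AlertType, ...]} mapping and
    return [(name, displayed)] ordered worst first, so the red icons come
    before the yellow ones when triaging."""
    rows = []
    for name, alerts in computers.items():
        shown = displayed_alert(alerts)
        if shown is not None:
            rows.append((min(alerts), name, shown))
    rows.sort()
    return [(name, shown) for _, name, shown in rows]


# Constructed sample: four computers with differing outstanding alerts.
SAMPLE = {
    "WS-0101": [AlertType.FIREWALL, AlertType.ADWARE_PUA],
    "WS-0102": [AlertType.PRODUCT_ERROR, AlertType.SUSPICIOUS_BEHAVIOR],
    "WS-0103": [],
    "WS-0104": [AlertType.CONTROLLED_APPLICATION],
}

if __name__ == "__main__":
    for name, (colour, text, count) in summarize(SAMPLE):
        print(f"{name}: {colour} icon, {text} ({count} outstanding)")
```

The count returned alongside the icon matters in practice: a single yellow icon can hide several lower-priority alerts, so the Alert and error details tab, not the icon alone, is what tells you how much is outstanding on a computer.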

Deal with virus and spyware alerts


If a virus or spyware is detected, you see a red warning triangle
and the words "Virus/spyware detected" on the Status page.
For more details, click the Alert and error details tab. To deal with
the virus or spyware, follow the instructions in Clean up computers
now.

Deal with suspicious behavior alerts


If suspicious behavior or a buffer overflow is detected during runtime
behavior analysis, you see a red warning triangle and the words
"Suspicious behavior detected" on the Status page.
For more details, click the Alert and error details tab. To remove
the suspicious item, follow the instructions in Clean up computers
now. If you want to authorize it, see Authorize suspicious items.

Deal with suspicious file alerts


If a suspicious file is detected, you see a yellow warning triangle
and the words "Suspicious file detected" on the Status page.
For more details, click the Alert and error details tab. The name of
the file is shown in the Item detected column.
To remove the file, see Clean up computers now.
To authorize the file, follow the instructions in Authorize suspicious
items.

Deal with firewall alerts


If the firewall blocks an application, you see a yellow warning
triangle and the words "Firewall alert" on the Status page.
This icon can also indicate an adware/PUA alert from Sophos
Anti-Virus. Then the words "Adware/PUA detected" are
displayed next to the icon.
For more details, click the Alert and error details tab. The name of
the application blocked by the firewall is shown in the Item detected
column.
If you want to allow the application, or to make a new rule for it,
follow the instructions in Allow applications that have been blocked.

Deal with adware/PUA alerts


If adware or another potentially unwanted application (PUA) is
detected, you see a yellow warning triangle and the words
"Adware/PUA detected" on the Status page.
This icon can also indicate a firewall alert. Then the words
"Firewall alert" are displayed next to the icon.
For more details, click the Alert and error details tab. The name of
the application is shown in the Item detected column.
To remove the application, see Clean up computers now.
To authorize the application, follow the instructions in Authorize
adware/PUA.

Deal with controlled application alerts


If a controlled application is detected, you see a yellow warning
triangle and the words "Controlled application detected" on the
Status page.
For more details, click the Alert and error details tab. The name of
the application is shown in the Item detected column.
To remove the application, see Uninstall controlled applications you
do not want.

Clear alerts from the console


If you are taking action to deal with alerts, or are sure that a computer
is safe, you can clear the alerts sign displayed in the console.

You cannot clear alerts about installation errors. These are
cleared only when Sophos Anti-Virus is installed successfully on
the computer.
1. Select the computer(s) for which you want to clear alerts.
Right-click and select Acknowledge alerts and errors.
2. The Acknowledge alerts and errors dialog box is displayed.
To clear alerts from the console, in the Acknowledge alerts and
errors dialog box, on the Alerts tab, select the alerts you want
to clear and click OK. Acknowledged (cleared) alerts are no
longer displayed in the console.
To clear Sophos product errors from the console, in the
Acknowledge alerts and errors dialog box, go to the Sophos
Anti-Virus errors or Firewall errors tab, select the errors you
want to clear from the console and click OK.

129
Sophos Enterprise Console user manual

18 How do I clean up computers?


This section describes how to clean up computers that are infected
with a virus or have unwanted applications on them.
You can:
· Clean up computers now
· Deal with detected items if cleanup fails
· Set up automatic cleanup

Clean up computers now


From Enterprise Console, you can immediately clean up computers
that are infected with a virus or have unwanted applications on them.
This option applies only to Windows 2000 and later computers
running Sophos Anti-Virus 6 or later.
To clean up Windows 95/98/Me and NT4, Mac, Linux or UNIX
computers, you can either set up automatic cleanup from the console
or clean up the computers individually as described in Deal with
detected items if cleanup fails.
Sophos Anti-Virus may report that an item (e.g. a Trojan or
potentially unwanted application) is "partially detected". This
means that it has not found all the component parts of that
application. Before you can clean up the item, you will need to
find its other components by carrying out a full system scan of
the computer(s) affected. For more information, see Partially
detected item.
1. In the list of computers, right-click the computer(s) that you
want to clean up. Select Clean up detected items.
2. In the Clean up detected items dialog box, select the check
box for each item you want to clean up, or click Select all.
3. Click OK to clean the computer(s).
4. If the cleanup is successful, the alert(s) shown in the list of
computers will no longer be displayed.
If any alerts remain, you should clean up computers manually. See
Deal with detected items if cleanup fails.

Deal with detected items if cleanup fails


If you cannot clean up computers from the console, you can perform
the cleanup manually as follows:
1. In the computer list, click the Alert and error details tab. In
the Item detected column, look for the name of the item.
2. On the Help menu, click View item information. This
connects you to the Sophos website, where you can search for
the item and find advice on how to clean up the computer.
3. Go to each computer and carry out the cleanup manually.
The Sophos website provides special downloadable disinfectors
for certain viruses and worms.

Set up automatic cleanup


You can have computers cleaned up automatically as soon as a virus
or other item is found. To do this, you change the settings for on-
access scanning and scheduled scanning as follows:
On-access scanning cannot clean up adware and other potentially
unwanted applications (PUAs). You should deal with these as
described in Clean up computers now or enable automatic
cleanup of adware/PUA for scheduled scans.
1. Check which anti-virus and HIPS policy is used by the group(s)
of computers you want to configure.
2. In the Policies pane, double-click Anti-virus and HIPS. Then
double-click the policy you want to change. The Anti-virus
and HIPS policy dialog box is displayed.

On-access scanning

In the Configure Sophos Anti-Virus and HIPS panel, click
the On-access scanning button. In the On-access scan settings
dialog box, click the Cleanup tab. Set the options as described
below.
Viruses/spyware

Select Automatically clean up items that contain a virus/
spyware. You can also specify what should be done with the
items if cleanup fails:
§ Do nothing (default)
§ Delete
§ Move to default location
§ Move to <specified UNC path>
None of the settings specifying what should be done if
cleanup fails apply to Windows 95, 98, or Me computers.
If you select Move to and specify a location, Mac OS X
computers will still move infected items to the default location.
The Move to default location and Move to settings do not
apply to Linux or UNIX computers and will be ignored by them.
Suspicious files

The "suspicious files" settings apply only to Sophos Anti-Virus 7 and later for Windows 2000 and later.
You can specify what should be done with suspicious files when
they are detected:
§ Do nothing (default)
§ Delete
§ Move to default location
§ Move to <specified UNC path>

Scheduled scanning

In the Anti-virus and HIPS policy dialog box, in the
Scheduled scanning panel, highlight the scan and click Edit.
Then in the Scheduled scan settings dialog box, click
Configure. In the Scanning and cleanup settings dialog box,
click the Cleanup tab. Set the options as described below.
Viruses/spyware

Select Automatically clean up items that contain a virus/
spyware. You can also specify what should be done with the
items if cleanup fails:
§ Do nothing (default)
§ Delete
§ Move to default location
§ Move to <specified UNC path>
If you select Move to and specify a location, Windows 95,
98, and Me computers will still move infected items to the
default location.
Adware/PUA
Select Automatically clean up adware/PUA, if you want to.
The "adware/PUA" setting applies only to Sophos Anti-
Virus 6 and later for Windows 2000 and later.
Suspicious files
The "suspicious files" settings apply only to Sophos Anti-
Virus 7 and later for Windows 2000 and later.
You can specify what should be done with suspicious files when
they are detected:
§ Do nothing (default)
§ Delete
§ Move to default location
§ Move to <specified UNC path>

19 How do I generate reports?
You can generate reports about alerts on your network.
To do this, you click the Reports icon on the toolbar and then use
the Reporting options as described in this section.
You can:
· Generate a report
· Display a report as a table
· Display a report as a chart
· Show the number of alerts per item name
· Show the number of alerts per location
· Show the rate of alerts
· Show history of alerts
· Print a report
· Export a report to a file
· Change the report layout

Generate a report
To create a report, do as follows:
1. In Enterprise Console, open the Tools menu and select View
Reports. The Reporting dialog box is displayed.
2. In the drop-down menu, click the type of report that you want.
§ Alerts by item name shows the number of alerts for each
item (such as a virus or unwanted application) detected on
your network.
§ Alerts per location shows the number of alerts for each
computer or group of computers.
§ Alerts by time shows the rate of alerts occurring during a set
time.
§ Alert History shows full details of each alert.
On the Configuration tab, you can customize the report.
Then click the Table or Chart tab to view the report.

Display a report as a table
1. In the Sophos Enterprise Console, open the Tools menu and
select View Reports.
2. In the Reporting dialog box, in the drop-down menu, select the
type of report you want to create. On the Configuration tab,
configure the report. Then click the Table tab.
3. The table is displayed. The Report Description summarizes
the criteria (e.g. the length of time covered) used to create the
report.

Display a report as a chart
The chart view is not available for 'Alert history' reports.
1. In the Sophos Enterprise Console, open the Tools menu and
select View Reports.
2. In the Reporting dialog box, in the drop-down menu, select the
type of report you want to create. On the Configuration tab,
configure the report. Then click the Chart tab.
3. The chart is displayed. The Report Description summarizes
the criteria (e.g. the length of time covered) used to create the
report.

Show the number of alerts per item name
1. In the Sophos Enterprise Console, click the Reports icon on
the toolbar.
2. In the Reporting dialog box, in the drop-down menu, select
Alerts by item name.
3. On the Configuration tab, you can select the options described
below. When you have finished, click one of the other tabs to
display the report as a chart or table.
Reporting Period
In the Period text box, click the drop-down arrow and select a
time period. You can either select a fixed period, e.g. Last
month, or select Custom and specify your own time period in
the Start and End boxes.
Location
Click Group of computers or Individual computer. Then click
the drop-down arrow to specify a group or computer name.
Filter
By default, the report shows all alerts and the number of
occurrences for each. You can change the types of alert shown to
one of the following:
§ All (except controlled applications)
§ Viruses/spyware only
§ Suspicious behavior only
§ Suspicious files only
§ Firewall only
§ Adware/PUA only
§ Controlled applications only
You can also configure the report to show only:
§ the top n alerts (where n is a number you specify), or
§ alerts with m occurrences or more (where m is a number you
specify).
Sort by
By default, the report lists alerts in order of decreasing number
of occurrences. Select Alert name if you want them listed by
name in alphabetical order.

Show the number of alerts per location
1. In the Sophos Enterprise Console, click the Reports icon on
the toolbar.
2. In the Reporting dialog box, in the drop-down menu, select
Alerts per location.
3. On the Configuration tab, you can select the options described
below. When you have finished, click one of the other tabs to
display the report as a chart or table.
Reporting Period
In the Period text box, click the drop-down arrow and select a
time period. You can either select a fixed period, e.g. Last
month, or select Custom and specify your own time period in
the Start and End boxes.
Location
Click Computers to show alerts per computer or Group to
show alerts for each group of computers.
Filter
By default, the report shows all alerts and the number of
occurrences for each. You can change the types of alert shown to
one of the following:
§ All (except controlled applications)
§ Viruses/spyware only
§ Suspicious behavior only
§ Suspicious files only
§ Firewall only
§ Adware/PUA only
§ Controlled applications only
Alternatively, you can configure the report to show only
locations that have reported a particular alert. To specify a single
alert, click the drop-down arrow and click an alert name in the
list. To specify more than one alert, type a name in the text box,
using wildcards. Use ? for any single character in the name, and
* for any string of characters. For example, W32/* would
specify all viruses with names beginning W32/.
By default, the report shows all computers or groups (depending
on the selection made for Location). However, you can
configure it to show only:
§ the top n locations that have recorded the most alerts (where n
is a number you specify), or
§ locations with m alerts or more (where m is a number you
specify).
Sort by
By default, the report lists locations in order of decreasing
number of alerts per location. Select Location if you want them
sorted by name in alphabetical order.
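The two reports described above, modelled as an added Python example (not the manual's or Sophos's own code): the wildcard filter (? for one character, * for any string), the type filter whose default "All" skips controlled applications, the top n and "m or more" limits, and both sort orders, run over a constructed set of alert records. It assumes that "top n" is taken by count before any alphabetical re-sort; the Alert record, its field names and all sample values are hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Alert types follow the Filter list on the report Configuration tab.
# The default "All" filter leaves out this one type.
CONTROLLED = "controlled application"


@dataclass(frozen=True)
class Alert:
    """One alert record (hypothetical shape); the fields are what the two
    reports group on."""
    name: str      # item name, e.g. a virus identity
    kind: str      # "virus/spyware", "adware/PUA", "firewall", ...
    computer: str  # reporting computer
    group: str     # Enterprise Console group the computer belongs to


def alert_name_pattern(text):
    """Compile a 'Show only alerts like' string: ? matches exactly one
    character, * matches any run of characters, everything else is literal."""
    parts = []
    for ch in text:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def filter_alerts(alerts, kind="all", name_like=None):
    """Apply the Filter options: one alert type, or "all" (which, as in the
    console, means every type except controlled applications), plus an
    optional wildcard pattern on the item name."""
    pattern = alert_name_pattern(name_like) if name_like else None
    kept = []
    for alert in alerts:
        if kind == "all":
            if alert.kind == CONTROLLED:
                continue
        elif alert.kind != kind:
            continue
        if pattern is not None and pattern.fullmatch(alert.name) is None:
            continue
        kept.append(alert)
    return kept


def _rank(counts, top_n, min_count, sort_by):
    """Shared tail of both reports: drop entries below min_count, keep the
    top_n by count (assumption: 'top n' is taken before any re-sort by
    name), then order by decreasing count or alphabetically."""
    rows = [(key, n) for key, n in counts.items() if n >= min_count]
    rows.sort(key=lambda row: (-row[1], row[0].lower()))
    if top_n is not None:
        rows = rows[:top_n]
    if sort_by == "name":
        rows.sort(key=lambda row: row[0].lower())
    return rows


def alerts_by_item_name(alerts, kind="all", name_like=None,
                        top_n=None, min_count=1, sort_by="count"):
    """'Alerts by item name': number of alerts per detected item."""
    counts = Counter(a.name for a in filter_alerts(alerts, kind, name_like))
    return _rank(counts, top_n, min_count, sort_by)


def alerts_per_location(alerts, by="computer", kind="all", name_like=None,
                        top_n=None, min_count=1, sort_by="count"):
    """'Alerts per location': number of alerts per computer or per group."""
    pick = (lambda a: a.computer) if by == "computer" else (lambda a: a.group)
    counts = Counter(pick(a) for a in filter_alerts(alerts, kind, name_like))
    return _rank(counts, top_n, min_count, sort_by)


# Constructed sample data; item names are placeholders, not real identities.
SAMPLE_ALERTS = [
    Alert("W32/Sample-A", "virus/spyware", "PC-01", "Sales"),
    Alert("W32/Sample-A", "virus/spyware", "PC-02", "Sales"),
    Alert("W32/Sample-A", "virus/spyware", "PC-03", "Finance"),
    Alert("W32/Other-B", "virus/spyware", "PC-02", "Sales"),
    Alert("Sample Toolbar", "adware/PUA", "PC-04", "Finance"),
    Alert("Sample Toolbar", "adware/PUA", "PC-04", "Finance"),
    Alert("Sample Messenger", CONTROLLED, "PC-01", "Sales"),
]

if __name__ == "__main__":
    # Items beginning W32/, most frequent first (the W32/* example above).
    for row in alerts_by_item_name(SAMPLE_ALERTS, name_like="W32/*"):
        print(row)
    # Alerts per group, controlled applications left out by default.
    for row in alerts_per_location(SAMPLE_ALERTS, by="group"):
        print(row)
```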

Show the rate of alerts
1. In Sophos Enterprise Console, click the Reports icon on the
toolbar.
2. In the Reporting dialog box, in the drop-down menu, select
Alerts by time.
3. On the Configuration tab, you can select the options described
below. When you have finished, click one of the other tabs to
display the report as a chart or table.
Reporting Period
In the Period text box, click the drop-down arrow and select a
time period. You can either select a fixed period, e.g. Last
month, or select Custom and specify your own time period in
the Start and End boxes.
Location
Click Group of computers or Individual computer. Then click
the drop-down arrow to specify a group or computer name.
Filter
By default, the report shows all alerts and the number of
occurrences for each. You can change the types of alert shown to
one of the following:
§ All (except controlled applications)
§ Viruses/spyware only
§ Suspicious behavior only
§ Suspicious files only
§ Firewall only
§ Adware/PUA only
§ Controlled applications only
If you want the report to show statistics only for a particular
alert or group of alerts, use the Show only alerts like text box.
To specify a single alert, click the drop-down arrow and click an
alert name in the list. To specify more than one alert, type a
name in the text box, using wildcards. Use ? for any single
character in the name, and * for any string of characters. For
example, W32/* would specify all viruses with names beginning
W32/.
Intervals at which the rate is measured
To specify the intervals of time at which the rate of alerts is
measured, e.g. each hour or each day, click the drop-down arrow
and select an interval.

Show history of alerts
1. In the Sophos Enterprise Console, open the Tools menu and
select View Reports.
2. In the Reporting dialog box, in the drop-down menu, select
Alert History.
3. On the Configuration tab, you can select the options described
below. When you have finished, click the Table tab to display
the report.
Reporting period
In the Period text box, click the drop-down arrow and select a
time period. You can either select a fixed period, e.g. Last
month, or select Custom and specify your own time period in
the Start and End boxes.
Location
Select Group of computers or Individual computer. Then
click the drop-down arrow to specify a group or computer name.
Filter
By default, the report shows all alerts and the number of
occurrences for each. You can change the types of alert shown to
one of the following:
§ All (except controlled applications)
§ Viruses/spyware only
§ Suspicious behavior only
§ Suspicious files only
§ Firewall only
§ Adware/PUA only
§ Controlled applications only
If you want the report to show statistics only for a particular
alert or group of alerts, use the Show only alerts like text box.
To specify a single alert, click the drop-down arrow and click an
alert name in the list. To specify more than one alert, type a
name in the text box, using wildcards. Use ? for any single
character in the name, and * for any string of characters. For
example, W32/* would specify all viruses with names beginning
W32/.
Sort by
By default, alert details are sorted according to Alert name.
However, reports can also be sorted by Computer name,
computer Group name, or Date and time.

Print a report
To print a report, click the Print icon in the toolbar at the top of the
report.

Export a report to a file
To export a report to a file:
1. Click the Export icon in the toolbar at the top of the report.
2. In the Export report dialog box, select the type of document or
spreadsheet you would like to export the report to. The options
are:
§ PDF (Acrobat)
§ HTML
§ Microsoft Excel
§ Microsoft Word
§ Rich Text Format (RTF)
§ Comma separated values (CSV)
§ XML
3. Click the File Name browse button to select a location. Then
enter a name. Click OK.

Change the report layout
You can change the page layout used for reports. For example, you
can display a report in landscape (wide-page) format.
1. Click the page layout icon in the toolbar at the top of the report.
2. In the Page Setup dialog box, specify page size, orientation
and margins. Click OK. The report is then displayed with these
page settings.
These page settings are also used when you print or export the
report.

20 How can another user use Enterprise Console?
Only members of the Sophos Console Administrators group can
use Enterprise Console.
If you want to enable another user to use Enterprise Console, use
Windows tools to add that user to the group.

21 How do I turn reporting to Sophos on or off?
You can choose to allow Sophos Enterprise Console to report to
Sophos the number of managed computers and information about the
types and versions of operating systems and Sophos products in use
each week. Sophos will use this information to provide a better
support service and also to increase our understanding of how
customers use our products. Any information reported to Sophos
about your computers will not identify individuals or specific
computers. Sophos will not use the information reported to Sophos to
identify your company unless you provide us with your EM
download username and/or a contact email address.
You are given the option of enabling reporting to Sophos when
installing or upgrading the console, in the Sophos Enterprise Console
installation wizard.
If you want to turn reporting to Sophos on or off after installation, do
the following:
1. On the Tools menu, select Reporting to Sophos.
2. The Reporting to Sophos dialog box is displayed.
If you want to enable reporting to Sophos, read the agreement
and select the I agree check box if you agree to the terms.
If you want to enable Sophos customer support to contact you
directly, e.g. if there is a platform or version issue, enter your
EM download username and/or contact email address.
You need not provide the username or email address if you are
happy to report this information but would like to remain
anonymous.
If you want to disable reporting to Sophos, clear the I agree
check box.
3. Click OK.

22 Troubleshooting
This section describes how to deal with problems that might arise
when using Enterprise Console.
· Cannot protect computers in Unassigned folder
· Sophos Anti-Virus installation failed
· Computers are not updated
· Anti-virus settings do not take effect on Macs
· Anti-virus settings do not take effect on Linux
· Linux computer does not comply with policy
· On-access scan settings do not take effect
· New scan appears unexpectedly on 2000 or later
· Connectivity and timeout problems
· Adware/PUAs are not detected
· Partially detected item
· Frequent alerts about potentially unwanted applications
· Cleanup failed
· Recover from virus side-effects
· Recover from application side-effects
· Technical support

Cannot protect computers in Unassigned folder
The Unassigned folder is only for holding computers that are not yet
in groups. You cannot protect computers until you place them in a
group.

Sophos Anti-Virus installation failed
If the Protect computers wizard fails to install Sophos Anti-Virus on
computers, it could be because:
· Enterprise Console does not know which operating system the
computers are running. This is probably because you did not
enter your username in the format domain\user when finding
computers.
· The computers are running a firewall (usually this is the case on
Windows XP SP2 and Windows Vista computers).
· "Simple File Sharing" has not been turned off on Windows XP
computers.
For a full list of requirements for the anti-virus and firewall software,
see the Sophos Endpoint Security and Control Network Startup
Guide.

Computers are not updated
If a computer has out-of-date anti-virus software, a clock icon is
displayed in the Up to date column on the Status page. The text
indicates how long the computer has been out of date.
A computer can be out of date for one of two reasons:
· That computer has failed to fetch an update from the server.
· The server itself does not have the latest Sophos software.
This section tells you how to diagnose the problem and update the
computers.
1. Select the group where you want to find out-of-date computers.
2. On the Status tabbed page, click on the Up-to-date column to
sort the computers by how up to date they are.
3. Click the Update details tab and look in the Primary server
column. This shows you the directory that each computer
updates from.
4. Now look at the computers that update from one particular
directory.
If some are out of date, but others are not, the problem is with
individual computers. Select them, right-click and select Update
computers now.
If all are out of date, the problem could be with the directory.
Click the Libraries icon in the toolbar. In the EM Library
console, click the library name (in the left-hand pane), then
click Central Installations. Select the directory that you suspect
to be out of date. Right-click and select Update CID. Then go
back to the Enterprise Console, select the out-of-date computers,
right-click and select Update computers now.

Anti-virus settings do not take effect on Macs
Some anti-virus settings cannot be applied to Mac computers. In this
case, there is a warning on that page of settings.
You can change anti-virus settings on Mac computers with Sophos
Update Manager, a utility supplied with Sophos Anti-Virus for Mac.
To open Sophos Update Manager, on a Mac computer, in a Finder
window, browse to the Sophos Anti-Virus:ESOSX folder. Double-
click Sophos Update Manager. For further details, see Sophos
Update Manager Help.

Anti-virus settings do not take effect on Linux or UNIX
Some anti-virus settings cannot be applied to Linux or UNIX
computers. In this case, there is a warning on that page of settings.
You can change anti-virus settings on Linux computers using the
savconfig and savscan commands as described in the Sophos Anti-
Virus for Linux user manual. You can change anti-virus settings on
UNIX computers using the savscan command as described in the
Sophos Anti-Virus for UNIX user manual.

Linux or UNIX computer does not comply with policy
If you use a corporate configuration file in the CID, and the file
contains a configuration value which conflicts with the policy, the
computer will be shown as not complying with the policy.
Selecting the Comply with policy option will bring the computer into
compliance only temporarily, until the CID-based configuration is
reapplied.
To resolve the problem, review the corporate configuration file and,
where possible, replace it with console-based configuration.

On-access scan settings do not take effect
For Windows NT, 95, 98, and Me computers, changing certain
settings on the on-access scan settings pages has no effect. There is a
warning about this on the relevant pages.
In these cases, changes you make in the scheduled scan settings
pages apply to both scheduled and on-access scanning. This is due to
the design of Sophos Anti-Virus for these earlier versions of
Windows.

New scan appears unexpectedly on 2000 or later
If you look at the local copy of Sophos Anti-Virus on Windows 2000
or later computers, you may see that a new "Available scan" is listed,
even though the user has not created one.
This new scan is actually a scheduled scan that you have set up from
the console. You should not delete it.

Connectivity and timeout problems
If the communications between Enterprise Console and a networked
computer become slow or the computer becomes unresponsive, there
may be a connectivity problem.
Check the Sophos Network Communications Report that presents an
overview of the current state of communications between a computer
and Enterprise Console. To view the report, go to the computer
where the problem occurred. On the taskbar, click the Start button,
select All Programs|Sophos|Sophos Anti-Virus, and then click
View Sophos Network Communications Report.
The report shows possible problem areas and, if a problem is
detected, remedial actions.

Adware/PUAs are not detected
If adware and other potentially unwanted applications (PUAs) are not
detected, you should check that:
· Detection has been enabled. See Scan for adware/PUA.
· The applications are on a computer running Sophos Anti-Virus 6
or later on Windows 2000 or later.

Partially detected item
Sophos Anti-Virus may report that an item (e.g. a Trojan or
potentially unwanted application) is "partially detected". This means
that it has not found all the component parts of that application.
To find the other components, you need to carry out a full system
scan of the computer(s) affected. On computers running Sophos
Anti-Virus 7 for Windows 2000/XP/2003/Vista, you can do this by
selecting the computer(s), right-clicking and selecting Full system
scan. You can also set up a scheduled scan for adware and other
potentially unwanted applications.
If the application has still not been fully detected, it may be because:
· you have insufficient access rights
· some drives or folders on the computer, containing the
application's components, are excluded from scanning.
If the latter is the case, check the list of items excluded from
scanning. If there are some items on the list, remove them from the
list and scan your computer again.
list and scan your computer again.
Sophos Anti-Virus may not be able to fully detect or remove adware
and other potentially unwanted applications with components
installed on network drives.
For advice, contact Sophos technical support.

Frequent alerts about potentially unwanted applications
You may receive very large numbers of alerts about potentially
unwanted applications, including multiple reports of the same
application.
This can occur because some types of potentially unwanted
application "monitor" files, trying to access them frequently. If you
have on-access scanning enabled, Sophos Anti-Virus detects each
file access and sends an alert.
You should do one of the following:
· Disable on-access scanning for adware/PUA. You can use a
scheduled scan instead.
· Authorize the application (if you want to have it running on your
computers).
· Clean up the computer(s), removing applications that you have
not authorized.

Cleanup failed
If Sophos Anti-Virus fails in an attempt to clean up items ("Cleanup
failed"), the reason could be:
· It has not found all the components of a multi-component item.
Run a full system scan of the computer(s) to find the other
components.
· Some drives or folders that contain item components are
excluded from scanning. Check the items excluded from
scanning. If there are some items on the list, remove them from
the list.
· You have insufficient access rights.
· It cannot clean up that type of item.
· It has found a virus fragment, rather than an exact virus match.
· The item is on a write-protected floppy disk or CD.
· The item is on a write-protected NTFS volume (Windows 2000
or later).

Recover from virus side-effects
Cleanup can remove a virus from computers, but it cannot always
reverse the side-effects.
Some viruses leave no side-effects. Others may make changes or
corrupt data in ways that are hard to detect. To deal with this, you
should:
· On the Help menu, click View item information. This connects
you to the Sophos website, where you can read the virus
analysis.
· Use backups or original copies of programs to replace infected
programs. If you did not have backup copies before the
infection, create them now in case of future infections.
Sometimes you can recover data from disks damaged by a virus.
Sophos can supply utilities for repairing the damage caused by some
viruses. Contact Sophos technical support for advice.

Recover from application side-effects
Cleanup can remove unwanted applications, but it cannot always
reverse the side-effects.
Some applications modify the operating system, e.g. by changing
your internet connection settings. Sophos Anti-Virus cannot always
restore all settings. For example, if an application changed the
browser home page, Sophos Anti-Virus cannot know what the
previous home page setting was.
Some applications install utilities, such as .dll or .ocx files, on your
computer. If a utility is harmless (that is, does not possess the
qualities of a potentially unwanted application), e.g. a language
library, and is not integral to the application, Sophos Anti-Virus may
not detect it as part of the application. In this case, cleanup won't
remove the file from your computer.
Sometimes an application, such as adware, is part of a program that
you intentionally installed, and needs to be there for the program to
run. If you remove the application, the program may stop running on
your computer.
You should:
· On the Help menu, click View item information. This connects
you to the Sophos website, where you can read the application
analysis.
· Use backups to restore your system settings or programs you
want to use. If you did not have backup copies before, create
them now in case of future incidents.
For more information or advice on recovering from an adware/PUA's
side-effects, contact Sophos technical support.

Technical support
For technical support, visit www.sophos.com/support.
If you contact technical support, provide as much information as
possible, including the following:
· Sophos software version number(s)
· Operating system(s) and patch level(s)
· The exact text of any error messages

23 Glossary

-A-
Active Directory synchronization
A one-way synchronization of Sophos Enterprise Console groups
with Active Directory containers.
adware
A program that displays advertising - such as pop-up messages -
which affects user productivity and system efficiency.
Application Control
A feature in Sophos Anti-Virus that enables you to block or
authorize execution of legitimate applications, according to your
organization's policy.

-C-
comma-separated values (CSV)
Another name for the comma-delimited format, a type of data
format in which each piece of data is separated by a comma. This
is a popular format for transferring data from one application to
another, because most database systems are able to import and
export comma-delimited data. For example, a .csv file can be
imported into Microsoft Excel for further analysis.
controlled application
A legitimate application that is not a security threat, but that you
decide is unsuitable for use in your office environment. Controlled
applications may include games, instant messaging (IM) clients,
Voice over Internet Protocol (VoIP) clients, digital imaging
software, media players, or browser plug-ins.

-D-
dashboard
An at-a-glance view of the network's security status.

-H-
Host Intrusion Prevention System (HIPS)
Security technology that protects computers from suspicious files,
unidentified viruses, and suspicious behavior.

-M-
malware
Short for malicious software, software designed specifically to
damage or disrupt a system, such as a virus, worm, Trojan, or
spyware.

-N-
Network Access Control (NAC)
A system that reduces the security threat from unauthorized,
non-compliant, or infected computers by restricting their access to
network resources.

-P-
potentially unwanted application (PUA)
A program that is not inherently malicious, but is generally
considered unsuitable for the majority of business networks.
Potentially unwanted applications perform actions such as
displaying advertising, tracking web sites visited, or changing the
configuration of a computer. They include a wide range of
programs such as adware, dialers, remote administration tools, and
hacking tools.

-R-
runtime behavior analysis
Dynamic analysis of the behavior of the programs running on the
system performed by the "suspicious behavior detection" and
"buffer overflow detection" features.

-S-
spyware
A program that installs itself onto a user's computer by stealth,
subterfuge or social engineering and sends information from that
computer to a third party without the user's permission or
knowledge. Spyware includes key loggers, backdoor Trojans,
password stealers, and botnet worms, which cause corporate data
theft, financial loss and network damage.
suspicious behavior
Behavior normally attributed to malware, exhibited by an
application that had not been identified as malicious before it was
run.
suspicious file
A file that contains certain characteristics that are common to
malware but not sufficient for the file to be identified as a new
piece of malware (for example, a file containing dynamic
decompression code commonly used by malware).
synchronization point
An Enterprise Console group that points to a container (or subtree)
in Active Directory.
synchronized group
A subgroup of a synchronization point, imported from Active
Directory.

-U-
unidentified virus
A virus for which there is no identity; an unknown virus.

-V-
virus
A program which can spread across computers and networks by
attaching itself to another program and making copies of itself.

Index
B
block controlled applications 103
A buffer overflow 88
acknowledge alerts 128
acknowledge errors 128 C
Active Directory synchronization 43
Active Directory synchronization cleanup 150
alerts 123 cleanup:automatic 131
Active Directory cleanup:failed 150
synchronization:overview 43 cleanup:manual 131
Active Directory:import from 38 clear alerts 128
Active Directory:synchronize with 46 clear errors 128
add computers to a group 28 connectivity problems 148
adware 149 console GUI 13
adware alerts 128 controlled application alerts 128
adware/PUA:authorize 92 controlled applications 104
alerts 73 controlled applications:uninstall 105
alerts:controlled applications 121 create a group 27
allow file and print sharing 108 create a policy 35
anti-virus and HIPS policy 16 cut and paste a group 28
anti-virus policy 103
anti-virus protection 60
application control 103 D
application control alerts 121 dashboard 65
application control policy 16 dashboard:configure 69
archive files 96 dashboard:overview 65
authorize suspicious items 90 default NAC settings 113
authorize:suspicious items 90 delete a group 29
automatic cleanup 131 delete a policy 36
automatic disinfection 131 desktop alerts 120
automatic updating 77 disable firewall 109
disable synchronization 51

157
Sophos Enterprise Console user manual

disconnected computers 76
disinfection 115
disinfection:automatic 131 G
disinfection:manual 131 get further help 152
getting started 20
glossary 153
E group 16
edit a policy 35 group policy 37
email alerts 123 group policy:enforce 37
enable firewall 109 group:add computers 28
enable synchronization 51 group:apply policy 35
Enterprise Console:overview 13 group:create 27
event logging 124 group:cut and paste 28
exclude items from scanning 100 group:delete 29
exclusions 100 group:import from Active Directory
export report 141 38
extensions 93 group:remove computers 28
group:rename 29
group:synchronize with Active
F Directory 46
group:Unassigned 16
failed cleanup 150
group:which policies are used 29
file and print sharing:allow 108
file types scanned 93
find computers 38 H
find computers:Active Directory 40
find computers:import from file 41 HIPS 87
find computers:IP range 41 HIPS alerts 120
find computers:network 40 Host Intrusion Prevention System 87
firewall 73
firewall alerts 127
I
firewall policy 16
full system scan 115 icons 17
immediate scan 115
initial installation source 84

158
Index

interactive firewall 109 on rename 98


interface 13 on write 98
on-access scanning 148
on-access scanning:cleanup 131
L out-of-date computers 146
libraries 17 outstanding alerts 73

M P
Mac viruses 97 partially detected 149
Macintosh files 97 policy 32
Macintosh viruses 97 policy:apply to a group 35
manual cleanup 131 policy:create 35
manual disinfection 131 policy:default 33
manual installation 57 policy:delete 36
manual updating 82 policy:edit 35
messaging 116 policy:rename 36
policy:which groups use 36
potentially unwanted application
N alerts 128
potentially unwanted applications
NAC 114 149
NAC Manager 112 primary server 79
NAC policy 114 print report 141
NAC server URL 111 protect computers 56
NAC URL 111 protect computers:automatically 63
network access control 114 protect computers:firewall 61
network status alerts 122 protect computers:manually 57
new computers 63 protect computers:with login script
new user 143 60
non-interactive firewall 109 protected computers 70
protected network 65
proxy server 83
O PUA 149
on read 98 PUA:side-effects 151

159
Sophos Enterprise Console user manual

R

remove 63
remove computers from a group 28
rename a group 29
rename a policy 36
report 134
report:display as chart 135
report:display as table 135
report:export 141
report:generate 134
report:history of alerts 140
report:layout 142
report:print 141
report:rate of alerts 138
report:show alerts per item name 135
report:show alerts per location 137
reporting to Sophos 144
rootkits 95
runtime behavior analysis 88
runtime behavior analysis alerts 127

S

SAV policy 103
scan now 115
schedule updates 81
scheduled scanning 99
secondary server 80
select controlled applications 103
SNMP alerts 118
Sophos Anti-Virus installation failure 146
Sophos Endpoint Security and Control 10
Sophos technical support 152
sort computers 76
spyware 87
spyware alerts 126
start NAC Manager 112
suspicious behavior 88
suspicious behavior alerts 127
suspicious file alerts 127
suspicious files 89
synchronization 51
synchronization point 45
synchronization properties:edit 49
synchronization properties:view 49
synchronization with Active Directory 43
synchronization:automatic protection 48
synchronization:properties 49
synchronize with Active Directory 46
synchronized group 46

T

technical support 152
timeout 148
Trojans 87
troubleshooting 145
troubleshooting:Linux 148
troubleshooting:Mac 147
troubleshooting:UNIX 148
troubleshooting:Windows 2000 148
troubleshooting:Windows NT/95/98/Me 148


U
Unassigned folder 145
uninstall 63
uninstall controlled applications 105
unmanaged computers 75
unprotected computers 72
update source 80
updating 77
updating policy 16
updating:advanced settings 83
updating:automatic 77
updating:bandwidth 83
updating:logging 85
updating:manual 82
updating:on dial-up 82
updating:primary server 79
updating:schedule 81
updating:secondary server 80
updating:via a proxy 83
up-to-date computers 71

V
virus alerts 126
virus:side-effects 151
viruses 87

W
warning signs 17
worms 87


Copyright © 2005-2008 Sophos Group. All rights reserved. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted, in
any form or by any means, electronic, mechanical, photocopying, recording or
otherwise unless you are either a valid licensee where the documentation can be
reproduced in accordance with the licence terms or you otherwise have the prior
permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and
Sophos Group. All other product and company names mentioned are trademarks
or registered trademarks of their respective owners.
