Document date: October 2008 Sophos Enterprise Console, version 3.1 user manual

Upload: simot55

Post on 18-Nov-2014

211 views

Category:

Documents


5 download

TRANSCRIPT

Document date: October 2008

Sophos Enterprise Console, version 3.1 user manual

Contents

1 About Sophos Endpoint Security and Control 10
2 Introduction to Enterprise Console 13
    About the interface 13
    What is a group? 16
    What is a policy? 16
    What is the Unassigned folder? 16
    What are libraries? 17
    What do the icons mean? 17
3 How do I get started? 20
4 How do I create and use groups? 26
    What are groups for? 27
    Create a group 27
    Add computers to a group 28
    Delete computers from a group 28
    Cut and paste a group 28
    Delete a group 29
    Rename a group 29
    Apply a policy to a group 29
    See which policies a group uses 29
5 How do I create and use policies? 31
    What are policies for? 31
    What are the default policies? 32
    Do I need to create my own policies? 33
    Create a policy 35
    Apply a policy 35
    Edit a policy 35
    Rename a policy 36
    Delete a policy 36
    See which groups use a policy 36
    Check whether computers use the group policy 37
    Make computers use the group policy 37
6 How do I add computers to the console? 38
    Import groups from Active Directory 38
    Use Active Directory to find computers 40
    Use network browsing to find computers 40
    Use IP range to find computers 41
    Import computers from a file 41
7 How do I synchronize with Active Directory? 43
    About Active Directory synchronization 43
    What is a synchronization point? 45
    What is a synchronized group? 46
    Synchronize with Active Directory 46
    Protect computers automatically 48
    View and edit synchronization properties 49
    Turn synchronization on or off 51
8 How do I protect new computers? 52
    Protect new computers 52
    Protect new types of computer 54
    Protect computers that are already in a group 56
    Protect computers that require manual installation 57
    Protect computers by using a login script 58
    Protect Windows 95/98/Me computers with a login script 60
    Add the firewall to protected computers 61
    Select software packages 61
    Default update directories 62
    Remove third-party security software 63
9 How do I check whether my network is protected? 65
    The dashboard overview 65
    Configure the dashboard 69
    Which computers are protected? 70
    Which computers are up to date? 71
    Find computers that are unprotected 72
    Find computers without the firewall installed 73
    Find computers with alerts that need attention 73
    Find out-of-date computers 74
    Find computers not managed by the console 75
    Find computers disconnected from the network 76
10 How do I update computers? 77
    Set up automatic updating 77
    Select a source for updates 79
    Select an alternative source for updates 80
    Schedule updates 81
    Update computers now 82
    Make computers update when they dial up 82
    Specify a proxy server for updating 83
    Limit the bandwidth used 83
    Select a different source for initial installation 84
    Log updates 85
11 How do I change anti-virus and HIPS settings? 86
    What is HIPS? 87
    Scan for viruses, Trojans, worms, and spyware 87
    Detect suspicious behavior 88
    Scan for suspicious files 89
    Authorize suspicious items 90
    Scan for adware/PUA 91
    Authorize adware/PUA 92
    Change types of file scanned 93
    Exclude items from on-access scanning 95
    Scan for rootkits 95
    Scan inside archive files 96
    Scan Macintosh files 97
    Turn on-access scanning on or off 98
    Change when on-access scanning occurs 98
    Scan computers at set times 99
    Change scheduled scan settings 99
    Exclude items from scheduled scanning 100
    Items that can be excluded from scanning 101
12 How do I change application control settings? 103
    Select the applications you want to control 103
    Scan for applications you want to control 104
    Uninstall controlled applications you do not want 105
13 How do I change firewall settings? 106
    Set up the firewall 106
    What are the default settings? 107
    Allow file and print sharing 108
    Allow applications that have been blocked 108
    Select interactive or non-interactive working 109
    Turn the firewall on or off 109
    Get help with advanced options 110
14 How do I change NAC settings? 111
    Set up NAC 111
    Set up the NAC server URL 111
    Start NAC Manager 112
    What are the default settings? 113
    What are the pre-defined NAC policies? 113
    Edit a NAC policy 114
15 How do I scan computers? 115
    Scan computers now 115
16 How do I set up alerts? 116
    Set up anti-virus and HIPS email alerts 116
    Set up anti-virus and HIPS SNMP alerts 118
    Configure anti-virus and HIPS desktop alerts 120
    Set up application control alerts 121
    Set up network status email alerts 122
    Set up Active Directory synchronization email alerts 123
    Configure event logging 124
17 How do I deal with alerts? 125
    What do the alert icons mean? 125
    Deal with virus and spyware alerts 126
    Deal with suspicious behavior alerts 127
    Deal with suspicious file alerts 127
    Deal with firewall alerts 127
    Deal with adware/PUA alerts 128
    Deal with controlled application alerts 128
    Clear alerts from the console 128
18 How do I clean up computers? 130
    Clean up computers now 130
    Deal with detected items if cleanup fails 131
    Set up automatic cleanup 131
19 How do I generate reports? 134
    Generate a report 134
    Display a report as a table 135
    Display a report as a chart 135
    Show the number of alerts per item name 135
    Show the number of alerts per location 137
    Show the rate of alerts 138
    Show history of alerts 140
    Print a report 141
    Export a report to a file 141
    Change the report layout 142
20 How can another user use Enterprise Console? 143
21 How do I turn reporting to Sophos on or off? 144
22 Troubleshooting 145
    Cannot protect computers in Unassigned folder 145
    Sophos Anti-Virus installation failed 146
    Computers are not updated 146
    Anti-virus settings do not take effect on Macs 147
    Anti-virus settings do not take effect on Linux or UNIX 147
    Linux or UNIX computer does not comply with policy 148
    On-access scan settings do not take effect 148
    New scan appears unexpectedly on 2000 or later 148
    Connectivity and timeout problems 148
    Adware/PUAs are not detected 149
    Partially detected item 149
    Frequent alerts about potentially unwanted applications 150
    Cleanup failed 150
    Recover from virus side-effects 151
    Recover from application side-effects 151
    Technical support 152
23 Glossary 153
Index 157


1 About Sophos Endpoint Security and Control

Sophos Endpoint Security and Control protects your file servers, desktops and laptops against known and unknown threats, adware and other potentially unwanted applications, and unwanted behavior, and provides simplified, centralized management of your network. It comprises Sophos Anti-Virus, Sophos Client Firewall, Sophos Network Access Control, and Sophos Enterprise Console (including EM Library, which downloads software and updates from Sophos automatically).

The figure below shows how the Sophos Endpoint Security and Control components work together.

Sophos Enterprise Console enables you to centrally deploy, update, and monitor anti-virus and firewall software on your computers, thus protecting them against viruses, worms, Trojans, spyware, hackers, unknown threats, and unwanted behavior. Enterprise Console includes EM Library, which downloads software and updates from Sophos automatically.


Sophos Anti-Virus (for Windows 98/Me/2000 and later, Mac OS X, Linux, and UNIX) detects and eliminates viruses, worms, Trojans, and spyware on your computer or network. Sophos Anti-Virus for Windows 2000 and later can also detect and stop unknown threats, adware and other potentially unwanted applications, unwanted behavior, and rootkits.

In particular, Sophos Anti-Virus can:

· Scan your computer or network for threats, suspicious files, adware and other potentially unwanted applications.

· Check each file you access for threats and suspicious behavior.

· Alert you when it finds a threat, suspicious file, or unwanted application.

· Clean up infected items by removing a virus from a file or boot sector.

· Prevent potentially unwanted applications from running on your computer.

· Remove potentially unwanted applications from your computer.

· Block "controlled applications" - legitimate consumer applications that can undermine productivity and network performance.

· Keep a log of its activity.

· Be updated to detect the latest threats and potentially unwanted applications.

Sophos Client Firewall (for Windows 2000 and later) can limit access to the company network or the internet to specifically permitted applications or classes of applications. It proactively locks down computers, protecting networks against internet worms, hackers and the risk of virus infection from unprotected computers, especially those that connect directly to the internet.

Sophos Network Access Control (NAC) (for Windows 2000 andlater) protects the company network from non-compliant or untrustedcomputers. It controls access based on security policies set andcontrolled by the administrator and enforces compliance with the

12

Sophos Enterprise Console user manual

policies.

To learn more about Sophos EM Library, Sophos Anti-Virus, Sophos Client Firewall, or Sophos Network Access Control, refer to the respective Help or user manual.

To learn more about threats, go to the Sophos security information web page.


2 Introduction to Enterprise Console

This section gives you an overview of the interface and key features of Sophos Enterprise Console.

· About the interface

· What is a group?

· What is a policy?

· What is the Unassigned folder?

· What are libraries?

· What do the icons mean?

About the interface

The Enterprise Console interface enables you to protect computers on your network, ensure that they are up to date, view any threats, potential threats, or unwanted applications that are detected, and clean them up. See below for a description of the features.

The Dashboard

The Dashboard provides an at-a-glance view of the network's security status. To show or hide the dashboard, click the Dashboard button on the toolbar.

The Groups pane

In the Groups pane, you create groups and put networked computers in them. You can create groups yourself or import them, with or without computers, from Active Directory. You can also set up synchronization with Active Directory so that new computers and groups, as well as other changes in Active Directory, are copied into Enterprise Console automatically.

The Unassigned folder is for computers that are not yet in a group. To configure a group, select it and right-click.

The Policies pane

In the Policies pane, you create or change the policies applied to groups of computers. To configure a policy, select it and right-click.


The computer list

The computer list (right-hand pane) displays the computers in the selected group.

If you have Linux or UNIX computers managed from the console, make sure a unique hostname is configured for each computer. Otherwise, each computer will be displayed in the console with the default name "localhost."

The Status tab shows whether the computers are protected by on-access scanning, whether the firewall is enabled, whether NAC (network access control) is enabled, and whether the software is up to date. This page also shows if there are any alerts. The other tabs give more detailed information on each of these subjects.

For an explanation of the icons displayed in the computer list, see What do the icons mean?

The toolbar

Find new computers searches for computers on the network and adds them to the console.

Create group creates a new group for computers.

View/Edit policy enables you to open and change a policy selected in the Policies pane.

Protect enables you to install anti-virus and firewall software on computers selected in the computer list.

Libraries opens Sophos EM Library, which you use to download the latest software packages and make them available on your network.

Reports enables you to generate reports about alerts on your networks.

Dashboard opens the Dashboard, which provides an overview of the network's security status.

NAC opens Sophos NAC Manager, which you use to edit NAC (network access control) policies.

What is a group?

A group is a folder that holds a number of computers.

You can create groups yourself or import them, with or without computers, from Active Directory. You can also set up synchronization with Active Directory so that new computers and groups, as well as other changes in Active Directory, are copied into Enterprise Console automatically.

Each group has settings for updating, anti-virus and HIPS protection, firewall protection, application control, and NAC (network access control). All the computers in a group should usually use these settings, which are called a "policy".

A group can contain sub-groups.

What is a policy?

A policy is a collection of settings applied to all the computers in a group.

· The Updating policy specifies how computers are updated with new security software.

· The Anti-virus and HIPS policy specifies how the security software scans computers for viruses, Trojans, worms, spyware, adware, potentially unwanted applications, suspicious behaviour and suspicious files, and how it cleans them up.

· The Application control policy specifies which applications are blocked and which are allowed on your computers.

· The Firewall policy specifies how the firewall protects computers.

· The NAC policy specifies the conditions that computers must comply with before they can access the network.

What is the Unassigned folder?

The Unassigned folder is a folder where Enterprise Console holds computers before you put them into groups.

You cannot:

· apply policies to the Unassigned folder

· create subfolders in the Unassigned folder

· move or delete the Unassigned folder.

What are libraries?

Libraries download the latest software from Sophos and make it available on your server, ready for installation on networked computers.

A component called EM Library keeps the libraries up to date. To use EM Library, click the Libraries icon in the toolbar.

What do the icons mean?

In the list of computers, icons are used to indicate:

· alerts

· protection disabled or out of date

· the status of each computer, e.g. whether software is being installed.

Alerts

Sign Explanation

A red warning sign displayed in the Alerts and errors column means that a virus, worm, Trojan, spyware, or suspicious behavior has been detected.

A yellow warning sign displayed in the Alerts and errors column indicates one of the following problems:

· A suspicious file has been detected.

· An adware or other potentially unwanted application has been detected.

· A controlled application has been detected.

· The firewall has blocked an application.

· An error has occurred.

A yellow warning sign displayed in the Anti-virus and HIPS policy, Firewall policy, Updating policy, or Application control policy column means that the computer is not using the same policies as other computers in its group.

If there are multiple alerts or errors on a computer, the icon of the alert that has the highest priority will be displayed in the Alerts and errors column. Alert types are listed below in descending order of priority.

Priority of alerts

1. Virus/spyware alerts

2. Suspicious behavior alerts

3. Suspicious file alerts

4. Firewall alerts

5. Adware/PUA alerts

6. Controlled application alerts

7. Sophos Anti-Virus, updating, and Sophos Client Firewall errors

Protection disabled or out of date

Sign Explanation

A gray shield means that on-access scanning is inactive.

A gray firewall sign means that the firewall is disabled.

A clock icon means that the software is out of date.


Computer status

Sign Explanation

A blue computer sign means that the computer is managed by Enterprise Console.

A computer sign with a yellow arrow means that installation of anti-virus and firewall software is pending.

A computer sign with a green arrow means that installation is in progress.

A computer sign with an hourglass means that the automatic updating component of Sophos Anti-Virus has been installed and is now downloading the latest version of the product.

A gray computer sign means that the computer is not managed by Enterprise Console.

A computer sign with a red cross beside it means that the computer is disconnected.

3 How do I get started?

You protect your network with Enterprise Console as follows:

This is only an overview, so you may want to consult the other materials and sections mentioned.

· Step 1: Set up a library for software and updates

· Step 2: Create groups

· Step 3: Set up policies

· Step 4: Add computers to the console

· Step 5: Protect computers

· Step 6: Check computers are protected

· Step 7: Protect against adware, other potentially unwanted applications (PUAs), and suspicious or unwanted behavior

· Step 8: Clean up computers

Step 1: Set up a library for software and updates

After you install Enterprise Console, you need to set up a library that will download and update security software and data from Sophos and make them available to your networked computers.

When you start Enterprise Console for the first time, the Welcome to Sophos Endpoint Security and Control dialog box is displayed. In this dialog box, select the type of setup you prefer. There are two options:

· Quick setup - select this if you want to subscribe to Sophos updates quickly, using default settings. This will start the Subscribe to Sophos Updates Wizard. Your chosen software will be placed in default locations and updated hourly. If you have Active Directory, groups and computers will be imported from Active Directory into Enterprise Console.

· Advanced setup - select this if you want to have more control over the library settings. This will open the EM Library console. For instructions on how to use it to set up a library, see EM Library Help, the section "How do I get started?"

The Welcome to Sophos Endpoint Security and Control dialog box is displayed only once, when you start Enterprise Console for the first time. After you close this dialog, it won't be displayed again, and you won't be able to use the Quick setup option anymore.

Step 2: Create groups

You can choose among the following three approaches to creating groups, depending on which suits you best.

· Using the Quick setup option

If you have Active Directory and selected the Quick setup option described in step 1, the Subscribe to Sophos Updates Wizard has already imported groups and computers from Active Directory into Enterprise Console. You do not need to do anything in this case.

· Creating groups one by one

You can create groups one by one, using the Create group option. To do this, click the Create group icon on the toolbar. A new group is displayed in the Groups pane. Rename it. For more information, see How do I create and use groups?

· Importing groups from Active Directory

You can import your group structure from Active Directory, with or without the computers. To do this, follow the instructions in Import groups from Active Directory.

Step 3: Set up policies

Updating policy

If, after you installed Enterprise Console, you chose the Quick setup option and completed the Subscribe to Sophos Updates Wizard, the default updating policy has already been set up.

If you didn't complete the Subscribe to Sophos Updates Wizard, enter details of the location from which updates are fetched (see Set up automatic updating). Computers cannot be protected and updated until the policy has an updating location.

For more information on configuring updating, see How do I update computers?

Anti-virus and HIPS policy

If you want to modify scanning and set up alerts, double-click Anti-virus and HIPS. Then double-click Default. See How do I change anti-virus and HIPS settings? and How do I set up alerts?

Application control policy

For instructions on setting up an application control policy, see How do I change application control settings?

Firewall policy

For instructions on configuring a firewall policy, see How do I change firewall settings?

NAC policy

For instructions on configuring a NAC policy, see How do I change NAC settings?

Step 4: Add computers to the console

You can choose among the following four approaches to adding computers to the console, depending on which suits you best.

· Using the Quick setup option

If you have Active Directory and selected the Quick setup option described in step 1, the Subscribe to Sophos Updates Wizard has already imported groups and computers from Active Directory into Enterprise Console. You do not need to do anything in this case.

· Using the Find new computers option

Click the Find new computers icon on the toolbar. Select the search method you want to use, click OK, and follow the instructions in the wizard or dialog box that is displayed. For details, see How do I add computers to the console?

If you used an option other than Import from Active Directory, click the Unassigned folder to see the computers that have been found. Select the computers you want to place in the new group. Drag and drop the computers onto the new group.

· Importing groups and computers from Active Directory

Select a group you want to import your Active Directory containers and computers into, right-click and select Import from Active Directory. Alternatively, on the Groups menu, select Import from Active Directory. This option is also available in the Find new computers dialog box described above.

Follow the instructions in the Import from Active Directory Wizard. To import computers as well as groups, on the Choose What to Import page of the Import from Active Directory Wizard, select Computers and groups. For more information, see Import groups from Active Directory.

· Synchronizing with Active Directory

Select a group you want to synchronize with Active Directory, right-click and select Synchronize with Active Directory. Alternatively, on the Groups menu, select Synchronize with Active Directory. Follow the instructions in the Synchronize with Active Directory Wizard. For more information, see How do I synchronize with Active Directory?

Step 5: Protect computers

You can choose between two approaches to protecting your networked computers, depending on which suits you best.

· Using the Protect computers wizard

When you drag a computer from the Unassigned folder and drop it onto a group, a wizard is launched to help you protect the computers. See How do I protect new computers?

If you want to use Sophos Client Firewall, install it on only a few sample computers first. The firewall must be configured before you install it on all computers, as it is designed to prevent network access to unauthorized applications. See Set up the firewall.

Protect computers that require manual installation as described in Protect computers that require manual installation.

· Protecting computers automatically during synchronization with Active Directory

If you chose to synchronize with Active Directory, you can also choose to protect your Windows 2000 or later computers automatically. You can do so in the Synchronize with Active Directory Wizard or the Synchronization properties dialog box. For instructions, see Protect computers automatically.

Computers running Windows 95/98/Me, Windows server operating systems, Mac, Linux, or UNIX will not be protected automatically. You must protect such computers manually as described in Protect computers that require manual installation.

Step 6: Check computers are protected

When installation is complete, look at the list of computers in the new group again. In the On-access column, you should see the word "Active": this shows that the computer is protected by on-access scanning, and that it is now managed by Enterprise Console. For more information, see How do I check whether my network is protected?

Step 7: Protect against adware, other potentially unwanted applications (PUAs), and suspicious or unwanted behavior

By default, Sophos Anti-Virus detects viruses, Trojans, worms, and spyware. Sophos Anti-Virus 7 and later for Windows 2000 and later also analyzes the behavior of the programs running on the system. To add further protection, you can:

· Scan for suspicious files

· Scan for adware and other potentially unwanted applications

· Control applications on your network

Step 8: Clean up computers

If a virus or other item or an unwanted application has been detected on your network, clean up affected computers as described in How do I clean up computers?

4 How do I create and use groups?

This section describes how to create and manage groups of computers.

When planning and creating a group structure, remember that a good group structure should:

· Be manageable

You must decide what is a manageable size for the groups you create. You should be able to deploy software, scan and clean up computers easily. This is especially important for the initial deployment.

· Reflect the needs of different users within the organization

Consider your users' individual requirements when creating groups. For example, if you want to block a certain application on some computers and allow it to run on others, you should create two different groups for that purpose.

You can either create groups manually and set up the group structure yourself or import the group structure from Active Directory.

If you want to set up a group structure that will correspond to your Active Directory containers, see Import groups from Active Directory.

· What are groups for?

· Create a group

· Add computers to a group

· Delete computers from a group

· Cut and paste a group

· Delete a group

· Rename a group

· Apply a policy to a group


· See which policies a group uses

What are groups for?

You must create groups and place computers in them before you can protect and manage those computers.

Groups are useful because you can:

· Have computers in different groups updated from different sources or on different schedules.

· Use different anti-virus and HIPS, application control, firewall, or NAC (network access control) policies for different groups.

· Manage computers more easily.

You can create groups within groups and apply a specific set of policies to each group and subgroup.

Create a group

To create a new group for computers, do as follows:

1. In the Groups pane (on the left-hand side of the console), select where you want to create the group. Click the computer name at the top if you want to create a new top-level group. Click an existing group if you want to create a sub-group.

2. On the toolbar, click the Create group icon.

3. A "New Group" is added to the list, with its name highlighted. Type a new name for the group.

Updating, anti-virus and HIPS, application control, firewall, and NAC (network access control) policies are applied to the new group automatically. You can edit these policies, or apply different policies.

If the new group is a sub-group, it initially uses the same settings as the group it is within.

Add computers to a group

To add computers to a group, do as follows:

1. Select the computers that you want to add to a group. For example, click the Unassigned folder and select computers there.

2. Drag and drop the computers onto the new group.

If you move unprotected computers from the Unassigned folder to a group that has automatic updating set up, a wizard is launched to help you protect them.

If you move computers from one group to another, they will use the same policies as the computers already in the group they are moved to.

Delete computers from a group

You can delete computers from a group, e.g. if you want to remove entries for computers that are no longer on the network.

If you delete computers that are still on the network, they will no longer be listed or managed by the console.

To delete computers:

1. Select the computers that you want to delete.

2. Right-click and select Delete.

If you want to see the computers again, click the Find new computers icon on the toolbar. These computers will not be shown as managed until they are restarted.

Cut and paste a group

To cut and paste a group, do as follows:

1. Select the group you want to cut and paste. On the Edit menu, click Cut.

2. Select the group where you want to place the group. On the Edit menu, click Paste.

Delete a group

To delete a group, do as follows:

Any computers that were in the deleted group will be placed in the Unassigned folder.

1. Select the group you want to delete.

2. Right-click and select Delete. When prompted, confirm that you want to delete the group and, if the group has any subgroups, its subgroups.

Rename a group

To rename a group, do as follows:

1. Select the group you want to rename.

2. Right-click and select Rename.

Apply a policy to a group

You apply a policy to a group as follows:

1. In the Policies pane, highlight the policy.

2. Click the policy and drag it onto the group to which you want to apply the policy. When prompted, confirm that you want to continue.

Alternatively, you can right-click a group and select View group policy details. You can then select policies for that group from drop-down menus.

See which policies a group uses

To see which policies have been applied to a group, do as follows:

1. In the Groups pane, right-click the group. Select View group policy details.

2. In the group details dialog box, you can see the policies currently used.


5 How do I create and use policies?

This section describes how to create policies and apply them to groups of computers. The section also tells you how to ensure that all the computers in a group use the same updating, anti-virus and HIPS, application control, firewall, and NAC (network access control) settings.

· What are policies for?

· What are the default policies?

· Do I need to create my own policies?

· Create a policy

· Apply a policy

· Edit a policy

· Rename a policy

· Delete a policy

· See which groups use a policy

· Check whether computers use the group policy

· Make computers use the group policy

What are policies for?

A policy is a collection of settings applied to all the computers in a group.

· The Updating policy specifies how computers are updated with new security software.

· The Anti-virus and HIPS policy specifies how the security software scans computers for viruses, Trojans, worms, spyware, adware, potentially unwanted applications, suspicious behaviour and suspicious files, and how it cleans them up.

· The Application control policy specifies which applications are blocked and which are allowed on your computers.

· The Firewall policy specifies how the firewall protects computers.

· The NAC policy specifies the conditions that computers must comply with before they can access the network.

You can create more than one policy of each type.

You can apply the same policy to more than one group.

What are the default policies?

When you install Enterprise Console, "default" policies are created for you.

Updating policy

The default updating policy provides:

· Automatic updating of computers every five minutes, provided that the policy includes details of the location from which updates are fetched.

If, after you installed Enterprise Console, you chose the Quick setup option and completed the Subscribe to Sophos Updates Wizard, the default updating policy already includes an updating location.

If you didn't complete the Subscribe to Sophos Updates Wizard, enter details of the location from which updates are fetched (see Set up automatic updating). Computers cannot be protected and updated until the policy has an updating location.

Anti-virus and HIPS policy

The default anti-virus and HIPS policy provides:

· On-access scanning for viruses and spyware (but not suspicious files and adware and other potentially unwanted applications).

· Analysis of the execution of programs running on the system (Sophos Anti-Virus 7 for Windows 2000 and later).

· Security alerts displayed on the desktop of the affected computer and added to the event log.

Application control policy

By default, all applications and application types are allowed. On-access scanning for applications you may want to control on your network is disabled.

Firewall policy

By default, the Sophos Client Firewall is enabled and blocks all non-essential traffic. Before you use it throughout your network, you should configure it to allow the applications you want to use, as described in Set up the firewall.

The firewall's other default settings are as follows:

· Applies rules without asking the user for confirmation ("non-interactive" mode).

· Displays alerts in Enterprise Console if rules are changed locally on managed computers.

· Blocks processes if memory is modified by another application.

· Drops packets that are sent to blocked ports ("stealth" operation).

· Uses checksums to identify new and modified applications.

· Reports new and modified applications to Enterprise Console.

· Warns about applications that may launch hidden processes.

NAC policy

By default, computers are allowed to access the network (unless you have modified the default policy or changed the "policy mode" in NAC server).

Do I need to create my own policies?

When you install Enterprise Console, "default" policies are created for you. These policies are applied to any groups you create.

The default policies offer a basic level of security, but you need to create new policies or change the default policies if you want to use features like network access control or application control.

Updating policy

If, after you installed Enterprise Console, you chose the Quick setup option and completed the Subscribe to Sophos Updates Wizard, the default updating policy has already been set up for you.

If you didn't complete the Subscribe to Sophos Updates Wizard, enter details of the location from which updates are fetched (see Set up automatic updating). Computers cannot be protected and updated until the policy has an updating location.

Anti-virus and HIPS

The default anti-virus and HIPS policy will protect computers against viruses and other malware. However, you may want to create new policies, or change the default policy, to enable detection of other unwanted applications or behaviour. See How do I change anti-virus and HIPS settings?

Application control

You need to configure an application control policy to specify which applications can be used. See How do I change application control settings?

Firewall

You need to configure the firewall to allow applications used on your computers. See Set up the firewall.

NAC

By default, Sophos NAC allows all computers to access the network. You need to configure a NAC policy in order to control access. See Edit a NAC policy.


Create a policy

To create a policy, do as follows:

You cannot create NAC policies. You can only edit them. See Edit a NAC policy.

1. In the Policies pane, right-click the type of policy you want to create, e.g. "Updating Policy", and select Create policy.

2. A "New Policy" is added to the list, with its name highlighted. Type a new name for the policy.

3. Double-click the new policy. Enter the settings you want.

For instructions on how to set up different policies, see:

§ How do I change anti-virus and HIPS settings?

§ How do I change application control settings?

§ How do I change firewall settings?

§ How do I update computers?

You have created a policy that can now be applied to groups.

Apply a policy

You apply a policy to a group as follows:

1. In the Policies pane, highlight the policy.

2. Click the policy and drag it onto the group to which you want to apply the policy. When prompted, confirm that you want to continue.

Alternatively, you can right-click a group and select View group policy details. You can then select policies for that group from drop-down menus.

Edit a policy

To edit a policy for a group or groups of computers, do as follows:

1. In the Policies pane, double-click the policy you want to edit.

2. Edit the settings.

For instructions on how to set up different policies, see:

§ How do I change anti-virus and HIPS settings?

§ How do I change application control settings?

§ How do I change firewall settings?

§ How do I change NAC settings?

§ How do I update computers?

Rename a policy

To rename a policy, do as follows:

You cannot rename a "Default" policy.

1. In the Policies pane, select the policy you want to rename.

2. Right-click and select Rename policy.

Delete a policy

To delete a policy, do as follows:

You cannot delete a "Default" policy.

1. In the Policies pane, right-click the policy you want to delete and select Delete Policy.

2. Any groups that use the deleted policy will revert to using the default policy.

See which groups use a policy

To see which groups a particular policy has been applied to, do as follows:

1. In the Policies pane, right-click the policy and select View groups using policy.

2. A list of the groups that use the policy is displayed.

Check whether computers use the group policy

You can check whether all the computers in a group comply with the updating, anti-virus and HIPS, application control, firewall, and NAC policy for that group.

1. Select the group which you want to check.

2. On the Status page, look in the column for each policy, e.g. Anti-virus and HIPS policy. If the computer does not use the same policy as the rest of the group, you see a warning sign and the words "Differs from policy".

If you want your computers to comply with their group policies, see Make computers use the group policy.

Make computers use the group policy

If you find computers that do not comply with the updating, anti-virus and HIPS, application control, firewall, or NAC policy for their group, you can apply the group policy to those computers.

1. Select the computer(s) that do not comply with group policy.

2. Right-click and select Comply with. Then select the appropriate policy type, e.g. Group anti-virus and HIPS policy.

6 How do I add computers to the console?

You can use the "Find new computers" function and choose among several options that allow you to find networked computers and add them to Enterprise Console.

If you use Active Directory, you can import your Active Directory group structure as well as computers.

If you choose to add computers only, the computers will be placed in the Unassigned folder in the Groups pane. You must create groups, set up group policies, and place the computers in the groups before you can protect and manage the computers.

Use one of the following options to find networked computers and list them in Enterprise Console:

· Import from Active Directory

· Find with Active Directory

· Find on the network

· Find by IP range

· Import from file

Import groups from Active Directory

Importing groups from Active Directory retrieves the Active Directory container structure and copies it into Enterprise Console as a computer group structure. You can import the group structure only, or groups and computers. If you choose the latter, computers found in Active Directory are placed in their respective group, and not in the Unassigned folder.

You can have both "normal" groups that you create and manage yourself and groups imported from Active Directory. You can also synchronize the imported groups with Active Directory.

To import groups from Active Directory:

1. On the toolbar, click the Find new computers icon.

2. In the Find new computers dialog box, select Import from Active Directory and click OK. The Import from Active Directory Wizard starts.

Alternatively, select a group you want to import your Active Directory container(s) into, right-click and select Import from Active Directory. You can also select Import from Active Directory on the Groups menu.

3. On the Overview page of the wizard, click Next.

4. On the Choose an Enterprise Console group page, select or create an Enterprise Console group which you want to import to. Click Next.

5. On the Choose an Active Directory container page, select an Active Directory container from which you want to import computers and subgroups. Enter the name of the container (e.g. LDAP://CN=Computers,DC=domain_name,DC=local) or click Browse to browse to the container in Active Directory. Click Next.

6. On the Choose What to Import page, select Computers and groups or Groups only, depending on what you want to import.

7. On the Confirm Your Choices page, check the details, and then click Next to proceed.

8. On the last page of the wizard, you can view the details of the groups and computers that have been imported. To close the wizard, click Finish.

9. After you have imported the groups from Active Directory, apply policies to the groups. See How do I create and use policies?

After you have imported groups from Active Directory and applied group policies to the groups, you can synchronize the groups with Active Directory, if you want to. For instructions, see Synchronize with Active Directory.


Use Active Directory to find computers

You can use Active Directory to find networked computers and list them in the Unassigned folder.

1. On the toolbar, click the Find new computers icon.

2. In the Find new computers dialog box, select Find with Active Directory and click OK.

3. You are prompted to enter a username and password. You need to do this if you have computers (e.g. Windows XP Service Pack 2) that cannot be accessed without account details. The account must be a domain administrator's account, or have full administrative rights over the target XP machines.

If you are using a domain account, you must enter the username in the form domain\user.

4. In the Find computers dialog box, select the domains you want to search. Click OK.

5. Click the Unassigned folder to see the computers that have been found.

To begin managing computers, select them and drag them to a group.

Use network browsing to find computers

To add a list of computers found in Windows domains and workgroups to the Unassigned folder:

1. On the toolbar, click the Find new computers icon.

2. In the Find new computers dialog box, select Find on the network and click OK.

3. You are prompted to enter a username and password. You need to do this if you have computers (e.g. Windows XP Service Pack 2) that cannot be accessed without account details. The account must be a domain administrator's account, or have full administrative rights over the target XP machines.

If you are using a domain account, you must enter the username in the form domain\user.

4. In the Find computers dialog box, select the domains or workgroups you want to search. Click OK.

5. Click the Unassigned folder to see the computers that have been found.

To begin managing computers, select them and drag them to a group.

Use IP range to find computers

You can use a range of IP addresses to find networked computers and list them in the Unassigned folder.

You cannot use IPv6 addresses.

1. On the toolbar, click the Find new computers icon.

2. In the Find new computers dialog box, select Find by IP range and click OK.

3. In the Find computers dialog box, enter the Start of IP Range and End of IP Range. Click OK.

4. Click the Unassigned folder to see the computers that have been found.

To begin managing computers, select them and drag them to a group.
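The Start of IP Range and End of IP Range fields accept IPv4 addresses only. As an added example that is not part of this manual, the Python helper below checks a start/end pair the way an administrator might before starting a discovery sweep: it rejects IPv6 input and reversed ranges, reports how many addresses the sweep will probe, summarizes the range into CIDR blocks for review, and counts addresses that fall outside the subnets you manage. The managed subnet list and the sample ranges are constructed for illustration.

```python
import ipaddress


def validate_ipv4_range(start, end):
    """Check a Start/End pair as entered in the Find by IP range dialog.

    Returns the pair as IPv4Address objects. IPv6 input is rejected
    because the console does not accept IPv6 addresses.
    """
    try:
        first = ipaddress.ip_address(start)
        last = ipaddress.ip_address(end)
    except ValueError as exc:
        raise ValueError(f"not an IP address: {exc}") from None
    if first.version != 4 or last.version != 4:
        raise ValueError("IPv6 addresses cannot be used; enter an IPv4 range")
    if first > last:
        raise ValueError("start of range must not be higher than end of range")
    return first, last


def range_size(start, end):
    """Number of addresses a sweep of this range will probe."""
    first, last = validate_ipv4_range(start, end)
    return int(last) - int(first) + 1


def range_to_cidrs(start, end):
    """Express the range as the smallest set of CIDR blocks, for review."""
    first, last = validate_ipv4_range(start, end)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def addresses_outside(start, end, managed_subnets):
    """Count addresses in the range that lie outside the subnets you manage.

    A non-zero result means the sweep would probe address space that is
    not yours; narrow the range before running it.
    """
    first, last = validate_ipv4_range(start, end)
    nets = [ipaddress.ip_network(s) for s in managed_subnets]
    outside = 0
    for block in ipaddress.summarize_address_range(first, last):
        # A block wholly inside one managed subnet needs no per-address check.
        if any(block.subnet_of(net) for net in nets):
            continue
        for addr in block:
            if not any(addr in net for net in nets):
                outside += 1
    return outside


# Constructed sample values (not from the manual).
MANAGED = ["10.1.0.0/24", "10.1.1.0/24"]

if __name__ == "__main__":
    print(range_size("10.1.0.1", "10.1.1.254"))                   # 510
    print(range_to_cidrs("10.1.0.0", "10.1.1.255"))                # ['10.1.0.0/23']
    print(addresses_outside("10.1.0.0", "10.1.2.255", MANAGED))    # 256
```

The per-address loop is only reached for blocks that straddle a managed subnet boundary, so large ranges that sit entirely inside managed space are checked in constant time.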

Import computers from a file

To enable Enterprise Console to list your computers, you can import the computer names from a file.

The file that contains the computer names must be one of the following:

· A file that uses the conventions listed below.

· An SGR file exported from Sophos SAVAdmin.


You can create a file using entries like this:

[GroupName1]
Domain1|Windows2000|ComputerName1
Domain1|Windows2000Server|ComputerName2

You do not have to specify which group the computers will be put in. If you enter [] for the group name, computers will be put in the Unassigned folder.

Valid operating system names are: Windows95, Windows98, Windows9x, WindowsMe, WindowsNT, WindowsNTServer, Windows2000, Windows2000Server, WindowsXP, Windows2003, WindowsVista, Windows Server 2008, MACOS9, MACOSX, Linux, and Unix.

The domain name and the operating system are both optional. So an entry can look like this:

[GroupName1]
||ComputerName1
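As an added example, not part of this manual, the following Python script parses and validates an import file in the format described above before you hand it to the console: it tracks the current [GroupName] header, maps [] to the Unassigned folder, accepts empty domain and operating system fields, checks operating system names against the list given above, reports malformed lines, and flags computer names that appear more than once. The sample file is constructed; the assumption that entries before any group header belong to Unassigned is the script's own, not something the manual states.

```python
import re
from collections import Counter

# Operating system names the manual lists as valid in an import file.
VALID_OS = {
    "Windows95", "Windows98", "Windows9x", "WindowsMe", "WindowsNT",
    "WindowsNTServer", "Windows2000", "Windows2000Server", "WindowsXP",
    "Windows2003", "WindowsVista", "Windows Server 2008",
    "MACOS9", "MACOSX", "Linux", "Unix",
}
UNASSIGNED = "Unassigned"
GROUP_LINE = re.compile(r"^\[(.*)\]$")


def parse_import_file(text):
    """Parse the [Group] / Domain|OS|ComputerName format.

    Returns (entries, errors). Each entry is a dict with keys group, domain,
    os and name; domain and os are None when the field was left empty.
    Lines before any group header are treated as Unassigned (an assumption;
    the manual only documents the [] form).
    """
    entries, errors = [], []
    group = UNASSIGNED
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = GROUP_LINE.match(line)
        if header:
            group = header.group(1).strip() or UNASSIGNED   # "[]" means Unassigned
            continue
        fields = line.split("|")
        if len(fields) != 3:
            errors.append(f"line {lineno}: expected Domain|OS|ComputerName, got {line!r}")
            continue
        domain, os_name, name = (f.strip() for f in fields)
        if not name:
            errors.append(f"line {lineno}: computer name is required")
            continue
        if os_name and os_name not in VALID_OS:
            errors.append(f"line {lineno}: unknown operating system {os_name!r}")
            continue
        entries.append({"group": group, "domain": domain or None,
                        "os": os_name or None, "name": name})
    return entries, errors


def duplicate_names(entries):
    """Computer names listed more than once (case-insensitively); such a
    name would be imported twice or end up in two groups."""
    counts = Counter(e["name"].lower() for e in entries)
    return sorted(n for n, c in counts.items() if c > 1)


# Constructed sample file (not from the manual).
SAMPLE = """\
[Sales]
CORP|WindowsXP|SALES-PC01
CORP|Windows Server 2008|SALES-FS01
[]
||LAPTOP-07
||sales-pc01
CORP|Windows7|BAD-OS
CORP|WindowsXP
"""

if __name__ == "__main__":
    found, problems = parse_import_file(SAMPLE)
    for entry in found:
        print(entry)
    for problem in problems:
        print("error:", problem)
    print("duplicates:", duplicate_names(found))
```

Run the script against your own file before importing; any line reported under "error:" is one the console would either reject or silently mis-file, and a duplicate name is usually a stale entry left over from a previous inventory.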

You import computer names as follows:

1. On the File menu, click Import computers from file.

2. In the browser window, select the file.

3. Click the Unassigned folder to see the computers that have been found.

4. To begin managing computers, select them and drag them to a group.


7 How do I synchronize with Active Directory?

This section describes how to synchronize Enterprise Console groups with Active Directory containers.

· About Active Directory synchronization

· What is a synchronization point?

· What is a synchronized group?

· Synchronize with Active Directory

· Protect computers automatically

· View and edit synchronization properties

· Turn synchronization on or off

About Active Directory synchronization

What does Active Directory synchronization do for me?

With Active Directory synchronization, you can synchronize Enterprise Console groups with Active Directory containers. New computers and containers discovered in Active Directory will be copied into Enterprise Console automatically. You can also choose to protect discovered Windows 2000 or later workstations automatically. This will allow you to minimize the time in which computers can become infected and reduce the amount of work you need to do to organize and protect computers.

Computers running Windows 95/98/Me, Windows server operating systems, Mac, Linux, or UNIX will not be protected automatically. You must protect such computers manually.

After you have set up synchronization, you can set up email alerts to be sent to your chosen recipients about new computers and containers discovered during future synchronizations. If you choose to protect computers in synchronized Enterprise Console groups automatically, you can also set up alerts about automatic protection failures.


How does Active Directory synchronization work?

In Enterprise Console, you can have both "normal," unsynchronized groups that you manage yourself and groups synchronized with Active Directory.

When setting up synchronization, you select or create a synchronization point, an Enterprise Console group that will be synchronized with an Active Directory container. All subgroups and computers that the Active Directory container may contain will be copied into Enterprise Console and kept synchronized with Active Directory.

To learn more about synchronization points, see What is a synchronization point? To learn more about synchronized groups, see What is a synchronized group?

After you set up synchronization with Active Directory, the synchronized part of the Enterprise Console group structure matches exactly the Active Directory container it is synchronized with. This means the following:

· If a new computer is added to the Active Directory container, then it also appears in Enterprise Console.

· If a computer is removed from Active Directory or is moved into an unsynchronized container, then the computer is moved to the Unassigned folder in Enterprise Console.

When a computer is moved to the Unassigned folder, it stops receiving new policies.

· If a computer is moved from one synchronized container to another, then the computer is moved from one Enterprise Console group to the other.

· If a computer already exists in an Enterprise Console group when it is first synchronized, then it is moved from that group to the synchronized group that matches its location in Active Directory.

· When a computer is moved into a new group with different policies, then new policies are sent to the computer.


By default, synchronization occurs every 60 minutes. You can change the synchronization interval, if you want to.
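The rules above define how one synchronization run reconciles the console's group tree with the Active Directory subtree. As an added example that is not part of this manual, the Python model below applies them to a constructed scenario so you can see each case (a new computer, a computer moved between synchronized containers, a computer deleted from Active Directory, a computer previously in a normal group, and a computer outside the subtree that must be left alone) and which moves cause new policies to be sent. Active Directory containers are written as parent-first slash-separated paths purely for readability; computer and group names are made up.

```python
from dataclasses import dataclass

UNASSIGNED = "Unassigned"


@dataclass(frozen=True)
class SyncPoint:
    """An Enterprise Console group that mirrors an Active Directory container."""
    group: str       # console group name, e.g. "Workstations"
    container: str   # AD container, parent-first with "/" (a simplification)


def mirror_group(container, point):
    """Console group that mirrors an AD container, or None when the container
    is not inside the synchronized subtree."""
    if container == point.container:
        return point.group
    prefix = point.container + "/"
    if container.startswith(prefix):
        return point.group + "/" + container[len(prefix):]
    return None


def in_sync_tree(group, point):
    """True if a console group is the synchronization point or one of its
    synchronized subgroups."""
    return group == point.group or group.startswith(point.group + "/")


def synchronize(console, ad, point):
    """Apply one synchronization run.

    console: {computer: console group}  (state before the run)
    ad:      {computer: AD container}   (what AD contains now)
    Returns (new_console, events); each event is
    (computer, old group, new group, policies_sent).
    """
    updated = dict(console)
    events = []
    # Every computer found in the subtree ends up in the group that mirrors
    # its container: new computers, computers moved between synchronized
    # containers, and computers that were sitting in some other console group.
    for computer, container in ad.items():
        target = mirror_group(container, point)
        if target is None:
            continue
        current = updated.get(computer)
        if current != target:
            updated[computer] = target
            events.append((computer, current, target, True))   # new policies sent
    # A computer that was in a synchronized group but is no longer in the
    # subtree (deleted from AD, or moved to an unsynchronized container)
    # goes to Unassigned and stops receiving policies.
    for computer, group in console.items():
        if in_sync_tree(group, point) and mirror_group(ad.get(computer, ""), point) is None:
            updated[computer] = UNASSIGNED
            events.append((computer, group, UNASSIGNED, False))
    return updated, events


# Constructed scenario (names are illustrative, not from the manual).
EXAMPLE_POINT = SyncPoint("Workstations", "example.local/Workstations")
EXAMPLE_CONSOLE = {
    "PC01": "Workstations/Sales",   # unchanged
    "PC02": "Workstations/Sales",   # moved to another synchronized container
    "PC03": "Workstations/Sales",   # deleted from AD since the last run
    "PC04": "Finance",              # in a normal group, now found in the subtree
    "SRV01": "Servers",             # outside the subtree; must be untouched
}
EXAMPLE_AD = {
    "PC01": "example.local/Workstations/Sales",
    "PC02": "example.local/Workstations/Engineering",
    "PC04": "example.local/Workstations/Finance",
    "PC05": "example.local/Workstations/Sales",   # new computer
    "SRV01": "example.local/Servers",
}


def run_example():
    return synchronize(EXAMPLE_CONSOLE, EXAMPLE_AD, EXAMPLE_POINT)


if __name__ == "__main__":
    state, events = run_example()
    for computer, group in sorted(state.items()):
        print(f"{computer:6} -> {group}")
    for event in events:
        print("event:", event)
```

A second run with an unchanged Active Directory produces no events, which is the property you want from a reconciliation that runs every 60 minutes: it only acts on differences.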

How do I approach synchronization?

It is totally up to you to decide what groups to synchronize with Active Directory and how many synchronization points to set up. You must decide whether the size of groups that will be created as a result of synchronization is manageable. You should be able to deploy software, scan and clean up computers easily. This is especially important for the initial deployment.

The recommended approach is as follows:

1. Import the group structure (without computers), using the Import from Active Directory function. For instructions, see Import groups from Active Directory.

2. Review the imported group structure and choose your synchronization points.

3. Set up group policies and apply them to the groups and subgroups. For instructions, see How do I create and use policies?

4. Synchronize your chosen synchronization points, one at a time, with Active Directory. For instructions, see Synchronize with Active Directory.

What is a synchronization point?

A synchronization point is an Enterprise Console group that points to a container (or subtree) in Active Directory. A synchronization point can contain synchronized groups imported from Active Directory.

In the Groups pane, a synchronization point will appear as follows:

You can move, rename, or delete a synchronization point. You can also change policies and synchronization settings, including automatic protection settings, for a synchronization point.


You cannot create or delete subgroups in a synchronization point, or move other groups into it. You cannot move computers into or from the synchronization point.

What is a synchronized group?

A synchronized group is a subgroup of a synchronization point, imported from Active Directory.

In the Groups pane, a synchronized group will appear as follows:

You can change policies assigned to a synchronized group.

You cannot change any synchronized group settings other than group policies. You cannot rename, move, or delete a synchronized group. You cannot move computers or groups into or from the group. You cannot create or delete subgroups in the group. You cannot change synchronization settings for the group.

Synchronize with Active Directory

To synchronize with Active Directory:

1. Select a group that will become your synchronization point, right-click and select Synchronize with Active Directory. The Synchronize with Active Directory wizard starts.

2. On the Overview page of the wizard, click Next.

3. On the Choose an Enterprise Console group page, select or create an Enterprise Console group that you want to keep synchronized with Active Directory (synchronization point). Click Next.

4. On the Choose an Active Directory container page, select an Active Directory container which you want to synchronize the group with. Enter the name of the container (e.g. LDAP://CN=Computers,DC=domain_name,DC=local) or click Browse to browse to the container in Active Directory. Click Next.


5. If you want to protect Windows 2000 or later workstations automatically, on the Protect Computers Automatically page, select the software you want to install. Leave Remove third-party security software selected if you want to have another vendor's software removed automatically.

If you need to remove another vendor's updating tool, see Remove third-party security software.

You cannot install the firewall on computers running server operating systems.

Before you can install Sophos NAC on computers, you must click the link to specify the NAC server URL.

All Windows 2000 or later workstations discovered during this and future synchronizations will be protected automatically, in compliance with their respective group policies.

Computers running Windows 95/98/Me, Windows server operating systems, Mac OS, Linux, or UNIX will not be protected automatically. You must protect such computers manually, as described in Protect computers that require manual installation.

You can enable or disable automatic protection later, as described in View and edit synchronization properties.

Click Next.

6. If you chose to protect computers automatically, on the Enter Active Directory Credentials page, enter the details of an administrator account that will be used to install software on the computers. Click Next.

7. On the Choose the Synchronization Interval page, choose how often you want to synchronize the Enterprise Console group with the Active Directory container. The default is 60 minutes.

You can change the synchronization interval later, as described in View and edit synchronization properties.

8. On the Confirm Your Choices page, check the details, and then click Next to proceed.


9. On the last page of the wizard, you can view the details of the groups and computers that have been synchronized.

You can also set up email alerts to be sent to your chosen recipients about new computers and groups discovered during future synchronizations. If you chose to protect computers in synchronized groups automatically, you can also set up alerts about automatic protection failures. To open the Configure email alerts dialog box after you click Finish, select the check box on the last page of the wizard. For instructions, see Set up Active Directory email alerts.

To close the wizard, click Finish.

Protect computers automatically

Only workstations running Windows 2000 or later can be protected automatically when discovered during synchronization with Active Directory.

Computers running Windows 95/98/Me, Windows server operating systems, Mac OS, Linux, or UNIX will not be protected automatically. You must protect such computers manually as described in Protect computers that require manual installation.

You can protect computers in synchronized groups automatically either when running the Synchronize with Active Directory wizard or by editing the synchronization properties in the Synchronization properties dialog box.

You cannot install the firewall on computers running server operating systems.

Before you can install Sophos NAC on computers, you must click the link to specify the NAC server URL.

Enable automatic protection in the Synchronize with Active Directory wizard

1. On the Protect Computers Automatically page, select the software you want to install. Leave Remove third-party security software selected if you want to have another vendor's software removed automatically.

If you need to remove another vendor's updating tool, see Remove third-party security software.

2. On the Enter Active Directory Credentials page of the wizard, enter the username and password of an administrator account that will be used to install software on the computers. Click Next and complete the wizard.

Enable automatic protection in the Synchronization properties dialog box

1. In the Groups pane, select the group (synchronization point) for which you want to enable automatic protection. Right-click the group and select Synchronization properties.

2. In the Synchronization properties dialog box, select the software you want to install. Leave Remove third-party security software selected if you want to have another vendor's software removed automatically.

3. Enter the username and password of an administrator account that will be used to install software on the computers. Click OK.

Disable automatic protection

Should you want to disable automatic protection later, in the Synchronization properties dialog box, clear the Install Sophos Anti-Virus automatically check box.

View and edit synchronization properties

1. In the Groups pane, select the group (synchronization point) for which you want to edit synchronization properties. Right-click the group and select Synchronization properties.

2. In the Synchronization properties dialog box, set the options as described below.


Active Directory container

This field displays the Active Directory container which the group is synchronized with.

This field is non-editable. You cannot change the container from the Synchronization properties dialog box. If you want to synchronize the group with a different Active Directory container, remove synchronization and run the Synchronize with Active Directory wizard again.

Synchronization interval

By default, synchronization occurs every 60 minutes. You can change the synchronization interval. The minimum synchronization interval is 5 minutes.

Automatic protection

Select the Install Sophos Anti-Virus automatically check box if you want to protect all newly discovered Windows 2000 or later workstations automatically, in compliance with their respective group policies.

If you want to install the firewall or network access control as well as anti-virus software, select Install Sophos Client Firewall automatically or Install Sophos Network Access Control automatically.

Before you can install Sophos NAC on computers, you must click the link to specify the NAC server URL.

Only Windows 2000 or later workstations will be protected automatically. Computers running Windows 95/98/Me, Windows server operating systems, Mac OS, Linux, or UNIX will not be protected automatically. You must protect such computers manually, as described in Protect computers that require manual installation.

In the Username field, enter the username of an administrator account that will be used to install software on the computers.


In the Password field, enter the password of an administrator account that will be used to install software on the computers.

Turn synchronization on or off

To turn the synchronization on, run the Synchronize with Active Directory wizard as described in Synchronize with Active Directory.

To turn the synchronization off, select the group (synchronization point) which you do not want to synchronize with Active Directory anymore, right-click and select Remove synchronization. Click Yes to confirm.


8 How do I protect new computers?

This section describes how to install Sophos Anti-Virus, Sophos Client Firewall, and Sophos Network Access Control on networked computers.

· Protect new computers

· Protect new types of computer

· Protect computers that are already in a group

· Protect computers that require manual installation

· Protect computers by using a login script

· Protect Windows 95/98/Me computers with a login script

· Add the firewall to protected computers

· Select software packages

· Default update directories

· Remove third-party security software

Protect new computers

New Windows computers can be protected automatically from the console.

These instructions assume that you have already created groups and applied an updating policy to them.

Automatic installation is not possible on Windows 95/98/Me, Mac, Linux, and UNIX computers. Use manual installation instead.

If you want to protect Windows XP computers automatically from the console, make sure that "Simple File Sharing" is turned off. For a full list of requirements for the anti-virus and firewall software, see the Sophos Endpoint Security and Control Network Startup Guide. For a list of system requirements for Sophos NAC, see the Sophos NAC Installation Guide.


If you chose to synchronize with Active Directory and protect the computers automatically, you do not need to follow the steps below. See How do I synchronize with Active Directory? for details.

1. Click the Find new computers icon on the toolbar. In the Find new computers dialog box, specify how you want to find computers.

Depending on your choice, Enterprise Console either creates a group structure that mirrors an Active Directory container or places new computers in the Unassigned folder. (See How do I add computers to the console? for details.)

2. If you have computers in the Unassigned folder, drag the computer(s) onto a group.

If you have imported groups and computers from Active Directory, select the computers you want to protect, right-click and select Protect computers.

The Protect computers wizard is launched.

3. On the Welcome page of the wizard, click Next.

4. On the Select security software page, select the software you want. Leave Remove third-party security software selected if you want to have another vendor's software removed automatically.

If you need to remove another vendor's updating tool, see Remove third-party security software.

Third-party software removal uninstalls only products with the same functionality as those you install.

Sophos Client Firewall and Sophos NAC are available only if your license includes them, and only for Windows 2000 or later.

You cannot install the firewall on computers running server operating systems.

Before you can install Sophos NAC on computers, you must click the link to specify the NAC server URL. If Sophos NAC is installed on more than one server, use the URL of the computer running the application, not the computer with the database.

Click Next.

5. On the Protection summary page, any problems with installation are shown in the Protection issues column. See the troubleshooting section, or carry out manual installation for these computers. Click Next.

6. On the Credentials page, enter details of an account which can be used to install software. This account is typically a domain administrator account. It must:

§ have local administrator rights on computers you want to protect

§ be able to log on to the computer where you installed the management server

§ have read access to the Primary server location specified in the Updating policy.

If you are using a domain account, you must enter the username in the form domain\user.

Protect new types of computer

If you add computers to the network that use an operating system you have not protected before, follow the steps below.

Sophos treats Windows 2000 and later as one type of computer, and Windows 95, 98 and Me as another type. If you have Windows 2000 protected on your network already, and then add Windows 2003 computers, you can use the usual steps to protect new computers.

1. If you have not already done so, use EM Library to select and download the software package for the new operating system. For instructions, see Select software packages.

2. In Enterprise Console, find new computers on the network and put them in the Unassigned folder.


3. Right-click the group where you will place the new computers and select View group policy details. Make a note of the updating policy used.

4. In the Policies pane, double-click the updating policy.

5. Select the new operating system. Click Configure.

6. In the Set updating policy dialog box, on the Primary server tab, enter details of the folder from which computers will be updated. Enter the username and password. Click OK. Click OK again.

7. Drag the new computers onto the group. A wizard is launched to help you protect the computers.

8. On the Welcome page of the wizard, click Next.

9. On the Select security software page, select the software you want. Leave Remove third-party security software selected if you want to have another vendor's software removed automatically.

If you need to remove another vendor's updating tool, see Remove third-party security software.

Sophos Client Firewall and Sophos NAC are available only if your license includes them, and only for Windows 2000 or later.

You cannot install the firewall on computers running server operating systems.

Before you can install Sophos NAC on computers, you must click the link to specify the NAC server URL.

Click Next.

10. On the Protection summary page, any problems with installation are shown in the Protection issues column. See the Troubleshooting section, or carry out manual installation for these computers. Click Next.

11. On the Credentials page, enter details of an account which can be used to install software. This account is typically a domain administrator account. It must:


§ have local administrator rights on computers you want to protect

§ be able to log on to the computer where you installed the management server

§ have read access to the Primary server location specified in the Updating policy.

If you are using a domain account, you must enter the username in the form domain\user.

12. Repeat steps 3 to 11 for any other groups in which you want to put the new computers.

Protect computers that are already in a group

If you have placed computers in a user-defined group, but not protected them yet, you can protect them automatically as follows:

These instructions assume that you have already applied an updating policy to the group.

Automatic installation is not possible on Windows 95/98/Me computers. Use manual installation instead.

1. Select the computer(s). Right-click and select Protect computers. The Protect computers wizard is launched.

2. On the Welcome page of the wizard, click Next.

3. On the Select security software page, select the software you want. Leave Remove third-party security software selected if you want to have another vendor's software removed automatically.

If you need to remove another vendor's updating tool, see Remove third-party security software.

Sophos Client Firewall and Sophos NAC are available only if your license includes them, and only for Windows 2000 or later.

You cannot install the firewall on computers running server operating systems.


Before you can install Sophos NAC on computers, you must click the link to specify the NAC server URL.

Click Next.

4. On the Protection summary page, any problems with installation are shown in the Protection issues column. See the troubleshooting section, or carry out manual installation for these computers. Click Next.

5. On the Credentials page, enter details of an account which can be used to install software. This account is typically a domain administrator account. It must:

§ have local administrator rights on computers you want to protect

§ be able to log on to the computer where you installed the management server

§ have read access to the Primary server location specified in the Updating policy.

If you are using a domain account, you must enter the username in the form domain\user.

Protect computers that require manual installation

If Enterprise Console is unable to install anti-virus, firewall, or NAC software on certain computers automatically, you can perform the installation manually.

Enterprise Console will subsequently manage and update these installations, provided that you have put the computers into a group or groups.

Alternatively, you can perform the installation automatically by using a script. See Protect computers by using a login script.

If you have a previous version of Sophos Anti-Virus on Windows 95, 98 or Me, you must uninstall it before installing the latest version.

You install manually as follows:


1. In Enterprise Console, select the computer(s) where you want to make a manual installation. Click the Update details tab and look in the Primary server column. This shows you the directory that each computer will update from.

Alternatively, if you are using the default directories, see Default update directories for a list of the directories.

If your license includes the firewall, you can install it along with the NAC and anti-virus software, on Windows 2000 or later computers. Look for the directory for Sophos Endpoint Security and Control. The directory name is SAVSCFXP.

2. Go to the computer and browse to the directory that it will update from.

On a Windows computer, double-click setup.exe.

To protect Windows 2000 or later computers with the firewall, as well as anti-virus software, open a command prompt and run setup.exe with the appropriate qualifier:

To install anti-virus only, type: setup.exe -sav

To install anti-virus and firewall, type: setup.exe -scf

To install anti-virus, firewall, and NAC (and specify the NAC server location), type: setup.exe -scf -nac http://<nacserver>

On a Mac OS X computer, double-click Sophos Anti-Virus.mpkg.

On a Linux or UNIX computer, install Sophos Anti-Virus using the distribution package, as described in the Sophos Endpoint Security and Control Network Startup Guide.

If you have Linux or UNIX computers managed from the console, make sure a unique hostname is configured for each computer. Otherwise, each computer will be displayed in the console with the default name "localhost."

Protect computers by using a login script

You can protect computers with anti-virus software (and with the firewall if your license includes it) by running the installation program with a script or a program like Microsoft SMS.

Enterprise Console will subsequently manage and update these installations, provided that you have put the computers into a group or groups.

Finding the installation program you need

The installation program is in the directory where EM Library places Sophos updates. To check which directory this is, look in the computer list and find the computer(s) you want to protect. Click the Update details tab and look in the Primary server column.

Alternatively, if you are using the default directories, see Default update directories for a list of the directories.

Protecting Windows 95/98/Me computers

For Windows 95/98/Me computers, use a login script to run setup.exe. For instructions, see Protect Windows 95/98/Me computers with a login script.

Protecting Mac OS X computers

For Mac OS X computers, use Apple Remote Desktop. Go to the central installation directory and copy the installer to the computer running Apple Remote Desktop before using it.

Protecting Windows 2000 or later computers

If you want to protect Windows 2000 or later computers with the firewall and/or network access control, as well as anti-virus software, you must:

· Ensure that you use the correct setup program. This is the setup program for Sophos Endpoint Security and Control and it is in a directory called SAVSCFXP.

· Run the setup program with the -scf qualifier (for the firewall) and the -nac qualifier for network access control.


Protect Windows 95/98/Me computers with a login script

To protect Windows 95/98/Me computers with a login script, do as follows:

1. If you do not already know it, find the location of the directory that contains the installation program.

To do this, check which updating policy the computers use. In the Policies pane, double-click the policy. Select Windows 95/98/Me and click Configure. Then note the Address shown.

2. Add the following line to the login script:

[Path]\setup.exe -user [domain\name] -pwd [password] -login -s

where [Path] is the location of the directory that contains the installation program (e.g. \\Servername\InterChk\ES9x), and the username and password are for an account that is able to log on to your Windows 95/98/Me computers, and has read access to the CID share (in this example \\Servername\InterChk).

If you have any Windows 95 computers, you must run a small utility on them before installation. From the Sophos Endpoint Security and Control Network Install CD, copy the file Tools/Utils/w95ws2setup.exe to your server. Then insert a line in the login script, before the line shown above, to run this utility.

The user account you specify must

§ be able to log on to the computers you want to protect

§ have administrator rights on the computers you want to protect

§ have read access to the Primary server location specified in the Updating policy.

If you do not want to manage the computers with Enterprise Console, you should add the parameter -mng no to the line.

The next time your users log in, their computers will install the anti-virus software.


Add the firewall to protected computers

If you have already protected your computers with Sophos Anti-Virus, you can install the Sophos Client Firewall on them, provided that your license includes the firewall.

The firewall can be installed only on computers running Windows 2000 or later.

You cannot install the firewall on computers running server operating systems.

1. If you have not already done so, use EM Library to select and download the "Sophos Endpoint Security and Control" package, which includes the firewall. For instructions, see Select software packages.

2. Select the computer(s) where you want to install the firewall. Right-click and select Protect computers. A wizard is launched.

3. On the Welcome page of the wizard, click Next.

4. On the Select security software page, select Install Sophos Client Firewall.

5. On the Protection summary page, any problems with installation are shown in the Protection issues column. See the troubleshooting section, or carry out manual installation for these computers. Click Next.

6. On the Credentials page, enter details of an account which can be used to install software. This account is typically a domain administrator account.

Select software packages

Before you can install new anti-virus, firewall, or network access control software on your networked computers, you must ensure that you have selected the right software packages to be downloaded from Sophos.

You do this as follows:


1. Click the Libraries icon on the toolbar. The Sophos EM Library window is displayed.

2. The Configuration view is open by default. Click Select Packages. Right-click the package you want. Select Subscribe, and follow the prompts.

The "Sophos Endpoint Security and Control" package includes Sophos Anti-Virus for Windows 2000/XP/2003/Vista, Sophos Client Firewall, and Sophos NAC.

A quick way to get a new package is to go to the Library menu, and select Select Packages there. This puts the package in a default location.

3. Click Download Packages.

4. In the EM Library message box, click Yes.

5. Close the EM Library window to return to Enterprise Console.

Default update directories

If you accepted the defaults when you set up Sophos EM Library, the folders from which each product is installed and updated are as follows:

The directory for "Sophos Endpoint Security and Control" contains the installer for Sophos Anti-Virus, Sophos Client Firewall and Sophos NAC.

Product                                                               Directory
Sophos Endpoint Security and Control for Windows 2000/XP/2003/Vista   \\Servername\InterChk\SAVSCFXP
Sophos Anti-Virus for Windows 2000/XP/2003/Vista                      \\Servername\InterChk\ESXP
Sophos Anti-Virus for Windows NT                                      \\Servername\InterChk\ESNT
Sophos Anti-Virus for Windows 95/98/Me                                \\Servername\InterChk\ES9x
Sophos Anti-Virus for Mac OS X                                        \\Servername\InterChk\ESOSX
Sophos Anti-Virus for Linux                                           \\Servername\InterChk\savlinux
Sophos Anti-Virus for UNIX                                            \\Servername\InterChk\EESAVUNIX


Remove third-party security software

If you want to remove any previously installed security software, you should do as follows BEFORE running the Remove third-party security software option in the Protect computers wizard:

· If computers are running another vendor's anti-virus software, ensure that its user interface is closed.

· If computers are running another vendor's firewall or HIPS product, ensure that it is turned off or configured to allow the Sophos installer to run.

· If you want to remove not just the other vendor's software but also the other vendor's update tool (to prevent it from reinstalling the software automatically), follow the steps below. If computers have no update tool installed, you can disregard the steps below.

You have to restart any computers from which you remove third-party anti-virus software.

If computers have another vendor's update tool installed and you wish to remove the update tool, you will need to modify the configuration file before running the Remove third-party security software option in the Protect computers wizard:

1. From the Central Installation Directory, find the data.zip file.

2. Extract the crt.cfg configuration file from data.zip.

3. Edit the crt.cfg file to change the line reading "RemoveUpdateTools=0" to "RemoveUpdateTools=1".

4. Save your changes and save crt.cfg to the same directory that contains data.zip. Don't put crt.cfg back into data.zip or it will be overwritten the next time the data.zip file is updated.

When you run the Protect computers wizard and choose Remove third-party security software, the modified configuration file will now remove any third-party security update tools as well as third-party security software.

If computers are running another vendor's firewall or HIPS product, you may need to leave that vendor's update tool intact. See that vendor's documentation for clarification.
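The four crt.cfg steps above, as an added example that is not Sophos code: a Python helper that pulls crt.cfg out of data.zip, sets RemoveUpdateTools=1, writes the edited file beside data.zip rather than back into the archive, and confirms the archive itself is left unchanged. The data.zip it builds in a temporary directory is constructed for the demonstration, and the crt.cfg format is assumed to be plain key=value lines.

```python
"""Prepare crt.cfg for 'Remove third-party security software' (added example,
not Sophos code). Assumes crt.cfg is a plain text file of key=value lines."""
import os
import tempfile
import zipfile

ARCHIVE = "data.zip"
CONFIG = "crt.cfg"
KEY = "RemoveUpdateTools"


def enable_update_tool_removal(cid_dir: str) -> str:
    """Extract crt.cfg from <cid_dir>/data.zip, set RemoveUpdateTools=1 and
    save it next to data.zip. The archive is opened read-only: a copy placed
    back inside data.zip would be overwritten at the next update.
    Returns the path of the written crt.cfg."""
    zip_path = os.path.join(cid_dir, ARCHIVE)
    with zipfile.ZipFile(zip_path, "r") as archive:
        text = archive.read(CONFIG).decode("utf-8")

    lines = text.splitlines()
    changed = False
    for i, line in enumerate(lines):
        name, sep, _value = line.strip().partition("=")
        if sep and name == KEY:
            lines[i] = f"{KEY}=1"
            changed = True
    if not changed:
        # Refuse to invent the setting if the file does not carry it.
        raise ValueError(f"{CONFIG} has no {KEY}= line")

    out_path = os.path.join(cid_dir, CONFIG)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return out_path


def read_setting(path: str, key: str) -> str:
    """Return the value of key in a key=value text file."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            name, sep, value = line.strip().partition("=")
            if sep and name == key:
                return value
    raise KeyError(key)


def demo() -> dict:
    """Build a constructed data.zip in a temporary directory, run the fix and
    report the new value, whether the archive bytes are untouched, and where
    the edited file landed."""
    cid_dir = tempfile.mkdtemp(prefix="cid_demo_")
    zip_path = os.path.join(cid_dir, ARCHIVE)
    with zipfile.ZipFile(zip_path, "w") as archive:
        # Constructed sample content, not a real Sophos crt.cfg.
        archive.writestr(CONFIG, "RemoveUpdateTools=0\r\nSampleOption=1\r\n")
    with open(zip_path, "rb") as fh:
        before = fh.read()

    out_path = enable_update_tool_removal(cid_dir)

    with open(zip_path, "rb") as fh:
        after = fh.read()
    with zipfile.ZipFile(zip_path) as archive:
        inside = archive.read(CONFIG).decode("utf-8")
    return {
        "value": read_setting(out_path, KEY),
        "archive_untouched": before == after,
        "inside_archive_still_zero": "RemoveUpdateTools=0" in inside,
        "written_to": os.path.relpath(out_path, cid_dir),
    }


if __name__ == "__main__":
    print(demo())
```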


9 How do I check whether my network is protected?

This section describes how to use and configure the dashboard and how to ensure that computers are properly protected. It also tells you how to identify computers with a problem using the computer list filters and take action to resolve the problem.

· The dashboard overview

· Configure the dashboard

· Which computers are protected?

· Which computers are up to date?

· Find computers that are unprotected

· Find computers without the firewall installed

· Find computers with alerts that need attention

· Find out-of-date computers

· Find computers not managed by the console

· Find computers disconnected from the network

You can also check whether all the computers in a group comply with the policies for that group, as described in Check whether computers use the group policies.

The dashboard overview

Use the dashboard to check your network's security status. To show or hide the dashboard, click the Dashboard button on the toolbar.


The dashboard interface

The dashboard consists of the following six sections:

Computers

This section displays the total number of computers on the network and the number of connected, managed and unmanaged computers.

To view a list of managed, unmanaged, connected or all computers, click one of the links in the Computers section.

Updates

This section displays the date and time of the last update from Sophos.

To open the EM Library console, click the section title, Updates.

Computers with alerts

This section displays the number and percentage of managed computers with alerts about:

· Known and unknown viruses and spyware

· Suspicious behavior and files

· Applications blocked by firewall

· Adware and other potentially unwanted applications

· Controlled applications

To view a list of managed computers with outstanding alerts, click the section title, Computers with alerts.

Policies

This section displays the number and percentage of managed computers with group policy violations or policy comparison errors. It also includes computers that haven't yet responded to the changed policy sent to them from the console.

To view a list of managed computers that differ from policy, click the section title, Policies.

Protection

This section displays the number and percentage of managed and connected computers on which Sophos Anti-Virus is out of date or uses unknown detection data.

To view a list of managed connected out-of-date computers, click the section title, Protection.

Errors

This section displays the number and percentage of managed computers with outstanding Sophos Anti-Virus, updating, or Sophos Client Firewall errors.

To view a list of managed computers with outstanding Sophos product errors, click the section title, Errors.

The dashboard security status indicators

There are three security status indicators that the dashboard can display.

A green indicator corresponds to the "normal" status. The number of affected computers is below the warning level.

An amber indicator corresponds to the "warning" status. The warning threshold has been exceeded.

A red indicator corresponds to the "critical" status. The critical threshold has been exceeded.


The indicators are displayed for each section and for the entire dashboard.

A dashboard section health indicator is an icon displayed in the upper-right corner of a dashboard section next to its heading, that shows the status of a particular security area represented by the section.

A dashboard section health indicator shows the status of the section indicator with the most severe status, that is:

· A section health indicator changes from "Normal" to "Warning" when a warning threshold is exceeded for at least one indicator in the section.

· A section health indicator changes from "Warning" to "Critical" when a critical threshold is exceeded for at least one indicator in the section.

The network's overall health indicator is an icon displayed in the lower-right corner of the Enterprise Console window, in the status bar, that shows the overall security status of the network.

The network's overall health indicator shows the status of the dashboard section with the most severe status, that is:

· The network's overall health indicator changes from "Normal" to "Warning" when a warning threshold is exceeded for at least one indicator in the dashboard.

· The network's overall health indicator changes from "Warning" to "Critical" when a critical threshold is exceeded for at least one indicator in the dashboard.

When you first install or upgrade Enterprise Console, the dashboard uses the default warning and critical levels. You can configure your own warning and critical levels in the Configure dashboard dialog box. For instructions, see Configure the dashboard.

You can also set up email alerts to be sent to your chosen recipients when a warning or critical level has been exceeded for a dashboard section. For instructions, see Set up network status email alerts.


Configure the dashboard

The dashboard displays warning or critical status indicators based on the percentage of managed computers that have outstanding alerts or errors, or on the time since the last update from Sophos.

You can set up the warning and critical levels you want to use.

1. On the Tools menu, select Configure, and then click Dashboard. The Configure dashboard dialog box is displayed.

For information about the default dashboard configuration settings, see What are the default dashboard configuration settings?

2. Change the threshold values in the Warning level and Critical level text boxes as appropriate.

If you set a level to zero, warnings are triggered as soon as the first alert is received.

Under Computers with outstanding alerts, Computers with Sophos product errors, and Policy and protection, enter a percentage of managed computers affected by a particular problem, that will trigger the change of the respective indicator to "warning" or "critical."

Under Latest protection from Sophos, enter the time since last successful update from Sophos in hours, that will trigger the change of the "Updates" indicator to "warning" or "critical."

Click OK.

You can also set up email alerts to be sent to your chosen recipients when a warning or critical threshold has been exceeded. For instructions, see Set up network status email alerts.
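The status rules described in the two sections above (section and overall health indicators, and the configured warning and critical levels), as an added worked example that is not part of the manual or of the console's code. It evaluates each indicator as the percentage of managed computers affected (hours since the last successful update for the Updates section), treats a level as exceeded when the value is strictly above it, so a zero level trips on the first alert, and gives each section and the whole dashboard the most severe status among their indicators. The threshold values and computer counts are constructed for illustration; they are not the console's defaults, which the manual shows only in a figure.

```python
"""Model of the Enterprise Console dashboard status rules (added example,
not Sophos code). Thresholds and counts below are constructed samples."""
from dataclasses import dataclass

NORMAL, WARNING, CRITICAL = 0, 1, 2
STATUS_NAME = {NORMAL: "Normal", WARNING: "Warning", CRITICAL: "Critical"}


@dataclass(frozen=True)
class Threshold:
    """Warning and critical levels for one indicator: a percentage of
    managed computers, or hours since the last update for 'Updates'."""
    warning: float
    critical: float


def indicator_status(value: float, t: Threshold) -> int:
    """A level is exceeded when the value is strictly above it, so a level
    of zero turns the indicator amber as soon as the first alert arrives."""
    if value > t.critical:
        return CRITICAL
    if value > t.warning:
        return WARNING
    return NORMAL


def percent_affected(affected: int, managed: int) -> float:
    """Percentage of managed computers affected by one kind of problem."""
    return 0.0 if managed == 0 else 100.0 * affected / managed


def section_status(values: dict, thresholds: dict) -> int:
    """A section shows the most severe status among its own indicators."""
    return max((indicator_status(values[k], thresholds[k]) for k in values),
               default=NORMAL)


def dashboard_status(managed: int, counts: dict, hours_since_update: float,
                     thresholds: dict) -> dict:
    """counts maps section -> {indicator: affected computers}; thresholds has
    the same shape plus an 'Updates' entry keyed 'hours'. The overall health
    indicator is the most severe section status."""
    status = {}
    for section, indicators in counts.items():
        values = {k: percent_affected(n, managed) for k, n in indicators.items()}
        status[section] = section_status(values, thresholds[section])
    status["Updates"] = indicator_status(hours_since_update,
                                         thresholds["Updates"]["hours"])
    status["overall"] = max(status.values())
    return {k: STATUS_NAME[v] for k, v in status.items()}


# Constructed sample levels (not the console's defaults).
SAMPLE_THRESHOLDS = {
    "Computers with alerts": {
        "viruses_spyware": Threshold(0, 5),      # zero: first detection warns
        "suspicious": Threshold(10, 25),
        "blocked_by_firewall": Threshold(10, 25),
        "adware_pua": Threshold(10, 25),
        "controlled_apps": Threshold(10, 25),
    },
    "Errors": {"product_errors": Threshold(10, 25)},
    "Policies": {"policy_differs": Threshold(10, 25)},
    "Protection": {"out_of_date": Threshold(10, 25)},
    "Updates": {"hours": Threshold(24, 72)},
}

# Constructed snapshot of a 200-computer network.
SAMPLE_COUNTS = {
    "Computers with alerts": {
        "viruses_spyware": 2,       # 1%  > 0  -> Warning
        "suspicious": 10,           # 5%       -> Normal
        "blocked_by_firewall": 0,
        "adware_pua": 60,           # 30% > 25 -> Critical (drives the section)
        "controlled_apps": 4,
    },
    "Errors": {"product_errors": 15},      # 7.5%     -> Normal
    "Policies": {"policy_differs": 30},    # 15% > 10 -> Warning
    "Protection": {"out_of_date": 0},
}


def sample_dashboard() -> dict:
    """Evaluate the constructed snapshot with 30 hours since the last update."""
    return dashboard_status(200, SAMPLE_COUNTS, 30.0, SAMPLE_THRESHOLDS)


if __name__ == "__main__":
    for section, name in sample_dashboard().items():
        print(f"{section:24s} {name}")
```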

What are the default dashboard configuration settings?

The default dashboard configuration settings are shown in the figurebelow.


Which computers are protected?

Computers are protected if they are running on-access scanning and the firewall (if you have installed it). For full protection, the software must also be up to date.

You may have chosen not to use on-access scanning on certain types of computer, e.g. file servers. In this case, ensure that the computers use scheduled scans and that they are up to date.

To check that computers are protected:

1. Select the group of computers you want to check.

2. If you want to check computers in sub-groups of the group, select At this level and below in the drop-down list.

3. In the list of computers, look in the On-access column. If you see "Active", the computer is running on-access scanning. If you see a gray shield, it is not.

4. If you installed the firewall, look in the Firewall enabled column. If you see "Yes", the computer has firewall protection.

5. Next look in the Up to date column. If you see "Yes", the computer is up to date. If you see a clock icon and a date, it is not.

You can display a list of computers that are not properly protected or have other protection-related problems. Go to the View drop-down list and select Computers with potential problems. You can also select a subentry of this entry, to display computers affected by a specific problem (e.g. computers that differ from group policy or where a Sophos product error has occurred).

Which computers are up to date?

If you set up Enterprise Console as recommended, computers should receive updates automatically.

1. Select the group of computers you want to check.

2. If you want to check computers in any sub-groups, select At this level and below in the drop-down list.

3. Look in the Up to date column.


If you see "Yes", the computer is up to date.

If you see a clock icon, the computer is out of date. The text indicates how long the computer has been out of date.

To update computers immediately, select the computers. Right-click and select Update computers now.

Find computers that are unprotected

A computer is not properly protected if it is not running on-access scanning or if the firewall (where installed) is disabled.

You may have chosen not to use on-access scanning on certain types of computer, e.g. file servers. In this case, ensure that the computers use scheduled scans and that they are up to date.

If a computer is not running on-access scanning, a gray shield and the word "Inactive" are displayed in the On-access column on the Status page.

If the firewall is disabled, a gray firewall icon (a brick wall) is displayed in the Firewall enabled column.

To display all computers that are not properly protected and to deal with the problem, do as follows:

1. Select the group where you want to find the computers.

2. On the toolbar, in the View drop-down list, select Computers with potential problems. You can also select a subentry of this entry, to display computers affected by a specific problem (e.g. computers that differ from group policy or where a Sophos product error has occurred).

3. If the group contains subgroups, select also whether you want to find computers At this level only or At this level and below.

4. Any computers that have protection problems will be listed.

If there are computers not running on-access scanning, check which anti-virus policy is used by those computers. Ensure that on-access scanning is enabled in that policy.


If there are computers with the firewall disabled, check which firewall policy is used by those computers. Ensure that the firewall is enabled in that policy.

5. Ensure that the computers comply with the policy for their group.

Find computers without the firewall installed

If a computer does not have the firewall installed, a gray firewall icon (brick wall) is displayed in the Firewall enabled column on the Status page.

To display all such computers and fix the problem, do as follows:

1. Select the group where you want to find computers with alerts.

2. On the toolbar, in the View drop-down list, select Computers without Sophos firewall.

3. If the group contains subgroups, select also whether you want to find computers At this level only or At this level and below.

4. If there are computers on which you want to install the firewall, select them, right-click and select Protect computers. When prompted to select software, select Install Sophos Client Firewall.

Find computers with alerts that need attention

If a computer has an alert that needs your attention, there is an alert icon in the Alerts and errors column on the Status page.

A red warning sign indicates a virus or spyware. A yellow sign indicates suspicious behavior or file, an adware or other potentially unwanted application, an application blocked by the firewall, a controlled application, or an error.

To display the computers that have alerts that still need attention, do as follows:

1. Select the group where you want to find computers with alerts.


2. On the toolbar, in the View drop-down list, select Managed computers with outstanding alerts.

3. If the group contains subgroups, select also whether you want to find computers At this level only or At this level and below.

4. If there are computers with a virus or an application you do not want, see Clean up computers now.

If there are computers with an adware or other potentially unwanted application that you do want, see Authorize adware/PUA.

If the firewall has blocked an application you do want to run, see Allow applications that have been blocked.

If there are out-of-date computers, see Find out-of-date computers for help with diagnosing and fixing the problem.

If you do not need the alert displayed any more, you can clear it. Select the computer(s) with alerts, right-click and select Acknowledge alerts and errors.

Find out-of-date computers

If a computer has out-of-date anti-virus software, a clock icon is displayed in the Up to date column on the Status page. The text indicates how long the computer has been out of date.

A computer can be out of date for one of two reasons:

· That computer has failed to fetch an update from the server.

· The server itself does not have the latest Sophos software.

This section tells you how to diagnose the problem and update the computers.

1. Select the group where you want to find out-of-date computers.

2. On the Status tabbed page, click on the Up to date column to sort computers by up-to-dateness.

3. Click the Update details tab and look in the Primary server column. This shows you the directory that each computer updates from.

4. Now look at the computers that update from one particular directory.

If some are out of date, but others are not, the problem is with individual computers. Select them, right-click and select Update computers now.

If all are out of date, the problem could be with the directory. Click the Libraries icon on the toolbar. In the EM Library console, click the library name (in the left-hand pane), then click Central Installations. Select the directory that you suspect to be out of date, right-click and select Update CID. Then go back to the Enterprise Console, select the out-of-date computers, right-click and select Update computers now.

Find computers not managed by the console

Windows, Mac, Linux, and UNIX computers should be managed by Enterprise Console, so that they can be updated and monitored.

If a computer is not managed, its details on the Status tabbed page are grayed out.

You find and fix unmanaged computers as follows:

1. On the toolbar, in the View drop-down list, select Unmanaged computers.

2. Select any computers that are listed. Right-click and select Protect computers to install a managed version of Sophos Anti-Virus.

3. If there are computers on which Enterprise Console cannot install Sophos Anti-Virus automatically, carry out a manual installation.

Unless you use Active Directory synchronization, new computers added to the network are not displayed or managed by the console automatically. Click Find new computers in the toolbar to search for them and place them in the Unassigned folder.


Find computers disconnected from the network

If a computer is disconnected from the network, a red cross appears by the icon next to its name on the Status page.

To display a list of the computers that are disconnected, do as follows:

1. Select the group where you want to find disconnected computers.

2. On the toolbar, in the View drop-down list, select Disconnected computers.

3. If the group contains subgroups, select also whether you want to find computers At this level only or At this level and below.

"Disconnected computers" here means computers that are usually managed by Enterprise Console, but are disconnected. Unmanaged disconnected computers are not shown.


10 How do I update computers?

This section describes how to set up and configure automatic updating of computers in each group and how to update computers on request.

· Set up automatic updating

· Select a source for updates

· Select an alternative source for updates

· Schedule updates

· Update computers now

· Make computers update when they dial up

· Specify a proxy server for updating

· Limit the bandwidth used

· Select a different source for initial installation

· Log updates

Set up automatic updating

You set up automatic updating as follows:

You must follow these steps for each type of computer (e.g. Windows 2000 and later) in the group(s) you will apply this updating policy to.

1. To create a new updating policy, in the Policies pane, right-click on Updating and select Create policy. Enter a name for the policy, and then press Enter to save the name. Double-click the new policy to edit it.

To edit the default policy, double-click Updating and then double-click Default.

To edit a policy created earlier, check which updating policy is used by the group(s) of computers you want to configure. In the Policies pane, double-click Updating. Then double-click the policy you want to change.

2. In the Updating policy dialog box, select an operating system. Click Configure.

3. In the Set updating policy dialog box, click the Primary server tab and set the options as described below.

Address

Enter the address (UNC (network) path or web address) from which Sophos Anti-Virus will usually fetch updates.

Username

If necessary, enter the Username for the account that will be used to access the server, and then enter and confirm the Password. This account should have read rights to the directory you entered in the address field above.

If the Username needs to be qualified to indicate the domain, use the form domain\username.

Advanced and Proxy details

If you want to limit the bandwidth used, or set computers to make a dial-up connection automatically when it is needed for updating, click Advanced.

If you access the internet via a proxy server, click Proxy details. Note that some internet service providers require web requests to be sent to a proxy server.

4. Click the Schedule tab and enter the details as described below.

Enable networked computers to use Sophos updates automatically

Select this if you want computers to be updated at regular intervals. Then enter the frequency (in minutes) with which computers will check for updated software. The default is 5 minutes.


If the computers download updates directly from Sophos, this frequency setting does not apply. Computers running Sophos PureMessage can check for updates every 15 minutes. Computers that are not running Sophos PureMessage will update every 60 minutes.

Check for updates on dial-up

Select this if the computers update via a dial-up connection to the internet. Computers will then attempt to update whenever they connect to the internet.

5. In the Policies pane, click on the new updating policy and drag it onto the group of computers you want to configure.

If you have simply edited a policy already applied to the group, e.g. the default policy, you do not need to carry out step 5.

Select a source for updates

If you want computers to update themselves automatically, you must specify where they fetch updates from.

You must specify where each type of computer (e.g. Windows 2000 and later) updates from.

1. Check which updating policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Updating. Then double-click the policy you want to change.

3. In the Updating policy dialog box, select an operating system. Click Configure.

4. In the Set updating policy dialog box, click the Primary server tab. Set the options as described below.

Address

Enter the address (UNC (network) path or web address) from which Sophos Anti-Virus will usually fetch updates.


Username

If necessary, enter the Username for the account that will be used to access the server, and then enter and confirm the Password. This account should have read rights to the directory you entered in the address field above.

If the Username needs to be qualified to indicate the domain, use the form domain\username.

Advanced and Proxy details

If you want to limit the bandwidth used, or set computers to make a dial-up connection automatically when it is needed for updating, click Advanced.

If you access the internet via a proxy server, click Proxy details. Note that some internet service providers require web requests to be sent to a proxy server.

Select an alternative source for updates

You can set an alternative source for updates. If the computers cannot contact their usual source, they will attempt to update from this alternative source.

Sophos recommends that you set an alternative source for updates if you have computers that are not always connected to the company network, for example, laptops.

You must specify where each type of computer (e.g. Windows 2000 and later) updates from.

1. Check which updating policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Updating. Then double-click the policy you want to change.

3. In the Updating policy dialog box, select an operating system. Click Configure.

4. In the Set updating policy dialog box, click the Secondary server tab. Select Specify secondary server details. Then enter the details as described below.

Address

Enter the Address (UNC (network) path or web address) from which computers will fetch updates if they cannot contact the usual source. If you select Sophos, Sophos Anti-Virus will download updates directly from Sophos via the internet.

Username

If necessary, enter the Username for the account that will be used to access the server, and then enter and confirm the Password. This account should have read rights to the directory you entered in the address field above.

If the Username needs to be qualified to indicate the domain, use the form domain\username.

Advanced and Proxy details

If you want to limit the bandwidth used, or set computers to make a dial-up connection automatically when it is needed for updating, click Advanced.

If you access the address via a proxy server, click Proxy details. Note that some internet service providers require web requests to be sent to a proxy server.

Schedule updates

You can specify when or how often computers are updated.

You enter these settings separately for each type of computer (e.g. Windows 2000 and later).

1. Check which updating policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Updating. Then double-click the policy you want to change.


3. In the Updating policy dialog box, select an operating system. Click Configure.

4. In the Set updating policy dialog box, click the Schedule tab. Enter the details as described below.

Enable networked computers to use Sophos updates automatically

Select this if you want computers to be updated at regular intervals. Then enter the frequency (in minutes) with which computers will check for updated software. The default is 5 minutes.

If the computers download updates directly from Sophos, this frequency setting does not apply. Computers running Sophos PureMessage can check for updates every 15 minutes. Computers that are not running Sophos PureMessage will update every 60 minutes.

Check for updates on dial-up

Select this if the computers update via a dial-up connection to the internet. Computers will then attempt to update whenever they connect to the internet.

Update computers now

You can update a computer or computers immediately, without waiting for the next automatic update.

Select the computer(s) you want to update. Right-click and select Update computers now.

Make computers update when they dial up

If you want computers to update as soon as they dial a connection, do as follows:

You enter these settings separately for each type of computer (e.g. Windows 2000 and later).

1. Check which updating policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Updating. Then double-click the policy you want to change.

3. In the Updating policy dialog box, select an operating system. Click Configure.

4. In the Set updating policy dialog box, click the Schedule tab. Select Check for updates on dial-up.

Specify a proxy server for updating

If computers fetch updates via the internet, you must enter details of any proxy server used to connect to the internet.

You enter these settings separately for each type of computer (e.g. Windows 2000 and later).

1. If you haven't already done so, check which updating policy is used by the group(s) of computers you want to configure. In the Policies pane, double-click Updating. Then double-click the policy you want to change. In the Updating policy dialog box, select an operating system. Click Configure.

2. In the Set updating policy dialog box, click the Primary server tab or the Secondary server tab as required. Ensure that all the details have been correctly entered. Then click Proxy details.

3. In the Proxy details dialog box, select Access the server via a proxy. Then enter the proxy server Address and Port number. Enter a Username and Password that give access to the proxy server. If the username needs to be qualified to indicate the domain, use the form domain\username.

Limit the bandwidth used

You can limit the bandwidth used for updating. This prevents updating from using all the bandwidth when a computer needs it for other purposes, e.g. downloading email.

You enter this setting separately for each type of computer (e.g. Windows 2000 and later).

1. If you haven't already done so, check which updating policy is used by the group(s) of computers you want to configure. In the Policies pane, double-click Updating. Then double-click the policy you want to change. In the Updating policy dialog box, select an operating system. Click Configure.

2. In the Set updating policy dialog box, click the Primary server tab or the Secondary server tab as required. Ensure that all the details have been correctly entered. Then click Advanced.

3. In the Advanced settings dialog box, select Limit amount of bandwidth used and use the slider control to specify the bandwidth in Kbits/second. If you specify more bandwidth than the computer has available, updating uses all that is available.

Select a different source for initial installation

By default, anti-virus software is installed on computers and thenkept updated from the source (the "Primary server") you specifywhen you first set up a computer group. If you want to make theinitial installation from a different source, you can do so as follows:

This setting applies only to Windows 2000 and later.

If your primary server is an HTTP (web) address, and you wantto perform installation on computers from the console, you mustspecify a first-time install source.

1. Check which updating policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Updating. Then double-click the policy you want to change.

3. In the Updating policy dialog box, select an operating system, e.g. Windows 2000 and later. Click Configure.


4. In the Set updating policy dialog box, click the Initial install source tab. Deselect Use primary server address. Then enter the address of the source you want to use.

Log updates

You can configure computers to log their updating activity.

You enter these settings separately for each type of computer (e.g. Windows 2000 and later).

1. Check which updating policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Updating. Then double-click the policy you want to change.

3. In the Updating policy dialog box, select an operating system. Click Configure.

4. In the Set updating policy dialog box, click the Logging tab. Ensure that Log Sophos AutoUpdate activity is selected. Then set other options as described below.

Maximum log size

Specify a maximum size for the log in MB.

Log level

You can select Normal or Verbose logging. Verbose logging provides information on many more activities than usual, so the log will grow faster. Use this setting only when detailed logging is needed for troubleshooting.


11 How do I change anti-virus and HIPS settings?

This section describes how to change the settings used to detect and clean up viruses, Trojans, worms, spyware as well as adware and other potentially unwanted applications. It also tells you how to scan your computers. You can use different settings for each set of computers.

· What is HIPS?

· Scan for viruses, Trojans, worms, and spyware

· Detect suspicious behavior

· Scan for suspicious files

· Authorize suspicious items

· Scan for adware/PUA

· Authorize adware/PUA

· Change types of file scanned

· Exclude items from on-access scanning

· Scan for rootkits

· Scan inside archive files

· Scan Macintosh files

· Turn on-access scanning on or off

· Change when on-access scanning occurs

· Scan computers at set times

· Change scheduled scan settings

· Exclude items from scheduled scanning

· Items that can be excluded from scanning

You can also have computers cleaned up automatically as soon as a virus or other threat is found. To do this, you change the settings for on-access scanning as described in Clean up computers automatically.

What is HIPS?

Host Intrusion Prevention System (HIPS) is a security technology that protects computers from suspicious files, unidentified viruses, and suspicious behavior.

HIPS options apply only to Sophos Anti-Virus 7 and later for Windows 2000 and later.

There are the following HIPS methods:

· Runtime behavior analysis

Runtime behavior analysis comprises suspicious behavior detection and buffer overflow detection. Suspicious behavior detection is the dynamic analysis of all programs running on the computer to detect and block activity that appears to be malicious.

For more information, see Detect suspicious behavior.

· Suspicious file detection

Sophos Anti-Virus 7 or later can scan for suspicious files. These contain certain characteristics that are common to malware but not sufficient for the files to be identified as new pieces of malware.

For more information, see Scan for suspicious files.

Scan for viruses, Trojans, worms, and spyware

By default, Sophos Anti-Virus detects known and unknown viruses, Trojans, worms, and spyware automatically as soon as a user attempts to access files that contain them. Sophos Anti-Virus 7 and later for Windows 2000 and later also analyzes behavior of the programs running on the system.


You can also configure Sophos Anti-Virus to:

· Scan computers for suspicious files

· Scan for adware and other potentially unwanted applications

· Scan computers at set times

Detect suspicious behavior

By default, Sophos Anti-Virus detects viruses, Trojans, worms, and spyware. Sophos Anti-Virus 7 and later for Windows 2000 and later also analyzes behavior of the programs running on the system.

The runtime behavior analysis includes:

· Suspicious behavior detection

The "suspicious behavior detection" dynamically analyzes the behavior of all programs running on the system in order to detect and block activity which appears to be malicious. Suspicious behavior may include changes to the registry that could allow a virus to run automatically when the computer is restarted.

· Buffer overflow detection

The "buffer overflow detection" dynamically analyzes the behavior of all programs running on the system in order to detect buffer overflow attacks.

The "buffer overflow detection" feature is not available for Windows Vista and 64-bit versions of Windows. These operating systems are protected against buffer overflows by Microsoft's Data Execution Prevention (DEP) feature.

To view or change the runtime behavior analysis settings:

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. In the Anti-virus and HIPS policy dialog box, click the HIPS runtime behavior button.

4. The HIPS runtime behavior analysis settings dialog box is displayed. There are two options:

· Detect suspicious behavior

· Detect buffer overflows

By default, these options are enabled. Sophos Anti-Virus detects such behavior and sends alerts to Enterprise Console. However, it does not block any of the programs detected.

Sophos recommends that you run Sophos Anti-Virus in alert-only mode for a time and authorize the programs you need before enabling automatic blocking of suspicious behavior.

5. Leave the options enabled or change the settings, if you want to, and click OK.

When suspicious behavior or buffer overflow is detected, you can either remove or authorize the suspicious item.

6. When you are ready to enable automatic blocking of suspicious behavior, clear the Alert only check box.

Scan for suspicious files

By default, Sophos Anti-Virus detects known and unknown viruses, Trojans, worms, and spyware. You can also configure it to detect suspicious files.

A suspicious file is a file that contains certain characteristics that are common to malware but not sufficient for the file to be identified as a new piece of malware (for example, a file containing dynamic decompression code commonly used by malware).

This option applies only to Sophos Anti-Virus 7 and later for Windows 2000 and later.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.


2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. In the Anti-virus and HIPS policy dialog box, set the options as follows:

On-access scanning

To configure on-access scanning, in the Configure Sophos Anti-Virus and HIPS panel, make sure the Enable on-access scanning check box is selected. Click the On-access scanning button.

On the Scanning tab, in the Scanning options panel, select the Scan for suspicious files (HIPS) check box. Click OK.

Scheduled scanning

To configure scheduled scans, in the Scheduled scanning panel, click Add (or select an existing scan and click Edit).

In the Scheduled scan settings dialog box, enter your settings and then click Configure.

In the Scanning and cleanup settings dialog box, on the Scanning tab, in the Scanning options panel, select the Scan for suspicious files (HIPS) check box. Click OK.

When a suspicious file is detected, you can either remove or authorize the file.

If you disable scanning for suspicious files, scanning for rootkits is disabled at the same time.

Authorize suspicious items

If you have enabled one or more HIPS options (e.g. suspicious behavior detection, buffer overflow detection, or suspicious file detection), but you want to use some of the items detected, you can authorize them as follows:

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. In the Anti-virus and HIPS policy dialog box, click the Authorization button.

4. In the Authorization Manager dialog box, click the tab for the type of behavior that has been detected, e.g. Buffer overflow. Find the program that has been detected and move it from the Known list to the Authorized list.

If you want to allow an item that Sophos Anti-Virus has not yet classified as suspicious, you can pre-authorize it as follows:

1. Click New entry.

2. Browse to the item and select it to add it to the Authorized list.

If you want to remove an item from the list, select the item and click Delete entry. If you have authorized the item, removing it from the list effectively blocks it again, so use this option only if you're sure that it doesn't need to be authorized. This option doesn't delete the item from disk.

Scan for adware/PUA

By default, Sophos Anti-Virus detects viruses, Trojans, worms, and spyware. You can also configure it to detect adware and other potentially unwanted applications (PUAs).

This option applies only to Sophos Anti-Virus 6 and later for Windows 2000 and later.

Sophos recommends that you begin by using a scheduled scan to detect potentially unwanted applications. This lets you deal safely with applications that are already running on your network. You can then enable on-access detection to protect your computers in future.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change. The Anti-virus and HIPS policy dialog box is displayed.

3. In the Scheduled scanning panel, click Add to create a new scan, or double-click a scan in the list to edit it.

4. In the Scheduled scan settings dialog box, click Configure (at the bottom of the page).

5. In the Scanning and cleanup settings dialog box, on the Scanning tab, under Scanning options, select Scan for adware/PUA. Click OK.

6. When the scan is carried out, Sophos Anti-Virus may report some adware or other potentially unwanted applications.

If you want your computers to run the applications, you must authorize them. Otherwise, remove them.

7. If you want to enable on-access detection, open the Anti-Virus and HIPS policy dialog box again. In the Configure Sophos Anti-Virus and HIPS panel, make sure the Enable on-access scanning check box is selected. Click the On-access scanning button. In the On-access scan settings dialog box, select Scan for adware/PUA.

Some applications "monitor" files and attempt to access them frequently. If you have on-access scanning enabled, it detects each access and sends multiple alerts. See Frequent alerts about potentially unwanted applications.

Authorize adware/PUA

If you have enabled Sophos Anti-Virus to detect adware and other potentially unwanted applications (PUAs), it may prevent the use of an application that you want.

You can authorize such applications as follows:

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.


3. In the Anti-virus and HIPS policy dialog box, click the Authorization button.

4. In the Authorization manager dialog box, on the Adware/PUAs tab, in the Known adware/PUAs list, select the application you want. Click Add to add it to the Authorized adware/PUAs list.

If you cannot see the application you want to authorize, do the following:

1. Click New entry. The Add new adware/PUA dialog box is displayed.

2. Go to the Sophos threat analyses web page, http://www.sophos.com/security/analyses.

3. In the View by type field, select Adware or PUA, depending on the type of application you want to authorize. Click Go.

4. Find the application you want to authorize and enter its name in the Add new adware/PUA dialog box. Click OK. The application will be added to the Known adware/PUAs list.

5. Select the application and click Add to add it to the Authorized adware/PUAs list.

If you want to remove an application from the list, select the application and click Delete entry.

Change types of file scanned

By default, Sophos Anti-Virus scans file types that are vulnerable to viruses. You can scan additional file types or choose to exempt some file types from scanning.

The file types scanned by default differ between operating systems and change as the product is updated. To see a list of the file types, go to a computer with the relevant operating system, open the Sophos Anti-Virus window and look for the "Extensions" configuration page.

These options apply to Windows computers only.


On Windows 2000 or later, you can change these settings separately for on-access and scheduled scanning. On Windows NT/95/98/Me, changes made in the scheduled scan settings apply to on-access scanning too.

You can make changes on Mac OS X computers with the Sophos Update Manager, a utility supplied with Sophos Anti-Virus for Mac OS X. To open Sophos Update Manager, on a Mac OS X computer, in a Finder window, browse to the Sophos Anti-Virus:ESOSX folder. Double-click Sophos Update Manager. For further details, see Sophos Update Manager Help.

You can make changes on Linux computers using the savconfig and savscan commands as described in the Sophos Anti-Virus for Linux user manual.

You can make changes on UNIX computers using the savscan command as described in the Sophos Anti-Virus for UNIX user manual.

To change types of files scanned:

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. In the Anti-virus and HIPS policy dialog box, set the options as follows:

To configure on-access scanning, in the Configure Sophos Anti-Virus and HIPS panel, make sure the Enable on-access scanning check box is selected. Click the On-access scanning button.

To configure scheduled scans, in the Scheduled scanning panel, click Extensions and Exclusions.

4. On the Extensions tab, select Scan executable and infectable files.

To scan additional file types, click Add and type the file extension, e.g. PDF, in the Extension field.


To exempt some of the file types that are usually scanned by default, click Exclude. This opens the Exclude extensions dialog box. Enter the file extension.

By default, files with no extension are scanned.

You can also select to scan all files, although this will affect computer performance.

Exclude items from on-access scanning

You can exclude items from on-access scanning.

These options apply only to Windows 2000 or later, Mac OS X, Linux, and UNIX.

To exclude items on Windows NT/95/98/Me computers, use the scheduled scan configuration pages, which apply to on-access scanning too.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. The Anti-virus and HIPS policy dialog box is displayed. In the Configure Sophos Anti-Virus and HIPS panel, click the On-access scanning button.

4. Click the tab for Windows exclusions, Mac exclusions, or Linux/Unix exclusions. To add items to the list, click Add and enter the full path in the Exclude item dialog box. The items you can exclude from scanning differ on each type of computer. See Items that can be excluded from scanning.

Scan for rootkits

Scanning for rootkits is always performed when you run a full system scan of a computer. However, if you want to change the setting for a scheduled scan, do as follows.


This option applies only to Sophos Anti-Virus 7 and later for Windows 2000 and later.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. In the Anti-virus and HIPS policy dialog box, in the Scheduled scanning panel, click Add (or select an existing scan and click Edit).

4. In the Scheduled scan settings dialog box, enter your settings and then click Configure.

5. In the Scanning and cleanup settings dialog box, on the Scanning tab, in the Scanning options panel, select the Scan for suspicious files (HIPS) check box. Click OK.

If you disable scanning for rootkits, scanning for suspicious files is disabled at the same time.

Scan inside archive files

Scanning inside archive files makes scanning significantly slower and is generally not required. Even if you don't select the option, when you attempt to access a file extracted from the archive file, the extracted file is scanned. Sophos therefore does not recommend selecting this option.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. In the Anti-virus and HIPS policy dialog box, in the Scheduled scanning panel, click Add (or select an existing scan and click Edit).

4. In the Scheduled scan settings dialog box, enter your settings and then click Configure (at the bottom of the page).


5. In the Scanning and cleanup settings dialog box, on the Scanning tab, select Scan inside archive files. Click OK.

Scan Macintosh files

You can enable Sophos Anti-Virus to scan Macintosh files stored on Windows computers.

This option applies only to Sophos Anti-Virus 7 and later for Windows 2000 and later.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. In the Anti-virus and HIPS policy dialog box, set the options as follows:

On-access scanning

To configure on-access scanning, in the Configure Sophos Anti-Virus and HIPS panel, make sure the Enable on-access scanning check box is selected. Click the On-access scanning button.

On the Scanning tab, in the Scanning options panel, select the Scan for Macintosh viruses check box.

Scheduled scanning

To configure scheduled scans, in the Scheduled scanning panel, click Add (or select an existing scan and click Edit).

In the Scheduled scan settings dialog box, enter your settings and then click Configure.

In the Scanning and cleanup settings dialog box, on the Scanning tab, select the Scan for Macintosh viruses check box.


Turn on-access scanning on or off

By default, Sophos Anti-Virus scans files as the user attempts to access them, and denies access unless the file is clean.

You may decide to turn off on-access scanning on Exchange servers or other servers where performance might be affected. In this case, put the servers in a special group and change the anti-virus and HIPS policy used for that group as shown below.

If you turn off on-access scanning on a server, we recommend you set up scheduled scans on the relevant computers.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. The Anti-virus and HIPS policy dialog box is displayed. To turn off on-access scanning, clear the Enable on-access scanning check box. Then, in the Scheduled scanning panel, click Add and set up a scheduled scan.

If you later want to restart on-access scanning, select the check box again.

Change when on-access scanning occurs

You can specify whether files are scanned when you open them ("on read"), save them ("on write") or rename them.

Scanning files "on write" or "on rename" can have an impact on the computers' performance. These options are not usually recommended.

These options apply to Windows computers only.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.


3. In the Anti-virus and HIPS policy dialog box, in the Configure Sophos Anti-Virus and HIPS panel, click the On-access scanning button.

4. In the On-access scan settings dialog box, on the Scanning tab, in the On-access scanning behavior panel, select the options you want.

Scan computers at set times

You can have computers scanned at set times.

Scheduled scans will run only on Windows and UNIX computers. On Windows 95/98/Me computers, scheduled scans run only if the Sophos Anti-Virus window is open.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. In the Anti-virus and HIPS policy dialog box, in the Scheduled scanning panel, click Add.

4. In the Scheduled scan settings dialog box, enter a name for the scanning job. Select the items to scan (by default, all local hard disks or mounted filesystems are scanned). Select the days and times at which you want the scan to run.

If you want to change other scanning options or configure this scan to clean up computers, click Configure at the bottom of the dialog box.

For instructions on how to change the options for a scheduled scan, see Change scheduled scan settings.

Change scheduled scan settings

You can change the settings for scheduled scanning.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. In the Anti-virus and HIPS policy dialog box, in the Scheduled scanning panel, you can change two different kinds of setting:

To change the types of files scanned by all scheduled scans, click Extensions and Exclusions.

To change settings specific to each scan (what is scanned, times, scanning options, cleanup), highlight the scan and click Edit. Then in the Scheduled scan settings dialog box, click Configure.

For full details of how to use scanning options, see Scan for suspicious files, Scan for adware/PUA, and Scan inside archive files. For details of how to use cleanup options, see Clean up computers automatically.

Exclude items from scheduled scanning

You can exclude items from scheduled scanning.

On Windows NT/95/98/Me, changes made in the scheduled scan settings apply to on-access scanning too.

The "excluded items" settings for scheduled scans also apply to full system scans run from the console and "scan my computer" scans run on networked computers.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change.

3. The Anti-virus and HIPS policy dialog box is displayed. In the Scheduled scanning panel, click Extensions and Exclusions.

4. Click the Exclusions tab. To add items to the list, click Add and enter the full path in the Exclude item dialog box. The items you can exclude from scanning differ on each type of computer. See Items that can be excluded from scanning.

Items that can be excluded from scanning

On each type of computer, there are different limitations on the items that you can exclude from scanning.

Windows 2000 and later

On Windows 2000 and later, you can exclude drives, folders and files.

You can use the wildcards * and ?.

The wildcard ? can be used only in a filename or extension. It generally matches any single character. However, when used at the end of a filename or extension, it matches any single character or no characters. For example file??.txt matches file.txt, file1.txt and file12.txt but not file123.txt.

The wildcard * can be used only in a filename or extension, in the form [filename].* or *.[extension]. For example, file*.txt, file.txt* and file.*txt are invalid.

For further details see the help files or user manual for Sophos Anti-Virus for Windows 2000 and later.
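To make the two wildcard rules above concrete, the following Python example (added here; it is not Sophos code and is not the matcher used by Sophos Anti-Virus) compiles a Windows exclusion into a regular expression under exactly those rules, rejects the invalid forms the manual lists, and then tests sample paths against a constructed exclusion list. Two details are assumptions rather than statements from the page: matching is treated as case-insensitive, as Windows paths are, and a pattern ending in a backslash is treated as a drive or folder exclusion that covers everything beneath it.

```python
import re

# Added example: compiles a Windows 2000-and-later exclusion into a regular
# expression following the two wildcard rules quoted from the manual. This is
# illustrative code, not the Sophos Anti-Virus matcher. Assumptions not stated
# on the page: matching is case-insensitive (Windows paths), and a pattern that
# ends in a backslash is a drive or folder exclusion covering everything below it.


def _part_to_regex(part: str) -> str:
    """Translate one filename or extension component into a regex fragment."""
    if part == "*":
        # '*' is valid only as the whole filename or the whole extension
        return ".*"
    if "*" in part:
        raise ValueError(f"'*' must stand alone as the filename or extension: {part!r}")
    stripped = part.rstrip("?")
    trailing = len(part) - len(stripped)
    # '?' in the middle matches exactly one character; each trailing '?' matches
    # one character or none (file??.txt matches file.txt, file1.txt, file12.txt)
    body = "".join("." if c == "?" else re.escape(c) for c in stripped)
    return body + ".?" * trailing


def exclusion_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a drive, folder or file exclusion; raise ValueError if invalid."""
    pattern = pattern.replace("/", "\\")
    if pattern.endswith("\\"):
        # assumed: a trailing separator marks a drive or folder exclusion
        return re.compile("^" + re.escape(pattern) + ".*$", re.IGNORECASE)
    directory, sep, leaf = pattern.rpartition("\\")
    if "*" in directory or "?" in directory:
        raise ValueError("wildcards are allowed only in the filename or extension")
    if "." in leaf:
        name, ext = leaf.rsplit(".", 1)
        leaf_re = _part_to_regex(name) + r"\." + _part_to_regex(ext)
    else:
        leaf_re = _part_to_regex(leaf)
    return re.compile("^" + re.escape(directory + sep) + leaf_re + "$", re.IGNORECASE)


def is_valid_exclusion(pattern: str) -> bool:
    """True if the pattern uses '*' and '?' only in the forms the manual allows."""
    try:
        exclusion_regex(pattern)
    except ValueError:
        return False
    return True


def is_excluded(path: str, exclusions: list) -> bool:
    """True if a full path is covered by any exclusion in the list."""
    path = path.replace("/", "\\")
    return any(exclusion_regex(p).match(path) for p in exclusions)


if __name__ == "__main__":
    # constructed sample exclusion list and sample paths
    policy = [r"C:\Logs\file??.txt", r"D:\Builds\*.obj", "C:\\Temp\\"]
    for sample in (r"C:\Logs\file12.txt", r"C:\Logs\file123.txt",
                   r"D:\Builds\core.obj", r"C:\Temp\sub\dump.bin"):
        print(f"{sample}: excluded={is_excluded(sample, policy)}")
    for bad in (r"C:\Logs\file*.txt", r"C:\Logs\file.txt*", r"C:\Logs\file.*txt"):
        print(f"{bad}: valid={is_valid_exclusion(bad)}")
```

Validating a proposed exclusion before it goes into a policy is the useful part of this: an exclusion that is too broad (a whole drive, or `*.*` in a folder users can write to) silently removes on-access protection for everything it matches, so a reviewer can run candidate patterns through `exclusion_regex` and inspect what they cover.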

Windows NT

On Windows NT, you can exclude files and directories.

Windows 95/98/Me

On Windows 95/98/Me, you can exclude files, directories (for scheduled scans), and drives.

Mac OS X

On Mac OS X, you can exclude volumes, folders, and files.

Although wildcard characters are not supported, you can specify which items are excluded by prefixing or suffixing the exclusion with a slash or double slash.

For further details, see the help files or user manual for Sophos Anti-Virus for Mac OS X.

Linux and UNIX

On Linux and UNIX, you can exclude directories and files by specifying a path (with or without wildcards).

Enterprise Console supports only path-based Linux and UNIX exclusions. You can also set up other types of exclusion directly on the managed computers. Then you can use regular expressions, exclude file types and filesystems. For instructions, see the Sophos Anti-Virus for Linux user manual or the Sophos Anti-Virus for UNIX user manual.

If you set up another path-based exclusion on a managed Linux or UNIX computer, this computer will be reported to the console as differing from the group policy.


12 How do I change application control settings?

Enterprise Console enables you to detect and block "controlled applications", i.e. legitimate applications that are not a security threat, but that you decide are unsuitable for use in your office environment. Such applications may include instant messaging (IM) clients, Voice over Internet Protocol (VoIP) clients, digital imaging software, media players, or browser plug-ins.

This option applies only to Sophos Anti-Virus 7 and later for Windows 2000 and later.

Applications can be blocked or authorized for different groups of computers with complete flexibility. For example, VoIP can be switched off for office-based desktop computers, yet authorized for remote computers.

The list of controlled applications is supplied by Sophos and updated regularly. You cannot add new applications to the list.

This section describes how to select the applications you want to control on your network and set up scanning for controlled applications.

· Select the applications you want to control

· Scan for applications you want to control

· Uninstall controlled applications you do not want

Select the applications you want to control

By default, all applications are allowed. You can select the applications you want to control as follows:

1. Check which application control policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Application control. Then double-click the policy you want to change.


3. In the Application control policy dialog box, click the Authorization tab.

4. Select an Application type, e.g. File sharing. A full list of the applications included in that group is displayed in the Authorized list below.

To block an application, select it and move it to the Blocked list by clicking the "Add" button.

To block any new applications that Sophos adds to that type in the future, move All added by Sophos in the future to the Blocked list.

To block all applications of that type, move all applications from the Authorized list to the Blocked list by clicking the "Add all" button.

5. On the Scanning tab of the Application control policy dialog box, make sure that scanning for controlled applications is enabled. (See Scan for applications you want to control for details.) Click OK.

Scan for applications you want to control

You can configure Sophos Anti-Virus to scan for applications you want to control on your network on access.

1. Check which application control policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Application control. Then double-click the policy you want to change. The Application control policy dialog box is displayed.

3. On the Scanning tab, set the options as follows:

To enable on-access scanning, select the Enable on-access scanning check box. If you want to detect applications but do not want to block them on access, select the Detect but allow to run check box.

To enable on-demand and scheduled scanning, select the Enable on-demand and scheduled scanning check box.

Your anti-virus and HIPS policy settings determine which files are scanned (i.e. the extensions and exclusions).

If you want to remove controlled applications found on your networked computers, follow the instructions in Uninstall controlled applications you do not want.

You can also have alerts sent to particular users if a controlled application is found on any of the computers in the group. For instructions, see Set up application control alerts.

Uninstall controlled applications you do not want

Before you uninstall controlled applications, ensure that on-access scanning for controlled applications is disabled. This type of scanning blocks the programs used to install and uninstall applications, so it may interfere with uninstallation.

You can remove an application in one of two ways:

· Go to each computer and run the uninstaller for that product. You can usually do this by opening the Windows Control Panel and using Add/Remove Programs.

· At the server, use your usual script or administration tool to run the uninstaller for that product on your networked computers.

Now you can enable on-access scanning for controlled applications.


13 How do I change firewall settings?

This section describes how to set up the firewall and change key settings.

· Set up the firewall

· What are the default settings?

· Allow file and print sharing

· Allow applications that have been blocked

· Select interactive or non-interactive working

· Turn the firewall on or off

· Get help with advanced options

Set up the firewall

When you install the firewall, it is enabled by default and blocks all non-essential traffic. For more details, see the default settings.

Before you begin using the firewall on your networked computers, you must configure it to allow common applications to run. You cannot do this easily from Enterprise Console, as the computers may have different versions of the same application. Instead, use sample computers to develop a configuration that you can then use as your policy.

1. Install the firewall on computers that are representative of your network.

2. Go to a computer, right-click the firewall taskbar icon (shown below).

Click Configure.

3. In the Sophos Client Firewall Configuration Editor dialog box, click the Applications tab. Click Add and browse to each application you want. The application is then "trusted". For greater security, highlight the program, click Custom (bottom right-hand of the dialog box) and create a rule.

Alternatively, on the General tabbed page, select Interactive. The firewall will prompt you to allow or block each application when it is used.

4. When the firewall is configured, on the General tabbed page, click Export to export the configuration to your chosen location.

5. Repeat the above steps on each computer you want to use as a sample.

6. Now go to Enterprise Console. In the Policies pane, double-click Firewall and then double-click the policy you want to edit.

7. In the Firewall policy dialog box, on the General tabbed page, click Import and import a configuration you developed earlier.

When you import each configuration, you are given the option to merge it with other configurations you have already imported.

8. You have now configured the firewall to allow commonly-used applications. You can also change other settings (for example, to allow file and print sharing). See the Sophos Client Firewall help files for details of all options.

What are the default settings?

By default, the Sophos Client Firewall is enabled and blocks all non-essential traffic. Before you use it throughout your network, you should configure it to allow the applications you want to use, as described in Set up the firewall.

The firewall's other default settings are as follows:

· applies rules without asking the user for confirmation ("non-interactive" mode)

· displays alerts in Enterprise Console if rules are changed locally on managed computers


· blocks processes if memory is modified by another application

· drops packets that are sent to blocked ports ("stealth" operation)

· uses checksums to identify new and modified applications

· blocks IPv6 packets (applies only to Sophos Client Firewall 1.5)

· reports new and modified applications to Enterprise Console

· warns about applications that may launch hidden processes.
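Two of the behaviours described in this chapter, identifying applications by checksum (the default setting above) and merging the configurations exported from several sample computers so that different versions of the same application are all trusted (Set up the firewall), fit together as one small piece of logic. The following is an added example written for this page, not Sophos Client Firewall code: the trust list structure, the use of SHA-256, the sample executable bytes and the block/prompt decision are all our own assumptions about how such a check can be built.

```python
"""Checksum-based application trust with merged sample configurations.
Added example, not Sophos code. Assumptions: a trust list maps an executable
path to the set of digests trusted for it, SHA-256 is the checksum, and the
"decide" rule follows the manual's description of non-interactive mode
(apply rules without asking, report new and modified applications)."""
import hashlib
from typing import Dict, Set

TrustList = Dict[str, Set[str]]


def digest(data: bytes) -> str:
    """SHA-256 of the executable image (our choice of algorithm)."""
    return hashlib.sha256(data).hexdigest()


def trust(trust_list: TrustList, path: str, data: bytes) -> None:
    """Record the current checksum of an application as trusted."""
    trust_list.setdefault(path, set()).add(digest(data))


def merge(*trust_lists: TrustList) -> TrustList:
    """Merge configurations exported from several sample computers: the
    union of trusted digests per path, so two versions of one program on
    two sample machines are both trusted in the resulting policy."""
    merged: TrustList = {}
    for tl in trust_lists:
        for path, digests in tl.items():
            merged.setdefault(path, set()).update(digests)
    return merged


def classify(trust_list: TrustList, path: str, data: bytes) -> str:
    """'trusted', 'modified' (known path, unknown checksum) or 'new'."""
    known = trust_list.get(path)
    if not known:
        return "new"
    return "trusted" if digest(data) in known else "modified"


def decide(trust_list: TrustList, path: str, data: bytes, interactive: bool) -> str:
    """Outcome for one application: trusted binaries are allowed; anything
    new or modified is blocked and reported in non-interactive mode, or the
    user is prompted in interactive mode (assumed behaviour)."""
    if classify(trust_list, path, data) == "trusted":
        return "allow"
    return "prompt" if interactive else "block-and-report"


# Constructed sample "executables": arbitrary bytes standing in for images.
MAIL_V1 = b"mail-client-build-1"
MAIL_V2 = b"mail-client-build-2"
MAIL_PATH = r"C:\Program Files\Mail\mail.exe"

# Two sample computers carry different versions of the same application.
sample_a: TrustList = {}
trust(sample_a, MAIL_PATH, MAIL_V1)
sample_b: TrustList = {}
trust(sample_b, MAIL_PATH, MAIL_V2)
POLICY = merge(sample_a, sample_b)

if __name__ == "__main__":
    print(classify(POLICY, MAIL_PATH, MAIL_V1))              # trusted
    print(classify(POLICY, MAIL_PATH, b"patched-binary"))    # modified
    print(decide(POLICY, r"C:\tmp\other.exe", b"x", False))  # block-and-report
```

The point for a defender is the "modified" verdict: a trusted path whose checksum no longer matches is exactly the case a plain path-based allowlist would wave through, and it is why the manual lists checksum identification among the settings worth keeping.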

Allow file and print sharing

You can allow computers to use file and print sharing as follows:

1. Check which firewall policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Firewall. Then double-click the policy you want to change.

3. In the Firewall policy dialog box, click the LAN tab, and then click Detect to detect addresses on the Local Area Network.

4. Select the NetBIOS check box next to the address(es) in the list.

Allow applications that have been blocked

If the firewall blocks an application on your networked computers, you see an alert next to the computer name(s) on the Status page.

You can find details of blocked applications, and allow them or create new rules for them, as follows:

1. Check which firewall policy is used by the computer(s).

2. In the Policies pane, double-click Firewall. Then double-click the policy you want to change.

3. In the Firewall policy dialog box, click the Applications tab.

4. On the Applications tab, click Add. The Application Manager is displayed. Select an application from the list and click OK.

5. In the Application Rules dialog box, click Trust to allow the application, or Custom to create a custom rule that specifies when it can run.

Select interactive or non-interactive working

Sophos Client Firewall can work in two different modes:

· Interactive. The firewall asks the user how to deal with traffic.

· Non-interactive. The firewall deals with traffic automatically using your rules.

To change the working mode for a group of computers, do as follows:

1. Check which firewall policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Firewall. Then double-click the policy you want to change.

3. In the Firewall policy dialog box, on the General tab, select Non-interactive or Interactive. Click OK.

Turn the firewall on or off

When it is first installed, the Sophos Client Firewall is enabled by default.

To turn the firewall on or off for a group of computers, do as follows:

1. Check which firewall policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Firewall. Then double-click the policy you want to change.

3. In the Firewall policy dialog box, on the General tab, select or clear the Allow all traffic check box. Click OK.


Get help with advanced options

For full details of all the firewall options, see Sophos Client Firewall Help.


14 How do I change NAC settings?

This section describes how to set up NAC (network access control) and edit NAC policies.

· Set up NAC

· Set up the NAC server URL

· Start NAC Manager

· What are the default NAC settings?

· What are the pre-defined NAC policies?

· Edit a NAC policy

Set up NAC

You can set up network access control (NAC), so that computers are only allowed to log on to the network if they comply with conditions you set.

Enterprise Console works together with Sophos NAC to give this network protection. You need to have installed the following:

· The Sophos NAC server. You install this separately from Enterprise Console.

· The Sophos NAC agent. You install this on your networked computers, so that they can communicate with the NAC server. You can install this with the Protect computers function.

This section assumes you have installed both.

By default, computers are allowed to access the network.

Set up the NAC server URL

If you want to use Sophos NAC, the URL of the Sophos NAC server must be specified in Enterprise Console. This is so that:


· Your computers can communicate with the NAC server and receive their NAC policy.

· You can configure NAC policies, which are held on the NAC server.

When you first install Enterprise Console, it attempts to locate the NAC server and connect to it. However, if it fails, or if you change the location of the NAC server, you may need to specify the URL.

To enter or change the URL:

1. On the Tools menu, select Configure NAC URL.

2. In the Sophos NAC URL dialog box, enter the URL of the NAC server (for example, http://server).

If Sophos NAC is installed on more than one server, use the address of the computer running the application, not the computer with the database.

3. To check whether Enterprise Console can connect to the NAC server using the supplied URL, click Test Connection.

Start NAC Manager

Sophos NAC Manager is the interface that enables you to edit NAC policies.

To start NAC Manager:

1. Click the NAC button on the toolbar. Alternatively, on the Tools menu, select Manage NAC.

You may be prompted to specify the NAC server URL, if this has not been detected or specified previously.

2. Log in with your Sophos NAC user credentials (as issued by the Sophos NAC administrator).

For full details of the interface, see the Sophos NAC Manager help files or Sophos NAC Manager Guide.


What are the default NAC settings?

By default, the Default NAC policy is applied to computers on which Sophos NAC has been installed. Unless you have changed the "policy mode", this means that:

· the computers are allowed access to the network

· Sophos NAC operates in report-only mode.

For details of the pre-defined Managed and Unmanaged policies, see What are the pre-defined NAC policies?

What are the pre-defined NAC policies?

Three pre-defined policies are available. You can edit the settings in each policy, as described in Edit a NAC policy.

Default

This policy is applied by default to computers on which Sophos NAC has been installed. Unless you have changed the settings for this policy, computers are allowed to access the network. Sophos NAC operates in Report Only mode.

Managed

This policy can be used for computers that are managed by Enterprise Console and have Sophos NAC installed. Its initial settings are the same as those of the Default policy.

Unmanaged

This policy can be used for computers from outside the company, which are not managed by Enterprise Console and do not have Sophos NAC installed. Your company can ask such guest users to connect to a website, where a web agent assesses them against the policy before allowing them to access the network.

For more information, see "Using pre-defined policies" in the Sophos NAC Manager Guide.


Edit a NAC policy

You can change the settings for any of the pre-defined NAC policies.

1. In the Policies pane, double-click NAC. Double-click the policy you want to configure.

2. Sophos NAC Manager is launched. Log in with your credentials.

3. In the page for the policy, edit the options.

For information on the options, see "Updating policies" in the Sophos NAC Manager Guide.


15 How do I scan computers?

By default, Sophos Anti-Virus detects known and unknown viruses, Trojans, worms, and spyware automatically as soon as a user attempts to access files that contain them. Sophos Anti-Virus 7 and later for Windows 2000 and later also analyzes the behavior of the programs running on the system.

You can also configure Sophos Anti-Virus to:

· Scan computers for suspicious files

· Scan for adware and other potentially unwanted applications

· Scan computers at set times

For more information about configuring scanning, see the section How do I change anti-virus and HIPS settings?

This section describes how to perform a full system scan of selected computers immediately.

Scan computers now

You can scan a computer or computers immediately, without waiting for the next scheduled scan.

Only Windows computers running Sophos Anti-Virus 7 or later, or UNIX computers, can perform immediate full system scans originated from the console.

1. Select the computers in the computer list or a group in the Groups pane. Right-click and select Full system scan.

Alternatively, on the Actions menu, select Full system scan.

2. In the Full system scan dialog box, review the details of the computers to be scanned and click OK to start the scan.


16 How do I set up alerts?

There are several alerting methods used in Enterprise Console.

· Alerts displayed in the console

If an item that requires attention is found on a computer, or an error has occurred, Sophos Anti-Virus sends an alert to Enterprise Console. The alert is displayed in the computer list. For more information about such alerts, see How do I deal with alerts?

These alerts are always displayed. You do not need to set them up.

· Alerts sent by the console to your chosen recipients

By default, when an item is found on a computer, a message is displayed on the computer desktop and an entry is added to the Windows event log.

You can also set up email alerts or SNMP alerts for administrators.

This section describes how to set up alerts that will be sent to your chosen recipients.

· Set up anti-virus and HIPS email alerts

· Set up anti-virus and HIPS SNMP alerts

· Configure anti-virus and HIPS desktop alerts

· Set up application control alerts

· Set up network status email alerts

· Set up Active Directory synchronization email alerts

· Configure event logging

Set up anti-virus and HIPS email alerts

You can have email alerts sent to particular users if a virus, a suspicious behavior, an unwanted application or an error is encountered on any of the computers in a group.

Mac OS X computers can send email alerts to only one address.

1. In the Policies pane, double-click the anti-virus and HIPS policy you want to change.

2. In the Anti-virus and HIPS policy dialog box, in the Configure Sophos Anti-Virus and HIPS panel, click Messaging.

3. In the Messaging dialog box, click the Email alerting tab. Set the options as described below.

Enable email alerting

Select this to enable Sophos Anti-Virus to send email alerts.

Messages to send

Select the events for which you want Sophos Anti-Virus to send email alerts:

§ Virus/spyware detection and cleanup

§ Suspicious behavior detection

§ Suspicious file detection

§ Adware/PUA detection and cleanup

§ Scanning errors (e.g. access denied)

§ Other errors

The Suspicious behavior detection and Suspicious file detection settings apply only to Sophos Anti-Virus 7 and later for Windows 2000 and later.

The Adware/PUA detection and cleanup setting applies only to Sophos Anti-Virus 6 and later for Windows 2000 and later.

The Other errors setting applies only to Windows.

Recipients

Click Add or Remove to add or remove, respectively, email addresses to which email alerts should be sent. Click Rename to change an email address you have added.

Mac OS X computers will send messages only to the first recipient in the list.

Configure SMTP

Click this to change the settings for the SMTP server and the language of the email alerts. In the Configure SMTP settings dialog box, enter the details as described below.

SMTP server

In the text box, type the host name or IP address of the SMTP server. Click Test to send a test email alert.

SMTP sender address

In the text box, type an email address to which bounces and non-delivery reports can be sent.

SMTP reply-to address

As email alerts are sent from an unattended mailbox, you can type in the text box an email address to which replies to email alerts can be sent.

Linux and UNIX computers will ignore the SMTP sender and reply-to addresses and use the address root@<hostname>.

Language

Click the drop-down arrow, and select the language in which email alerts should be sent.

Set up anti-virus and HIPS SNMP alerts

You can have SNMP alerts sent to particular users if a virus or error is encountered on any of the computers in the group.

These settings apply only to Sophos Anti-Virus 6 and later for Windows 2000 and later.

1. In the Policies pane, double-click the anti-virus and HIPS policy you want to change.

2. In the Anti-virus and HIPS policy dialog box, in the Configure Sophos Anti-Virus and HIPS panel, click Messaging.

3. In the Messaging dialog box, click the SNMP messaging tab. Set the options as described below.

Enable SNMP messaging

Select this to enable Sophos Anti-Virus to send SNMP messages.

Messages to send

Select the types of event for which you want Sophos Anti-Virus to send SNMP messages:

§ Virus/spyware detection and cleanup

§ Suspicious behavior detection

§ Suspicious file detection

§ Adware/PUA detection and cleanup

§ Scanning errors (e.g. access denied)

§ Other errors

The Suspicious behavior detection and Suspicious file detection settings apply only to Sophos Anti-Virus 7 and later for Windows 2000 and later.

SNMP trap destination

In this text box, enter the IP address of the recipient.

SNMP community name

In this text box, enter the SNMP community name.

Configure anti-virus and HIPS desktop alerts

By default, desktop alerts are displayed on the computer on which a virus, suspicious item or potentially unwanted application is found. You can configure these alerts.

1. In the Policies pane, double-click the anti-virus and HIPS policy you want to change.

2. In the Anti-virus and HIPS policy dialog box, in the Configure Sophos Anti-Virus and HIPS panel, click Messaging.

3. In the Messaging dialog box, click the Desktop messaging tab. Set the options as described below.

Enable desktop messaging

Select this to enable Sophos Anti-Virus to display desktop messages.

Messages to send

Select the types of event for which you want Sophos Anti-Virus to display desktop messages:

§ Virus/spyware detection and cleanup

§ Suspicious behavior detection

§ Suspicious file detection

§ Adware/PUA detection and cleanup

The Suspicious behavior detection and Suspicious file detection settings apply only to Sophos Anti-Virus 7 and later for Windows 2000 and later.

The Adware/PUA detection and cleanup setting applies only to Sophos Anti-Virus 6 and later for Windows 2000 and later.


User-defined message

In this text box, you can type a message that will be added to the end of the standard message.

Set up application control alerts

You can send alerts to particular users when a controlled application is found.

1. In the Policies pane, double-click the application control policy you want to change.

2. In the Application control policy dialog box, on the Messaging tab, set the options as described below.

Messaging

The Enable desktop messaging check box is enabled by default. When an unauthorized controlled application is detected by on-access scan and blocked, a desktop message will be displayed to the user informing them that the application has been blocked.

In the Message text box, you can type a message that will be added to the end of the standard desktop message.

Select the Enable email alerting check box to enable Sophos Anti-Virus to send email alerts.

Select the Enable SNMP messaging check box to enable Sophos Anti-Virus to send SNMP messages.

Your anti-virus and HIPS policy settings determine email and SNMP messaging configuration and recipients.

Console alerting

By default, an alert is displayed in the console the first time an individual application is detected.

If you want to see an alert every time the application is detected on a computer, rather than only on its first detection, clear the Display an alert for the first detection only check box.

Set up network status email alerts

You can set up email alerts to be sent to your chosen recipients when a warning or critical level has been exceeded for a dashboard section.

1. On the Tools menu, select Configure email alerts. The Configure email alerts dialog box is displayed.

2. If SMTP settings have not been configured, or if you want to view or change the settings, click Configure. In the Configure SMTP settings dialog box, enter the details as described below.

In the Server address text box, type the host name or IP address of the SMTP server.

In the Sender text box, type an email address to which bounces and non-delivery reports can be sent.

Click Test to test the connection.

3. In the Recipients panel, click Add. The Add a new email alert recipient dialog box appears.

4. In the Email address field, enter the address of your recipient.

5. In the Language field, select the language in which email alerts should be sent.

6. In the Subscriptions pane, select the "warning level exceeded" and "critical level exceeded" email alerts you want to send to this recipient.

"Warning level exceeded" email alerts:

§ Alerts

§ Errors

§ Out-of-date computers

§ Computers that differ from policy


"Critical level exceeded" email alerts:

§ Alerts

§ Errors

§ Out-of-date computers

§ Computers that differ from policy

§ Time since last update from Sophos

Set up Active Directory synchronization email alerts

You can also set up email alerts to be sent to your chosen recipients about new computers and groups discovered during synchronizations with Active Directory. If you choose to protect computers in synchronized groups automatically, you can also set up alerts about automatic protection failures.

1. On the Tools menu, select Configure email alerts. The Configure email alerts dialog box is displayed.

2. If SMTP settings have not been configured, or if you want to view or change the settings, click Configure. In the Configure SMTP settings dialog box, enter the details as described below.

In the Server address text box, type the host name or IP address of the SMTP server.

In the Sender text box, type an email address to which bounces and non-delivery reports can be sent.

Click Test to test the connection.

3. In the Recipients panel, click Add. The Add a new email alert recipient dialog box appears.

4. In the Email address field, enter the address of your recipient.

5. In the Language field, select the language in which email alerts should be sent.

6. In the Subscriptions pane, select the "Active Directory synchronization" email alerts you want to send to this recipient.


"Active Directory synchronization" email alerts:

§ New groups discovered

§ New computers discovered

§ Automatic computer protection has failed
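The two Configure email alerts procedures above (network status alerts and Active Directory synchronization alerts) share one mechanism: an event is raised, matched against each recipient's subscriptions, and sent in that recipient's language. The following is an added example for this page, not Enterprise Console code. The dashboard section names, the warning/critical subscription kinds and the synchronization event names come from the manual; the thresholds, counts, addresses, and the rule that a critical alert supersedes the warning for the same section are constructed assumptions, since the page does not state the console's actual threshold values.

```python
"""Routing of "warning/critical level exceeded" and "Active Directory
synchronization" email alerts to subscribed recipients. Added example,
not Enterprise Console code; thresholds, counts and addresses are
constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Dashboard sections with both a warning and a critical level (from the manual).
TWO_LEVEL_SECTIONS = [
    "Alerts",
    "Errors",
    "Out-of-date computers",
    "Computers that differ from policy",
]
# This section has a critical level only.
CRITICAL_ONLY_SECTIONS = ["Time since last update from Sophos"]
AD_SYNC_EVENTS = [
    "New groups discovered",
    "New computers discovered",
    "Automatic computer protection has failed",
]


@dataclass
class Recipient:
    email: str
    language: str
    # Keys look like "warning:Alerts", "critical:Errors", "ad:New groups discovered".
    subscriptions: Set[str]


@dataclass
class Thresholds:
    warning: Dict[str, int]
    critical: Dict[str, int]


def levels_exceeded(counts: Dict[str, int], thresholds: Thresholds) -> List[str]:
    """Turn current dashboard counts into subscription keys. When the
    critical level is exceeded only the critical key is produced
    (assumption: one alert per section rather than two)."""
    keys: List[str] = []
    for section, value in counts.items():
        if section not in TWO_LEVEL_SECTIONS and section not in CRITICAL_ONLY_SECTIONS:
            raise ValueError(f"unknown dashboard section: {section}")
        crit = thresholds.critical.get(section)
        warn = thresholds.warning.get(section) if section in TWO_LEVEL_SECTIONS else None
        if crit is not None and value >= crit:
            keys.append(f"critical:{section}")
        elif warn is not None and value >= warn:
            keys.append(f"warning:{section}")
    return keys


def ad_sync_keys(events: List[str]) -> List[str]:
    """Subscription keys for events raised by one Active Directory synchronization."""
    for ev in events:
        if ev not in AD_SYNC_EVENTS:
            raise ValueError(f"unknown synchronization event: {ev}")
    return [f"ad:{ev}" for ev in events]


def route(keys: List[str], recipients: List[Recipient]) -> Dict[str, List[Tuple[str, str]]]:
    """For each alert key, the (address, language) pairs subscribed to it.
    Keys with no subscriber still appear, with an empty list, so a gap in
    alert coverage is visible rather than silently dropped."""
    return {
        key: [(r.email, r.language) for r in recipients if key in r.subscriptions]
        for key in keys
    }


# Constructed sample configuration.
THRESHOLDS = Thresholds(
    warning={"Alerts": 5, "Errors": 5, "Out-of-date computers": 10},
    critical={"Alerts": 20, "Errors": 10, "Out-of-date computers": 50,
              "Time since last update from Sophos": 24},
)
RECIPIENTS = [
    Recipient("secops@example.invalid", "English",
              {"warning:Alerts", "critical:Alerts", "critical:Errors",
               "critical:Time since last update from Sophos"}),
    Recipient("helpdesk@example.invalid", "English",
              {"ad:New computers discovered",
               "ad:Automatic computer protection has failed"}),
]


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Constructed dashboard state plus one synchronization event."""
    counts = {"Alerts": 12, "Errors": 3, "Time since last update from Sophos": 48}
    keys = levels_exceeded(counts, THRESHOLDS) + ad_sync_keys(["New groups discovered"])
    return route(keys, RECIPIENTS)


if __name__ == "__main__":
    for key, who in demo().items():
        print(key, "->", who or "(no subscribers)")
```

In the constructed run, "New groups discovered" reaches nobody: neither recipient subscribed to it. Listing unsubscribed keys explicitly is the check worth keeping when you review who actually receives which alert.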

Configure event logging

To enable Sophos Anti-Virus to add alerts to the Windows 2000 or later event log when an item is found or an error occurs, do as follows:

1. In the Policies pane, double-click the anti-virus and HIPS policy you want to change.

2. In the Anti-virus and HIPS policy dialog box, in the Configure Sophos Anti-Virus and HIPS panel, click Messaging.

3. In the Messaging dialog box, click the Event log tab. Set the options as described below.

Enable event logging

Select this to enable Sophos Anti-Virus to send messages to the Windows event log.

Messages to send

Select the events for which you want Sophos Anti-Virus to send messages. Scanning errors include instances when Sophos Anti-Virus is denied access to an item that it attempts to scan.


17 How do I deal with alerts?

This section describes how to deal with alerts.

It includes:

· What do the alert icons mean?

· Deal with virus and spyware alerts

· Deal with suspicious behavior alerts

· Deal with suspicious file alerts

· Deal with firewall alerts

· Deal with adware/PUA alerts

· Deal with controlled application alerts

· Clear alerts from the console

What do the alert icons mean?

If a virus or spyware, a suspicious item, an adware or other potentially unwanted application is detected, alert icons are displayed on the Status page in Enterprise Console.

Below is a key to the alert icons. In the other pages in this section, you can find advice on dealing with alerts.

Warnings are also displayed in the console if software is disabled or out of date. For information on this see How do I check whether my network is protected?

Alert icons

Sign Explanation

A red warning sign displayed in the Alerts and errors column means that a virus, worm, Trojan, spyware, or suspicious behavior has been detected.


A yellow warning sign displayed in the Alerts and errors column indicates one of the following problems:

· A suspicious file has been detected.

· An adware or other potentially unwanted application has been detected.

· A controlled application has been detected.

· The firewall has blocked an application.

· An error has occurred.

A yellow warning sign displayed in the Anti-virus and HIPS policy, Firewall policy, Updating policy, or Application control policy column means that the computer is not using the same policies as other computers in its group.

If there are multiple alerts or errors on a computer, the icon of the alert that has the highest priority will be displayed in the Alerts and errors column. Alert types are listed below in descending order of priority.

Priority of alerts

1. Virus/spyware alerts

2. Suspicious behavior alerts

3. Suspicious file alerts

4. Firewall alerts

5. Adware/PUA alerts

6. Controlled application alerts

7. Sophos Anti-Virus, updating, and Sophos Client Firewall errors
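The rule above (one icon per computer, chosen by priority, red for the two highest types and yellow for the rest) is easy to get wrong when several alerts are outstanding or when some are acknowledged. The following is an added example for this page, not Enterprise Console code: the priority order and the red/yellow split are taken from the Alert icons key and the Priority of alerts list; the short alert-type names are our own.

```python
"""Which icon the Alerts and errors column shows when one computer has
several outstanding alerts. Added example, not Enterprise Console code;
priority order and colours follow the manual, the type names are ours."""
from typing import Iterable, List, Optional, Tuple

# Descending priority, exactly as the manual lists it.
PRIORITY: List[str] = [
    "virus/spyware",
    "suspicious behavior",
    "suspicious file",
    "firewall",
    "adware/PUA",
    "controlled application",
    "error",  # Sophos Anti-Virus, updating and Sophos Client Firewall errors
]
RANK = {name: i for i, name in enumerate(PRIORITY)}

# Red warning sign for these two; yellow for every other type in the list.
RED_TYPES = {"virus/spyware", "suspicious behavior"}


def icon_for(alerts: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (colour, alert type) for the highest-priority outstanding alert,
    or None when the computer has nothing to show. Unknown alert types are
    an error rather than silently dropped."""
    outstanding = list(alerts)
    unknown = [a for a in outstanding if a not in RANK]
    if unknown:
        raise ValueError(f"unknown alert type(s): {unknown}")
    if not outstanding:
        return None
    top = min(outstanding, key=RANK.__getitem__)
    return ("red" if top in RED_TYPES else "yellow", top)


def acknowledge(alerts: Iterable[str], acknowledged: Iterable[str]) -> List[str]:
    """Remove acknowledged (cleared) alert types. A lower-priority alert
    that was hidden behind the top one then becomes the icon shown, which
    is why clearing the red triangle can leave a yellow one behind."""
    ack = set(acknowledged)
    return [a for a in alerts if a not in ack]


if __name__ == "__main__":
    computer = ["error", "adware/PUA", "suspicious behavior"]  # constructed
    print(icon_for(computer))
    print(icon_for(acknowledge(computer, ["suspicious behavior"])))
```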

Deal with virus and spyware alerts

If a virus or spyware is detected, you see a red warning triangle and the words "Virus/spyware detected" on the Status page.

For more details, click the Alert and error details tab. To deal with the virus or spyware, follow the instructions in Clean up computers now.

Deal with suspicious behavior alerts

If suspicious behavior or buffer overflow is detected during runtime behavior analysis, you see a red warning triangle and the words "Suspicious behavior detected" on the Status page.

For more details, click the Alert and error details tab. To remove the suspicious item, follow the instructions in Clean up computers now. If you want to authorize it, see Authorize suspicious items.

Deal with suspicious file alerts

If a suspicious file is detected, you see a yellow warning triangle and the words "Suspicious file detected" on the Status page.

For more details, click the Alert and error details tab. The name of the file is shown in the Item detected column.

To remove the file, see Clean up computers now.

To authorize the file, follow the instructions in Authorize suspicious items.

Deal with firewall alerts

If the firewall blocks an application, you see a yellow warning triangle and the words "Firewall alert" on the Status page.

This icon can also indicate an adware/PUA alert from Sophos Anti-Virus. Then the words "Adware/PUA detected" are displayed next to the icon.

For more details, click the Alert and error details tab. The name of the application blocked by the firewall is shown in the Item detected column.

If you want to allow the application, or to make a new rule for it,follow the instructions in Allow applications that have been blocked.

Deal with adware/PUA alerts

If an adware or other potentially unwanted application (PUA) is detected, you see a yellow warning triangle and the words "Adware/PUA detected" on the Status page.

This icon can also indicate a firewall alert. Then the words "Firewall alert" are displayed next to the icon.

For more details, click the Alert and error details tab. The name of the application is shown in the Item detected column.

To remove the application, see Clean up computers now.

To authorize the application, follow the instructions in Authorize adware/PUA.

Deal with controlled application alerts

If a controlled application is detected, you see a yellow warning triangle and the words "Controlled application detected" on the Status page.

For more details, click the Alert and error details tab. The name of the application is shown in the Item detected column.

To remove the application, see Uninstall controlled applications you do not want.

Clear alerts from the console

If you are taking action to deal with alerts, or are sure that a computer is safe, you can clear the alerts sign displayed in the console.


You cannot clear alerts about installation errors. These are cleared only when Sophos Anti-Virus is installed successfully on the computer.

1. Select the computer(s) for which you want to clear alerts. Right-click and select Acknowledge alerts and errors.

2. The Acknowledge alerts and errors dialog box is displayed.

To clear alerts from the console, in the Acknowledge alerts and errors dialog box, on the Alerts tab, select the alerts you want to clear and click OK. Acknowledged (cleared) alerts are no longer displayed in the console.

To clear Sophos product errors from the console, in the Acknowledge alerts and errors dialog box, go to the Sophos Anti-Virus errors or Firewall errors tab, select the errors you want to clear from the console and click OK.


18 How do I clean up computers?

This section describes how to clean up computers that are infected with a virus or have unwanted applications on them.

You can:

· Clean up computers now

· Deal with detected items if cleanup fails

· Set up automatic cleanup

Clean up computers now

From Enterprise Console, you can immediately clean up computers that are infected with a virus or have unwanted applications on them.

This option applies only to Windows 2000 and later computers running Sophos Anti-Virus 6 or later.

To clean up Windows 95/98/Me and NT4, Mac, Linux or UNIX computers, you can either set up automatic cleanup from the console or clean up the computers individually as described in Deal with detected items if cleanup fails.

Sophos Anti-Virus may report that an item (e.g. a Trojan or potentially unwanted application) is "partially detected". This means that it has not found all the component parts of that application. Before you can clean up the item, you will need to find its other components by carrying out a full system scan of the computer(s) affected. For more information, see Partially detected item.

1. In the list of computers, right-click the computer(s) that you want to clean up. Select Clean up detected items.

2. In the Clean up detected items dialog box, select the check box for each item you want to clean up, or click Select all.

3. Click OK to clean the computer(s).

4. If the cleanup is successful, the alert(s) shown in the list of computers will no longer be displayed.

If any alerts remain, you should clean up computers manually. See Deal with detected items if cleanup fails.

Deal with detected items if cleanup fails

If you cannot clean up computers from the console, you can perform the cleanup manually as follows:

1. In the computer list, click the Alert and error details tab. In the Item detected column, look for the name of the item.

2. On the Help menu, click View item information. This connects you to the Sophos website, where you can search for the item and find advice on how to clean up the computer.

3. Go to each computer and carry out the cleanup manually.

The Sophos website provides special downloadable disinfectors for certain viruses and worms.

Set up automatic cleanup

You can have computers cleaned up automatically as soon as a virus or other item is found. To do this, you change the settings for on-access scanning and scheduled scanning as follows:

On-access scanning cannot clean up adware and other potentially unwanted applications (PUAs). You should deal with these as described in Clean up computers now or enable automatic cleanup of adware/PUA for scheduled scans.

1. Check which anti-virus and HIPS policy is used by the group(s) of computers you want to configure.

2. In the Policies pane, double-click Anti-virus and HIPS. Then double-click the policy you want to change. The Anti-virus and HIPS policy dialog box is displayed.

On-access scanning

In the Configure Sophos Anti-Virus and HIPS panel, click the On-access scanning button. In the On-access scan settings dialog box, click the Cleanup tab. Set the options as described below.

Viruses/spyware

Select Automatically clean up items that contain a virus/spyware. You can also specify what should be done with the items if cleanup fails:

§ Do nothing (default)

§ Delete

§ Move to default location

§ Move to <specified UNC path>

None of the settings specifying what should be done if cleanup fails apply to Windows 95, 98, or Me computers.

If you select Move to and specify a location, Mac OS X computers will still move infected items to the default location.

The Move to default location and Move to settings do not apply to Linux or UNIX computers and will be ignored by them.

Suspicious files

The "suspicious files" settings apply only to Sophos Anti-Virus 7 and later for Windows 2000 and later.

You can specify what should be done with suspicious files when they are detected:

§ Do nothing (default)

§ Delete

§ Move to default location

§ Move to <specified UNC path>

Scheduled scanning

In the Anti-virus and HIPS policy dialog box, in the Scheduled scanning panel, highlight the scan and click Edit. Then in the Scheduled scan settings dialog box, click Configure. In the Scanning and cleanup settings dialog box, click the Cleanup tab. Set the options as described below.

Viruses/spyware

Select Automatically clean up items that contain a virus/spyware. You can also specify what should be done with the items if cleanup fails:

§ Do nothing (default)

§ Delete

§ Move to default location

§ Move to <specified UNC path>

If you select Move to and specify a location, Windows 95, 98, and Me computers will still move infected items to the default location.

Adware/PUA

Select Automatically clean up adware/PUA, if you want to.

The "adware/PUA" setting applies only to Sophos Anti-Virus 6 and later for Windows 2000 and later.

Suspicious files

The "suspicious files" settings apply only to Sophos Anti-Virus 7 and later for Windows 2000 and later.

You can specify what should be done with suspicious files when they are detected:

§ Do nothing (default)

§ Delete

§ Move to default location

§ Move to <specified UNC path>


19 How do I generate reports?

You can generate reports about alerts on your network.

To do this, click the Reports icon on the toolbar and then use the Reporting options as described in this section.

You can:

· Generate a report

· Display a report as a table

· Display a report as a chart

· Show the number of alerts per item name

· Show the number of alerts per location

· Show the rate of alerts

· Show history of alerts

· Print a report

· Export a report to a file

· Change the report layout

Generate a report

To create a report, do as follows:

1. In Enterprise Console, open the Tools menu and select View Reports. The Reporting dialog box is displayed.

2. In the drop-down menu, click the type of report that you want.

§ Alerts by item name shows the number of alerts for each item (such as a virus or unwanted application) detected on your network.

§ Alerts per location shows the number of alerts for eachcomputer or group of computers.

§ Alerts by time shows the rate of alerts occurring during a set time.

§ Alert History shows full details of each alert.

On the Configuration tab, you can customize the report.

Then click the Table or Chart tab to view the report.

Display a report as a table

1. In the Sophos Enterprise Console, open the Tools menu and select View Reports.

2. In the Reporting dialog box, in the drop-down menu, select the type of report you want to create. On the Configuration tab, configure the report. Then click the Table tab.

3. The table is displayed. The Report Description summarizes the criteria (e.g. the length of time covered) used to create the report.

Display a report as a chart

The chart view is not available for 'Alert history' reports.

1. In the Sophos Enterprise Console, open the Tools menu and select View Reports.

2. In the Reporting dialog box, in the drop-down menu, select the type of report you want to create. On the Configuration tab, configure the report. Then click the Chart tab.

3. The chart is displayed. The Report Description summarizes the criteria (e.g. the length of time covered) used to create the report.

Show the number of alerts per item name

1. In the Sophos Enterprise Console, click the Reports icon on the toolbar.


2. In the Reporting dialog box, in the drop-down menu, select Alerts by item name.

3. On the Configuration tab, you can select the options described below. When you have finished, click one of the other tabs to display the report as a chart or table.

Reporting Period

In the Period text box, click the drop-down arrow and select a time period. You can either select a fixed period, e.g. Last month, or select Custom and specify your own time period in the Start and End boxes.

Location

Click Group of computers or Individual computer. Then click the drop-down arrow to specify a group or computer name.

Filter

By default, the report shows all alerts and the number of occurrences for each. You can change the types of alert shown to one of the following:

§ All (except controlled applications)

§ Viruses/spyware only

§ Suspicious behavior only

§ Suspicious files only

§ Firewall only

§ Adware/PUA only

§ Controlled applications only

You can also configure the report to show only:

§ the top n alerts (where n is a number you specify), or

§ alerts with m occurrences or more (where m is a number you specify).

Sort by


By default, the report lists alerts in order of decreasing number of occurrences. Select Alert name if you want them listed by name in alphabetical order.

Show the number of alerts per location

1. In the Sophos Enterprise Console, click the Reports icon on the toolbar.

2. In the Reporting dialog box, in the drop-down menu, select Alerts per location.

3. On the Configuration tab, you can select the options described below. When you have finished, click one of the other tabs to display the report as a chart or table.

Reporting Period

In the Period text box, click the drop-down arrow and select a time period. You can either select a fixed period, e.g. Last month, or select Custom and specify your own time period in the Start and End boxes.

Location

Click Computers to show alerts per computer or Group to show alerts for each group of computers.

Filter

By default, the report shows all alerts and the number of occurrences for each. You can change the types of alert shown to one of the following:

§ All (except controlled applications)

§ Viruses/spyware only

§ Suspicious behavior only

§ Suspicious files only

§ Firewall only


§ Adware/PUA only

§ Controlled applications only

Alternatively, you can configure the report to show only locations that have reported a particular alert. To specify a single alert, click the drop-down arrow and click an alert name in the list. To specify more than one alert, type a name in the text box, using wildcards. Use ? for any single character in the name, and * for any string of characters. For example, W32/* would specify all viruses with names beginning W32/.

By default, the report shows all computers or groups (depending on the selection made for Location). However, you can configure it to show only:

§ the top n locations that have recorded the most alerts (where n is a number you specify), or

§ locations with m alerts or more (where m is a number you specify).

Sort by

By default, the report lists locations in order of decreasing number of alerts per location. Select Location if you want them sorted by name in alphabetical order.

Show the rate of alerts

1. In Sophos Enterprise Console, click the Reports icon on the toolbar.

2. In the Reporting dialog box, in the drop-down menu, select Alerts by time.

3. On the Configuration tab, you can select the options described below. When you have finished, click one of the other tabs to display the report as a chart or table.

Reporting Period

In the Period text box, click the drop-down arrow and select a time period. You can either select a fixed period, e.g. Last month, or select Custom and specify your own time period in the Start and End boxes.

Location

Click Group of computers or Individual computer. Then click the drop-down arrow to specify a group or computer name.

Filter

By default, the report shows all alerts and the number of occurrences for each. You can change the types of alert shown to one of the following:

§ All (except controlled applications)

§ Viruses/spyware only

§ Suspicious behavior only

§ Suspicious files only

§ Firewall only

§ Adware/PUA only

§ Controlled applications only

If you want the report to show statistics only for a particular alert or group of alerts, use the Show only alerts like text box. To specify a single alert, click the drop-down arrow and click an alert name in the list. To specify more than one alert, type a name in the text box, using wildcards. Use ? for any single character in the name, and * for any string of characters. For example, W32/* would specify all viruses with names beginning W32/.

Intervals at which the rate is measured

To specify the intervals of time at which the rate of alerts is measured, e.g. each hour or each day, click the drop-down arrow and select an interval.
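The three report types above (alerts by item name, alerts per location and alerts by time) apply the same filter, cut-off and sort rules to the stored alerts. The following Python script is an added example, not code from this manual or from Sophos: it reproduces those rules offline over a small set of constructed sample alerts, including the ? and * wildcard syntax of the Show only alerts like box, the "top n" and "m or more" cut-offs, the alphabetical re-sort, and the per-interval rate. The alert records, item names and category keys are made up for the example, and case-insensitive wildcard matching is an assumption the manual does not state.

```python
"""Offline equivalent of the Enterprise Console alert reports, run over
constructed sample alerts (added example; not Sophos code or data)."""
from collections import Counter
from datetime import datetime, timedelta
import re

FMT = "%Y-%m-%d %H:%M"

# Constructed sample alerts: (time, computer, group, category, item name).
# Category keys mirror the report filter: virus (viruses/spyware),
# suspicious_behaviour, suspicious_file, firewall, pua, controlled_app.
# Item names are invented for the example.
SAMPLE_ALERTS = [
    ("2008-10-01 09:05", "WS01",  "Sales",   "virus",           "W32/Sample-A"),
    ("2008-10-01 09:40", "WS02",  "Sales",   "virus",           "W32/Sample-A"),
    ("2008-10-01 11:15", "WS02",  "Sales",   "pua",             "PUA/Sample-X"),
    ("2008-10-01 11:16", "WS02",  "Sales",   "pua",             "PUA/Sample-X"),
    ("2008-10-01 11:17", "WS02",  "Sales",   "pua",             "PUA/Sample-X"),
    ("2008-10-02 08:30", "SRV01", "Servers", "virus",           "W32/Sample-B"),
    ("2008-10-02 14:00", "WS03",  "Finance", "suspicious_file", "Sus/Sample-C"),
    ("2008-10-02 14:05", "WS03",  "Finance", "controlled_app",  "Instant messaging"),
    ("2008-10-03 10:00", "WS01",  "Sales",   "virus",           "Mal/Sample-D"),
]
ALERTS = [(datetime.strptime(t, FMT), c, g, cat, n) for t, c, g, cat, n in SAMPLE_ALERTS]


def wildcard_to_regex(pattern):
    """Console wildcard syntax: ? matches any single character, * any string.
    Matching is case-insensitive here (an assumption, not stated in the manual)."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def filter_alerts(alerts, category="all", name_pattern=None, start=None, end=None):
    """Configuration-tab filters: category ("all" means everything except
    controlled applications, as in the console default), an optional
    'Show only alerts like' pattern and an optional custom Start/End period."""
    rx = wildcard_to_regex(name_pattern) if name_pattern else None
    t0 = datetime.strptime(start, FMT) if start else None
    t1 = datetime.strptime(end, FMT) if end else None
    kept = []
    for alert in alerts:
        t, _comp, _grp, cat, name = alert
        if category == "all" and cat == "controlled_app":
            continue
        if category != "all" and cat != category:
            continue
        if rx and not rx.match(name):
            continue
        if (t0 and t < t0) or (t1 and t > t1):
            continue
        kept.append(alert)
    return kept


def _rank(counter, top_n=None, minimum=None, sort_by_name=False):
    """Shared 'top n' / 'm or more' cut-offs and sort order."""
    rows = [(k, v) for k, v in counter.items() if minimum is None or v >= minimum]
    rows.sort(key=lambda kv: (-kv[1], kv[0]))   # decreasing count, ties by name
    if top_n is not None:
        rows = rows[:top_n]                        # cut before any alphabetical re-sort
    if sort_by_name:
        rows.sort(key=lambda kv: kv[0].lower())
    return rows


def alerts_by_item_name(alerts, top_n=None, min_occurrences=None, sort_by_name=False):
    """Alerts by item name: occurrences of each item, e.g. each virus name."""
    return _rank(Counter(a[4] for a in alerts), top_n, min_occurrences, sort_by_name)


def alerts_per_location(alerts, by="computer", top_n=None, min_alerts=None, sort_by_name=False):
    """Alerts per location: count per computer (by="computer") or per group."""
    idx = 1 if by == "computer" else 2
    return _rank(Counter(a[idx] for a in alerts), top_n, min_alerts, sort_by_name)


def alerts_by_time(alerts, interval_hours=24):
    """Alerts by time: count per interval, aligned to clock boundaries, with
    empty intervals between the first and last alert reported as zero."""
    if not alerts:
        return []
    step = timedelta(hours=interval_hours)
    counts = Counter(t - (t - datetime.min) % step for t, *_ in alerts)
    rows, cur = [], min(counts)
    while cur <= max(counts):
        rows.append((cur.strftime(FMT), counts.get(cur, 0)))
        cur += step
    return rows


if __name__ == "__main__":
    viruses = filter_alerts(ALERTS, category="virus")
    print("Viruses by item name (W32/*):", alerts_by_item_name(filter_alerts(viruses, name_pattern="W32/*")))
    print("Alerts per group (all):", alerts_per_location(filter_alerts(ALERTS), by="group"))
    print("Alerts per day (all):", alerts_by_time(filter_alerts(ALERTS)))
```

Run the file directly to print three sample reports. The same functions can be pointed at alerts read from an exported CSV report once its columns are mapped onto the tuple layout used here; note that the "top n" cut is applied before the optional alphabetical re-sort, which is how the console's sorted views still show only the n busiest items or locations.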


Show history of alerts

1. In the Sophos Enterprise Console, open the Tools menu and select View Reports.

2. In the Reporting dialog box, in the drop-down menu, select Alert History.

3. On the Configuration tab, you can select the options described below. When you have finished, click the Table tab to display the report.

Reporting period

In the Period text box, click the drop-down arrow and select a time period. You can either select a fixed period, e.g. Last month, or select Custom and specify your own time period in the Start and End boxes.

Location

Select Group of computers or Individual computer. Then click the drop-down arrow to specify a group or computer name.

Filter

By default, the report shows all alerts and the number of occurrences for each. You can change the types of alert shown to one of the following:

§ All (except controlled applications)

§ Viruses/spyware only

§ Suspicious behavior only

§ Suspicious files only

§ Firewall only

§ Adware/PUA only

§ Controlled applications only

If you want the report to show statistics only for a particular alert or group of alerts, use the Show only alerts like text box. To specify a single alert, click the drop-down arrow and click an alert name in the list. To specify more than one alert, type a name in the text box, using wildcards. Use ? for any single character in the name, and * for any string of characters. For example, W32/* would specify all viruses with names beginning W32/.

Sort by

By default, alert details are sorted according to Alert name. However, reports can also be sorted by Computer name, computer Group name, or Date and time.

Print a report

To print a report, click the Print icon in the toolbar at the top of the report.

Export a report to a file

To export a report to a file:

1. Click the Export icon in the toolbar at the top of the report.

2. In the Export report dialog box, select the type of document or spreadsheet you would like to export the report to. The options are:

§ PDF (Acrobat)

§ HTML

§ Microsoft Excel

§ Microsoft Word

§ Rich Text Format (RTF)


§ Comma separated values (CSV)

§ XML

3. Click the File Name browse button to select a location. Then enter a name. Click OK.

Change the report layout

You can change the page layout used for reports. For example, you can display a report in landscape (wide-page) format.

1. Click the page layout icon in the toolbar at the top of the report.

2. In the Page Setup dialog box, specify page size, orientation and margins. Click OK. The report is then displayed with these page settings.

These page settings are also used when you print or export the report.

20 How can another user use Enterprise Console?

Only members of the Sophos Console Administrators group can use Enterprise Console.

If you want to enable another user to use Enterprise Console, use Windows tools to add that user to the group.


21 How do I turn reporting to Sophos on or off?

You can choose to allow Sophos Enterprise Console to report to Sophos the number of managed computers and information about the types and versions of operating systems and Sophos products in use each week. Sophos will use this information to provide a better support service and also to increase our understanding of how customers use our products. Any information reported to Sophos about your computers will not identify individuals or specific computers. Sophos will not use the information reported to Sophos to identify your company unless you provide us with your EM download username and/or a contact email address.

You are given the option of enabling reporting to Sophos when installing or upgrading the console, in the Sophos Enterprise Console installation wizard.

If you want to turn reporting to Sophos on or off after installation, do the following:

1. On the Tools menu, select Reporting to Sophos.

2. The Reporting to Sophos dialog box is displayed.

If you want to enable reporting to Sophos, read the agreement and select the I agree check box if you agree to the terms.

If you want to enable Sophos customer support to contact you directly, e.g. if there is a platform or version issue, enter your EM download username and/or contact email address.

You need not provide the username or email address if you are happy to report this information but would like to remain anonymous.

If you want to disable reporting to Sophos, clear the I agree check box.

3. Click OK.

22 Troubleshooting

This section describes how to deal with problems that might arise when using Enterprise Console.

· Cannot protect computers in Unassigned folder

· Sophos Anti-Virus installation failed

· Computers are not updated

· Anti-virus settings do not take effect on Macs

· Anti-virus settings do not take effect on Linux or UNIX

· Linux or UNIX computer does not comply with policy

· On-access scan settings do not take effect

· New scan appears unexpectedly on 2000 or later

· Connectivity and timeout problems

· Adware/PUAs are not detected

· Partially detected item

· Frequent alerts about potentially unwanted applications

· Cleanup failed

· Recover from virus side-effects

· Recover from application side-effects

· Technical support

Cannot protect computers in Unassigned folder

The Unassigned folder is only for holding computers that are not yet in groups. You cannot protect computers until you place them in a group.


Sophos Anti-Virus installation failed

If the Protect computers wizard fails to install Sophos Anti-Virus on computers, it could be because:

· Enterprise Console does not know which operating system the computers are running. This is probably because you did not enter your username in the format domain\user when finding computers.

· The computers are running a firewall that blocks the installation (usually this is the case on Windows XP SP2 and Windows Vista computers).

· "Simple File Sharing" hasn't been turned off on Windows XP computers.

For a full list of requirements for the anti-virus and firewall software, see the Sophos Endpoint Security and Control Network Startup Guide.

Computers are not updated

If a computer has out-of-date anti-virus software, a clock icon is displayed in the Up to date column on the Status page. The text indicates how long the computer has been out of date.

A computer can be out of date for one of two reasons:

· That computer has failed to fetch an update from the server.

· The server itself does not have the latest Sophos software.

This section tells you how to diagnose the problem and update the computers.

1. Select the group where you want to find out-of-date computers.

2. On the Status tabbed page, click on the Up-to-date column to sort computers by up-to-dateness.

3. Click the Update details tab and look in the Primary server column. This shows you the directory that each computer updates from.


4. Now look at the computers that update from one particular directory.

If some are out of date, but others are not, the problem is with individual computers. Select them, right-click and select Update computers now.

If all are out of date, the problem could be with the directory. Click the Libraries icon in the toolbar. In the EM Library console, click the library name (in the left-hand pane), then click Central Installations. Select the directory that you suspect to be out of date. Right-click and select Update CID. Then go back to the Enterprise Console, select the out-of-date computers, right-click and select Update computers now.

Anti-virus settings do not take effect on Macs

Some anti-virus settings cannot be applied to Mac computers. In this case, there is a warning on that page of settings.

You can change anti-virus settings on Mac computers with Sophos Update Manager, a utility supplied with Sophos Anti-Virus for Mac. To open Sophos Update Manager, on a Mac computer, in a Finder window, browse to the Sophos Anti-Virus:ESOSX folder. Double-click Sophos Update Manager. For further details, see Sophos Update Manager Help.

Anti-virus settings do not take effect on Linux or UNIX

Some anti-virus settings cannot be applied to Linux or UNIX computers. In this case, there is a warning on that page of settings.

You can change anti-virus settings on Linux computers using the savconfig and savscan commands as described in the Sophos Anti-Virus for Linux user manual. You can change anti-virus settings on UNIX computers using the savscan command as described in the Sophos Anti-Virus for UNIX user manual.


Linux or UNIX computer does not comply with policy

If you use a corporate configuration file in the CID, and the file contains a configuration value which conflicts with the policy, the computer will be shown as not complying with the policy.

Selecting the Comply with policy option will bring the computer into compliance only temporarily, until the CID-based configuration is reapplied.

To resolve the problem, review the corporate configuration file and, where possible, replace it by console-based configuration.

On-access scan settings do not take effect

For Windows NT, 95, 98, and Me computers, changing certain settings on the on-access scan settings pages has no effect. There is a warning about this on the relevant pages.

In these cases, changes you make in the scheduled scan settings pages apply to both scheduled and on-access scanning. This is due to the design of Sophos Anti-Virus for these earlier versions of Windows.

New scan appears unexpectedly on 2000 or later

If you look at the local copy of Sophos Anti-Virus on Windows 2000 or later computers, you may see that a new "Available scan" is listed, even though the user has not created one.

This new scan is actually a scheduled scan that you have set up from the console. You should not delete it.

Connectivity and timeout problems

If the communications between Enterprise Console and a networked computer become slow or the computer becomes unresponsive, there may be a connectivity problem.


Check the Sophos Network Communications Report, which presents an overview of the current state of communications between a computer and Enterprise Console. To view the report, go to the computer where the problem occurred. On the taskbar, click the Start button, select All Programs|Sophos|Sophos Anti-Virus, and then click View Sophos Network Communications Report.

The report shows possible problem areas and, if a problem isdetected, remedial actions.

Adware/PUAs are not detected

If adware and other potentially unwanted applications (PUAs) are not detected, you should check that:

· Detection has been enabled. See Scan for adware/PUA.

· The applications are on a computer running Sophos Anti-Virus 6 or later on Windows 2000 or later.

Partially detected item

Sophos Anti-Virus may report that an item (e.g. a Trojan or potentially unwanted application) is "partially detected". This means that it has not found all the component parts of that application.

To find the other components, you need to carry out a full system scan of the computer(s) affected. On computers running Sophos Anti-Virus 7 for Windows 2000/XP/2003/Vista, you can do this by selecting the computer(s), right-clicking and selecting Full system scan. You can also set up a scheduled scan for adware and other potentially unwanted applications.

If the application has still not been fully detected, it may be because:

· you have insufficient access rights

· some drives or folders on the computer, containing the application's components, are excluded from scanning.

If the latter is the case, check the list of items excluded from scanning. If there are some items on the list, remove them from the list and scan your computer again.

Sophos Anti-Virus may not be able to fully detect or remove adware and other potentially unwanted applications with components installed on network drives.

For advice, contact Sophos technical support.

Frequent alerts about potentially unwanted applications

You may receive very large numbers of alerts about potentially unwanted applications, including multiple reports of the same application.

This can occur because some types of potentially unwanted application "monitor" files, trying to access them frequently. If you have on-access scanning enabled, Sophos Anti-Virus detects each file access and sends an alert.

You should do one of the following:

· Disable on-access scanning for adware/PUA. You can use a scheduled scan instead.

· Authorize the application (if you want to have it running on your computers).

· Clean up the computer(s), removing applications that you have not authorized.

Cleanup failed

If Sophos Anti-Virus fails in an attempt to clean up items ("Cleanup failed"), the reason could be:

· It has not found all the components of a multi-component item. Run a full system scan of the computer(s) to find the other components.

· Some drives or folders that contain item components are excluded from scanning. Check the items excluded from scanning. If there are some items on the list, remove them from the list.

· You have insufficient access rights.

· It cannot clean up that type of item.

· It has found a virus fragment, rather than an exact virus match.

· The item is on a write-protected floppy disk or CD.

· The item is on a write-protected NTFS volume (Windows 2000or later).

Recover from virus side-effects

Cleanup can remove a virus from computers, but it cannot always reverse the side-effects.

Some viruses leave no side-effects. Others may make changes or corrupt data in ways that are hard to detect. To deal with this, you should:

· On the Help menu, click View item information. This connects you to the Sophos website, where you can read the virus analysis.

· Use backups or original copies of programs to replace infected programs. If you did not have backup copies before the infection, create them now in case of future infections.

Sometimes you can recover data from disks damaged by a virus. Sophos can supply utilities for repairing the damage caused by some viruses. Contact Sophos technical support for advice.

Recover from application side-effects

Cleanup can remove unwanted applications, but it cannot always reverse the side-effects.

Some applications modify the operating system, e.g. by changing your internet connection settings. Sophos Anti-Virus cannot always restore all settings. For example, if an application changed the browser home page, Sophos Anti-Virus cannot know what the previous home page setting was.

Some applications install utilities, such as .dll or .ocx files, on your computer. If a utility is harmless (that is, does not possess the qualities of a potentially unwanted application), e.g. a language library, and is not integral to the application, Sophos Anti-Virus may not detect it as part of the application. In this case, cleanup won't remove the file from your computer.

Sometimes an application, such as adware, is part of a program that you intentionally installed, and needs to be there for the program to run. If you remove the application, the program may stop running on your computer.

You should:

· On the Help menu, click View item information. This connects you to the Sophos website, where you can read the application analysis.

· Use backups to restore your system settings or programs you want to use. If you did not have backup copies before, create them now in case of future incidents.

For more information or advice on recovering from an adware/PUA's side-effects, contact Sophos technical support.

Technical support

For technical support, visit www.sophos.com/support.

If you contact technical support, provide as much information as possible, including the following:

· Sophos software version number(s)

· Operating system(s) and patch level(s)

· The exact text of any error messages

23 Glossary

-A-

Active Directory synchronization

A one-way synchronization of Sophos Enterprise Console groups with Active Directory containers.

adware

A program that displays advertising, such as pop-up messages, which affects user productivity and system efficiency.

Application Control

A feature in Sophos Anti-Virus that enables you to block or authorize execution of legitimate applications, according to your organization's policy.

-C-

comma-separated values (CSV)

Another name for the comma-delimited format, a type of data format in which each piece of data is separated by a comma. This is a popular format for transferring data from one application to another, because most database systems are able to import and export comma-delimited data. For example, a .csv file can be imported into Microsoft Excel for further analysis.

controlled application

A legitimate application that is not a security threat, but that you decide is unsuitable for use in your office environment. Controlled applications may include games, instant messaging (IM) clients, Voice over Internet Protocol (VoIP) clients, digital imaging software, media players, or browser plug-ins.

-D-

dashboard

An at-a-glance view of the network's security status.

-H-

Host Intrusion Prevention System (HIPS)

Security technology that protects computers from suspicious files, unidentified viruses, and suspicious behavior.

-M-

malware

Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus, worm, Trojan, or spyware.

-N-

Network Access Control (NAC)

A system that reduces the security threat from unauthorized, non-compliant, or infected computers by restricting their access to network resources.

-P-

potentially unwanted application (PUA)

A program that is not inherently malicious, but is generally considered unsuitable for the majority of business networks. Potentially unwanted applications perform actions such as displaying advertising, tracking web sites visited, or changing the configuration of a computer. They include a wide range of programs such as adware, dialers, remote administration tools, and hacking tools.

-R-

runtime behavior analysis

Dynamic analysis of the behavior of the programs running on the system, performed by the "suspicious behavior detection" and "buffer overflow detection" features.

-S-

spyware

A program that installs itself onto a user's computer by stealth, subterfuge or social engineering and sends information from that computer to a third party without the user's permission or knowledge. Spyware includes key loggers, backdoor Trojans, password stealers, and botnet worms, which cause corporate data theft, financial loss and network damage.


suspicious behavior

Behavior normally attributed to malware, exhibited by an application that had not been identified as malicious before it was run.

suspicious file

A file that contains certain characteristics that are common to malware but not sufficient for the file to be identified as a new piece of malware (for example, a file containing dynamic decompression code commonly used by malware).

synchronization point

An Enterprise Console group that points to a container (or subtree) in Active Directory.

synchronized group

A subgroup of a synchronization point, imported from Active Directory.

-U-

unidentified virus

A virus for which there is no identity; an unknown virus.

-V-

virus

A program which can spread across computers and networks by attaching itself to another program and making copies of itself.

Index

A
acknowledge alerts 128
acknowledge errors 128
Active Directory synchronization 43
Active Directory synchronization alerts 123
Active Directory synchronization:overview 43
Active Directory:import from 38
Active Directory:synchronize with 46
add computers to a group 28
adware 149
adware alerts 128
adware/PUA:authorize 92
alerts 73
alerts:controlled applications 121
allow file and print sharing 108
anti-virus and HIPS policy 16
anti-virus policy 103
anti-virus protection 60
application control 103
application control alerts 121
application control policy 16
archive files 96
authorize suspicious items 90
authorize:suspicious items 90
automatic cleanup 131
automatic disinfection 131
automatic updating 77

B
block controlled applications 103
buffer overflow 88

C
cleanup 150
cleanup:automatic 131
cleanup:failed 150
cleanup:manual 131
clear alerts 128
clear errors 128
connectivity problems 148
console GUI 13
controlled application alerts 128
controlled applications 104
controlled applications:uninstall 105
create a group 27
create a policy 35
cut and paste a group 28

D
dashboard 65
dashboard:configure 69
dashboard:overview 65
default NAC settings 113
delete a group 29
delete a policy 36
desktop alerts 120
disable firewall 109
disable synchronization 51
disconnected computers 76
disinfection 115
disinfection:automatic 131
disinfection:manual 131

E
edit a policy 35
email alerts 123
enable firewall 109
enable synchronization 51
Enterprise Console:overview 13
event logging 124
exclude items from scanning 100
exclusions 100
export report 141
extensions 93

F
failed cleanup 150
file and print sharing:allow 108
file types scanned 93
find computers 38
find computers:Active Directory 40
find computers:import from file 41
find computers:IP range 41
find computers:network 40
firewall 73
firewall alerts 127
firewall policy 16
full system scan 115

G
get further help 152
getting started 20
glossary 153
group 16
group policy 37
group policy:enforce 37
group:add computers 28
group:apply policy 35
group:create 27
group:cut and paste 28
group:delete 29
group:import from Active Directory 38
group:remove computers 28
group:rename 29
group:synchronize with Active Directory 46
group:Unassigned 16
group:which policies are used 29

H
HIPS 87
HIPS alerts 120
Host Intrusion Prevention System 87

I
icons 17
immediate scan 115
initial installation source 84
interactive firewall 109
interface 13

L
libraries 17

M
Mac viruses 97
Macintosh files 97
Macintosh viruses 97
manual cleanup 131
manual disinfection 131
manual installation 57
manual updating 82
messaging 116

N
NAC 114
NAC Manager 112
NAC policy 114
NAC server URL 111
NAC URL 111
network access control 114
network status alerts 122
new computers 63
new user 143
non-interactive firewall 109

O
on read 98
on rename 98
on write 98
on-access scanning 148
on-access scanning:cleanup 131
out-of-date computers 146
outstanding alerts 73

P
partially detected 149
policy 32
policy:apply to a group 35
policy:create 35
policy:default 33
policy:delete 36
policy:edit 35
policy:rename 36
policy:which groups use 36
potentially unwanted application alerts 128
potentially unwanted applications 149
primary server 79
print report 141
protect computers 56
protect computers:automatically 63
protect computers:firewall 61
protect computers:manually 57
protect computers:with login script 60
protected computers 70
protected network 65
proxy server 83
PUA 149
PUA:side-effects 151

R
remove 63
remove computers from a group 28
rename a group 29
rename a policy 36
report 134
report:display as chart 135
report:display as table 135
report:export 141
report:generate 134
report:history of alerts 140
report:layout 142
report:print 141
report:rate of alerts 138
report:show alerts per item name 135
report:show alerts per location 137
reporting to Sophos 144
rootkits 95
runtime behavior analysis 88
runtime behavior analysis alerts 127

S
SAV policy 103
scan now 115
schedule updates 81
scheduled scanning 99
secondary server 80
select controlled applications 103
SNMP alerts 118
Sophos Anti-Virus installation failure 146
Sophos Endpoint Security and Control 10
Sophos technical support 152
sort computers 76
spyware 87
spyware alerts 126
start NAC Manager 112
suspicious behavior 88
suspicious behavior alerts 127
suspicious file alerts 127
suspicious files 89
synchronization 51
synchronization point 45
synchronization properties:edit 49
synchronization properties:view 49
synchronization with Active Directory 43
synchronization:automatic protection 48
synchronization:properties 49
synchronize with Active Directory 46
synchronized group 46

T
technical support 152
timeout 148
Trojans 87
troubleshooting 145
troubleshooting:Linux 148
troubleshooting:Mac 147
troubleshooting:UNIX 148
troubleshooting:Windows 2000 148
troubleshooting:Windows NT/95/98/Me 148

U
Unassigned folder 145
uninstall 63
uninstall controlled applications 105
unmanaged computers 75
unprotected computers 72
update source 80
updating 77
updating policy 16
updating:advanced settings 83
updating:automatic 77
updating:bandwidth 83
updating:logging 85
updating:manual 82
updating:on dial-up 82
updating:primary server 79
updating:schedule 81
updating:secondary server 80
updating:via a proxy 83
up-to-date computers 71

V
virus alerts 126
virus:side-effects 151
viruses 87

W
warning signs 17
worms 87

Copyright © 2005-2008 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
