Sophos Anti-Virus for Windows NT/2000/XP Release Notes ------------------------------------------------------ January 2003 (3.65) www.sophos.com Contents -------- 1. New in this version 2. General notes 3. Additional information 4. Information from previous versions 5. Known problems 6. Troubleshooting 7. Compatibility issues 1. New in this version ---------------------- All Sophos Anti-Virus versions have been updated with new virus information. 2. General notes ---------------- a) Archive types Archives are not scanned by default. To enable archive scanning, select it within Sophos Anti-Virus. Depending on the number of archives present, scanning time may be increased. Selecting archive scanning enables the scanning of ARJ, CMZ, GZIP, RAR, TAR, UUE, ZIP, LHA, LZH archives, self-extracting archives of these types, zipmail files, and files compressed with MS Compress. Self-extracting archives are only scanned as archives if archive handling has been switched on for that archive type. Otherwise they will be scanned only as executables. If both archive scanning and Macintosh virus scanning are selected BinHex and MacBinary files will also be scanned. Unix ELF files are scanned either when their file extension is in the executables list, or if 'All files' is selected. The scanning of Microsoft Cabinet files is not enabled when archive file handling is enabled. It can be enabled individually. b) Extension list The following file extensions are scanned for by default in immediate and scheduled scans. ..., 386, 3GR, ADD, ASP, BAT, CHM, CMD, COM, CPL, DBX, DLL, DMD, DOC, DOT, DRV, EML, EXE, FLT, FON, FOT, HLP, HT?, HTA, HTML, I13, IFS, INI, JS, JSE, LNK, MOD, MPD, MPP, MPT, MSO, NWS, OCX, OV?, PDF, PDR, PIF, PL, POT, PPS, PPT, PRC, RTF, SCR, SH, SHB, SHS, SRC, SWF, SYS, VB?, VXD, WBK, XL?, 3. Additional information ------------------------- The following suggestions may require the use of the Registry Editor (REGEDT32.EXE). Microsoft have issued the following warning with respect to the Registry Editor: "Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to re-install Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk." a) System requirements This version of Sophos Anti-Virus for Windows NT/2000/XP requires Windows NT 4.0 or later. It will not run on Windows NT 3.51. b) Restarting after an InterCheck upgrade If the InterCheck driver has been upgraded, after upgrading from a previous version of Sophos Anti-Virus for Windows NT/2000/XP, the system must be restarted before the new InterCheck driver is activated. Restarting your system immediately after the upgrade is not necessary. InterCheck will continue to operate correctly, and the new features will be activated next time the system is restarted. c) Setup 'SETUP /UPDATE' has priority over workstation installations, i.e. 'SETUP /UPDATE' will not fail because a workstation is in the process of establishing the need to upgrade or is in the process of upgrading. Several command line qualifiers have been added to the setup program: -a non-interactive install -updaccount=domain\username\password update account info -ni non-interactive setup -in invisible setup program -inl invisible loader d) Compatible with 'Terminal Server' and 'MetaFrame' This version of Sophos Anti-Virus for Windows NT/2000/XP will run on versions of the Windows NT operating system which support multi-user emulation. To provide this functionality, the graphical elements (Sophos Anti-Virus Graphical User Interface and InterCheck monitor) should only be run on the main console. This behaviour is automatically enforced when NT 4 service pack 4, or later, has been installed on the server. e) Messaging sub-system It is possible to inhibit the display of a desktop message issued by the InterCheck Client as it shuts down. To do this add the following value to the registry: Key: HLM\SOFTWARE\Sophos\SweepNT\SMMs\Desktop.smm Value Name: Shutdown Message Action Type: REG_DWORD Data: 0x0000000F It is possible to force the SMTP SMM to send its reports as MIME-encoded attachments. To do this add the following value to the registry: Key: HLM\SOFTWARE\Sophos\SweepNT\SMMs\SMTP.smm Value Name: Mime Encode Type: REG_DWORD Data: 0x00000001 Files in off-line storage are reported. To suppress these messages add the following value to the registry: Key: HLM\SOFTWARE\Sophos\ADVANCED Value Name: REPORT_OFF_LINE_FILES Type: REG_DWORD Data: 0x00000000 Encrypted files are reported. To suppress these messages add the following value to the registry: Key: HLM\SOFTWARE\Sophos\ADVANCED Value Name: REPORT_PASSWORD_ENCRYPTED Type: REG_DWORD Data: 0x00000000 f) Interaction with files held in off-line storage By default, during immediate and scheduled scans, Sophos Anti-Virus will not retrieve files marked as being held in off-line storage for scanning. This default behaviour can be over-ridden by setting the following value in the registry: Key: HLM\Software\Sophos\ADVANCED\ Value Name: SCAN_FILES_IN_HSM Type: REG_DWORD Data: 0x00000001 By default, during immediate and scheduled scans, Sophos Anti-Virus will reset a file's last accessed time. This default behaviour can be over- ridden by setting the following value in the registry: Key: HLM\Software\Sophos\ADVANCED\ Value Name: RESET_LAST_ACCESSED_TIME Type: REG_DWORD Data: 0x00000000 g) Log file handling The log file may become very large. It is not possible to delete SWEEP.LOG while the service is running. However, if the location of SWEEP.LOG file is changed the original can then be deleted. h) SNMP Notification There is a messaging module for SNMP trap generation. Four types of traps are possible. They are assigned OIDs (object identifiers) as follows: 1.3.6.1.4.1.2604.2.1.1.1.1 Virus warning 1.3.6.1.4.1.2604.2.1.1.1.2 Error message 1.3.6.1.4.1.2604.2.1.1.1.3 Informational message 1.3.6.1.4.1.2604.2.1.1.1.4 Test trap Each trap carries a SAV version string and an informational string giving the nature of the alert. Data are assigned OIDs as follows: 1.3.6.1.4.1.2604.2.1.1.2.1.1 Virus warning text 1.3.6.1.4.1.2604.2.1.1.2.1.2 Error message text 1.3.6.1.4.1.2604.2.1.1.2.1.3 Informational message text 1.3.6.1.4.1.2604.2.1.1.2.1.4 Test trap string 1.3.6.1.4.1.2604.2.1.1.2.2 Version string Note: it is impossible to remotely query the MIB. The data are only available from the contents of the trap. i) Virus information When requesting information on viruses, users are directed towards the Sophos web site for the most accurate up to date information. 4. Information from previous versions ------------------------------------- December 2002 (3.64) * An installation and updating problem on Windows 2000 with Novell IntraNetWare Client version 4.8x has been resolved * InterCheck has improved support for roaming profiles on Windows 2000. The change to version 2.19 of InterCheck will prompt for a reboot of the computer, but a reboot is only necessary if you are affected by the roaming profile issue * MailMonitor for Exchange 2000 will install correctly with this version * SAV Interface has some minor compatibility fixes October 2002 (3.62) * InterCheck monitor icon colour change indicates InterCheck inactivity The InterCheck Monitor arrow will now change from its usual red to grey to indicate that InterCheck is disabled. * Alternative data stream scanning Alternative data stream scanning is now featured in on-demand immediate and scheduled scanning. It is already provided by InterCheck on-access scanning. * SAVI DLL now runs on both Windows NT/2000/XP and Windows 95/98/Me SAV Interface (SAVI) developers will now be able to write products that can be used on Windows 95/98/Me to complement those already available on Windows NT/2000/XP. * Running SAV Interface third-party applications SAV Interface (SAVI) has been modified to allow third-party SAV Interface applications to be run as non-administrators. * Ability for Setup to remove unwanted shortcuts from the Start menu Sophos items that no longer exist on the computer but appear in the Start menu will now be removed. * Purging checksums on restart Due to the frequency of virus updates InterCheck's checksums are now automatically purged after each computer restart. * Autoupdate frequency settings Information on autoupdating and its frequency is now transferred to local installations during updating as well as during installation. * New information pages There are new information pages available on this CD. You can view these pages from any computer with an internet browser installed. They include installing and updating advice, product information, documentation, and contact information. Windows (Intel) users To view these pages, let the CD autorun or run 'LAUNCHCD.EXE' from the root of the CD. If Internet Explorer 4.0 or above is installed on your computer, the information pages are displayed in a special Sophos application that enables you to install or update directly from the information pages. Windows (Alpha) users LAUNCHCD.EXE will run Internet Explorer as a browser only if autorun is enabled. You will not be able to install or update directly from the information pages. Other browsers With other browsers open 'index.htm' from the root of the CD. You will not be able to install or update directly from the information pages. If you have any difficulties viewing the CD's information pages, email sophoscd@sophos.com. September 2002 (3.61) The checksum file is now purged on restart. Auto-updating has been improved for non-English workstations. 5. Known problems ----------------- a) SAV Interface (SAVI) Developers may set the maximum recursion depth configuration option. Re-configuring SAV Interface client applications while they are active fails. b) NetWare server and Windows 2000 workstation This problem affects only the running of the setup /update program on Windows 2000 computers when the Central Installation Directory is based on a NetWare server. When it is necessary to place a new IDE file in a Central Installation Directory (CID) based on a NetWare Server and to run setup /update on a Windows 2000 workstation, the following command line should be used instead of the documented command: setup /update /srcpath=\\netwareserver\cidpath where \\netwareserver\cidpath is the full UNC path to the CID. c) InterCheck server and Windows 2000 InterCheck server is selected by default on Windows 2000 installations. It should be deselected during installation when not required. 6. Troubleshooting ------------------ a) Errors accessing network shares from remote computers After installing Sophos Anti-Virus for Windows NT/2000/XP, you may encounter difficulties accessing network shares from remote computers. You may also receive one of the following error messages: "Not enough server storage is available to process this command." "Not enough memory to complete transaction. Close some applications and retry." Additionally, the Windows NT server may log one or both of the following event messages in the system log: Event ID : 2011 Source : Srv Description : The server's configuration parameter "IRPStackSize" is too small for the server to use a local device. Please increase the value of this parameter. Event ID : 0 Source : Srv Description : Description for Event ID 0 could not be found. It contains the insertion string \device\LanManServer. This is a restriction imposed by the default Windows NT server configuration. The following registry entry is required to solve the problem. Key: HLM\SYSTEM\CurrentControlSet\Services\LanmanServer\ Parameters\ Value Name: IrpStackSize Type: REG_DWORD Data: 0x6 You can use REGEDT32 to modify or create this entry in the registry. You will need to restart the system before the change will take effect. If you still experience problems, a larger value can be selected. The valid range for this parameter is 0x1 to 0xC (1 to 12). Please see the Microsoft knowledge base article ID Q198386 for further information. b) SWEEP for Windows NT Update service To function correctly, the auto-update service must be installed as the 'LocalSystem' account and have 'Allow Service to Interact with Desktop' selected. c) InterCheck logging For InterCheck logging to work correctly, the SWEEP for Windows NT Network Service must use an account that is able to see the InterCheck Server share. This may not be the case if the auto-update option was not selected during installation. If InterCheck logging fails to work correctly, a suitable account may be selected as follows: * Go to Control Panel|Services. * Select the SWEEP for Windows NT Network Service. * Click the 'Startup...' button. * Under 'Log on As:', select the field 'This Account'. * Enter an account in the form DOMAIN\User with access to the relevant InterCheck Server share. * Fill in the password field as appropriate. * Click 'OK' to confirm the change. * Stop and then restart the service. 7. Compatibility issues ----------------------- a) Banyan VINES support Please note that InterCheck will not check files on remote Banyan VINES drives unless the Banyan VINES network support was started at start up. b) PATHWORKS Version 4 server Windows NT clients which use a PATHWORKS 4 server for the central installation directory may repeatedly auto-update. This problem only occurs on PATHWORKS 4 not on later PATHWORKS versions. c) Bay Networks (Performance Technologies) Instant Internet A conflict between the version of the WinSock client installed by the Instant Internet application and the Sophos SMTP.SMM module can lead to the Sophos Anti-Virus service not starting or stopping correctly. As a work-around, add the following value to the registry. Key: HLM\Software\Sophos\SweepNT\SMMS\SMTP\ Value Name: No Startup Check Type: REG_DWORD Data: 0x1 This work-around will prevent the SMTP module checking for the appropriate network transport protocols during startup. ----------------