Sophos Anti-Virus for Windows NT and 2000 Release Notes
-------------------------------------------------------

March 2001 (3.43)
www.sophos.com

New in this version
-------------------

All Sophos Anti-Virus versions have been updated with new virus
information. A list of new viruses detected by Version 3.43 can be
found in 'What's New' or in the READNEWS.TXT file on the Release CD,
or in the READNEWS.TXT file on the SWEEP for DOS Version 3.43
Installation Disk.

* The scanning of Office 2001 files is now turned on by default.
* The scanning of Palm pilot binary files (PRC file extension) is
  supported and enabled by default.
* The scanning of ActiveMime files (MSO file extension) is supported
  and enabled by default.
* The scanning of both LZH/LHA archives and MS Compressed files is
  supported.

Recent Improvements
-------------------

* The scanning of Microsoft Cabinet files is no longer enabled when
  archive file handling is enabled. It can be individually enabled.

Additional information
----------------------

1. InterCheck Client

   The following important facilities have been added to the
   InterCheck Client driver:

   * Support for the option to copy, rename, delete and purge infected
     files via the 'Action' page on the Sophos Anti-Virus GUI.
   * The ability to scan inside archive files, configured via the
     'Mode' page in the Sophos Anti-Virus interface, is enabled. Note
     that this may have adverse effects on system performance.

   A number of optimisations have been made to the InterCheck Client
   including:

   * A problem with the InterCheck Client support for the latest
     version of Chameleon NFS client (NetManage) has been resolved.
   * Changes have been made to the InterCheck Client driver to improve
     performance with Windows 2000 - particularly Hierarchical Storage
     Manager (HSM) and off-line file-handling.

   Note that after upgrading from a previous version of Sophos
   Anti-Virus for Windows NT, the system must be restarted before the
   new InterCheck driver is activated.
   Restarting your system immediately after an upgrade is not
   necessary. InterCheck will continue to operate correctly, and the
   new features will be activated next time the system is restarted.

2. Setup

   The setup program has been enhanced in a number of significant
   ways:

   * When Sophos Anti-Virus is being installed, a new splash screen is
     displayed.
   * It is possible to disable the 'Did you know' CD splash screen
     behaviour by adding the following setting in the registry:

       Key:        HKEY_CURRENT_USER\Software\Sophos\Autorun
       Value Name: No Prelaunch
       Type:       REG_DWORD
       Data:       0x00000001

   * 'Setup /update' now has priority over workstation installations,
     i.e. 'setup /update' will not fail because a workstation is in
     the process of establishing the need to upgrade or is in the
     process of upgrading.
   * Several new command line qualifiers have been added to the setup
     program:

       -a                                     non-interactive install
       -updaccount=domain\username\password   update account info
       -ni                                    non-interactive setup
       -in                                    invisible setup program
       -inl                                   invisible loader

   * Improvements have been made to the optimised file updating
     routines to transfer fewer files during the update process.
   * New setup configuration screens now offer the option to add
     network account information when configuring Sophos Anti-Virus to
     update from a central installation held on a NetWare server. This
     facility supersedes the registry work-around previously published
     in the Readme.

3. Compatible with 'Terminal Server' and 'MetaFrame'

   This version of Sophos Anti-Virus for Windows NT will run on
   versions of the Windows NT operating system which support
   multi-user emulation. To provide this functionality, the graphical
   elements (Sophos Anti-Virus Graphical User Interface and InterCheck
   monitor) should only be run on the main console. This behaviour is
   automatically enforced when NT 4 service pack 4, or later, has been
   installed on the server.

4. Messaging sub-system

   Significant improvements have been implemented to allow multiple
   language support.

   * All interface resources are held in a shared file accessible by
     Sophos Anti-Virus for Windows 95/98/Me and Windows NT/2000.
   * Some resource inconsistencies between languages have been fixed.
   * The messages displayed when Sophos Anti-Virus is unable to copy,
     move, delete, or rename viral files have been improved and the
     error counts now accurately reflect these conditions.
   * The ability to inhibit the display of a desktop message issued by
     the InterCheck Client as it shuts down has been implemented. To
     do this add the following value to the registry:

       Key:        HLM\SOFTWARE\Sophos\SweepNT\SMMs\Desktop.smm
       Value Name: Shutdown Message Action
       Type:       REG_DWORD
       Data:       0x00000000 -> 0x00000003

     The range of values has the following effects:

       0x00000000: no suppression of InterCheck summary messages.
       0x00000001: suppress the InterCheck Client summary if errors
                   were encountered during the time InterCheck was
                   running.
       0x00000002: suppress the InterCheck Client summary if viruses
                   were encountered during the time InterCheck was
                   running.
       0x00000003: suppress all InterCheck Client summary messages.

   * Forcing the SMTP SMM to send its reports as MIME-encoded
     attachments is now possible. To do this add the following value
     to the registry:

       Key:        HLM\SOFTWARE\Sophos\SweepNT\SMMs\SMTP.smm
       Value Name: Mime Encode
       Type:       REG_DWORD
       Data:       0x00000001

   * Files in off-line storage will be reported. To suppress these
     messages add the following value to the registry:

       Key:        HLM\SOFTWARE\Sophos\ADVANCED
       Value Name: REPORT_OFF_LINE_FILES
       Type:       REG_DWORD
       Data:       0x00000000

   * Encrypted files will be reported. To suppress these messages add
     the following value to the registry:

       Key:        HLM\SOFTWARE\Sophos\ADVANCED
       Value Name: REPORT_PASSWORD_ENCRYPTED
       Type:       REG_DWORD
       Data:       0x00000000

5. Sophos Anti-Virus Graphical User Interface

   * Increased limit on number of extensions in executables list.
   * Horizontal scrollbar in log interface window if needed.
   * Virus library viewer now an external application.
   * InterCheck Client can now be configured to scan inside archives.
   * InterCheck Client can now be configured to perform actions on
     disinfection failure.
   * InterCheck Server can now be configured to scan inside archives.
   * On Terminal Server, the interface will run on the console only.
   * Exclusion of specified directories from scanning is possible.
     This affects both on-access and on-demand scans.
   * Immediate and scheduled jobs may now be created, copied and
     configured via a right button menu.

6. Virus library viewer

   * This is now a stand-alone application that is launched from the
     main interface (or Explorer / Command prompt). Two command line
     qualifiers can be used:

       Usage: SVL.EXE [/d=] [/v=]

         /d= - Specifies the Virus Library Data file to use.
         /v= - Specifies the Virus Information to display.

   * Improved online help.
   * Multiple instances can be run simultaneously and independently of
     the Sophos Anti-Virus interface application.
   * SVL.EXE will not launch in a terminal client session.
   * Changes to the font and the colours in the virus information
     dialog are possible -- these settings will be used for printing.
   * Copying the details of a virus to the clipboard and pasting the
     details into another application, either as plain text or in rich
     text format, is now possible.
   * The virus library viewer application stores your user preferences
     for when you relaunch it.
   * The virus library viewer application now displays information
     relating to script file viruses.

7. SAVI

   * Developers may now set the maximum recursion depth configuration
     option.

8. Addition of wildcard specification to SAV32CLI.EXE

   * The SAV32CLI.EXE program has been modified to allow specification
     of wildcard parameters (* and ?).
   * Non-administrators can also use the SAV32CLI program if
     InterCheck is inactive.

9. Improved interaction with files held in off-line storage

   By default, during immediate and scheduled scans, Sophos Anti-Virus
   will not retrieve files marked as being held in off-line storage
   for scanning. This default behaviour can be overridden by setting
   the following value in the registry:

       Key:        HLM\Software\Sophos\ADVANCED\
       Value Name: SCAN_FILES_IN_HSM
       Type:       REG_DWORD
       Data:       0x00000001

   By default, during immediate and scheduled scans, Sophos Anti-Virus
   will reset a file's last accessed time. This default behaviour can
   be overridden by setting the following value in the registry:

       Key:        HLM\Software\Sophos\ADVANCED\
       Value Name: RESET_LAST_ACCESSED_TIME
       Type:       REG_DWORD
       Data:       0x00000000

10. Improved log file handling

   Improved handling of the SWEEP.LOG file allows Sophos Anti-Virus
   for Windows NT to run considerably faster if the log file is large.
   Note that it is no longer possible to delete SWEEP.LOG while the
   service is running. However, users can change the location of the
   SWEEP.LOG file and then delete the original.

11. New utilities ICSTATUS and UPDCHECK

   ICSTATUS is a console application which reports the current
   InterCheck status of the computer on which it is run. It may be
   used as part of a login script ensuring that InterCheck is active
   on a client workstation prior to granting network access. It is
   designed to be used with Windows 95, Windows 98, Windows Me,
   Windows NT and Windows 2000.

   UPDCHECK is a console application which indicates whether or not
   the Sophos Anti-Virus installation on a client workstation is up to
   date relative to its server Central Installation Directory (CID).
   It is designed to be used with Windows 95, Windows 98, Windows Me,
   Windows NT and Windows 2000.

   ICSTATUS.EXE and UPDCHECK.EXE can be found in the TOOLS\ICSTATUS
   and TOOLS\UPDCHECK directories on the CD.

12. Archive scanning

   The following archive types: ARJ, CMZ, GZIP, RAR, TAR, ZIP, LHA,
   LZH and files compressed with MS Compress are additionally scanned
   when the 'Scan inside archives' box is ticked.

   Self extracting archives of known archive types are scanned as
   archives if archive handling has been switched on for that type.
   Otherwise they will be scanned only as executables.

   The Macintosh archives MacBinary and BinHex can also be scanned by
   ticking the 'Include Macintosh viruses' box.

Known problems
--------------

* Re-configuring SAVI client applications while they are active
  fails.

* NetWare server and Windows 2000 workstation

  This problem affects only the running of the setup /update program
  on Windows 2000 computers when the Central Installation Directory is
  based on a NetWare server.

  When it is necessary to place a new IDE file in a Central
  Installation Directory (CID) based on a NetWare Server and to run
  setup /update on a Windows 2000 workstation, the following command
  line should be used instead of the documented command:

      setup /update /srcpath=\\netwareserver\cidpath

  where \\netwareserver\cidpath is the full UNC path to the CID.

Troubleshooting
---------------

The following problems may require the use of the Registry Editor
(REGEDT32.EXE). Microsoft have issued the following warning with
respect to the Registry Editor:

   "Using Registry Editor incorrectly can cause serious, system-wide
   problems that may require you to re-install Windows NT to correct
   them. Microsoft cannot guarantee that any problems resulting from
   the use of Registry Editor can be solved. Use this tool at your own
   risk."

1. Errors accessing network shares from remote computers

   After installing Sophos Anti-Virus for Windows NT, you may
   encounter difficulties accessing network shares from remote
   computers. You may also receive one of the following error
   messages:

      "Not enough server storage is available to process this
      command."

      "Not enough memory to complete transaction.
      Close some applications and retry."

   Additionally, the Windows NT server may log one or both of the
   following event messages in the system log:

      Event ID    : 2011
      Source      : Srv
      Description : The server's configuration parameter
                    "IRPStackSize" is too small for the server to use
                    a local device. Please increase the value of this
                    parameter.

      Event ID    : 0
      Source      : Srv
      Description : Description for Event ID 0 could not be found. It
                    contains the insertion string
                    \device\LanManServer.

   This is a restriction imposed by the default Windows NT server
   configuration. The following registry entry is required to solve
   the problem.

       Key:        HLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
       Value Name: IrpStackSize
       Type:       REG_DWORD
       Data:       0x6

   You can use REGEDT32 to modify or create this entry in the
   registry. You will need to restart the system before the change
   will take effect. If you still experience problems, a larger value
   can be selected. The valid range for this parameter is 0x1 to 0xC
   (1 to 12).

   Please see the Microsoft knowledge base article ID Q198386 for
   further information.

2. SWEEP for Windows NT Update service

   To function correctly, the auto-update service must be installed as
   the 'LocalSystem' account and have 'Allow Service to Interact with
   Desktop' selected.

3. InterCheck logging

   For InterCheck logging to work correctly, the SWEEP for Windows NT
   Network Service must use an account that is able to see the
   InterCheck Server share. This may not be the case if the
   auto-update option was not selected during installation.

   If InterCheck logging fails to work correctly, a suitable account
   may be selected as follows:

   * Go to Control Panel|Services.
   * Select the SWEEP for Windows NT Network Service.
   * Click the 'Startup...' button.
   * Under 'Log on As:', select the field 'This Account'.
   * Enter an account in the form DOMAIN\User with access to the
     relevant InterCheck Server share.
   * Fill in the password field as appropriate.
   * Click 'OK' to confirm the change.
   * Stop and then restart the service.

Compatibility issues
--------------------

1. Banyan VINES support

   Please note that InterCheck will not check files on remote Banyan
   VINES drives unless the Banyan VINES network support was started at
   start up.

2. PATHWORKS Version 4 server

   Windows NT clients which use a PATHWORKS 4 server for the central
   installation directory may repeatedly auto-update. This problem
   only occurs on PATHWORKS 4, not on later PATHWORKS versions.

3. Bay Networks (Performance Technologies) Instant Internet

   A conflict between the version of the WinSock client installed by
   the Instant Internet application and the Sophos SMTP.SMM module can
   lead to the Sophos Anti-Virus service not starting or stopping
   correctly. As a work-around, add the following value to the
   registry.

       Key:        HLM\Software\Sophos\SweepNT\SMMS\SMTP\
       Value Name: No Startup Check
       Type:       REG_DWORD
       Data:       0x1

   This work-around will prevent the SMTP module checking for the
   appropriate network transport protocols during startup.

4. Windows NT Service Pack 6 and 6a

   Microsoft have confirmed that a bug in csrss.exe, introduced in
   service pack 6, will cause the update process to fail if a desktop
   message is active. To help customers experiencing this problem
   Sophos have produced a work-around dll.

   On machines affected by this problem add the file accessdt.dll to
   the installed set. This DLL can be found in compressed form on the
   Sophos CD in the Win32 NT\DATA subdirectory. To install this
   optional component copy the file into the local Sophos installation
   directory and decompress it by running the command

      expand accessdt.dl_ accessdt.dll

   from a DOS box. The fix will become effective immediately.

----------------
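
Several registry values described in "Messaging sub-system" and in compatibility issue 3 reduce what Sophos Anti-Virus reports or checks, so an administrator may want to know where they are set. The following is an added example, not part of the Sophos release notes or tools: it parses a REGEDIT4-style export and flags those values. It assumes "HLM" stands for HKEY_LOCAL_MACHINE; the names parse_reg and audit and the sample export are constructed for illustration.

```python
import re

# Values documented in the release notes above, with the data that reduces
# reporting. Assumption: "HLM" in the notes means HKEY_LOCAL_MACHINE.
ROOT = "HKEY_LOCAL_MACHINE\\"
WATCH = {
    (r"SOFTWARE\Sophos\ADVANCED", "REPORT_OFF_LINE_FILES"):
        ({0}, "off-line files are not reported"),
    (r"SOFTWARE\Sophos\ADVANCED", "REPORT_PASSWORD_ENCRYPTED"):
        ({0}, "encrypted files are not reported"),
    (r"SOFTWARE\Sophos\SweepNT\SMMs\Desktop.smm", "Shutdown Message Action"):
        ({1, 2, 3}, "InterCheck shutdown summary is suppressed"),
    (r"Software\Sophos\SweepNT\SMMS\SMTP", "No Startup Check"):
        ({1}, "SMTP module skips its startup transport check"),
}
# Registry key and value names are case-insensitive, so compare lower-cased.
INDEX = {((ROOT + k).lower(), v.lower()): w for (k, v), w in WATCH.items()}
SECTION = re.compile(r"^\[(.+?)\\?\]$")          # tolerate a trailing backslash
DWORD = re.compile(r'^"(.+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg(text):
    """Yield (key, value_name, dword) from REGEDIT4-style export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            key = m.group(1)
        elif key and (m := DWORD.match(line)):
            yield key, m.group(1), int(m.group(2), 16)

def audit(text):
    """Return (value_name, data, effect) for each watched setting in effect."""
    findings = []
    for key, name, data in parse_reg(text):
        bad, effect = INDEX.get((key.lower(), name.lower()), (set(), ""))
        if data in bad:
            findings.append((name, data, effect))
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Sophos\ADVANCED]
"REPORT_PASSWORD_ENCRYPTED"=dword:00000000
"SCAN_FILES_IN_HSM"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SweepNT\SMMs\Desktop.smm]
"Shutdown Message Action"=dword:00000003
"""
```

Calling audit(SAMPLE) returns one finding for REPORT_PASSWORD_ENCRYPTED and one for Shutdown Message Action; SCAN_FILES_IN_HSM is not flagged because setting it widens scanning rather than reducing reporting.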