Text File | 2004-11-18 | 23KB | 601 lines
Sophos Anti-Virus for Windows NT/2000/XP/2003 Release Notes
-----------------------------------------------------------
Product version : 3.88.0
Virus engine version : 2.26.0
Virus data version : 3.88, December 2004
www.sophos.com
Contents
--------
1 New in this version
2 Important information for MailMonitor users
3 General notes
4 Additional information
5 Information from previous versions
6 Known problems
7 Troubleshooting
8 Compatibility issues
1 New in this version
---------------------
* A fix has been made to Sophos Anti-Virus to correctly report the names of
files and folders that have associated Alternate Data Streams (ADS) with
viruses in them. This only affects NTFS filesystems.
To learn more about the ADS feature of NTFS, see:
http://support.microsoft.com/kb/105763
By default, the ADS scanning feature is disabled in the product. To enable
it, create the following registry value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\ADVANCED
Value Name: Scan Streams
Type: REG_DWORD
Data: 0x00000001
* The Sophos Anti-Virus setup program has been altered to delete any files
named DELST??.TXT created in the system and user TEMP folders as part
of an update.
Note that this fix affects only temporary files created in the future.
Existing DELST??.TXT files must be removed manually.
* A fix has been made to address a problem with scanning folders containing
double byte characters in their name. This only applies to such folders when
they are specified for an immediate or scheduled scan.
* New virus information
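
The ADS item above, as an added example that is not part of the Sophos release notes: it reports whether the `Scan Streams` value is set, can set it, and lists the named streams under a folder so an administrator can see what enabling the option brings into scope. It assumes PowerShell 3.0 or later on an NTFS volume; the function names and the `D:\Shares` path are hypothetical.

```powershell
# Added example, not from the Sophos release notes. Needs PowerShell 3.0 or later
# (Get-Item -Stream), an NTFS volume, and admin rights for Enable-ScanStreams.

$SophosKey = 'HKLM:\SOFTWARE\Sophos\ADVANCED'  # key given in the release notes
$ValueName = 'Scan Streams'                     # value name given in the release notes

function Get-ScanStreamsState {
    # 'NotSet' means the product default applies, which the notes say is disabled.
    $item = Get-ItemProperty -Path $SophosKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$ValueName -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

function Enable-ScanStreams {
    # Creates the key if needed and writes REG_DWORD 0x00000001.
    if (-not (Test-Path -Path $SophosKey)) { New-Item -Path $SophosKey -Force | Out-Null }
    New-ItemProperty -Path $SophosKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-AlternateStreams {
    # Lists every named stream under $Root: data that a scan of the
    # default (unnamed) stream alone never reads.
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Windows PowerShell 5.1 reads streams on files only; folder streams
            # need PowerShell 7.2 or later. Errors for folders are ignored here.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |      # drop the unnamed default stream
        Select-Object FileName, Stream, Length
}

# Constructed usage: D:\Shares is a placeholder path.
"Scan Streams state: $(Get-ScanStreamsState)"
Get-AlternateStreams -Root 'D:\Shares' | Sort-Object Length -Descending | Format-Table -AutoSize
```

Most hits on a typical system are small `Zone.Identifier` streams attached to downloaded files; larger or unexpectedly named streams are the ones worth reviewing.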
2 Important information for MailMonitor Users
---------------------------------------------
MailMonitor users should take the steps described below after updating to the
new version of Sophos Anti-Virus.
a) MailMonitor for SMTP
Users of MailMonitor for SMTP using version 1.2.0 (or later) need take no
action following an update to this version of Sophos Anti-Virus. Users
running earlier versions of MailMonitor are advised to update to the
current version.
Users who choose not to update MailMonitor must restart the MailMonitor for
SMTP service after updating to this version of Sophos Anti-Virus.
b) MailMonitor for Exchange
Users of MailMonitor for Exchange 2000 should ensure that they are using
version 1.0.1 (or above) of the product before updating to this version of
Sophos Anti-Virus.
c) MailMonitor for Notes/Domino
At the Domino server window, type the following commands:
tell savdb quit
tell savmail quit
load savdb
load savmail
3 General notes
---------------
a) Archive types
Archives are not scanned by default. To enable archive scanning, in Sophos
Anti-Virus, tick the 'Scan inside archives' box. Depending on the number of
archives present, scanning time may be increased.
Selecting archive scanning enables the scanning of ARJ, CMZ, GZIP, RAR,
RAR3, TAR, UUE, ZIP, LHA, LZH, BZip2, Stuffit, self-extracting archives of
these types, zipmail files, compressed help and files compressed with MS
Compress.
Self-extracting archives are only scanned as archives if archive handling
has been switched on for that archive type. Otherwise they will be scanned
only as executables.
If both archive scanning and Macintosh virus scanning are selected BinHex
and MacBinary files will also be scanned.
Unix ELF files are scanned either when their file extension is in the
executables list, or if 'All files' is selected.
b) Extension list
The following file extensions are scanned for by default in immediate and
scheduled scans.
..., 386, 3GR, ADD, ASP, BAT, CHM, CMD, COM, CPL, DBX, DLL, DMD, DOC, DOT,
DRV, EML, EXE, FLT, FON, FOT, HLP, HT?, HTA, HTML, I13, IFS, INI, JS, JSE,
LNK, MOD, MPD, MPP, MPT, MSO, NWS, OCX, OV?, PDF, PDR, PIF, PL, POT, PPS,
PPT, PRC, RTF, SCR, SH, SHB, SHS, SRC, SWF, SYS, VB?, VXD, WBK, XL?,
4 Additional information
------------------------
The following suggestions may require the use of the Registry Editor
(REGEDT32.EXE). Microsoft have issued the following warning with respect to
the Registry Editor:
"Using Registry Editor incorrectly can cause serious, system-wide
problems that may require you to re-install Windows NT to correct
them. Microsoft cannot guarantee that any problems resulting from
the use of Registry Editor can be solved. Use this tool at your own
risk."
a) System requirements
This version of Sophos Anti-Virus for Windows NT/2000/XP requires Windows
NT 4.0 or later. It will not run on Windows NT 3.51.
b) Restarting after an InterCheck upgrade
If the InterCheck driver is upgraded as part of an upgrade from a previous
version of Sophos Anti-Virus for Windows NT/2000/XP, the new InterCheck
driver is not activated until the system is restarted. Restarting your
system immediately after the upgrade is not necessary. InterCheck will
continue to operate correctly, and the new features will be activated the
next time the system is restarted.
c) Setup
'SETUP /UPDATE' has priority over workstation installations,
i.e. 'SETUP /UPDATE' will not fail because a workstation is in the process
of establishing the need to upgrade or is in the process of upgrading.
Several command line qualifiers have been added to the setup program:
-a non-interactive install
-updaccount=domain\username\password update account info
-ni non-interactive setup
-in invisible setup program
-inl invisible loader
Running Setup in a terminal client session:
If you want to run Setup in a terminal client session, you must ensure that
no other instance of Setup is running in any session.
d) 'Terminal Server' and 'Citrix MetaFrame'
If you are running Terminal Server or Citrix MetaFrame, you can run the
Sophos Anti-Virus window and InterCheck Monitor in a terminal client
window. Only one user at a time can run Sophos Anti-Virus, and that user
must be logged in with Administrator rights.
SAV Interface applications running in a terminal client session are
correctly suspended and restarted by the Sophos Anti-Virus setup program.
e) Messaging sub-system
It is possible to inhibit the display of a desktop message issued by the
InterCheck Client as it shuts down. To do this add the following value to
the registry:
Key: HLM\SOFTWARE\Sophos\SweepNT\SMMs\Desktop.smm
Value Name: Shutdown Message Action
Type: REG_DWORD
Data: 0x0000000F
It is possible to force the SMTP SMM to send its reports as MIME-encoded
attachments. To do this add the following value to the registry:
Key: HLM\SOFTWARE\Sophos\SweepNT\SMMs\SMTP.smm
Value Name: Mime Encode
Type: REG_DWORD
Data: 0x00000001
Files in off-line storage are reported. To suppress these messages add the
following value to the registry:
Key: HLM\SOFTWARE\Sophos\ADVANCED
Value Name: REPORT_OFF_LINE_FILES
Type: REG_DWORD
Data: 0x00000000
Encrypted files are reported. To suppress these messages add the following
value to the registry:
Key: HLM\SOFTWARE\Sophos\ADVANCED
Value Name: REPORT_PASSWORD_ENCRYPTED
Type: REG_DWORD
Data: 0x00000000
f) Interaction with files held in off-line storage
By default, during immediate and scheduled scans, Sophos Anti-Virus will
not retrieve files marked as being held in off-line storage for scanning.
This default behaviour can be over-ridden by setting the following value in
the registry:
Key: HLM\Software\Sophos\ADVANCED\
Value Name: SCAN_FILES_IN_HSM
Type: REG_DWORD
Data: 0x00000001
By default, during immediate and scheduled scans, Sophos Anti-Virus will
reset a file's last accessed time. This default behaviour can be over-
ridden by setting the following value in the registry:
Key: HLM\Software\Sophos\ADVANCED\
Value Name: RESET_LAST_ACCESSED_TIME
Type: REG_DWORD
Data: 0x00000000
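
The overrides in sections 4e and 4f, as an added example that is not part of the Sophos release notes: a read-only audit showing which of the four `ADVANCED` values have been moved off their documented default, since two of them suppress scanner reports. It assumes "HLM" in the notes means HKEY_LOCAL_MACHINE and PowerShell 3.0 or later; the function and variable names are hypothetical.

```powershell
# Added example, not from the Sophos release notes. Read-only: it changes nothing.
# Assumption: "HLM" in the notes is HKEY_LOCAL_MACHINE (HKLM: in PowerShell).

$AdvancedKey = 'HKLM:\SOFTWARE\Sophos\ADVANCED'

# Value names and override data exactly as given in sections 4e and 4f.
$Documented = @(
    @{ Name = 'REPORT_OFF_LINE_FILES';     Override = 0; Effect = 'off-line file reports suppressed' }
    @{ Name = 'REPORT_PASSWORD_ENCRYPTED'; Override = 0; Effect = 'encrypted file reports suppressed' }
    @{ Name = 'SCAN_FILES_IN_HSM';         Override = 1; Effect = 'off-line files retrieved for scanning' }
    @{ Name = 'RESET_LAST_ACCESSED_TIME';  Override = 0; Effect = 'last accessed time not reset after a scan' }
)

function Get-SophosAdvancedAudit {
    param([string]$Key = $AdvancedKey)

    # $props is $null when the key does not exist; every value is then at its default.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($d in $Documented) {
        $present = ($null -ne $props) -and ($props.PSObject.Properties.Name -contains $d.Name)
        $data    = if ($present) { $props.($d.Name) } else { $null }
        $changed = $present -and ($data -eq $d.Override)

        [pscustomobject]@{
            ValueName  = $d.Name
            Data       = $data          # empty when the value is absent
            Overridden = $changed
            Effect     = if ($changed) { $d.Effect } else { 'documented default' }
        }
    }
}

Get-SophosAdvancedAudit | Format-Table -AutoSize
```

A row with `Overridden` true for `REPORT_PASSWORD_ENCRYPTED` or `REPORT_OFF_LINE_FILES` means files the scanner could not examine are no longer being reported.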
g) Log file handling
The log file may become very large. It is not possible to delete SWEEP.LOG
while the service is running. However, if the location of SWEEP.LOG file is
changed the original can then be deleted.
h) SNMP Notification
There is a messaging module for SNMP trap generation. Four types of traps
are possible. They are assigned OIDs (object identifiers) as follows:
1.3.6.1.4.1.2604.2.1.1.1.1 Virus warning
1.3.6.1.4.1.2604.2.1.1.1.2 Error message
1.3.6.1.4.1.2604.2.1.1.1.3 Informational message
1.3.6.1.4.1.2604.2.1.1.1.4 Test trap
Each trap carries a SAV version string and an informational string giving
the nature of the alert.
Data are assigned OIDs as follows:
1.3.6.1.4.1.2604.2.1.1.2.1.1 Virus warning text
1.3.6.1.4.1.2604.2.1.1.2.1.2 Error message text
1.3.6.1.4.1.2604.2.1.1.2.1.3 Informational message text
1.3.6.1.4.1.2604.2.1.1.2.1.4 Test trap string
1.3.6.1.4.1.2604.2.1.1.2.2 Version string
Note: it is impossible to remotely query the Management Information Base.
The data is only available from the contents of the trap.
i) Virus information
When requesting information on viruses, users are directed towards the
Sophos web site for the most accurate up to date information.
5 Information from previous versions
------------------------------------
November 2004 (3.87)
* Improved Zip file handling
* An improvement has been made to address the situation where an application
attempts to shut down Windows during a Sophos Anti-Virus update. This
attempt is now prevented so that the update can complete successfully.
* If SAV32CLI is running when the Sophos Anti-Virus setup program begins,
SAV32CLI is now automatically shut down to prevent it from causing the setup
program to hang.
* A fix has been made to the setup program. If a central installation
directory is created on a server, then when Sophos Anti-Virus is installed
on a workstation, by default only "InterCheck Client" (and not "InterCheck
Server") is selected for installation.
* A very minor change has been made to the configuration dialog box. If "Scan
mailboxes" is deselected, "Disinfect mailboxes" is disabled.
* The on-access scanner includes a fix for a problem with saving Microsoft
Office documents to NetWare shares. The problem occurred when the scanner
was set to scan files "on write".
You must reboot after updating Sophos Anti-Virus to this version, to enable
this change to become effective. This applies to automatic updating as well.
After updating Sophos Anti-Virus, if you experience performance degradation,
or errors are reported when you try to save Excel spreadsheets to Windows
shares, follow the workaround detailed in section 6g.
October 2004 (3.86)
* The filename extension .MD? has been removed from the list of file types
scanned by default.
* A fix has been made to address a problem whereby the version of Sophos
Anti-Virus was recorded in the Windows registry as 0.0.0, causing SAVAdmin
to report the computer as having Sophos Anti-Virus version 0.0.0 installed.
The registry and SAVAdmin should now correctly report 3.86.2 as the version.
* Version numbering
Formerly the version number of the virus data was used as the overall
product version number of Sophos Anti-Virus. For example:
Product version: 3.85, September 2004
There is now a distinct overall product version number, so the virus data
can be updated without altering the product version number. For example:
Product version: 3.86.0
Virus data version: 3.86, October 2004
* Improved Outlook Express handling
* Fix for SMTP email alerts
A fix has been made to address a problem that occurred when changing the
name of a Windows computer that didn't have Client for Microsoft Networks
installed. Previously this caused the wrong computer name to be used as the
subject of SMTP email alerts.
* A fix has been made to the setup program so that when it is run with the
command line qualifier "config=4" (don't restart the service on setup
completion), SAV Interface is correctly re-registered on completion.
* If you downgrade the on-access scanner to an earlier version, an improvement
made to the setup program minimises the chance of an incompatibility between
the version already installed and the downgrade version.
* A fix has been made to the setup program to fix a problem whereby Windows
Security Console in Windows XP occasionally did not correctly represent the
installation status of Sophos Anti-Virus.
* On-access scanning of Citrix client drive mappings
If users of Citrix Metaframe have local drives mapped within a session,
these drives are now scanned by the server's copy of Sophos Anti-Virus. This
means you don't have to have Sophos Anti-Virus installed on the client
computer.
* Fix for a possible problem with interaction between SAV Interface objects
and the setup program, which can cause the setup program to fail in rare
circumstances.
* Fix for problem with locked DLLs affecting setup program
Occasionally, the setup program was unable to run successfully because of
locked DLLs. Changes have been made to the setup program and Sophos
Anti-Virus to reduce the chance of this happening.
September 2004 (3.85)
* Improved PDF, RAR and HTML file handling
* Improved Access database scanning
* When the "bypass traverse checking" user right is removed, Sophos Anti-Virus
still functions correctly on Windows XP.
* The Exclusion list can now contain up to 126 entries.
* Improved on-access scanner
The on-access scanner includes a fix to address a performance degradation
when scanning infected files across a network. This issue only affects users
of Windows XP Service Pack 2.
The on-access scanner also includes a fix for a problem that may be
encountered during logoff when roaming profiles are stored on a NetApp
filer. The error has been seen in (but may not be limited to)
Data ONTAP 6.4.3 and 6.4.4R1 versions of NetApp. It occurs only on
Windows XP workstations running a specific Microsoft Redirector Hotfix
(KB321936), and when the on-access scanner is set to scan "on write".
You must reboot after updating Sophos Anti-Virus to this version, to enable
these changes to become effective. This applies to automatic updating as
well.
6 Known problems
----------------
a) NetWare server and Windows 2000 workstation
This problem affects only the running of the setup /update program on
Windows 2000 computers when the Central Installation Directory is based on
a NetWare server.
When it is necessary to place a new IDE file in a Central Installation
Directory (CID) based on a NetWare Server and to run setup /update on a
Windows 2000 workstation, the following command line should be used instead
of the documented command:
setup /update /srcpath=\\netwareserver\cidpath
where \\netwareserver\cidpath is the full UNC path to the CID.
b) SAV32CLI and Setup
If SAV32CLI is running when Setup is started, Setup will fail. To work
around this, close SAV32CLI before running Setup.
c) InterCheck server and Windows 2000
InterCheck server is selected by default on Windows 2000 installations. It
should be deselected during installation when not required.
d) If it is necessary to install InterCheck Server on the terminal server,
InterCheck Client should also be installed. Subsequent installations of
InterCheck Server will not require InterCheck Client to be installed at the
same time.
e) Sophos Anti-Virus update on Windows XP
On a single Windows XP computer that has not been in a Windows domain, if
you try to install, or update to, this version of Sophos Anti-Virus,
installation or update does not succeed if all the following conditions are
met:
* A user is running the September 2003 (3.73) version or earlier of Sophos
Anti-Virus and/or InterCheck Monitor.
* While this user is logged on, a second user logs on to the computer.
* The second user installs this version of Sophos Anti-Virus, or updates
Sophos Anti-Virus from the September 2003 (3.73) version or earlier to
this version.
In this case, when the setup program starts copying installation files, it
displays the following message:
"Error creating file C:\Program Files\Sophos SWEEP for NT\SHRDRES.DLL"
Click 'Abort'. The setup program displays the following message:
"Sophos Setup could not complete this installation."
Click 'Exit'.
To enable installation or update to succeed, do as follows: for all users
on the computer that are running the September 2003 (3.73) version or
earlier of Sophos Anti-Virus and/or InterCheck Monitor, close Sophos Anti-
Virus and/or InterCheck Monitor. Then continue with installation or update.
f) If a non-interactive setup is started on the terminal server while the
Sophos Anti-Virus window or InterCheck Monitor is running in a terminal
client session, Setup may freeze or fail to re-run the Sophos Anti-Virus
window or InterCheck Monitor on setup completion. Setup will have completed
the update, so the user can close Setup via Task Manager, and/or manually
open the Sophos Anti-Virus window or InterCheck Monitor.
g) If you are using Windows 2000 or later, and you configure the on-access
scanner to scan files "on write", you may experience slowness when saving
Microsoft Office documents to Windows network shares. To work around this
problem, you should turn off client-side caching in Windows. This can be
done in one of two ways:
* Disable opportunistic locking on the workstation.
* Disable opportunistic locking on the server where the share is located.
For details on how to do this, see Microsoft knowledge base article 296264:
"Configuring Opportunistic Locking in Windows"
(http://support.microsoft.com/default.aspx?scid=kb;en-us;296264).
You must reboot the computer to enable these changes to become effective.
7 Troubleshooting
-----------------
a) Errors accessing network shares from remote computers
After installing Sophos Anti-Virus for Windows NT/2000/XP, you may
encounter difficulties accessing network shares from remote computers. You
may also receive one of the following error messages:
"Not enough server storage is available to process this command."
"Not enough memory to complete transaction. Close some applications
and retry."
Additionally, the Windows NT server may log one or both of the following
event messages in the system log:
Event ID : 2011
Source : Srv
Description : The server's configuration parameter "IRPStackSize"
is too small for the server to use a local device. Please increase
the value of this parameter.
Event ID : 0
Source : Srv
Description : Description for Event ID 0 could not be found. It
contains the insertion string \device\LanManServer.
This is a restriction imposed by the default Windows NT server
configuration. The following registry entry is required to solve the
problem.
Key: HLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
Value Name: IrpStackSize
Type: REG_DWORD
Data: 0x6
You can use REGEDT32 to modify or create this entry in the registry. You
will need to restart the system before the change will take effect. If you
still experience problems, a larger value can be selected. The valid range
for this parameter is 0x1 to 0xC (1 to 12). Please see the Microsoft
knowledge base article ID Q198386 for further information.
b) SWEEP for Windows NT Update service
To function correctly, the auto-update service must be installed as the
'LocalSystem' account and have 'Allow Service to Interact with Desktop'
selected.
c) InterCheck logging
For InterCheck logging to work correctly, the SWEEP for Windows NT Network
Service must use an account that is able to see the InterCheck Server
share. This may not be the case if the auto-update option was not selected
during installation.
If InterCheck logging fails to work correctly, a suitable account may be
selected as follows:
* Go to Control Panel|Services.
* Select the SWEEP for Windows NT Network Service.
* Click the 'Startup...' button.
* Under 'Log on As:', select the field 'This Account'.
* Enter an account in the form DOMAIN\User with access to the relevant
InterCheck Server share.
* Fill in the password field as appropriate.
* Click 'OK' to confirm the change.
* Stop and then restart the service.
d) Terminal services
To function correctly, the user must be running the Sophos Anti-Virus
window and InterCheck Monitor as terminal clients or on the console, with
administrator rights.
8 Compatibility issues
----------------------
a) Banyan VINES support
Please note that InterCheck will not check files on remote Banyan VINES
drives unless the Banyan VINES network support was started at start up.
b) PATHWORKS Version 4 server
Windows NT clients which use a PATHWORKS 4 server for the central
installation directory may repeatedly auto-update. This problem only occurs
on PATHWORKS 4, not on later PATHWORKS versions.
c) Bay Networks (Performance Technologies) Instant Internet
A conflict between the version of the WinSock client installed by the
Instant Internet application and the Sophos SMTP.SMM module can lead to the
Sophos Anti-Virus service not starting or stopping correctly.
As a work-around, add the following value to the registry.
Key: HLM\Software\Sophos\SweepNT\SMMS\SMTP\
Value Name: No Startup Check
Type: REG_DWORD
Data: 0x1
This work-around will prevent the SMTP module checking for the appropriate
network transport protocols during startup.