In this section

• Home
• Support
• Knowledgebase
• Articles

• Global support information
• Contact support
• Knowledgebase
• Virus disinfection
• Downloads and updates
• Documentation
• Software lifecycle
• Send a sample

• Global Support Services
• Technical Support
• Professional Services
• Technical Training

Endpoint Security and Control: upgrading from earlier versions of Sophos products

This article describes how to upgrade from EM Library version 1.1, SAVAdmin and Sophos Anti-Virus for Windows obsolete versions (version 4.1x and below) to Enterprise Console version 3, EM Library version 1.3 and Sophos Anti-Virus for Windows current versions. You can download the upgraded versions from the Sophos website.

Mac OS 8/9 users who have upgraded to OS X should follow the instructions in the Mac OS X upgrade article.

For earlier versions of the above products, do as follows:

• If you are running Enterprise Manager version 1.0x
  • read the advice about preserving your existing settings
  • uninstall that version of Enterprise Manager
  • uninstall your old versions of Sophos Anti-Virus
  • install the new ones using the network startup guide.
• If you are running only SAVAdmin
  • read the advice about preserving your existing settings
  • uninstall your old versions of Sophos Anti-Virus
  • install the new ones using the network startup guide.
• If you are using the Sophos Anti-Virus versions in maintenance without any of the above
  • uninstall your old versions of Sophos Anti-Virus
  • install the new ones using the network startup guide.
• If you use Remote Update on your network
  • uninstall it before installing the new versions of Sophos Anti-Virus
  • install the new versions using the network startup guide.

Note: Enterprise Console is best suited to Windows 2000 server or Windows 2003 server. It cannot be installed on any version of Windows NT.

What to do

Warning: On Windows 2000 server you will need to reboot during the upgrade.

Before you start

• Refer to the knowledgebase article on preserving your existing settings.
• Use the information in chapters 1 and 2 of the Sophos Anti-Virus network startup guide on planning your upgrade and on system requirements.
• Refer to the knowledgebase article on Sophos Client Firewall.

Monitoring the upgrade

• While you upgrade, you can monitor the progress of the Sophos Anti-Virus upgrade on your network with SAVAdmin, and later Enterprise Console.
• To access SAVAdmin once Enterprise Console has been installed, browse to C:\Program Files\Sophos\Enterprise Console\EMConsole\Console\Bin and double-click SAVAdmin.

1. Installing Enterprise Console

1. Log on as an administrator at the computer where EM Library 1.1 is installed.
2. Close all open Sophos applications, if any.
3. If you are using the Sophos Network Install CD:
   • Insert the CD. It should auto-run. (If it does not auto-run, browse to the CD and double-click Launchcd.exe.)
   • On the Welcome page, click 'Install'.
   Alternatively:
   • Download the 'Sophos Anti-Virus and Sophos Client Firewall Network Installer' from the Sophos website.
   • Run it.
   If you upgrade on Windows 2003, you may see a security warning saying that the publisher could not be verified. Click 'Run' to continue.
4. On the Welcome page of the Sophos Enterprise Console InstallShield Wizard, click 'Next'.
5. On the License Agreement page, read and accept the license terms to continue. Click 'Next'.
6. On the Destination Folder page, you see the folder where Enterprise Console will be installed. Click 'Next'.
7. On the Setup Type page, leave 'Complete' selected and click 'Next'.
8. On the Ready to Install page, click 'Install'.
9. If the computer is in a domain, and you are logged in as domain administrator, you will now see the Enterprise Console user group page where you can specify who can use Enterprise Console.
   • Select an existing global group or enter the name of a new global group.
   • Click 'Next'.
10. Click 'Finish' to exit the InstallShield wizard.
11. When upgrade is complete, you are prompted to log off or (on Windows 2000) restart. Click 'Yes' or 'Finish'.

You have now upgraded EM Library, and installed all Sophos Enterprise Console components: the management server, management console, and database.

Note: If you subsequently replace your file server, the replacement must have the same name and IP address, so that Enterprise Console can continue to manage your computers.

2. Upgrading EM Library

When you log on to the computer again as the same user, the EM Library console is displayed. You may need to click 'Next' to open the console.

Check to see if all of your libraries are visible in the console.

• Reconnecting to libraries
  If you do not see your existing library in the EM Library console tree (the library is shown as 'not connected') read the knowledgebase article that describes how to reconnect to it.
• Remote libraries
  Another knowledgebase article describes how to reconnect to remote libraries.
• Upgrading child libraries
  All child libraries should be upgraded in order to use the new versions of Sophos Anti-Virus and a frequent updates schedule. A knowledgebase article describes how to upgrade any remaining child libraries.
  Any child libraries dependent on a library with a Frequent updates schedule must be upgraded to version 1.3 before they are configured to download new packages from the parent library.

EM Library version 1.3 allows you to update every few minutes, instead of once an hour. Even if you want to retain your previous schedule, you should check that it is still active.

To move to a Frequent updates schedule:

1. If necessary, open the EM Library console.
2. Click 'Schedule Downloads'.
3. Highlight your schedule.
4. Click 'Edit schedule'.
5. Click the Schedule tab.
6. In the 'Schedule type' dropdown, select 'Frequent updates'.
7. Click 'OK'.
8. Click 'OK' again to confirm your schedule edits.

You can now install the new anti-virus and (if your license includes it) firewall software.

3. Downloading new anti-virus and firewall software

To install Sophos Anti-Virus version 6 and (if your license includes it) Sophos Client Firewall, you must change your EM Library downloads location (the 'primary parent') and subscribe to the relevant package. You can subscribe to the new versions of Sophos Anti-Virus for Windows 95/98/Me and Windows NT at the same time.

1. In the EM Library console tree, right-click 'EM Library' and select 'Properties'. A set of tabbed pages is displayed.
2. Select the 'Primary parent' tab. In the dropdown menu, select http://es-latest-2.sophos.com/update. This databank contains all of the packages that you will need. The download may take some time. If you receive an error message about the library being modified by another user or task, check that your details are correct, and re-enter them if necessary.
3. Click 'Apply', and then click 'OK'.
4. In the EM Library console tree, click 'EM Library'.
5. In the Configuration pane, click 'Select Packages'. EM Library will fetch the list of packages from the parent.
6. In the EM Library console tree, under EM Library, Packages, click 'Unsubscribed'.
7. In the list of software packages, highlight the 'Latest (SAV + IDEs)' version of the following package:
   • If your license includes Sophos Client Firewall, highlight 'Sophos endpoint security for Windows 2000/XP/2003 v6.0.'
   • If your license is for Sophos Anti-Virus without Sophos Client Firewall, highlight 'Sophos Anti-Virus for Windows 2000+ v6.*.'
   Sophos recommends that you subscribe to the 'Latest' packages. These automatically update your network with the latest version each month, as well as with new virus identity (IDE) files.
8. Right-click the selection to display a menu and select 'Subscribe'.
9. In the message box asking you to confirm the subscription, click 'Yes'.
10. In the message box asking you whether you want to add a central installation directory (CID) for this package, click 'Yes'. A wizard guides you through specifying a CID into which the software will be placed.
    • The default directory name for a CID with the Sophos Client Firewall is SAVSCFXP.
    • The default directory name for a CID with Sophos Anti-Virus version 6 only is ESXP.
    For more information about completing the wizard, see 'How do I download the software for new platforms?' in the EM Library help file and user manual.
11. Select and subscribe to any other packages, as described in steps 7-10 above:
    • For Windows 95/98/Me, highlight 'Sophos Anti-Virus for Windows 95/98/Me v4.6.*'.
    • For Windows NT, highlight 'Sophos Anti-Virus for Windows NT v4.6.*'.
    • Subscribe to any other necessary packages (e.g. for UNIX, Linux or NetWare)
    • To check which packages you are subscribed to, in the EM Library console tree, under EM Library, Packages, click 'Subscribed'.
12. In the EM Library console tree, click 'EM Library'. In the Configuration view, click 'Download Packages'.
13. In the message box asking you to confirm the download, click 'Yes'. The 'Updating packages from the parent' progress bar is displayed.

When downloading is complete, the 'Updating your central installations' progress bar is displayed. Both your old and new packages will have been updated. Any updates from your old packages will have been deployed to your network.

After your new packages have been downloaded from the parent and placed in your central installation directories (CIDs), you can pre-configure your anti-virus and firewall software and deploy it to your networked computers.

• If you have a remote management console you want to upgrade, read the knowledgebase article that details how to do this.

Now click 'Start Enterprise Console' in the Configuration view to open Enterprise Console.

4. Creating groups for your computers

Before you protect your computers, you must set up groups for them and establish anti-virus and updating policies for those groups.

The computers in a group use the same anti-virus and firewall settings, and update from the same location. You can mix operating systems within a group, provided that their policy settings are identical.

Groups can be used to place together computers with a particular configuration. Examples include:

• The servers on a network where Sophos Client Firewall is used on workstations.
• Exchange servers on which you do not want to run on-access scanning.

Creating groups:

1. To create a group, click 'Create group'.
2. Your group 'New Group' is added in the left-hand pane, with its name highlighted.
3. Type in the name you want to use for the group.

To create further groups, go to the left-hand pane and repeat this process.

Note: If you are using Sophos Client Firewall on your workstations, you must set up separate groups for your servers and workstations, e.g. 'servers' and 'users'.

• To create a second top level group, highlight your server's name and create a new group.
• You can also create subgroups within groups.

5. Setting up an updating policy

• You should set up your updating and anti-virus policies now.
• Do not set up a firewall policy until after you have installed your network.

A policy is a collection of settings that can be applied to all of the computers in one or more groups.

1. You can either edit the default policy or create a new policy.
   • To edit the default policy which has been applied to your new group, in the Policies pane (bottom left-hand side of the window), double-click 'Updating' and then double-click 'Default'.
   • To create a new policy, right-click 'Updating' and select 'Create policy'.
2. In the Updating policy dialog, select an operating system used by computers in that group, e.g. Windows 2000 and above. Click 'Configure'.
3. Click the 'Primary server' tab. In the Address field, click the drop-down arrow and select the directory from which computers will fetch updates, (e.g. \\Servername\InterChk\ESXP for Windows 2000 computers without the firewall).
   Enter the User name and Password for an account that
   • can run on the computers in the group
   • has read access to the address you have just entered.
   In a domain the 'User name' should be in the form domain\username.
   Computers that are not always on the network, e.g. laptops, can be configured to update from an alternative source such as the Sophos website, or from customized updates on your own website.
4. To apply the policy to your new groups:
   • If you edited the Default policy, it will be automatically applied to the new groups.
   • If you created a new policy, drag and drop the updating policy onto the group(s) you want to apply it to.
   Computers will not be updated unless a valid updating policy is applied to the group they are in.
5. If you are asked if you want to apply the policy to your group(s), click 'OK'.
6. Now set up policies for any other operating systems and apply them to the relevant groups.
7. Click 'Close'.

6. Setting up an anti-virus policy

When you first create a group, it uses the default anti-virus policy. This means that Sophos Anti-Virus will

• scan all files that are vulnerable to viruses
• deny access to any file that contains a virus
• display an alert on the desktop of any computer where a virus is found.

You can change this policy. For example, you could

• configure Sophos Anti-Virus to send email alerts when a virus is found
• turn off on-access scanning on Exchange servers, or on other servers where performance might be affected
• scan computers for potentially unwanted applications.

Note: If you turn off on-access scanning on a server, you should set up scheduled scans on that server.

To change the anti-virus policy, do as follows.

1. In the Policies pane, double-click 'Anti-virus'. Then do one of the following
   • Double-click 'Default' to edit the default policy.
   • Create a new policy. Right-click 'Anti-Virus' and select 'Create policy'.
2. The 'Anti-virus policy' dialog box is displayed. Here you can configure on-access and scheduled scanning, and set up alerts.
   For more information, see 'How do I change the anti-virus settings?' in the Enterprise Console help files or user manual.

You are recommend to also set up email alerts.

7. Search for computers on the network

You must search for computers on the network so that Enterprise Console can protect and manage them.

1. Click the drop-down arrow beside the Find icon in the toolbar.
2. Select the method you will use to search for computers on your network.
   • Where possible, Sophos recommends that you use Active Directory.
   • Otherwise, use 'Find computers on the network'.
3. You are prompted to enter a username and password. This is for computers (e.g. Windows XP Service Pack 2) that cannot be accessed without account details. You must use a domain administrator's account (with a user name in the form domain\user), or another account that has full administrative rights over the target computers.
4. In the 'Find computers' dialog box, select the domains or workgroups where you want to search for computers.
5. Click 'OK'.

The console searches for computers and adds them to the Unassigned folder.

8. Protect computers

Now you put the computers into groups and protect them.

Note: Do not yet install Sophos Client Firewall on to any of your workstations. Place them in the 'servers' group for now.

1. Click the Unassigned folder.
2. Select the computers you want and drag and drop them onto your chosen group in the Groups pane.
   • For the present, place any computers that will use Sophos Client Firewall in your 'servers' folder.
   • You can put computers with different operating systems in the same group (e.g. Windows XP and Windows Me workstations).
   • To select several computers at once, hold down the Control key and click the computer names.
3. A wizard is launched to help you install anti-virus software on the computers. (This will only happen once you have set an updating policy for your computers.)
4. In the Welcome dialog box, click 'Next'.
5. In the 'Select security software' dialog box, select the software you want. Leave 'Install Sophos Client Firewall' unselected for the present.
6. Click 'Next'.
7. In the 'Protection summary' dialog box, any problems with installation are shown in the Protection issues column. Common problems are
   • Automatic installation is not possible on that operating system. Perform a manual installation.
   • The operating system could not be determined. Check the username format that you used when searching for your computers.
   • The computers are running a firewall (this often happens on Windows XP SP2 computers).
   Click 'Next'.
8. In the 'Protect computers credentials' dialog box, enter details of an account that can be used to install software on the computers. This would usually be a domain administrator account. It must
   • have local administrator rights on computers you want to protect
   • be able to log on to the computer where you installed the management server
   • have read access to the 'Primary server' location you specified when you set up updating.
9. Click 'Finish'. Installation is staggered, so that the process may not be complete on all the computers for some time.
10. When installation is complete, look at the list of computers again. In the 'On-access column', you should see the word 'Active': this shows that the computer is running on-access virus scanning.

Repeat the above steps for each group of computers.

Notes:

• You will need to restart computers that access files on DFS (Windows 2000/XP) or via non-Microsoft file systems (Windows 2000), so that those files are scanned.
• In Sophos Anti-Virus version 4.1x, on-access scanning is disabled by default on servers. This policy may be carried over during the upgrade. If it is, right-click that server, and select 'Comply with' and 'Group Anti-virus policy'.

9. Computers that must be installed manually or with a script

Once all computers that can be installed automatically (this will usually be Windows NT/2000/XP/2003 computers) have been installed, you can upgrade your other computers.

While Windows NT/2000/XP/2003 computers will uninstall the old version of Sophos Anti-Virus automatically when installing the new one, on other operating systems the old version must be removed before the new one is installed.

Knowledgebase articles describe these processes:

• Scripted upgrading on Windows 95/98/Me computers
• Uninstalling old versions of Sophos Anti-Virus
• Manually installing Sophos Anti-Virus.

Note: If you used SAVAgent on your Windows 95/98/Me computers, either follow the scripted upgrade instructions mentioned above, or remove SAVAgent from those computers, and any line referring to it in your login script. If you do not do this, your old version of Sophos Anti-Virus may be reinstalled.

For instructions on performing maintenance tasks, see the 'Maintenance tasks' sections of the Sophos Anti-Virus and Sophos Client Firewall Network Startup Guide.

---

Installing the Sophos Client Firewall

Note: If you want to use Sophos Client Firewall, install it on only a few sample computers first. The firewall initially prevents network access and must be configured before you install it on all computers. For details, see the administrator rollout guidelines and section 12, 'Setting up firewall policies', of the Sophos Anti-Virus network upgrade guide.

• Sophos Client Firewall version 1.0 is designed to run on workstations connected to a LAN (local area network) or the internet. It should not be installed on a computer where EM Library is installed. You should include such computers in a separate Enterprise Console group and apply a separate firewall policy to the group, with the firewall disabled.
• You should include your servers in a separate Enterprise Console group and apply a separate firewall policy to the group, with the firewall disabled.

---

After the upgrade

Once you are satisfied that the upgrade has completed successfully, you can remove your old CIDs and products.

Removing EM Library packages
To remove your old EM Library packages:

1. Open the EM Library console.
2. In the EM Library console tree, select 'Central Installations'.
3. Right-click your old CIDs and select 'Delete'.
   These were probably:
   \\[servername]\InterChk\NTInst\i386
   \\[servername]\InterChk\W95Inst
4. In the EM Library console, on the Library menu, click 'Select Packages'.
5. Deselect the checkbox next to your old packages. These were probably:
   'Sophos Anti-Virus for Windows NT/2000/XP/2003' - any version
   'Sophos Anti-Virus for Windows 95/98/Me v4.1x'
6. Click 'Yes' when asked if you want to unsubscribe.
7. Click 'OK'.

Note: If you unsubscribe from your packages before you delete the CID, you will receive the following error message:

Warning: You have a package in use to which you are not currently subscribed. Click "Select Packages" and subscribe to it.

It this happens, delete the CID as described above. The error message should disappear.

Removing other files and programs

This is not strictly necessary, but will recover disk space.

• SAVAdmin
  If you used the copy of SAVAdmin in C:\Program Files\Sophos\Enterprise Console\EMConsole\Console\Bin, leave it alone. It is part of your Enterprise Console installation. Otherwise you can uninstall your old copy.
• Old CIDs on your server
  You can delete the files belonging to the old CIDs on your server. These are the folders and subfolders here:
  \\[server]\Program files\Sophos SWEEP for NT\NTInst\i386
  \\[server]\Program files\Sophos SWEEP for NT\W95Inst
  Do not delete any other folders.
• SAVAgent
  If you have not already done so, delete SAVAgent from your Windows 95/98/Me workstations.

If you need more information or guidance, then please contact technical support.

• Article ID: 16009
• Created: 3 Jul 2006
• Last updated: 17 Apr 2008

Rate this article Choose a rating Very useful Quite useful Moderately useful Not very useful Not useful at all

•  Read our search tips
• Contact one of our experts
• Suggest an improvement