Sophos Endpoint Security and Control: components and services

  • Article ID: 13029
  • Updated: 05 Sep 2014

This article describes the components that make up Endpoint Security and Control and the Windows services they use. Some run on the management server, some on the endpoint computers, and some on both.

Certain components are not available with older console versions (4.x); to use them you will need to upgrade your management server and/or your license.

For details of the logs written by the various components, see the following articles:
Server-side logs: Article 116523
Client-side logs: Article 43391

Known to apply to the following Sophos product(s) and version(s)

Sophos Endpoint Security and Control

Components

Server components

The following components are located on one or more servers.

Sophos Enterprise Console (SEC): The main management console. Use it to download software and threat detection data updates, and to set policies (updating, scanning and anti-virus configuration) for client computers. The console can be installed locally on the management server or on a separate computer (see 'remote console' below).
Sophos Management Database: Stores everything the management server needs: alerts, configuration options, the status of Sophos Anti-Virus on each computer, and computer lists. If the database is removed, all computer information is lost from the console. Different versions of the management server use different database names, and later versions may use more than one database (depending on which server components you install). For database names see article 17323.
Sophos Management Server: The main application. It coordinates database updates, software updates and messaging throughout the system. By default it is installed on the same server as Enterprise Console, but it can be installed on its own, with Enterprise Console on any computer that can connect to it. That installation of Enterprise Console is called a 'remote console'.
Remote Management System (RMS): The communications channel between the server and the client computers that allows them to be centrally managed. The RMS installation on the server (and on any message relay server) is the same as on an endpoint, except that certain registry values are increased to handle the higher message volume.
Sophos Update Manager (SUM): Downloads software and threat detection data from Sophos and distributes it to the update locations on your network.

Endpoint components

The following components are located on the endpoint computers (clients/workstations). Some of them can also be installed on the server.

Sophos Anti-Virus (SAV): Scans files for viruses, suspicious files and behaviour, spyware, adware and unauthorized software. Sophos Anti-Virus provides all the detection, disinfection and reporting features on the workstation.
Sophos AutoUpdate (SAU): Keeps endpoint components, including IDE (IDEntity) threat detection files and AutoUpdate itself, up to date whenever newer versions are available. It also downloads when the local AutoUpdate cache is incomplete or the catalogue in the distribution share has changed.
Remote Management System (RMS): On endpoint computers, RMS receives messages from the server (or message relay) and routes them to the other components for action. It also sends messages back to the server about the health and configuration of the endpoint installation.
Sophos Client Firewall (SCF): Blocks unauthorized inbound and outbound network traffic on the endpoint, which limits exposure to network-borne threats and intrusion attempts. Note: The client firewall is for endpoint computers only and cannot be installed on servers. There is currently no server-side firewall component.
Sophos Application Control (SAC): Lets you block specified legitimate consumer applications from running on workplace computers.
Sophos Device Control: Lets you manage the use of storage devices and network interfaces connected to endpoint computers. For more information see article 64174.
Sophos Data Control: Can be configured to monitor file types, names or content when a user copies (transfers) or uploads files to another computer or device.
Sophos Patch Agent (Patch): Assesses the endpoint for missing patches and reports the results to the management server, so that the console can prioritize the most critical patches by the threats they address.
Sophos Encryption Agent: Provides full-disk encryption so that only authorized users can access the data on a computer. If a computer (e.g. a laptop) is lost, the data on it, including your customers' data, remains protected.

Services

A number of services are used on both the server and on endpoint computers. The following lists the services, together with the filename (process name) of each and their dependencies.

Server services

The following services run on the server.

Note: Additional Sophos services will be shown on your server if you have chosen to install endpoint components.  See the endpoint section for further details.

Sophos Agent (ManagementAgentNT.exe): Manages the Sophos Anti-Virus installation on the computer it runs on. It sends messages to, and receives messages from, the Sophos Management Service via the Remote Management System.
Sophos Certification Manager (CertificationManagerServiceNT.exe): Issues certificates to client computers. The certificates are used to digitally sign messages so that traffic between Sophos Message Routers can be verified as genuine. When a client computer becomes managed, it requests a certificate from the Sophos Certification Manager.
Sophos Management Host (Sophos.FrontEnd.Service.exe): Hosts Sophos management components.
Sophos Management Service (MgntSvc.exe): Tracks the status of the system, sending information via the Remote Management System. Network computers send information about themselves to the Sophos Management Service, which records it in the database. The Management Service also sends instructions to network computers, for example to update, install or change their configuration.
  Dependencies: RPC service.
Sophos Message Router (RouterNT.exe): Provides communication between the various components. Its main purpose is to send and receive information between the server and managed computers; it queues messages if the network goes down. The Message Router also runs on client computers.
Sophos Patch Endpoint Communicator (PatchEndpointCommunicator.exe): Receives assessment results from endpoint patch agents.
  Dependencies: Message Queuing.
Sophos Patch Endpoint Orchestrator (PatchEndpointOrchestrator.exe): Processes endpoint reports of missing patches.
  Dependencies: Message Queuing.
Sophos Patch Server Communicator (PatchServerCommunicator.exe): Provides patch assessment results to the Enterprise Console.
Sophos Update Manager (SUMService.exe): Manages the download and distribution of software and threat detection data from Sophos.
  Dependencies: RPC service.
SQLServer(SOPHOS) (Sqlservr.exe -s SOPHOS): Microsoft SQL Server instance named SOPHOS. Provides storage, processing and controlled access to the management database.
SQLAgent$SOPHOS (Sqlagent.exe -i SOPHOS): Microsoft SQL Server Agent for the SOPHOS instance. Runs scheduled jobs and alerts for the instance that holds the management database.
  Dependencies: SQLServer(SOPHOS).
Message Queuing (Mqsvc.exe): Microsoft Message Queuing (MSMQ). Provides a messaging infrastructure for distributed applications on Windows networks. Required only if you have installed the patch server components.
  Dependencies: Message Queuing Access Control, RPC, Windows Event Log.

Endpoint services

The following services run on the endpoint computer.

Sophos Agent (ManagementAgentNT.exe): Provides the interface between Sophos Anti-Virus (SAV) and the local message router. It sends SAV messages to the server and receives SAV configuration from the server through the Remote Management System.
Sophos Anti-Virus (SAVService.exe): Starts and runs the anti-virus components, including the on-access scanner.
  Dependencies: RPC service.
Sophos Anti-Virus status reporter (SAVAdminService.exe): Where available, reports the state of Sophos Anti-Virus to the Windows Security Center (WSC). On computers without WSC the service runs but does nothing.
Sophos AutoUpdate Service (ALSvc.exe): Monitors a distribution folder (share) and updates endpoint components, including IDE (IDEntity) threat detection files, whenever newer versions are available. It also downloads when the local AutoUpdate cache is incomplete or the catalogue in the share has changed.
Sophos Cleanup Service (SophosBootTasks.exe): Performs advanced cleanup at boot. This is a temporary service that is installed and run on demand and removed once it has completed. It writes the log SophosBootTasks.txt.
Sophos Client Firewall (SCFService.exe): Protects the computer against unauthorized network traffic.
  Dependencies: RPC service, Sophos Client Firewall Manager.
Sophos Client Firewall Manager (SCFManager.exe): Controls security rights and access to the firewall configuration options.
  Dependencies: RPC service.
Sophos Compliance Agent API (AgentAPI.exe): Provides Sophos Compliance Agent detection capabilities.
  Dependencies: RPC service.
Sophos Device Control Service (Sdcservice.exe): Performs device control functions, such as detecting and blocking unauthorized USB devices attached to the computer.
  Dependencies: RPC service.
Sophos Message Router (RouterNT.exe): Provides communication between the various components. Its main purpose is to send and receive information between the server and managed computers; it queues messages if the network goes down.
Sophos Patch Agent (Spa.exe): Provides support for Sophos Patch management.
  Dependencies: RPC service.
Sophos Web Control Service (Swc_service.exe): Manages Web Control policies.
  Dependencies: RPC service.
Sophos Web Intelligence Service (Swi_service.exe): Protects against threats from malicious websites.
Sophos Web Intelligence Update (Swi_update_64.exe): Reconfigures the Sophos Web Intelligence components.
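The service tables above are most useful when you can check them against a live computer. The following script is an added example, not code from this article or from Sophos: it takes the service display names listed in the server and endpoint tables, confirms each one is installed and running, checks that the services it depends on (the "Dependencies" entries) are running, and verifies that the service binary carries a valid Authenticode signature, which is a quick way to spot a stopped, tampered or half-uninstalled protection stack during an incident. It assumes the display names on the computer match those in this article (the `$core` and `$optional` lists, the `Get-ServiceExePath` and `Test-SophosService` helper names and the `-Role` parameter are all this example's own) and must be run from an elevated PowerShell session.

```powershell
# Added example; not code from the original article or from Sophos.
# Checks the Sophos services named in this article on the local computer:
# present, running, dependencies running, and service binary carrying a
# valid Authenticode signature. Run from an elevated PowerShell session.
# Usage:  .\Check-SophosServices.ps1 -Role Endpoint   (or -Role Server)
param(
    [ValidateSet('Endpoint', 'Server')]
    [string]$Role = 'Endpoint'
)

# Core service display names taken from the article's tables (assumed to match
# the names on your computer). The optional list holds services that only exist
# when the matching component is installed: they are reported if present, but
# their absence is not treated as a failure.
$core = @{
    Server   = @('Sophos Agent', 'Sophos Certification Manager', 'Sophos Management Host',
                 'Sophos Management Service', 'Sophos Message Router', 'Sophos Update Manager',
                 'SQLServer(SOPHOS)', 'SQLAgent$SOPHOS')
    Endpoint = @('Sophos Agent', 'Sophos Anti-Virus', 'Sophos Anti-Virus status reporter',
                 'Sophos AutoUpdate Service', 'Sophos Message Router')
}
$optional = @('Sophos Client Firewall', 'Sophos Client Firewall Manager', 'Sophos Compliance Agent API',
              'Sophos Device Control Service', 'Sophos Patch Agent', 'Sophos Web Control Service',
              'Sophos Web Intelligence Service', 'Sophos Patch Endpoint Communicator',
              'Sophos Patch Endpoint Orchestrator', 'Sophos Patch Server Communicator', 'Message Queuing')

# Win32_Service.PathName looks like  "C:\...\Sqlservr.exe" -s SOPHOS  or  C:\...\RouterNT.exe
# Return just the executable so that it can be signature-checked.
function Get-ServiceExePath {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-SophosService {
    param([string]$DisplayName, [bool]$Required)
    $escaped = $DisplayName -replace "'", "''"
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName = '$escaped'"
    if (-not $svc) {
        if (-not $Required) { return $null }
        return [pscustomobject]@{
            Service   = $DisplayName
            Process   = ''
            Status    = 'MISSING'
            StartMode = ''
            Signed    = $false
            Required  = $true
            Detail    = 'core service not installed'
        }
    }
    $exe = Get-ServiceExePath $svc.PathName
    $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    # The SCM's dependency list corresponds to the "Dependencies" entries above.
    $downDeps = (Get-Service -Name $svc.Name).ServicesDependedOn |
                Where-Object { $_.Status -ne 'Running' } | ForEach-Object { $_.Name }
    $detail = ''
    if ($downDeps) { $detail = "dependency not running: $($downDeps -join ', ')" }
    if ($sig -and $sig.Status -ne 'Valid') { $detail = "$detail signature: $($sig.Status)".Trim() }
    [pscustomobject]@{
        Service   = $DisplayName
        Process   = [System.IO.Path]::GetFileName($exe)
        Status    = $svc.State
        StartMode = $svc.StartMode
        Signed    = [bool]($sig -and $sig.Status -eq 'Valid')
        Required  = $Required
        Detail    = $detail
    }
}

$results = @(foreach ($name in $core[$Role]) { Test-SophosService $name $true })
$results += @(foreach ($name in $optional)   { Test-SophosService $name $false })
$results = @($results | Where-Object { $_ })
$results | Format-Table Service, Process, Status, StartMode, Signed, Detail -AutoSize

# Exit non-zero when a core service is missing, not running or unsigned, so the
# script can be used from a scheduled task or a remote health check.
$failed = $results | Where-Object { $_.Required -and ($_.Status -ne 'Running' -or -not $_.Signed) }
if ($failed) { exit 1 }
```

Run it with `-Role Server` on the management server and `-Role Endpoint` on a workstation. A core service showing `MISSING` or `Stopped`, or a service whose binary is reported as unsigned, is worth investigating before trusting anything the console reports about that computer; an optional service that is present but stopped (for example the on-demand Sophos Cleanup Service) is listed for information and does not fail the check.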

Can I use all of the components listed above?

Availability of components is controlled by your Sophos Update Manager subscription, and the subscriptions available to you are in turn controlled by your Sophos license. Further information, product trials and license upgrades are available from Sophos.

If you need more information or guidance, then please contact technical support.
