This article provides an overview of the Sophos for Virtual Environments product and answers some frequently asked questions.
Applies to the following Sophos products and versions: Sophos for Virtual Environments
Sophos for Virtual Environments provides an off-box anti-malware scanning solution for Microsoft Hyper-V and VMware ESXi virtualization platforms. The product reduces the performance overhead on Guest Virtual Machines (GVMs) by performing off-box scanning on a centralized Sophos Security Virtual Machine (SVM).
You can manage Sophos for Virtual Environments either via Sophos Central (recommended) or Sophos Enterprise Console (on premise).
Sophos for Virtual Environments is currently included in all Sophos Server Protection licenses. If you have a Server Protection license, you can download and install the product. If you have any questions about licensing entitlement, we recommend you contact your Account Manager. If your license includes Sophos for Virtual Environments, you can download the installers by following the processes outlined below, depending on your management console. We recommend that you follow the Sophos for Virtual Environments Startup Guide throughout this process.
Log into the Sophos Central Admin console and select Protect Devices from the left-hand menu. Then, choose the relevant SVM installer for your hypervisor from the Virtual Environment Protection box. The SVM installer will guide you through the installation process and provide details of the guest agent to be installed on each guest virtual machine.
Log into mySophos with your Sophos ID and download the SVM installer for your hypervisor from the Endpoint and Server protection section.
Additional Notes for Sophos Enterprise Console customers:
Sophos for Virtual Environments comprises two components: the Security Virtual Machine (SVM) and a thin agent on the Guest Virtual Machine (GVM). Please find below the supported platforms for both of these components:
The Sophos Security VM (SVM) supports the following hypervisors:
Note. Installations onto ESXi servers must be completed within a VMware vCenter environment. Installation directly onto standalone ESXi is not currently supported.
Note. Hyper-V servers are supported in both standalone and server-role configurations.
The Sophos Guest VM Agent supports the following operating systems:
* Installing on a Windows Server that is hosting Microsoft Exchange Server 2016 currently requires some changes to be made, as documented in Sophos for Virtual Environments - Installation of the Guest VM Agent May hang on Windows Servers running Exchange.
^ Installing on Windows 7 SP1 and Windows Server 2008 R2 SP1 requires the following patches to be installed:
More details about these patches can be found at Sophos for Virtual Environments - Guest VM agent install fails with 'CustomAction SetScanningServiceSidToDriverRegistry returned actual error code 1603'
System requirements are documented in the Sophos for Virtual Environments Startup Guide.
Sophos Antivirus for vShield is no longer available for new deployments as it was retired on 30 March 2018 (see Sophos Antivirus for vShield: Product Retirement March 2018). Customers still using SAV for vShield should transition to an alternative solution. A migration process is published in the Sophos for Virtual Environments Startup Guide. In order to continue protecting the Guest VMs you will need to uninstall Sophos Antivirus for vShield from your estate and then install either Sophos for Virtual Environments or Windows Server Protection.
Sophos for Virtual Environments is a full anti-virus, anti-malware and anti-spyware product, so there should be no need to run third-party antivirus alongside it, including Windows Defender. Running third-party antivirus alongside Sophos for Virtual Environments may result in unexpected behaviour and degraded performance for the end user. Running alongside third-party antivirus software, and any resulting interactions with it, is not supported.
Once you have installed the Security Virtual Machine (SVM) and the Sophos Guest Agent on each guest VM, your machines should be protected by Sophos for Virtual Environments. You can check this by following the steps below depending on your management console:
Log into Sophos Central and select Server Protection. Select Servers from the left-hand menu and then choose the relevant SVM from the list.
The SVM will state the number of Connected Guest VMs. Click the number to view details of the connected guest VMs. The guest VM details are searchable by machine name and can also be filtered to show Servers or Desktops.
To see the list of protected GVMs, navigate to the ProtectedGVMs.log file on the SVM. When prompted, enter the username sophos and the Support password that you specified during the SVM installation wizard:
\\<SVM IP ADDRESS>\logs\ProtectedGVMs.log
Note. Please replace <SVM IP ADDRESS> with the static IP address of the primary SVM network card specified during the installation.
This file lists all Guest Virtual Machines currently protected by the SVM, as well as the last time this list was repopulated.
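The following PowerShell script is an added example, not Sophos-provided code. It opens the SVM logs share with the sophos account described above and reports which guest VMs from your own inventory do not appear in ProtectedGVMs.log. The parameter names, the `SvmLogs` drive name and the assumption that each protected guest appears by name in the log text are illustrative.

```powershell
# Added example: report expected guest VMs that are absent from ProtectedGVMs.log.
# -SvmIp and -ExpectedGvms are hypothetical parameter names for this sketch.
param(
    [Parameter(Mandatory)] [string]   $SvmIp,        # static IP of the primary SVM network card
    [Parameter(Mandatory)] [string[]] $ExpectedGvms  # guest VM names you expect to be protected
)

# User name "sophos" plus the Support password chosen in the SVM installation wizard.
$cred = Get-Credential -UserName 'sophos' -Message 'Enter the SVM Support password'

# Map the share for this session only, so the credential is not stored on the machine.
New-PSDrive -Name SvmLogs -PSProvider FileSystem -Root "\\$SvmIp\logs" `
    -Credential $cred -ErrorAction Stop | Out-Null
try {
    $logPath = 'SvmLogs:\ProtectedGVMs.log'
    $log     = Get-Content -Path $logPath -ErrorAction Stop
    $written = (Get-Item -Path $logPath).LastWriteTime

    foreach ($gvm in $ExpectedGvms) {
        # Assumption: a protected guest is listed by name somewhere in the log.
        # The pattern requires a whole-name match so "web1" does not match "web10".
        $pattern = '(^|[^\w-])' + [regex]::Escape($gvm) + '([^\w-]|$)'
        $listed  = [bool]($log -match $pattern)   # -match is case-insensitive

        [pscustomobject]@{
            GuestVM        = $gvm
            ListedInLog    = $listed
            LogLastWritten = $written
        }
    }
}
finally {
    # Always drop the mapped drive, even if the log could not be read.
    Remove-PSDrive -Name SvmLogs -ErrorAction SilentlyContinue
}
```

Guests reported with `ListedInLog` set to `False` are the ones to investigate. An old `LogLastWritten` value suggests the list itself is stale.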
Further information is provided in Information on installing Sophos products alongside a competitor's software - Information on installing Sophos products alongside another vendor's software
Note: Windows Defender can be disabled by Group Policy on server platforms that do not support Windows Security Center. The following is an example of this:
[Computer configuration\Policies\Administrative Templates\Windows Components\Windows Defender: Turn off Windows defender]
Sophos for Virtual Environments is unsupported when running alongside a number of other Sophos products. The products listed below are incompatible and we therefore recommend that they be uninstalled from the client machine before proceeding with the installation of the Sophos Guest VM agent:
Note. This is only required if you wish to protect guest VMs hosting these Sophos applications with Sophos for Virtual Environments. There is no issue with running these on the same ESXi or Hyper-V host as Sophos for Virtual Environments.
Further information can be found in Sophos for Virtual Environments and VMware NSX
Applies to Sophos Enterprise Console customers only.
Yes, you can configure Sophos for Virtual Environments to update from a WebCID. For further information please see the below knowledge base articles:
Configuring Microsoft Internet Information Services for endpoint updating
Sophos for Virtual Environments - Updating Using IIS / WebCIDs
To fully uninstall Sophos for Virtual Environments you will need to remove both the Sophos Guest Agent from the Guest Virtual Machines (GVMs) and the Security Virtual Machine from your Hypervisor Host. Full steps for this are provided in the Sophos for Virtual Environments Startup Guide.
There are a number of reasons why the Guest VM may not show up in the ProtectedGVMs.log. A selection, but not an exhaustive list, is shown below:
Further information on common issues and troubleshooting steps is covered in Sophos for Virtual Environments - Machines not showing in ProtectedGVMs.log.
The Security Virtual Machine requires a static IP to allow the Sophos Guest Agents to communicate reliably and to provide the most stable off-box scanning solution.