Sophos for Marshal

Version: 1.1, Last Revision: February 28, 2022

Sophos for Marshal is a configuration and update tool that allows the Sophos anti-virus scanner to be used with Trustwave SEG, ECM, and WebMarshal products.

These notes are additional to the Help or other documentation.

The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q20635.

Supported Trustwave Products

Sophos for Marshal 1.1.5 is released only in a 64-bit version. This release supports the following Trustwave content scanning product releases:

For Trustwave ECM 7.X, use Sophos for Marshal 1.1.2 (32 bit). Release 1.1.2 also works with the last 32-bit releases of Trustwave SEG and WebMarshal; however note that these releases are no longer officially supported by Trustwave.

New Features in Version 1.1.0

Hardware and Software Prerequisites

Sophos for Marshal 1.1 requires Windows Server 2008 (SP2) or above, with a supported Trustwave product (SEG, ECM, or WebMarshal).

The LiveProtection feature requires DNS connectivity (port 53) to a local DNS server that can forward queries to Sophos. The DNS server address will be populated automatically based on server settings. You can override the automatic setting if required.

The updater requires access to the following website:  (HTTPS is required; this is a change from version 1.0). For details of required ports and destinations see Knowledge Base article 11906.


Sophos for Marshal is licensed and purchased through Trustwave as a module with the supported content scanning products.

Installing Sophos for Marshal

To install Sophos for Marshal, run the installer package. Immediately after installation, the Sophos for Marshal updater attempts to retrieve the latest virus scanning Engine and IDE (signature) files.

If you need to configure proxy settings, you should do so immediately and then start an update manually.

To configure settings and start an update, start "Sophos for Marshal Configuration" from the Start menu. (Installation creates shortcuts in the submenu for each installed Trustwave product that supports Sophos for Marshal). For details of the fields in the configuration tool, see Help.


To use Sophos for Marshal with a supported Trustwave product:

Upgrading Sophos for Marshal

To upgrade from an earlier version, run the installer package.

Note: This upgrade migrates the data from the previous version and then installs the new version. You will be informed that the data is being moved. Settings, Engine, and IDE files are retained.

If a processing engine service (such as the SEG Engine) is under load, the installer may not be able to stop the service. The installer will notify you.

To complete the upgrade when the installer cannot stop a service:

  1. Manually stop the product engine service(s).
  2. Run the upgrade installation.
  3. Manually start the product engine service(s).

Uninstalling Sophos for Marshal

To uninstall Sophos for Marshal:

  1. Remove the Sophos for Marshal scanner from all SEG, ECM, and/or and WebMarshal scanning rules.
  2. Delete the Sophos for Marshal scanner from the list of scanners in each installed product.
  3. Restart the Engine services for each product. If the server has not been restarted since Sophos for Marshal was installed, you may need to restart the Controller services as well.
  4. Close the SEG or ECM Configurator and/or WebMarshal Console.
  5. Use the Add/Remove Programs control panel to uninstall Sophos for Marshal.

Change History

1.1.5 (February 28, 2022)

SFM-156 To shorten the time needed for initialization, all scanner threads share a single copy of signature data.
SFM-165 Versions of third party helpers included have been updated. (August 3, 2021)

SFM-134 On initialization, if CXMail is disabled this fact is logged.
SFM-144 Initialization of CXMail resulted in excess usage of memory and handles over time. Fixed.
SFM-153 The number of instances of the scanner available in a running application is increased to support more engine instances and larger numbers of rules.
SFM-154 IDE updates were not immediately applied to the running engine in some circumstances. (November 3, 2020)

SFM-137 Scanner initialization in SEG was inefficient due to configuration being re-read unnecessarily. Fixed. (November 9, 2017)

SFM-125 Discovery of SEG and ECM license keys is improved. (August 14, 2017)

SFM-116 Sophos for Marshal now uses libcurl instead of WinInet for access to updates, to avoid issues with certificate validation when using a proxy. (June 6, 2017)

SFM-8 The Sophos SDK used by Sophos for Marshal has been updated to the latest version that provides additional capabilities.
SFM-10 Sophos for Marshal implements the CXMail scanning option for enhanced checking of files.
SFM-11 Sophos for Marshal implements the LiveProtection scanning option for enhanced checking of files.
SFM-13 The product has been rebranded for Trustwave.
SFM-15 Installation and registry locations are updated to the default Trustwave locations.
SFM-41 MSXML4 is no longer used by Sophos for Marshal. The related DLLs are removed on upgrade.
SFM-54 Engine and IDE updates require valid maintenance for the scanning product (SEG, ECM, or WebMarshal).
SFM-67 The available frequencies for IDE checks have changed. You can choose to check as often as every 10 minutes. The default check is hourly.
SFM-71 Service executable paths were not quoted. Fixed. (November 11, 2010)

SFM-1 Sophos for Marshal now supports MailMarshal Exchange 7.0 (March 23, 2010)

VS-386 Update to the install logic was required due to change in the MailMarshal SMTP registry location.
VS-387 Update to the install logic was required due to change in the MailMarshal Exchange registry location.
VS-391 Files are now digitally signed to ensure authenticity.
VS-393 The product has been rebranded for M86 Security.
VS-396 The installer checked for the presence of a parent product on uninstall. Fixed. (August 26, 2009)

VS-365 Updated Sophos engines were not installed when MailMarshal was under heavy load. Fixed.
VS-372 The upgrade installation has been modified to minimize the number of manual service restarts required.
VS-373 Sophos for Marshal installation now creates a menu shortcut in the MailMarshal Exchange program group (if MailMarshal Exchange is present). (July 17, 2008)

VS-263 Sophos for Marshal now supports MailMarshal Exchange 5.2 (November 28, 2007) - Initial Release

Legal Notice

Copyright © 2022 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.


Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit