Jan 30, 2014

When you install Sophos in a vDisk, the client ID is the same for all your provisioned servers, so only one of them appears in the Sophos Enterprise Console. The following guide shows how to change the ID at startup so that all your servers are managed.

First, put the vDisk in private mode. Install Sophos from the Enterprise Console and push it to your server. Log in to the endpoint/Citrix server. Stop the following services and set their startup type to Manual:

Sophos Agent
Sophos AutoUpdate Service
Sophos Message Router

Remove all values in the following registry keys:

HKEY_LOCAL_MACHINE\Software\Sophos\Messaging System\Router\Private\pkc
HKEY_LOCAL_MACHINE\Software\Sophos\Messaging System\Router\Private\pkp
HKEY_LOCAL_MACHINE\Software\Sophos\Remote Management System\ManagementAgent\Private\pkc
HKEY_LOCAL_MACHINE\Software\Sophos\Remote Management System\ManagementAgent\Private\pkp

Delete the following files:

C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt
C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml

The machine_ID.txt file holds the unique computer ID. Deleting status.xml makes sure the endpoint is updated when the services start again.

Close the vDisk and put it back into standard mode.
Create a startup script that runs at boot, for example through a GPO, with the following code:

REM Start Sophos
REM Build the machine ID: the fixed 30-character prefix plus the computer name (6 characters here) gives a GUID-length ID.
REM The redirection is written first so that no trailing space ends up in the file.
>"C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt" echo 36edb108-f39d-4a36-8bbd-99bddc%COMPUTERNAME%
REM The services were set to Manual while sealing the vDisk, so start them here.
NET START "Sophos Agent"
NET START "Sophos AutoUpdate Service"
NET START "Sophos Message Router"

The echo creates a new machine ID that includes the computer name, so it is unique per machine. The example assumes a computer name of 6 characters: the fixed 30-character prefix plus 6 characters gives a 36-character, GUID-length ID. If your names are longer, trim the same number of characters from the end of the fixed part; if they are shorter, add random characters before %COMPUTERNAME%. Boot all servers and move them to the correct folder in the Sophos Enterprise Console.
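As an added example (not the author's script), the same startup step in PowerShell, deriving the ID by hashing the computer name so that names of any length yield a unique, stable, GUID-length ID without trimming or padding. The file path and service names are taken from the guide; that the file only needs a GUID-shaped string is an assumption.

```powershell
# Added example, not from the original post. Assumes the file path and service
# names from the guide; the GUID-shaped ID format is an assumption.
$IdFile   = 'C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt'
$Services = 'Sophos Agent', 'Sophos AutoUpdate Service', 'Sophos Message Router'

function New-MachineIdFromName {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Hash the upper-cased name: identical on every boot of one machine, different
    # for any other machine, whatever the name length. This is a derivation, not a
    # security boundary, so a truncated SHA-256 is sufficient.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Name.ToUpperInvariant()))
    $sha.Dispose()
    $hex = -join ($bytes[0..15] | ForEach-Object { $_.ToString('x2') })  # 32 hex chars
    # Lay the 32 hex characters out in the 8-4-4-4-12 shape of a GUID (36 chars),
    # the same length as the guide's prefix plus a 6-character computer name.
    return '{0}-{1}-{2}-{3}-{4}' -f $hex.Substring(0, 8), $hex.Substring(8, 4),
        $hex.Substring(12, 4), $hex.Substring(16, 4), $hex.Substring(20, 12)
}

$id = New-MachineIdFromName -Name $env:COMPUTERNAME

# Rewrite the file only when it differs, without a BOM, newline or trailing space,
# so it holds nothing but the ID.
$current = if (Test-Path $IdFile) { ([System.IO.File]::ReadAllText($IdFile)).Trim() } else { '' }
if ($current -ne $id) {
    New-Item -ItemType Directory -Force -Path (Split-Path $IdFile) | Out-Null
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($IdFile, $id, $utf8NoBom)
}

# The services were set to Manual while sealing the vDisk; start them in order and
# report a failure instead of continuing silently. status.xml is left alone here:
# it is removed once while sealing, not on every boot.
foreach ($svc in $Services) {
    try {
        Start-Service -Name $svc -ErrorAction Stop
        Write-Output "started: $svc"
    } catch {
        Write-Warning "could not start '$svc': $($_.Exception.Message)"
    }
}
```

Run it as a machine startup script (for example via GPO); after the first boot, check that the machine_ID.txt content matches what the Enterprise Console shows for that server.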

 

If you are looking for other anti-virus solutions, check the following posts:

Installing the McAfee agent (Framework Service) in a Citrix vDisk
Installing Trend Micro OfficeScan in a vDisk

  12 Responses to “Installing Sophos in a vDisk”

  1. Hey Rick, you saved my day. Thanks a lot for your excellent post.

    I created the following script for sealing my vDisk images; I just had to add the Wow6432Node registry path because I'm using x64 machines.

    REM Stop the Sophos services and set them to manual start
    net stop "Sophos Agent"
    net stop "Sophos AutoUpdate Service"
    net stop "Sophos Message Router"

    sc config "Sophos Agent" start= demand
    sc config "Sophos AutoUpdate Service" start= demand
    sc config "Sophos Message Router" start= demand

    REM Remove the cached key values (x64: under Wow6432Node)
    reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkc /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkp /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkc /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkp /f

    REM Remove the machine ID and update status files
    del "C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt" /f
    del "C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml" /f

  2. Glad to be of some help. If you delete the machine_id the server will add itself multiple times to the console. So I’ve created it myself based on the computername.

    • Hi Rick,

      I use Sophos with Citrix Provisioning Server vDisks and have noticed another issue with the combination, and I am wondering if this is also affecting you or you have already found a solution. I thought your startup script would fix this particular issue, but it doesn't seem to.

      The issue is that every time a VM using the vDisk boots up, it adds itself again to the server's router table (c:\ProgramData\Sophos\Remote Management System\3\Router\table_router.txt). Each managed computer should only be listed in this file once. When you have many virtual machines that reboot often, it causes the router table to grow to an incredible size (our file had 97,000 lines but we only have 1300 managed devices). Some machines were listed over 300 times.

      This ends up causing a huge workload on the server using the WmiPrvSE.exe process. Our AV server is a virtual machine and only had 1 vcpu. This issue caused 100% cpu usage on that process making the entire server unusable. I needed to add another vcpu just to be able to open the console.

      I worked with Sophos technical support previously in determining this. They gave me the steps on how to properly clear out and reset that router table to make the server usable again. Since that reset I implemented the startup script that would guarantee that each VM would use the same machine ID after each boot. However, every day I check the table_router.txt file I still see the same VMs adding themselves again. This will eventually (probably in a few months) cause the wmiprvse.exe issue again and the table will need to be reset.

      Below is an example of the issue. This server has rebooted 16 times since the last router table reset and since I implemented the startup script. Do you see many duplicate names in the table_router.txt file for your Citrix PVS virtual machines?

      Router$d158xa20:506721.1..
      Router$d158xa20:513049.1..
      Router$d158xa20:513074.1..
      Router$d158xa20:513225.1..
      Router$d158xa20:513380.1..
      Router$d158xa20:513550.1..
      Router$d158xa20:513594.1..
      Router$d158xa20:513944.1..
      Router$d158xa20:514093.1..
      Router$d158xa20:514109.1..
      Router$d158xa20:514271.1..
      Router$d158xa20:514438.1..
      Router$d158xa20:514501.1..
      Router$d158xa20:522070.1..
      Router$d158xa20:522322.1..
      Router$d158xa20:522682.1..
      Router$d158xa20:522731.3.IOR:010000002700000049444c3a536f70686f734d6573736167696e672f4e6f74696679436f6e73756d65723a312e3000000100000000000000800000000101024b0d00000031302e312e3130352e323434002001202300000014010f004e535409eaac5482850d000100000001000000000000000100000001000000000300000000000000080000000153ee00004f415401000000140000000153ee000100010000000000090101000000000014000000080000000153a60086000220.

      The server's machine ID was the same (below) for each of those reboots:

      36edb108-f39d-4a36-8bbd-99bdD158XA20

  3. This script is not 100% correct. The KBA http://www.sophos.com/kb/12561 shows all necessary steps.

    The line
    del "C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml" /f
    causes Sophos Anti-Virus to be fully re-installed every time the script is called.

  4. REM Start Sophos
    echo 36edb108-f39d-4a36-8bbd-99bddc%COMPUTERNAME% > "C:\programdata\Sophos\AutoUpdate\data\machine_ID.txt"

    is wrong.
    The machine_ID.txt must not contain %COMPUTERNAME%. It only consists of the ID.

    Regards

    • I needed to generate a unique ID for the computers as this is a provisioned environment. If I let Sophos generate an ID, it will create a new ID with every boot.

      • The reboot script you provided does not contain a unique ID. Every computer needs its own ID. So the way I see to provide a unique ID in machine_id.txt is to provide a boot script per machine with a unique ID echoed in it.

        • The part echo 36edb108-f39d-4a36-8bbd-99bddc%COMPUTERNAME% > "C:\programdata\Sophos\AutoUpdate\data\machine_ID.txt" generates a unique ID, and I have had this in production for almost a year without problems.

          • Can you elaborate on this? I'm not sure where and how you apply this.

  5. Has anyone figured out how to redirect the updates directory to the write cache drive?
    I'm trying to move the signatures from C:\Program Files (x86)\Sophos\Sophos Anti-Virus
    to the write cache drive (in our case the D:\ drive).
