06 April 2011

Sophos Endpoint Protection create new SID script for virtual machine templates and cloned machines

If you are duplicating or cloning machines, or deploying from a template image with Sophos preinstalled, you will need to clear the existing SID and generate a new one. If this is not done the machine will not be manageable from the Sophos Central Administration Console.

The steps required to do this are outlined in:
http://www.sophos.com/support/knowledgebase/article/12561.html

I have put these into a VBScript just to speed things up a little. To run it you will need to open a command prompt with "Run as Administrator" and then run cscript yourscriptname.vbs

I have included the registry and file paths to cover both x86 and x64 OS deployments.


'################################################################################
'# Sophos EndPoint Security 9.5                                                 #
'# This script will create a new SID for this machine as per the steps listed   #
'#  at http://www.sophos.com/support/knowledgebase/article/12561.html           #
'# This will remove the current SID and create a new unique SID on restart      #
'#                                                                              #
'#                                                Etienne Liebetrau - April 2011#
'################################################################################


On Error Resume Next

WScript.Echo "Post Clone Cleanup Starting"
WScript.Echo "Initiating Script Objects"

' Create Script Shell Object
Set WshShell = WScript.CreateObject("WScript.Shell")

' Sophos service names (wrapped in quotes because they contain spaces)
SMR = """Sophos Message Router"""
SA = """Sophos Agent"""
SAUS = """Sophos AutoUpdate Service"""

WScript.Echo "Stopping Services"

' Stop Sophos Services (wait for each net stop to finish before continuing)
WshShell.Run "net stop " & SMR, 2, True
WshShell.Run "net stop " & SA, 2, True
WshShell.Run "net stop " & SAUS, 2, True

WScript.Echo "Removing Registry Entries"

' Registry values to be removed (x86 OS)
RegKey1 = "HKEY_LOCAL_MACHINE\Software\Sophos\Messaging System\Router\Private\pkc"
RegKey2 = "HKEY_LOCAL_MACHINE\Software\Sophos\Messaging System\Router\Private\pkp"
RegKey3 = "HKEY_LOCAL_MACHINE\Software\Sophos\Remote Management System\ManagementAgent\Private\pkc"
RegKey4 = "HKEY_LOCAL_MACHINE\Software\Sophos\Remote Management System\ManagementAgent\Private\pkp"

' Registry values to be removed (x64 OS, 32-bit software lives under Wow6432Node)
X64RegKey1 = "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Messaging System\Router\Private\pkc"
X64RegKey2 = "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Messaging System\Router\Private\pkp"
X64RegKey3 = "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\pkc"
X64RegKey4 = "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\pkp"

' Delete Registry Entries (entries that do not exist on this OS flavour raise an
' error that On Error Resume Next ignores)
WshShell.RegDelete RegKey1
WshShell.RegDelete RegKey2
WshShell.RegDelete RegKey3
WshShell.RegDelete RegKey4
WshShell.RegDelete X64RegKey1
WshShell.RegDelete X64RegKey2
WshShell.RegDelete X64RegKey3
WshShell.RegDelete X64RegKey4

WScript.Echo "Removing Files"

' Remove machine_ID.txt files. FileSystemObject paths must NOT be wrapped in
' extra quotes (unlike the net stop arguments above), or DeleteFile fails.
Set FSO = CreateObject("Scripting.FileSystemObject")

File1 = "c:\Program Files\Sophos\AutoUpdate\machine_ID.txt"
File2 = "c:\Program Files\Sophos\AutoUpdate\data\machine_ID.txt"
File3 = "c:\Program Files (x86)\Sophos\AutoUpdate\machine_ID.txt"
File4 = "c:\Program Files (x86)\Sophos\AutoUpdate\data\machine_ID.txt"
File5 = "C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt"

' Only delete the files that exist on this OS flavour
For Each F In Array(File1, File2, File3, File4, File5)
    If FSO.FileExists(F) Then FSO.DeleteFile F
Next

WScript.Echo "Post Clone Cleanup Completed"
WScript.Sleep 10000

WScript.Quit


After the script has been run and the machine is rebooted, it should show up in the Sophos Management Console with the current computer name.

#### Update 1 ###

Normally you would run this script before making the machine a template or running sysprep.
After sysprep has run, the SID of the machine will be different. This prevents you from opening the Sophos console on the machine, because the local security groups recorded in the machine.xml file are no longer valid for the machine. When you attempt to open the console you get the following error.

You do not have sufficient privileges to run the Sophos Endpoint Security and Control main application.
You are not a member of any of the Sophos groups. To launch this application, you must be a member of SophosAdministrator, SophosPowerUser or SophosUser group. Please contact your administrator.


One more step that is required for everything to work properly is to execute the following:


MsiExec.exe /i "c:\ProgramData\Sophos\AutoUpdate\cache\savxp\Sophos Anti-Virus.msi" REINSTALL=ALL REINSTALLMODE=voums UPDATEDRIVERS=0 /l*v c:\msi.log /qb

This repairs the MSI installation, recreating the machine.xml file.

Sophos does give a fix here http://www.sophos.com/support/knowledgebase/article/113207.html but it is not something I could automate easily.

Thanks to the anonymous commenter for raising this question.

#### Update 2 ###

Per request I have also added a second script with the steps to fix the SID issue. This should be run after the machine has finished being cloned. It does what is highlighted in Update 1 above. Please note: for Windows XP and 2003 installations, change

C:\ProgramData to C:\Documents and Settings\All Users\Application Data

in the script.


'################################################################################
'# Sophos EndPoint Security 9.5                                                 #
'# This script will update the machine.xml with new SIDs as per the steps listed#
'# at http://www.sophos.com/support/knowledgebase/article/113207.html           #
'# Will update the original SIDS with the updated SIDS required after clone     #
'#                                                                              #
'#                                                Etienne Liebetrau - April 2011#
'################################################################################




On Error Resume Next

WScript.Echo "Post Clone Security Fix Starting"
WScript.Echo "Retrieving new group SID values"

' Retrieve the new SID values of the local Sophos groups via WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colItems = objWMIService.ExecQuery("Select * from Win32_Group where LocalAccount = True and Name = 'SophosUser'",,48)
For Each objItem in colItems
    SU = objItem.SID
Next

Set colItems = objWMIService.ExecQuery("Select * from Win32_Group where LocalAccount = True and Name = 'SophosPowerUser'",,48)
For Each objItem in colItems
    SPU = objItem.SID
Next

Set colItems = objWMIService.ExecQuery("Select * from Win32_Group where LocalAccount = True and Name = 'SophosAdministrator'",,48)
For Each objItem in colItems
    SADM = objItem.SID
Next

' Never write empty SIDs into machine.xml (happens when the WMI lookup fails,
' e.g. in some startup-script contexts); leave the file untouched instead.
If SU = "" Or SPU = "" Or SADM = "" Then
    WScript.Echo "Could not retrieve all three Sophos group SIDs - machine.xml left unchanged"
    WScript.Quit 1
End If

' Create Script Shell Object
Set WshShell = WScript.CreateObject("WScript.Shell")

' Sophos Anti-Virus service
SAV = "SAVService"

WScript.Echo "Stopping Service"

' Stop Sophos Service (wait for net stop to finish)
WshShell.Run "net stop " & SAV, 2, True

' Write new SID values to machine.xml file
WScript.Echo "Writing new group SID Values to machine.xml file"

Dim oXml
Dim oNode
ConfigFile = "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml"

Set oXml = CreateObject("MSXML2.DomDocument")
oXml.async = False
oXml.setProperty "SelectionLanguage", "XPath"
If Not oXml.Load(ConfigFile) Then
    WScript.Echo "Could not load " & ConfigFile & ": " & oXml.parseError.reason
    WshShell.Run "net start " & SAV, 2, True
    WScript.Quit 1
End If

' Replace each role's SID with the SID of the matching local group
Set oNode = oXml.SelectSingleNode("//role[@name='SophosAdministrator']/SID")
If Not oNode Is Nothing Then oNode.Text = SADM

Set oNode = oXml.SelectSingleNode("//role[@name='SophosPowerUser']/SID")
If Not oNode Is Nothing Then oNode.Text = SPU

Set oNode = oXml.SelectSingleNode("//role[@name='SophosUser']/SID")
If Not oNode Is Nothing Then oNode.Text = SU

oXml.Save ConfigFile

WScript.Echo "Updated file."
WScript.Echo "Starting Service"

' Start Sophos Service
WshShell.Run "net start " & SAV, 2, True

WScript.Echo "SID Security Fix Applied"


To summarise:

Step 1: Run the first script before cloning the machine.
Step 2: After the clone is completed, run the second script. No reboot is required after this script.
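To confirm that step 2 actually took effect, or to diagnose the "not a member of any of the Sophos groups" error from Update 1 before touching anything, a read-only check is useful. The script below is an added example, not one of the author's scripts: it compares the SIDs recorded in machine.xml with the SIDs of the three local Sophos groups and exits non-zero on any mismatch, without modifying the file or stopping services. It assumes the Vista/2008-and-later machine.xml path and the role/SID element layout that the second script relies on; on XP/2003 change the path as noted in Update 2.

```vbscript
' Added example (not part of the original post): read-only check that compares the
' SIDs stored in machine.xml with the SIDs of the local Sophos groups.
' Assumptions: the machine.xml path below (Vista/2008 and later layout) and the
' //role[@name='...']/SID structure used by the second script in the article.
Option Explicit

Dim cfgPath
cfgPath = "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml"

' Look up the SID of a local group by name via WMI; returns "" if the group is missing.
Function LocalGroupSid(groupName)
    Dim wmi, items, item
    LocalGroupSid = ""
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    Set items = wmi.ExecQuery("Select SID From Win32_Group Where LocalAccount = True And Name = '" & groupName & "'")
    For Each item In items
        LocalGroupSid = item.SID
    Next
End Function

' Read the SID recorded for a role in machine.xml; returns "" if the node is absent.
Function ConfiguredSid(doc, roleName)
    Dim node
    ConfiguredSid = ""
    Set node = doc.selectSingleNode("//role[@name='" & roleName & "']/SID")
    If Not node Is Nothing Then ConfiguredSid = node.text
End Function

Dim xml, roles, role, expected, actual, mismatches
Set xml = CreateObject("MSXML2.DOMDocument")
xml.async = False
xml.setProperty "SelectionLanguage", "XPath"
If Not xml.load(cfgPath) Then
    WScript.Echo "Cannot load " & cfgPath & ": " & xml.parseError.reason
    WScript.Quit 2
End If

' The three roles Sophos maps onto local groups, as named in the Update 1 error text
roles = Array("SophosAdministrator", "SophosPowerUser", "SophosUser")
mismatches = 0
For Each role In roles
    expected = LocalGroupSid(role)
    actual = ConfiguredSid(xml, role)
    If expected = "" Then
        WScript.Echo role & ": local group not found"
        mismatches = mismatches + 1
    ElseIf actual <> expected Then
        WScript.Echo role & ": machine.xml has '" & actual & "', local group is " & expected
        mismatches = mismatches + 1
    Else
        WScript.Echo role & ": OK (" & expected & ")"
    End If
Next

If mismatches > 0 Then
    WScript.Echo mismatches & " role(s) out of sync; run the Update 2 script."
    WScript.Quit 1
End If
WScript.Echo "machine.xml matches the local Sophos groups."
WScript.Quit 0
```

Run it with cscript checksophossids.vbs: exit code 0 means every role is in sync, 1 means at least one role is stale or a group is missing (the state that produces the Update 1 error), and 2 means machine.xml could not be loaded. Because it only reads, it is safe to run on a template before and after cloning to see exactly what the second script will change.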

15 comments:

Anonymous said...

Thank you very much! I just don't understand why Sophos doesn't provide a script like this (beside the fact that it is so complicated to create a reference image with sophos av preinstalled).
But will the script really update the existing SID values to the new ones in the machine.xml (not machine_ID.txt)?
http://www.sophos.com/support/knowledgebase/article/113207.html

Etienne Liebetrau said...

I will double check and get back to you, but as far as I know this script should force the SID to be updated. Will also check with Sophos directly and let you know.

Etienne Liebetrau said...

See the ### Update### section for a follow up on the comments

Anonymous said...

Hello, it's me again ;)
Thank you for looking at the SID-issue. You wrote:
"Sophos does give a fix here http://www.sophos.com/support/knowledgebase/article/113207.html but it is not something I could automate."
Well, I think an automation is possible! First you have to retrieve the computer's SID. I found a vbs code snippet at http://www.ssl-vpn.de/wiki/Default.aspx?Page=Computer%20SID%20detection%20script&AspxAutoDetectCookieSupport=1 (thank you guys):

Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colAccounts = objWMIService.ExecQuery _
    ("Select * From Win32_UserAccount Where LocalAccount=True")

Result = ""
For Each objAccount in colAccounts
    If Left(objAccount.SID, 6) = "S-1-5-" and Right(objAccount.SID, 4) = "-500" Then
        CompSID = Left(objAccount.SID, Len(objAccount.SID) - 4)
        Result = CompSID
    End If
Next
'Results ("Computer_SID") = Result
MsgBox "Computer SID is: " & Result

I just commented out the line "Results ("Computer_SID") = Result" because it throws an error.

Then you have to obtain the SIDs of the sophos groups (it's possible to write another vbscript or to use psgetsid or wmic, as described in the sophos article).

And finally you would have to edit the machine.xml and replace the SIDs. As I said before: it is quite complicated to create a reference image with sophos av preinstalled.
But this way you can avoid the ugly msiexec-reinstall command.

Before starting with the creation of the script, it is advisable to test the whole process manually.

Etienne, maybe you have the time and knowledge to provide such a script?

Etienne Liebetrau said...

Okay you twisted my arm - see Update 2 in the article for the second script to fix the SID security issue.

Anonymous said...

Thumbs up, Etienne,

the script works perfectly. The MSXML2.DomDocument object was new to me.
Shame on Sophos for only providing a half-baked (msiexec-reinstall) and a manual solution.
Thank you again!

Shane said...

Thanks Etienne. Used both of these scripts yesterday and they worked perfectly!

Anonymous said...

Hello Etienne,

the script doesn't run as a startup script under the local system account. The script itself finishes, but the SIDs in the machine.xml will be filled with a null string. Any ideas?

Etienne Liebetrau said...

Not 100% sure what you are trying to do using it as a startup script; the timing of running the script is very important, so I would do it manually. But drop me an email and we can go from there. Include the OS and the imaging process you are following.

TeeH@l2D said...

The script can run as a startup script.
I use this method before I run sysprep on Windows 7. "Fix sophos Error after Change SID.vbs" is the script that fixes the SID error. It runs once.
1. I create a folder in C:\Program Files named "Fixsophos"; inside the folder are "runFixSophos.bat" and "Fix sophos Error after Change SID.vbs".
2. Regedit > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce > create a new String Value with the path "C:\Program Files\Fixsophos\runFixSophos.bat"


*inside runFixSophos.bat
echo off
cls
cscript "C:\Program Files\Fixsophos\Fix sophos Error after Change SID.vbs"

Etienne Liebetrau said...

Thanks for the feedback!

TeeH@l2D said...

Sorry for my English, it's bad ;P

Anonymous said...

Hi,

there is an error in the following lines (script 1):
File1 = """c:\Program Files\AutoUpdate\machine_ID.txt"""
File2 = """c:\Program Files\AutoUpdate\datamachine_ID.txt"""
File3 = """c:\Program Files(x86)\AutoUpdate\machine_ID.txt"""
File4 = """c:\Program Files(x86)\AutoUpdate\data\machine_ID.txt"""

Correct is:

File1 = """c:\Program Files\Sophos\AutoUpdate\machine_ID.txt"""
File2 = """c:\Program Files\Sophos\AutoUpdate\datamachine_ID.txt"""
File3 = """c:\Program Files(x86)\Sophos\AutoUpdate\machine_ID.txt"""
File4 = """c:\Program Files(x86)\Sophos\AutoUpdate\data\machine_ID.txt"""

Anonymous said...

There's another typo:
File2 = """c:\Program Files\Sophos\AutoUpdate\datamachine_ID.txt"""
Correct is:
File2 = """c:\Program Files\Sophos\AutoUpdate\data\machine_ID.txt"""

Thanks for sharing the script!

Anonymous said...

Great help indeed. I am a little bit confused since there are 2 scripts. At which stage should I run each script?

Thanks in advance.
