
SGN 5.50 policy editor challenge wizard not working!

Help!

I created a standalone policy in 5.40 some time ago. The policy was fairly bland: basically encrypt hard drive, Windows authentication (not using PBA) and pretty much everything else default. Been using this for a while without any real issues.

Bought a new laptop which is a Core-i5 processor which 5.40 doesn't support, so waited and it looks like 5.50 seems ok on it. When I installed 5.50, I installed the pre-install package and the SGNClient.msi package, rebooted to check that 5.50 comes up ok, which it now does. Once rebooted, I installed the policy package I'd created in 5.40. This went on fine and the machine immediately encrypted its HD - perfect! I saved my key files safely away on a network drive.

Since it was some time ago I created the original policy, I loaded the new policy editor onto another machine and started to have a play at creating a new policy. The original 5.40 policy configuration was lost some time ago, but since we run standalone, it didn't really matter to me. I only needed the policy editor to create the original standalone package.

Clicking menus, I thought then I'd try the new recovery wizard in the new 5.50 policy editor, so I went to my shiny new laptop, put in a rubbish password 16 times and got locked out. I rebooted and on the laptop, I got the locked screen and the challenge button, which I pressed, and obtained my challenge key. I started up the recovery wizard and was immediately asked for a security key file, which I pointed at the file I created earlier on the new laptop, and immediately the recovery wizard said 'invalid key file'. Oh dear!

So there you have it, I've a really nice new book end on my desk now which was a lovely new laptop. Once locked out, it appears you're stuffed and I now start the long task of reinstalling from scratch. I think there's something not right with the new policy editor/recovery wizard. Anyone else tried this :o)

Matt

  • Hi Matt,

just read through this one and I can tell you that I haven't heard about this so far. This is the first time someone has reported this behavior.

Due to the fact that recovery is not possible in this single case, please open a ticket so that someone can retest your process to confirm that this is not a general issue (which I believe).

    Thank you very much

    Regards

    Dan
  • Hi Dan,

Looks really easy to reproduce. Take e.g. a 5.40 standalone machine and upgrade the client to 5.50. You now cannot use the key files this client generates in either the 5.40 or 5.50 policy editor. The same is true of a standalone 5.40 policy .msi file. Use that to set policy on a 5.50 client machine and again, the recovery tool cannot use the key files this generates. The only solution is to completely ditch the client prior to installing 5.50, i.e. clean install only, no upgrades, and to use a new policy created in the 5.50 policy editor. Then it all seems to work ok.

    This might only affect standalone mode, I don't run remote managed mode (don't need to).

    Matt
  • More information:

It turns out that if you're running standalone SGN with a policy.msi file used to apply your configuration, the policy.msi files generated in previous versions should not be used, even though it installs and encrypts perfectly ok. You won't be aware of the problem until someone locks their machine and you're faced with a challenge response using their key files to generate the response.

It doesn't work!

Best thing to do if you're facing this setup scenario is to uninstall now before it's a problem, generate a new policy.msi file in the latest version 5.50, and then reinstall and re-apply the new 5.50 policy.msi.

    Matt
  • Any progress or response on this?

    I have a similar situation - all the recovery keys created using version 5.50.0.116 do not work with the Recovery tool in Policy Editor version 5.50 or 5.60.

    Attempting to use any of them in the Recovery Wizard in either version generates an Error dialog with the text "Invalid key recovery file".

    I have a locked workstation stuck at the POA, which generates the Challenge code okay but I cannot generate a Response Code.

    Is there anything I can do with the "invalid" XML file?
  • Hi Gsmdit,

I've not yet seen this issue with 5.50.0.116 to 5.60. In my scenario, I had a policy created with a 5.40 policy editor, then the editor and machines were upgraded to 5.50.0.116 as per Sophos instructions, but no new policy was generated or applied to the clients (again, as per Sophos instructions, which at the time said you didn't need to). Turns out that this wasn't correct, and jumps from 5.40 to 5.50, or any major version jump, need to have the policy uninstalled, a new policy file generated in that version and then reinstalled on the clients, and a new key file generated.

In essence, I think you're screwed unless you have a backup of the 5.50.0.116 policy as it was at the point of install and can get the policy editor up and running again to generate the challenge response. You may also be able to generate a PE recovery CD and decrypt the disk to retrieve the data. Not going to hold my breath on that though; Sophos couldn't help me when 5.40 to 5.50 failed this way and I ended up ditching and reinstalling.

    Talk to Sophos support, it's your best option right now.

    Matt
  • Hi Matt

    Thanks for the speedy response, I thought this one dead and forgotten!

I actually do still have the original device I created the policy with, and the original policy, and have tried using that setup to generate the Response code - with the same result unfortunately.

I have also tried the Recovery CD option, but despite being able to rebuild the MBR and the boot sectors successfully, it still fails as it is dependent upon the generation of a Response code...

    I was hoping for an alternative to recalling all the installed laptops for rebuilding, by maybe a simple fix on the XML file, but will speak to Sophos as you suggest.

    Best

    Dave
  • Hi Dave,

    AFAIK, updating the clients is as easy as uninstalling the custom policy (which doesn't trigger decryption) and installing the new policy regenerated in 5.60 policy editor.

    I'm assuming that the XML files you now have are those generated when the clients were upgraded to 5.60 and not the original key files generated when the clients were 5.50's?

    Matt
  • Hmm... based on what I found through testing, my understanding was that the recovery key is generated at the time of encryption - and any amount of fooling around later with the policy or client version doesn't generate a new recovery key, so a decrypt and a re-crypt would be required.

    I compared the key created originally in Feb this year using 5.50, with another key created yesterday using 5.60 and they are the same.

Unless I am missing a trick - is there another way to generate a key recovery file other than using the systray icon and choosing "Key Backup"?

    Dave
  • Hi Dave,

The XML file is generated by key backup only. When you encrypt, it just kicks off the same process so that you effectively have at least one backup performed as you encrypt.

When I compared a 5.40 XML and key file and a 5.50 XML from the same policy MSI (generated in the 5.40 policy editor), there is a distinct difference in what 5.50 generates (you'd expect that with the same policy it would be identical, but it's not). I suspect that it's the same 5.50 to 5.60: an XML generated on a 5.60 client with a 5.50 policy MSI will be an invalid XML key, which is what I think you're seeing and would follow exactly the same problem I had 5.40 to 5.50.

For the clients that are currently running 5.60, I would generate a new policy MSI file and then, on each client, uninstall the policy and then install the newly created 5.60 policy. After that, generate a new key backup by right-clicking the SGN shield and then test the key backup XML in the recovery wizard. If it generates an error when you load the XML, you'll probably have to completely uninstall and reinstall the entire client.

    Anything back from Sophos technical?

    Matt
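An added example, not part of the original thread and not Sophos code: Dave and Matt above compare key backup XML files by eye to see whether a client upgrade changed them. The script below does that comparison mechanically, reporting which elements were added, removed or altered and giving each file a whitespace-insensitive fingerprint so copies on a network share can be checked against what the client currently produces. The real SafeGuard key backup schema is not known here, so the two embedded sample files, their element names (KeyBackup, Machine, Key, Extra) and the version attribute are constructed assumptions; point the functions at real files and the logic is the same.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample files for illustration only. The element names and the
# "version" attribute are assumptions, not the real SafeGuard key-backup schema.
BACKUP_A = """<?xml version="1.0"?>
<KeyBackup version="5.50">
  <Machine>LAPTOP-01</Machine>
  <Key id="k1">AAAA</Key>
</KeyBackup>
"""

BACKUP_B = """<?xml version="1.0"?>
<KeyBackup version="5.60">
  <Machine>LAPTOP-01</Machine>
  <Key id="k1">AAAA</Key>
  <Extra>x</Extra>
</KeyBackup>
"""


def parse_backup(text):
    """Return the root element, raising ValueError if the file is not well-formed XML."""
    try:
        return ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc


def is_well_formed(text):
    """True if the file parses as XML at all; a truncated copy fails this first."""
    try:
        parse_backup(text)
    except ValueError:
        return False
    return True


def flatten(elem, path="", index=0):
    """Yield (path, attributes, text) for every element, depth first.

    The path carries the sibling index so repeated elements (several <Key>
    entries, say) do not collide with each other.
    """
    here = f"{path}/{elem.tag}[{index}]"
    yield here, tuple(sorted(elem.attrib.items())), (elem.text or "").strip()
    for i, child in enumerate(elem):
        yield from flatten(child, here, i)


def fingerprint(text):
    """SHA-256 over the flattened form, so re-indenting the file does not change the hash."""
    digest = hashlib.sha256()
    for entry in flatten(parse_backup(text)):
        digest.update(repr(entry).encode("utf-8"))
    return digest.hexdigest()


def compare_backups(text_a, text_b):
    """Report element-level differences between two key-backup XML files."""
    a = {path: (attrs, txt) for path, attrs, txt in flatten(parse_backup(text_a))}
    b = {path: (attrs, txt) for path, attrs, txt in flatten(parse_backup(text_b))}
    only_in_a = sorted(set(a) - set(b))
    only_in_b = sorted(set(b) - set(a))
    changed = [(p, a[p], b[p]) for p in sorted(set(a) & set(b)) if a[p] != b[p]]
    return {
        "identical": not (only_in_a or only_in_b or changed),
        "only_in_a": only_in_a,
        "only_in_b": only_in_b,
        "changed": changed,
    }


if __name__ == "__main__":
    print("A:", fingerprint(BACKUP_A))
    print("B:", fingerprint(BACKUP_B))
    for key, value in compare_backups(BACKUP_A, BACKUP_B).items():
        print(f"{key}: {value}")
```

Run it against the stored copy of a key backup and a freshly generated one from the same client: an "identical" result means the upgrade left the backup untouched, while anything in "changed" or "only_in_b" is the kind of difference Matt describes between 5.40 and 5.50 output and is worth testing in the recovery wizard before a lockout forces the question.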