Disabling Tamper Protection in AWS

I had a few Sophos Server Protection agents deployed to AWS instances. I created images of those instances, launched them in a new VPC, and deleted the originals. Once the images were launched in a new VPC they lost their connectivity with Central. I'm unable to do anything with them because I can't disable tamper protection, and it's my understanding that I cannot boot an EC2 instance into Safe Mode without losing connectivity. What can I do?



This thread was automatically locked due to age.
  • I was able to resolve this with help from AWS support.

    1. Shut down instance and detach root volume.

    2. Attach root volume to a separate, temp instance running a DIFFERENT VERSION of Windows Server.

    3. Bring disk online in Disk Management on temp instance.

    4. Load hive in registry and make necessary changes as you would in safe mode.

    5. Unload hive.

    6. Stop temp instance.

    7. Detach volume from temp instance.

    8. Attach volume to original instance, naming it /dev/sda1
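
The AWS CLI side of the procedure above (steps 1-2 and 6-8), as an added example that is not part of the original post. The function names, the `DRY_RUN` switch and the secondary device name `xvdf` are assumptions; steps 3-5 happen inside Windows on the temp instance between the two calls.

```shell
#!/bin/sh
# Added example: AWS CLI side of steps 1-2 and 6-8. All IDs are operator-supplied.
# DRY_RUN=1 (the default) prints each command; DRY_RUN=0 runs it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "aws $*"; else aws "$@"; fi
}

# Accept only "<prefix>-<lowercase hex>", e.g. i-0abc... or vol-0abc...
valid_id() {
    case "$2" in
        "$1"-|"$1"-*[!0-9a-f]*) return 1 ;;
        "$1"-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 1-2. $1 = original instance, $2 = its root volume, $3 = temp instance.
# xvdf is an assumed free secondary device name on the temp instance.
move_root_to_temp() {
    valid_id i "$1" && valid_id vol "$2" && valid_id i "$3" || return 2
    run ec2 stop-instances --instance-ids "$1" &&
    run ec2 wait instance-stopped --instance-ids "$1" &&
    run ec2 detach-volume --volume-id "$2" &&
    run ec2 wait volume-available --volume-ids "$2" &&
    run ec2 attach-volume --volume-id "$2" --instance-id "$3" --device xvdf &&
    run ec2 wait volume-in-use --volume-ids "$2"
}

# Steps 6-8, run after the hive has been edited and unloaded on the temp instance.
# The volume goes back on the original instance under the name from step 8.
return_root_to_original() {
    valid_id i "$1" && valid_id vol "$2" && valid_id i "$3" || return 2
    run ec2 stop-instances --instance-ids "$3" &&
    run ec2 wait instance-stopped --instance-ids "$3" &&
    run ec2 detach-volume --volume-id "$2" &&
    run ec2 wait volume-available --volume-ids "$2" &&
    run ec2 attach-volume --volume-id "$2" --instance-id "$1" --device /dev/sda1 &&
    run ec2 wait volume-in-use --volume-ids "$2"
}
```

Review the dry-run output for both functions before setting `DRY_RUN=0`; the waiters keep a detach from racing the following attach.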

  • Thanks for the information Keith, very helpful.

    I've had a quick look into the same sort of problem on Azure and as far as I can tell safe-mode is not a supported scenario but there seem to be guides suggesting a very similar approach.

    Regards,

    Jak

  • We have created the below article to outline steps on how to recover both AWS and Azure instances.

     

    community.sophos.com/.../127602

  • Is this still the only way? 

     Just attempted our first AWS server installation and of course it failed with no explanation (typical) and now I can't disable tamper protection from the console, because it just doesn't work. I also can't use the local password to get into the admin settings, because it also just doesn't work. Not sure the point of it.

     

     

  • Hi Lance,

    Can you confirm what is remaining on the machine after the failed installation? Can you open up SophosUI.exe from C:\Program Files\Sophos\Sophos UI?

    If this exists you can then view the tamper protection password in Central and manually authenticate using the "Admin Logon" section.

  • Hey WomboCombo,

     

    Found the problem was due to how long the product takes to install.

    The current sequence of spinning up, installing all other required software, joining domain and then rebooting doesn't allow enough time for Sophos to install (by far the longest).

     

    Not really sure what our options are now.