Remotely re-installing Sophos endpoint

Hi 

I wonder if anyone can help me. Over the past 6 months I have been struggling to resolve endpoints that are unmanaged but have Sophos installed and are updating. Unfortunately my job isn't to fix problems but to flag them up for another team to resolve. I have now gotten to the point of just fixing it myself.

At the start there must have been in excess of 100+ unmanaged hosts, which were missing the RMS component of Sophos, most likely due to an incorrect image being used for new desktops/laptops. I have managed to resolve approx 50 hosts by using the protect feature in SEC, which reinstalled Sophos and the hosts appeared in SEC.

The remaining hosts are laptops, which are running XP but the remote protect feature doesn't appear to work. I can see the scheduled task being created and the configuration of the hosts is no different to that of the previous 50 hosts I have resolved. 

Can anyone point me in a direction on how to resolve this issue? Is there any way of just reinstalling the RMS component remotely?

  • Hi RogueViper

    There are a few things which you can try remotely.

    What could be happening is the following:

        Updating doesn't pull down the RMS component

        RMS is not installing

        Firewall is stopping the communication

    Below are some ways you can fix them remotely.

    Alternatively, you can use a login script.

    Here are some remote fix ideas:

    UPDATING DOESN'T PULL DOWN THE RMS COMPONENT

        Copy the following file from a working machine at the same branch:

        XP: C:\Program Files\Sophos\AutoUpdate\Config\iconn.cfg

        To the not working machine (if you have access to the C$ share, copy it remotely):

        XP: C:\Program Files\Sophos\AutoUpdate\Config\

    Once the next update completes it will rule out updating being the cause.

    ** This can be scripted.

    RMS NOT INSTALLING PART 1

        RMS sometimes fails to install if Sophos was on it previously and was joined to another server, or permissions with copying files.

        Navigate to:

        \\servername\SophosUpdate\CIDs\S000\SAVSCFXP\

        (replace servername with the name or IP address of the server)

        Copy the following two files:

        cac.pem

        mrinit.conf

        To the following local directory (remotely you can access the person's C$ share if you have rights):

        C:\Program Files\Sophos\Remote Management System

        If the folder doesn't exist, create it.

    After another update it should come online, or rule out one section of RMS not working.

    ** This can be scripted.

    RMS NOT INSTALLING PART 2

        This will probably require you to go to the machine; however, you can remotely access the Computer Management viewer from your machine and see the error code being displayed.

    FIREWALL IS STOPPING COMMUNICATION

        If the Windows Firewall is on and Sophos exceptions haven't been allowed it could be influencing the communication.

        Most notable in the 'View Network Communications Report' in Start | Programs | Sophos, or by doing a simple telnet test to the IP on the below ports.

        Ports 8192, 8193, and 8194 TCP and UDP need to be open.

    ** This can be scripted or, if you are in a domain environment, can be done via group policy.

    On a side note, there are two other less regular influencing factors:

    1. Is file and printer sharing enabled?

    2. Is Simple File Sharing (they are different) disabled on XP?

    If you need help with the scripting let us know :)

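The three remote checks in the post above (iconn.cfg from a working host, cac.pem and mrinit.conf from the CID, a TCP connect test on 8192-8194) as an added PowerShell helper. This is example code, not part of the original post; it assumes an admin workstation with rights to the endpoints' C$ shares, and the host names, reference host and CID path are placeholders.

```powershell
# Added example (not from the original post): remote fix-up for unmanaged Sophos XP
# endpoints. Run from an admin workstation that can reach the endpoints' C$ shares.
# $Hosts, $ReferenceHost and $CidShare are placeholders; adjust to your environment.
param(
    [string[]]$Hosts       = @('LAPTOP01', 'LAPTOP02'),
    [string]$ReferenceHost = 'WORKINGPC01',   # a managed, updating host at the same branch
    [string]$CidShare      = '\\SUMSERVER\SophosUpdate\CIDs\S000\SAVSCFXP'
)

$IconnRel = 'Program Files\Sophos\AutoUpdate\Config\iconn.cfg'
$RmsRel   = 'Program Files\Sophos\Remote Management System'
$Ports    = 8192, 8193, 8194

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Plain TCP connect attempt, the scripted equivalent of the telnet test in the post.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

foreach ($h in $Hosts) {
    $root = "\\$h\c$"
    if (-not (Test-Path $root)) { Write-Warning "$h : C$ share not reachable"; continue }

    # 1. Updating: replace iconn.cfg with the copy from the working machine.
    Copy-Item "\\$ReferenceHost\c$\$IconnRel" "$root\$IconnRel" -Force

    # 2. RMS: ensure cac.pem and mrinit.conf from the CID are in the RMS folder.
    $rmsDir = "$root\$RmsRel"
    if (-not (Test-Path $rmsDir)) { New-Item -ItemType Directory -Path $rmsDir | Out-Null }
    foreach ($f in 'cac.pem', 'mrinit.conf') {
        Copy-Item (Join-Path $CidShare $f) $rmsDir -Force
    }

    # 3. Firewall: report which RMS ports accept a TCP connection from this workstation.
    $closed = $Ports | Where-Object { -not (Test-TcpPort $h $_) }
    if ($closed) { Write-Warning "$h : no TCP connect on port(s) $($closed -join ', ')" }
    else { Write-Host "$h : files copied, ports $($Ports -join ', ') reachable" }
}
```

The port test only proves a TCP listener answers from where the script runs; UDP and the server-to-endpoint direction still need the firewall exceptions the post describes.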
  • Thank you wickedkittenz

    Brilliant guide. Manually updating the iconn.cfg file with the correct updating parameters has worked for 15 of the affected laptops and they have successfully appeared in SEC. 

    The others have the correct iconn.cfg file, mrinit.conf and cac.pem files. However, they still do not appear. I am concerned as the affected laptops were previously managed by another SEC in a regional office, but it was decided to start managing remote laptop users directly from the Sophos server at HQ. This transition hasn't exactly gone to plan.

    To confirm, the Sophos ports 8192, 8193, and 8194 are all open on the Windows Firewall, which is enforced with a GPO. I can connect to all remote C$ shares. File and printer sharing is enabled. Endpoint is 9.5.5 and the SEC is version 4.5.

    Is there a particular process that needs to be followed for migrating endpoints over to a different SEC (same version etc)?

  • Hello RogueViper,

    if the previous management server had a different certificate you need to reinit RMS. As the necessary files seem to be in place it should be sufficient to run ClientMRInit.exe from the RMS directory.

    HTH

    Christian

  • Hi Christian.

    Is there a way of remotely running ClientMRInit.exe without the user knowing?

    One thing I have noticed which is interesting, when using the protect function in SEC the scheduled install task appears, the endpoint software is reinstalled. But the updating details are incorrect in the iconn file even though the machine is in the correct SEC group and should have the same updating settings as the updating policy. So I have to manually copy the iconn file from a working laptop and hey presto it updates. But yet still doesn't appear in SEC even though the RMS components are all installed. 

    The above scenario is occurring with a laptop that has never been managed by the other SEC and resides on the HQ LAN.

    I apologise for my lack of knowledge; coming out of Uni straight into my first IT security job and learning lots of new things. After 8 months of using Sophos I must say I am pretty impressed with it and end up defending it when users start moaning.
  • Hi,

    As you say, when you protect a machine in SEC, the Sophos Management Service (on the management server machine) creates the scheduled task on the remote machine to run setup.exe from the deployment share. There are a number of switches passed to setup.exe (a full list can be found here: http://www.sophos.com/support/knowledgebase/article/12570.html). The management service constructs the command based on the subscription and SEC group, from which it takes its updating policy.

    If you monitor the scheduled tasks on the client when you deploy to it, you can look at the properties of the Sophos install task and view the exact command line being run. It might be worth you checking that the paths in there are correct. This command is possibly worth saving for the future.

    In terms of how RMS works, the following post:

    http://community.sophos.com/t5/Sophos-Endpoint-Protection/RMS-client-not-reporting/m-p/7881#M4142

    might be worth a read.

    Also I wrote a tool a while ago:

    http://community.sophos.com/t5/Sophos-Endpoint-Protection/Enterprise-console4-5-client9-5-all-PCs-greyed-out-and-won-t/m-p/8939#M4482

    that will generate a VBScript that can be run on clients to re-initialize them from an RMS point of view. It was designed to help move clients from one SEC server to another but can be used to just re-initialize the machine in terms of RMS.

    You can run the HTA on any machine; you choose the correct cac.pem and mrinit.conf file from the distribution share. This will generate you a VBS file you can run on the client. This will remove any existing config and certificates from the client and re-run ClientMRInit.exe to set it up again.

    You could deploy this remotely to the machine in a variety of ways, but it would need to run with administrative rights on the client machine. If you need to run it on many machines I would opt for AD startup scripts; if it's just a handful you could use psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553), or possibly even remotely create a scheduled task on the remote machine to run it once.

    Hope it helps,

    Regards

    Jak

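The remote scheduled-task route Jak mentions, as an added PowerShell example that is not Jak's HTA and not part of the original post: it stages a VBS already generated by the HTA on the client's C$ share and creates a one-shot schtasks job that runs it under an admin account. The client name, VBS path and account are placeholders.

```powershell
# Added example (not from the original post): run a re-init VBS once on a remote
# client via a scheduled task, with admin rights, without touching the user's session.
# $ClientName, $VbsSource and $AdminUser are placeholders.
param(
    [string]$ClientName = 'LAPTOP01',
    [string]$VbsSource  = 'C:\Temp\reinitsophos.vbs',   # the file generated by the HTA
    [string]$AdminUser  = 'DOMAIN\sophosadmin',
    [string]$TaskName   = 'SophosRmsReinit'
)

# Prompt for the password rather than hard-coding it in the script.
$cred = Get-Credential $AdminUser
$pass = $cred.GetNetworkCredential().Password

# Stage the script at a fixed local path so the task's command line is predictable.
$remoteDir = "\\$ClientName\c$\Windows\Temp"
if (-not (Test-Path $remoteDir)) { throw "$ClientName : C$ share not reachable" }
Copy-Item $VbsSource (Join-Path $remoteDir 'reinitsophos.vbs') -Force

# Schedule it two minutes from now (client's clock) under the admin account;
# cscript //B runs in batch mode so no dialog is shown to a logged-on user.
$start = (Get-Date).AddMinutes(2).ToString('HH:mm')
$cmd   = 'cscript.exe //B C:\Windows\Temp\reinitsophos.vbs'

& schtasks.exe /create /s $ClientName /u $AdminUser /p $pass `
    /ru $AdminUser /rp $pass /sc once /st $start /tn $TaskName /tr $cmd

if ($LASTEXITCODE -ne 0) { throw "schtasks failed on $ClientName (exit $LASTEXITCODE)" }
Write-Host "$ClientName : task '$TaskName' scheduled for $start"
```

As with psexec -p, the password is passed on the schtasks command line; once the task has run, `schtasks /delete /s <client> /tn SophosRmsReinit /f` removes it so it cannot be re-triggered.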
  • Thanks Jak for the speedy reply.

    Very informative information. Although I am trying to understand it all piece by piece; although it feels like I'm back at Uni learning machine code! I'm sure it will start sinking in eventually. 

    With the VBScript do I just copy the code into Notepad and save it as what you call the HTA? My proposed method would be to either use psexec or just create a scheduled task. Sorry if I sound very noobish; I've never used any scripts before or even PsExec for that matter!

    I may just have to pass this back to the infrastructure team to do rather than attempt it myself as I don't want to break anything.

  • Don't know if this will be helpful, but here are the command lines I use for remotely & silently installing/reinstalling on one-offs (using PsTools psexec):

    Install RMS from specified SUM

    psexec \\<machinename> -u <username> -p <password> msiexec /i "\\<SUMservername>\<path to savscfxp>\rms\sophos remote management system.msi" /qn

    Install AutoUpdate from specified SUM

    psexec \\<machinename> -u <username> -p <password> msiexec /i "\\<SUMservername>\<path to savscfxp>\sau\sophos autoupdate.msi" /qn

    Force reinstall of AV from local cache (forget if I stole this one from an article or a post)

    psexec \\<machinename> -u <username> -p <password> msiexec /i "c:\Program Files\Sophos\AutoUpdate\cache\savxp\Sophos Anti-Virus.msi" REINSTALL=ALL REINSTALLMODE=voums UPDATEDRIVERS=0 /l*v c:\msi.log /qb

    Install FW from specified SUM

    psexec \\<machinename> -u <username> -p <password> msiexec /i "\\<SUMservername>\<path to savscfxp>\scf\sophos client firewall.msi" /qn

    Install FW from local cache

    psexec \\<machinename> -u <username> -p <password> msiexec /i "c:\Program Files\Sophos\AutoUpdate\cache\scf\Sophos client firewall.msi" /qn

  • The code I pasted into the post is a HTA (mixture of HTML and VBScript in this case); you can copy it all from the post, paste it into Notepad and save the file as something like "reinitsophos.hta". Do ensure that the file's extension is .hta rather than .hta.txt; saving the file with double quotes around the name will ensure it has the extension you want. :)

    Hope it is useful.

    I wouldn't recommend running the MSIs directly; let Sophos AutoUpdate install the components. AutoUpdate does more than just run the MSIs when it installs them.

    Regards,

    Jak
