
Cujo in real life

So one of our techs came in this morning and noted that this Sophos incident reminds him of Cujo (Stephen King's)... "the friendly family guard dog that everyone trusted, but one day turned bad and tore the place apart"... hear, hear!

We are having success restoring files using the scripts provided and psexec. Maybe it would be a little sweeter to have Altiris or another time-saving package, but we seem to be getting by.

Our default Clean Up policy was "deny access and move", so we are able to fix the update issue with the FixUpdate.vbs script, then restore the quarantined files with QuarRestore.vbs, both provided by Sophos. We'd rather be doing something more productive than cleaning up this mess, but as with so many IT things, it's yet another bit of job security.

Here, then, is our "fixsophos.cmd" batch file, which we launch as follows... I'll be fairly rudimentary in case it can help someone else out:

psexec @badComps.txt \\servername\SophosFix\fixsophos.cmd

Where badComps.txt is a text file containing one computer name per line, extracted from the Sophos console and sorted in Excel so that we got all machines that reported not having updated since 9/19/2012 (the "bad" timestamp for us). To pull the machine list into Excel, I learned that you can simply select all machines (Ctrl-A while in the Endpoints list), then copy (Ctrl-C) and paste into a text file. The file can then be opened in Excel as a tab-delimited file, sorted to our timestamp needs, and the names copied to "badComps.txt".

psexec we grabbed from a quick Google search.

Did find out soon after trying this out on a machine or two manually that we needed to "authorize" psexec as allowable "spyware/malware" in our Sophos A-V and HIPS policy.

So here's what our fixsophos.cmd file looks like:

REM Map the share that holds the two Sophos-provided scripts and run
REM FixUpdate.vbs from it; bail out if the mapping fails so cscript
REM is not run against the wrong working directory
net use x: \\ourserver\sophosFix
if errorlevel 1 exit /b 1
x:
cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\ourSidSErver\SophosUpdate\CIDs\S000\SAVSCFXP /updateNow:true

c:
net use x: /delete

REM not sure it's an issue, but decided to delete the mapped drive
REM before the Quarantine restore call, just in case the update
REM process at the end of FixUpdate.vbs was still at work
REM Basically, there is a delay between the two scripts
cscript //nologo \\ourserver\sophosFix\QuarRestore.vbs

That's it for us. Again, our cleanup setting was "Deny Access and Move to Default Location"... this combination is working, albeit slowly.

One "performance" note is that it helps to make multiple lists for psexec to read and launch it multiple times (perhaps even from multiple machines) to speed up the process... otherwise it does the machines in badComps.txt sequentially, one at a time, and it appears to take anywhere from 30 to 90 seconds to complete on each one.

Hope you find time to enjoy a weekend!

PatW

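The "multiple lists, multiple launches" speed-up described in the post above, as an added example that is not part of PatW's post and is not anything Sophos ships: a PowerShell wrapper that deals badComps.txt round-robin into several lists, runs PsExec against each list as a concurrent background job, and then greps the PsExec logs for the per-host exit codes so failed machines land in a retry list. It passes explicit credentials with -u/-p because, per the Sysinternals documentation, a remote process started by PsExec without -u runs under an impersonation token that has no access to network resources, so a script launched by UNC path (or a `net use` inside it) fails on the target; that is one common cause of errors like the "network name cannot be found" reported in the reply below (the alternative is `-c`, which copies the script to the target and runs it locally). The share and script paths, the worker count, the log directory and the assumption that psexec.exe is on PATH are all assumptions of the example.

```powershell
# Added example, not from the original post. Assumed: PsExec.exe is on PATH,
# badComps.txt holds one host name per line, fixsophos.cmd lives on the share.
param(
    [string]$ListFile = '.\badComps.txt',
    [string]$Script   = '\\ourserver\sophosFix\fixsophos.cmd',
    [int]$Workers     = 4,
    [string]$LogDir   = '.\sophosfix-logs'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $LogDir | Out-Null

# PsExec needs an explicit logon (-u/-p) for the remote process to open a UNC
# path; without -u it runs under an impersonation token with no network access.
# PsExec only accepts -p in plain text, so keep the lifetime of $pass short.
$cred = Get-Credential -Message 'Domain account that is local admin on the endpoints'
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

# Read, trim and de-duplicate the host list, then deal it round-robin into
# $Workers smaller lists (the @(...) keeps a one-line file from becoming a string).
$hosts = @(Get-Content $ListFile | ForEach-Object { $_.Trim() } |
           Where-Object { $_ } | Sort-Object -Unique)
$chunks = @{}
for ($i = 0; $i -lt $hosts.Count; $i++) {
    $chunks[$i % $Workers] += @($hosts[$i])
}

# One background job per list. Each job is its own sequential PsExec run, so
# the lists progress in parallel instead of one host at a time.
$jobs = foreach ($k in $chunks.Keys) {
    $list = Join-Path $LogDir "badComps.$k.txt"
    $chunks[$k] | Set-Content -Path $list
    $log  = Join-Path $LogDir "psexec.$k.log"
    Start-Job -ArgumentList $list, $Script, $user, $pass, $log -ScriptBlock {
        param($list, $script, $u, $p, $log)
        # -accepteula: no EULA prompt on first use against each target
        # -n 20: give up on an unreachable host after 20 s instead of stalling the list
        # @file: PsExec's own "one computer per line" input, same as in the post
        & psexec.exe -accepteula -n 20 -u $u -p $p "@$list" $script 2>&1 |
            Out-File -FilePath $log -Encoding ascii
    }
}
$jobs | Wait-Job | Out-Null
$pass = $null

# PsExec prints "<script> exited on <host> with error code N." per host; turn
# that into a table and write the non-zero hosts to a retry list.
$results = Get-Content (Join-Path $LogDir 'psexec.*.log') | ForEach-Object {
    if ($_ -match 'exited on (\S+) with error code (\d+)') {
        [pscustomobject]@{ Host = $Matches[1]; ExitCode = [int]$Matches[2] }
    }
}
$results | Sort-Object ExitCode -Descending | Format-Table -AutoSize
$results | Where-Object { $_.ExitCode -ne 0 } |
    Select-Object -ExpandProperty Host |
    Set-Content (Join-Path $LogDir 'retry.txt')
```

Two caveats worth knowing before running this against a fleet. PsExec versions before 2.1 (the v1.98 shown in the reply below included) send the -u/-p password over the network in the clear; 2.1 and later encrypt it, so use a current build, and use an account scoped to this clean-up rather than a standing domain admin. And since Sophos flags psexec as a potentially unwanted application, the authorization step the post mentions has to be in place on the targets or the remote service will be blocked before the batch file ever runs.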


  • I'm getting the exact same response. Copied from the command prompt:

    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    \\computer name

    PsExec could not start \\servername\fixcmdtest\fixsophos.cmd on (computer name): The network name cannot be found.