Note: Where a path is given, it may vary according to your operating system (for example, Program Data rather than Program Files). You must ensure that you use the correct path for your operating system.
This is the AutoUpdate service, run as 'System User'.
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Alsvc.exe
When the service first starts up it performs an update check to the CID. ALSvc.exe runs a scheduler that triggers scheduled updates. It provides an interface that allows an update to be started.
The following VBScript can be used to call an update via the service:
' Trigger an update through the AutoUpdate service's COM interface
Dim objALC
Set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
objALC.UpdateNow 1,1
ALUpdate.exe is the file responsible for connecting to the network and downloading files.
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\ALUpdate.exe
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\ALUpdate.exe
At the start of an update, the Sophos AutoUpdate Service copies ALUpdate.exe and the required dlls and certificates from the above location to:
This allows AutoUpdate to perform an update to itself, if required.
It runs during the update as the system user, but impersonates the local SophosSAU account. See the ‘Significant accounts/groups’ section for more details on this user. When ALUpdate.exe is called, it runs with the following parameters:
Alupdate.exe -ManualUpdate -NoGUI -RootPath "C:\Program Files\Sophos\AutoUpdate"
This file presents the shield icon in the system tray.
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\ALMon.exe
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
ALMon.exe is a DCOM server ("dcomcnfg" - "DCOM Config" - "iMonitor"), which allows Sophos Anti-Virus to display virus alerts to the user desktop. It is launched from the following registry key.
Key: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Value: Sophos AutoUpdate Monitor (STRING)
Data: C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe
It runs as the logged-on user.
To launch the configuration dialog using VBScript (this is the same method used from within Sophos Anti-Virus to launch the Configure updating dialog):
' Open the AutoUpdate configuration dialog via the ALMon DCOM server
Dim monitor
Set monitor = CreateObject("iMonitor.PropertiesDialog.1")
monitor.DisplaySheet
This file provides an automation interface for reading and changing the configuration of AutoUpdate.
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\SAUConfig.dll
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\SAUConfig.dll
This example VBScript would change the update path:
' Change the primary update address and commit the new configuration
Dim obj, addr
Set obj = CreateObject("SAUConfigDLL.SAUConfig")
Set addr = obj.GetAddress(0)
addr.Address = "http://onetwothree"
obj.Commit
This is the adapter as loaded by the Sophos Agent in order for the messaging system to communicate with AutoUpdate.
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\AUAdapter.dll
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\AUAdapter.dll
This location is specified in the DLLPath value under the following registry key:
HKLM\SOFTWARE\(Wow6432Node)\Sophos\Remote Management System\ManagementAgent\Adapters\ALC
This is the log file as used by the log viewer built into AutoUpdate.
Alc.log is a text-based file. An extract is shown below:
This is a debug log for the AutoUpdate session.
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Logs\
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Logs\
This is a debug log for the AutoUpdate service.
This is a more verbose log showing the operation of AutoUpdate.
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Logs\ALUpdate.log
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Logs\Alupdate.log
This file contains the configuration of AutoUpdate in respect of the update locations and accounts used.
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Config\iconn.cfg
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Config\iconn.cfg
The values are self-explanatory and must NOT be edited manually.
[PPI.WebConfig_Primary]
AllowLocalConfig = 0
AutoDialTimeout =
LocalPath =
DownloadGranularity =
ConnectionAddress = \\Connectaddress\InterChk\ESXP\
UserName = Domain\Admin
UserPassword = UserPassword/nyo=
ConnectionType = UNC
UseSophos = 0
AutoDial = 0
BandwidthLimit = 0
PortNumber =
[PPI.ProxyConfig_Primary]
AllowLocalConfig = 0
ProxyPortNumber = 8080
ProxyType = 0
[PPI.WebConfig_Secondary]
AllowLocalConfig = 0
AutoDialTimeout =
LocalPath =
DownloadGranularity =
UseSophos = 0
AutoDial = 0
BandwidthLimit = 0
[PPI.ProxyConfig_Secondary]
AllowLocalConfig = 0
ProxyPortNumber = 8080
ProxyType = 0
This file contains the settings of the logging, as configured from the “Logging” tab of AutoUpdate.
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Config\ilog.cfg
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Config\ilog.cfg
This file contains the configuration of ALMon.exe (the shield tray icon).
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Config\imon.cfg
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Config\imon.cfg
[Configuration.iMonitor_v1.0]
AllowLocalConfig = 1
AnimateTrayIcon = 1
AllowMonitorToRun = 1
OverrideSecurity = 0
DisallowConfigure = 0
LogErrors = 0
ShowProgress = 0
ShowRebootDialog = 1
This file contains the settings of the scheduler, as configured from the “Schedule” tab of AutoUpdate.
Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Config\isched.cfg
64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Config\isched.cfg
The following files are also used by AutoUpdate:
These two keys are self-explanatory. A value of 1 hides the connection dialog and tray icon from the user, whereas a value of 0 (the default value) displays the items.
The username of the impersonation account created during the install of AutoUpdate, for example SophosSAU<machinename><uniqueID>. If the account, user name and password keys exist prior to installation, these will be used.
This is the password of the impersonation account created during the install of AutoUpdate. Note: The password is stored in clear text but protected through the ACL on the key.
Type: DWORD. Example: 1148044708 (decimal). This contains the time (in UTC) of the last update check. The following VBScript will read in the above value and display the time:
Dim tZ, uKey, shell, lastUp
tZ = +1 ' offset in hours relative to GMT; adjust for your time zone
uKey = "HKLM\Software\Sophos\AutoUpdate\UpdateStatus\LastUpdateTime"
Set shell = CreateObject("WScript.Shell")
lastUp = shell.RegRead(uKey)
' Convert the Unix epoch value (seconds since 1970) to a date, then apply the offset
WScript.Echo DateAdd("h", tZ, DateAdd("s", lastUp, "01/01/1970 00:00:00"))
This should also be the last update time as shown when hovering the mouse pointer over the Sophos shield system tray icon. NOTE: This is not the last install time.
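As an added example (not Sophos code), the following Python audit ties together the iconn.cfg extract and the LastUpdateTime value described above: it parses an iconn.cfg-style file to report which account is stored for a UNC update share and whether the update source is plaintext HTTP, and it decodes the epoch DWORD so staleness of the last update check can be measured. The sample configuration is constructed here using the page's own placeholder values.

```python
"""Added example, not Sophos code: audit AutoUpdate state from an iconn.cfg
extract and decode the LastUpdateTime DWORD. All sample data is constructed."""
import configparser
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the page's iconn.cfg extract (raw string, so the
# backslashes are literal); the account and address are the page's placeholders.
SAMPLE_ICONN_CFG = r"""[PPI.WebConfig_Primary]
AllowLocalConfig = 0
ConnectionAddress = \\Connectaddress\InterChk\ESXP\
UserName = Domain\Admin
UserPassword = UserPassword/nyo=
ConnectionType = UNC
[PPI.ProxyConfig_Primary]
ProxyPortNumber = 8080
"""

def parse_iconn(text):
    """Parse iconn.cfg text into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "UserName", not "username"
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def audit_primary(cfg):
    """Findings a defender would want about the primary update source."""
    p = cfg["PPI.WebConfig_Primary"]
    findings = []
    if p.get("ConnectionType") == "UNC" and p.get("UserName"):
        # A share credential lives in the file: report the account it grants
        # (so over-privileged accounts stand out), never the obfuscated password.
        findings.append("UNC share credential stored for " + p["UserName"])
    if p.get("ConnectionAddress", "").lower().startswith("http://"):
        findings.append("update source is fetched over plaintext HTTP")
    return findings

def last_update_utc(dword):
    """LastUpdateTime is seconds since 1970-01-01 UTC (page example: 1148044708)."""
    when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=int(dword))
    return when.strftime("%Y-%m-%d %H:%M:%S UTC")

def is_stale(dword, now_epoch, max_age_days=7):
    """True when the last update check is more than max_age_days behind now_epoch."""
    return now_epoch - int(dword) > max_age_days * 86400

if __name__ == "__main__":
    cfg = parse_iconn(SAMPLE_ICONN_CFG)
    for finding in audit_primary(cfg):
        print("finding:", finding)
    print("last update check:", last_update_utc(1148044708))
```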
The registry key created by registering the AutoUpdate service.
SophosSAU<machinename><uniqueid>
This account is impersonated on every update by alupdate.exe.
The overall account name can be a maximum of 20 characters, so the computer name is truncated as necessary. The <uniqueid> value is used for multiple domain controllers, in order to create a unique account for each domain controller in the domain. The account's password can be a maximum of 50 characters.
The account requires “Log on as Service” rights. The right to log on as a service is automatically added to the computer's local security policy during the installation.
If Sophos AutoUpdate is installed on a Domain Controller where the “Log on as Service” right has already been modified in the Default Domain Controllers Policy then the installer will add the account to the Default Domain Controllers Policy instead.