The local user interface of the product becomes inaccessible, and when access is attempted, it reports an error similar to this:
You do not have sufficient privileges to run the Sophos Endpoint Security and Control main application. You are not a member of any of the Sophos groups. To launch this application, you must be a member of SophosAdministrator, SophosPowerUser or SophosUser group. Please contact your administrator.
When you check the local group membership of the account attempting to open the main application, it is a member of one or more of the mentioned groups.
Note: The computer can still be managed from the console and protection is not diminished; however, you may see a 'Comparison Failure' error for certain policies.
First seen in Sophos Anti-Virus for Windows 2000+ 7.6.21
As of Sophos Anti-Virus (SAV) 10.3.2, the SID values of the Sophos groups are no longer recorded in 'machine.xml'. The config file now references the groups by their name to avoid issues relating to changing of the SID values. The fixed SID of the system user, i.e. S-1-5-18, is also added to the 'SophosAdministrator' role to enable services such as the Sophos Agent, which runs as 'Local System' to manage SAV.
The security identifier (SID) value of the computer has changed. Reasons for the SID value changing include:
The new SID values of the Sophos-related groups must be determined and entered into an XML configuration file. Shown below are two methods for performing this on the endpoint computer: one uses an automatic script; if you prefer, you can perform the steps manually.
The SID values have now been updated and the main application should be able to launch without error.
Note: Rebooting the computer now can help if the problem persists.
If the issue still exists follow the manual process below.
wmic /node:localhost group where (localaccount=true and name like 'sophos%') GET Caption, SID > SophosLocalGroups.txt
Once you have run this, open the file SophosLocalGroups.txt using Notepad.exe to obtain the new SIDs of the Sophos groups.
C:\documents and settings\All users\Application data\sophos\Sophos Anti-Virus\Config\machine.xml
At the top of the file, locate the "Security" section. Using the SID values you obtained above, update the SID value of each role to the new SID of the corresponding local group, for example:
<role name="SophosAdministrator"><SID>S-1-5-21-3575766963-4128555015-3935694525-1029</SID></role>
<role name="SophosPowerUser"><SID>S-1-5-21-3575766963-4128555015-3935694525-1028</SID></role>
<role name="SophosUser"><SID>S-1-5-21-3575766963-4128555015-3935694525-1027</SID></role>

Where: S-1-5-21-3575766963-4128555015-3935694525 is the new SID of the machine, and the last number is the unique group identifier.

Note: There may be more than one SID value for each account. In this case you can add an additional SID line using the new SID value. Example:
<role name="SophosAdministrator">
<SID>S-1-5-21-286604240-1627713736-1734124843-1234</SID>
<SID>S-1-5-21-286604240-1627713736-1734124843-2345</SID>
<SID>S-1-5-21-286604240-1627713736-1734124843-3456</SID>
</role>
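The manual process above, carried through as an added illustration (this is not Sophos code): it parses the SophosLocalGroups.txt output produced by the wmic command and rewrites the stale SID entries in the Security section, reporting which roles were changed so a no-op run confirms the file is already correct. The host name, the SID values and the <Security> wrapper element are constructed assumptions; the article only shows the <role> lines.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of SophosLocalGroups.txt as written by the wmic command.
# Note: wmic writes UTF-16 when redirected, so open the real file with encoding="utf-16".
WMIC_OUTPUT = """Caption                   SID
HOST\\SophosAdministrator  S-1-5-21-286604240-1627713736-1734124843-1029
HOST\\SophosPowerUser      S-1-5-21-286604240-1627713736-1734124843-1028
HOST\\SophosUser           S-1-5-21-286604240-1627713736-1734124843-1027
"""

# Constructed machine.xml fragment still carrying SIDs from the old machine SID.
# The <Security> wrapper is an assumption; the article only shows the <role> lines.
OLD_CONFIG = """<Security>
<role name="SophosAdministrator"><SID>S-1-5-21-3575766963-4128555015-3935694525-1029</SID></role>
<role name="SophosPowerUser"><SID>S-1-5-21-3575766963-4128555015-3935694525-1028</SID></role>
<role name="SophosUser"><SID>S-1-5-21-3575766963-4128555015-3935694525-1027</SID></role>
</Security>"""

# Caption column is "HOST\Group"; a local-account SID is S-1-5-21-<3 machine parts>-<RID>.
SID_RE = re.compile(r"^(?P<caption>\S+)\s+(?P<sid>S-1-5-21(?:-\d+){4})$")

def parse_wmic_groups(text):
    """Map each local Sophos group name (without the HOST\\ prefix) to its current SID."""
    groups = {}
    for line in text.splitlines():
        m = SID_RE.match(line.strip())
        if m:  # header line and blank lines do not match
            groups[m.group("caption").split("\\")[-1]] = m.group("sid")
    return groups

def update_role_sids(config_xml, groups):
    """Return (updated XML, names of roles whose SIDs were rewritten)."""
    root = ET.fromstring(config_xml)
    changed = []
    for role in root.iter("role"):
        new_sid = groups.get(role.get("name"))
        if new_sid is None or new_sid in [s.text for s in role.findall("SID")]:
            continue  # group not found locally, or role already up to date
        for stale in role.findall("SID"):  # drop SIDs from the old machine SID
            role.remove(stale)
        ET.SubElement(role, "SID").text = new_sid
        changed.append(role.get("name"))
    return ET.tostring(root, encoding="unicode"), changed

if __name__ == "__main__":
    new_xml, changed = update_role_sids(OLD_CONFIG, parse_wmic_groups(WMIC_OUTPUT))
    print("updated roles:", changed)
    print(new_xml)
```

Run it a second time against the updated XML and the changed list is empty, which is the check that machine.xml already matches the groups on the computer.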