Issue
A new Sophos Enterprise Console is installed on a different physical system and the Sophos Anti-Virus endpoint client is pushed to the endpoints from the new server. However, the client machines fail to report back to the new Enterprise Console server. Reviewing the endpoint client's C:\Program Files\Sophos\Remote Management System\mrinit.conf reveals that the endpoint is still configured to report to the old Enterprise Console server. This is caused by the presence of the file C:\Program Files\Sophos\Remote Management System\mrinit.conf.orig on the endpoint machine when it was reprotected from the new Enterprise Console server.
The RMS sub-directory of the original update location used by the endpoint computer contained a copy of mrinit.conf. This may have been done to implement a message relay in the environment, or as a quick way to permit an IP address or hostname change of the original Enterprise Console server. The mrinit.conf file may no longer exist in the original update location, but it had been used in the past. When the endpoint applies an mrinit.conf file found in the RMS sub-directory, it renames the original C:\Program Files\Sophos\Remote Management System\mrinit.conf to mrinit.conf.orig. If the update location no longer contains an mrinit.conf file in the RMS sub-directory, the client reverts to the information in mrinit.conf.orig. Prior to Sophos Anti-Virus v9.7, the mrinit.conf.orig file was left behind even when installing a new version of the Sophos Anti-Virus client over the top of a previous installation.
This article should not be used to avoid re-protecting the endpoint computers when migrating the Enterprise Console to a different host.
Sophos Anti-Virus 9.7 and earlier
Operating system
Windows Platforms
There are two options:
1. Use a machine start-up script to delete the file C:\Program Files\Sophos\Remote Management System\mrinit.conf.orig and then reprotect the endpoints again.
2. Put a copy of the new mrinit.conf in the RMS sub-folder of the update location. Doing this will force the client to reconfigure the Remote Management System of all endpoints updating from this update location to use the values in the new mrinit.conf file. The directions below outline this process.
To force the endpoint computers to reconfigure their Remote Management System to use the new mrinit.conf file used by the new Enterprise Console server:
1. On the new Enterprise Console Server, locate the file C:\Program Files\Sophos\Enterprise Console\MRInit.conf.
2. Copy this file to the RMS sub-folder of each of the updating locations used by the endpoint computers. Typically, the default is %allusersprofile%\Application Data\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP\rms\ and can usually be accessed by using \\ServerName\SophosUpdate\CIDs\S000\SAVSCFXP\rms as well. To ensure you are copying the file to the correct update location, look at the updating location used by the machines in the Enterprise Console showing up as "Not yet managed".
3. Once the file is copied to the update location, it needs to be added to the catalog files so that the endpoints will know to download the new file. Use configcid per KB Article 13112 to accomplish this.
4. Once the endpoint client updates from the modified update locations, the client will download the new mrinit.conf file and reconfigure the Remote Management System to point to the correct server.
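For option 1 above, a machine start-up script along the following lines removes the stale file before the endpoints are reprotected. This is an added example, not a Sophos-supplied script; the log file location is hypothetical, and checking the 32-bit program directory in addition to the path given in this article is an assumption for 64-bit Windows.

```powershell
# Added example (not a Sophos-supplied script): start-up script for option 1.
# Removes the stale mrinit.conf.orig so that a subsequent reprotect from the
# new Enterprise Console server is not overridden by the old server's settings.
$ErrorActionPreference = 'Stop'

# The article gives C:\Program Files\...; also checking the 32-bit program
# directory on 64-bit Windows is an assumption.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

# Hypothetical log location; change to suit your environment.
$log = Join-Path $env:windir 'Temp\remove-mrinit-orig.log'

function Write-Log([string]$Message) {
    # One line per action: timestamp, computer name, message.
    '{0} {1} {2}' -f (Get-Date -Format s), $env:COMPUTERNAME, $Message |
        Add-Content -Path $log
}

$failed = $false
foreach ($root in $roots) {
    $stale = Join-Path $root 'Sophos\Remote Management System\mrinit.conf.orig'

    # Nothing to do on machines that never applied an mrinit.conf from a CID.
    if (-not (Test-Path -LiteralPath $stale -PathType Leaf)) { continue }

    try {
        Remove-Item -LiteralPath $stale -Force
        Write-Log "removed $stale"
    } catch {
        $failed = $true
        Write-Log "FAILED to remove $stale : $($_.Exception.Message)"
    }
}

# A non-zero exit code lets the deployment mechanism flag machines to revisit.
if ($failed) { exit 1 }
```

The script only deletes the .orig file; the endpoints still need to be reprotected from the new Enterprise Console server afterwards, as option 1 states.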