RouterNT.exe (Windows 2000+)
This is the main executable file for the Message Router on Windows computers.
Location:
In Windows 2000+: C:\Program Files\Sophos\Remote Management System\RouterNT.exe
In Windows 2000+ 64bit: C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
This is the main executable file for the Agent service on Windows computers.
HKLM\SYSTEM\CurrentControlSet\Services\Sophos Message Router\ImagePath
The value of this entry on 32bit operating systems:
"C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194
The value of this entry on 64bit operating systems:
"C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194
Note: An example of setting the network interface is when configuring a message relay in a public WAN.
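The ImagePath values documented above can be audited on an endpoint. The following PowerShell is an added example, not Sophos code: it checks that the service still starts the documented executable from a quoted path and reports the listen ports. The function name Test-RouterImagePath is hypothetical, and reading the text between iiop:// and the port as the bound interface is an assumption based on the note above.

```powershell
# Added example (not Sophos code): audit the Message Router service ImagePath.
# Expected paths and default ports are the ones documented on this page.
$ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Message Router'
$ExpectedExe = @(
    'C:\Program Files\Sophos\Remote Management System\RouterNT.exe',
    'C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe'
)

# Hypothetical helper: parse one ImagePath string and report deviations.
function Test-RouterImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    $r = [ordered]@{
        Executable = $null; Quoted = $false; ExpectedLocation = $false
        Interface  = $null; Port = $null; SslPort = $null; DefaultPorts = $false
    }
    # The documented value is a quoted path. Record whether the quotes are
    # still there and which executable the service would actually start.
    if ($ImagePath -match '^\s*"([^"]+)"') {
        $r.Executable = $Matches[1]; $r.Quoted = $true
    } elseif ($ImagePath -match '^\s*(.+?\.exe)(\s|$)') {
        $r.Executable = $Matches[1]
    }
    $r.ExpectedLocation = $ExpectedExe -contains $r.Executable

    # Assumed layout: -ORBListenEndpoints iiop://[interface]:port/ssl_port=port
    if ($ImagePath -match '-ORBListenEndpoints\s+iiop://([^:/\s]*):(\d+)/ssl_port=(\d+)') {
        $r.Interface    = if ($Matches[1]) { $Matches[1] } else { '(none set)' }
        $r.Port         = [int]$Matches[2]
        $r.SslPort      = [int]$Matches[3]
        $r.DefaultPorts = ($r.Port -eq 8193 -and $r.SslPort -eq 8194)
    }
    [pscustomobject]$r
}

if (Test-Path $ServiceKey) {
    $imagePath = (Get-ItemProperty -Path $ServiceKey -Name ImagePath -ErrorAction Stop).ImagePath
} else {
    # Constructed sample: the documented 32-bit value, used when the service is absent.
    $imagePath = '"C:\Program Files\Sophos\Remote Management System\RouterNT.exe" ' +
                 '-service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194'
}
$audit = Test-RouterImagePath -ImagePath $imagePath
$audit | Format-List
if (-not ($audit.Quoted -and $audit.ExpectedLocation -and $audit.DefaultPorts)) {
    Write-Warning 'ImagePath differs from the documented default; confirm the change is intended (for example a message relay).'
}
```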
HKLM\SOFTWARE\Sophos\Remote Management System\ManagementAgent\Private\Pkc
HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\Pkc
The signed certificate as issued by the Certification Manager. This value is required before the Sophos Agent can be officially part of the Remote Management System. In order to obtain the value, the Sophos Agent logs onto the local Message Router’s certification interface (when available) and makes a certification request. This should be received by the Certification Manager and a certificate issued. It is then sent back by the server’s Message Router to the client Message Router and on to the Sophos Agent. It is then able to log on to the client interface on the local Router and become part of the Remote Management System and send messages. This is the same process by which the Sophos AutoUpdate Agent receives its certificate.
HKLM\SOFTWARE\Sophos\Remote Management System\ManagementAgent\Adapters\
HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Adapters\
The above location sets the paths to the adapter. For example, the value of DLLPath under HKLM\SOFTWARE\Sophos\Remote Management System\ManagementAgent\Adapters\SAV is: C:\Program Files\Sophos\Sophos Anti-Virus\\SAVAdapter.dll
HKLM\SOFTWARE\Sophos\Messaging System\Router
HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router
The majority of other keys that define the behaviour of the Message Router are under this key.
A selection of the most significant keys is given below. Not all of the following values are present by default, but they can be added to override default behavior if required.
This value is set by clientmrinit.exe in conjunction with mrinit.conf, which is copied to the client during the initial bootstrap phase of the client by setup.exe. The value in mrinit.conf is created by the server at install and is based on the source file srcinit.conf, which sets the ports for RMS to use in the very first instance.
In order for a Message Router to publish its services, i.e. the interfaces and ports on which it is listening, the Message Router has the concept of an IOR. This registry key defines the port on which the Message Router’s IOR is hosted for other components to connect to.
This value is set by clientmrinit.exe in conjunction with mrinit.conf, which is copied to the client during the initial bootstrap phase of the client by setup.exe. The value in mrinit.conf is created by the server at install and is based on the IP addresses of the server, how they are obtained and the hostname.
For a Management Server whose IP address is fixed, the value ParentRouterAddress in mrinit.conf will contain the IP addresses of the management server, plus the FQDN format if a member of a domain and the NETBIOS name. If the Management Server obtains its IP(s) through DHCP, only the machine name will be used. It is in this scenario where the client may rely on DNS in order to find its parent server. The value essentially enables the Message Router to find its parent Message Router. The registry value can be changed and the Message Router restarted if required, and may be used when setting up message relays.
Any as accepted by routernt.exe and ultimately the ACE ORB (default: -ORBListenEndpoints iiop://:8193/ssl_port=8194)