When you install a new Enterprise Console (i.e., management server) you must redirect Windows endpoint computers to the new server. Under many circumstances, you can re-protect your computers from the new console or run Setup.exe on existing endpoint computers with the necessary switches. This can either be done manually or as part of a scripted approach.
This article describes how to use the Sophos endpoint migration utility to create a VBScript file that you use to redirect Windows endpoint computers to a new Enterprise Console. It should be used where either of the above options is undesirable.
Important: If you are following this procedure for Enterprise Console v4.5 or v4.7, you must not apply the section to run the Patch. This cannot be done on these versions.
Reasons for using a scripted method in preference to a re-protect from Enterprise Console may include:
Reasons for using the 'Sophos endpoint migration utility' as outlined below include:
First seen in Enterprise Console 4.5.0
Where possible, you should run the Sophos endpoint migration utility from the new management server, although it can be run on any Windows computer with access to the new management server. Avoid running it from a network share to prevent any security warnings associated with running HTA files remotely.
Before deploying to a large number of computers, test the script file you create on a couple of endpoint computers to ensure it is configured with the correct options. The script creates a log on the computer, which can be used for troubleshooting if the script fails. The default location for this is: C:\windows\temp\SophosReInit.txt
Note: You should confirm that the address in the mrinit.conf file is that of the new management server.
Selecting this option forces a reconfigure of RMS even when a previous redirection has taken place. When the script reconfigures RMS, it creates a 'marker' DWORD registry key called 'ReInitRMSMarker' under: HKLM\Software\[wow6432node]\Sophos\. This is set to 1 to indicate that a redirection has occurred on the endpoint. The script checks whether this marker is present and, if it is, exits unless the force configuration option is set. This aims to prevent the script from running each time, for example when it is used as a start-up script.
WARNING: Running the script with this option can damage the SEC server or a relay. Do not run the script with force on either of these two servers, as it can cause serious damage.
Enabling the force configuration option also forces a reconfigure when the computer is a message relay or SEC server, as indicated by the ConnectionCache registry key value being anything other than 10 under: HKLM\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router. This check normally prevents accidental reconfiguration of a SEC server or message relay, so use this option with caution.
Selecting this option forces a reconfigure of the Sophos Patch Agent regardless of whether the 'marker' DWORD registry key 'ReInitPatchMarker' is set to 1 under: HKLM\Software\[wow6432node]\Sophos\. This marker is set by a previous run of the tool and should prevent the script from repeatedly re-initializing the computer, for example when deployed as a start-up script.
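A read-only pre-flight check of the registry values and log file described above, written as an added example; it is not part of the Sophos utility or of the script the utility generates. The function names are hypothetical, and treating a missing ConnectionCache value as unsafe for force is an assumption.

```powershell
# Added example: read-only pre-flight check before running the redirect
# script with a force option. Registry paths, value names and the log path
# are the ones given in this article; nothing is written or changed.

function Get-SophosValue {
    param([string]$SubKey, [string]$Name)
    # Check the native registry view first, then the 32-bit view used on 64-bit Windows.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $item = Get-ItemProperty -Path "$root\$SubKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # value not present in either view
}

function Test-SophosRedirectPreflight {
    $cache     = Get-SophosValue 'Sophos\Messaging System\Router' 'ConnectionCache'
    $rmsMark   = Get-SophosValue 'Sophos' 'ReInitRMSMarker'
    $patchMark = Get-SophosValue 'Sophos' 'ReInitPatchMarker'

    # Per the article, any ConnectionCache value other than 10 indicates a
    # message relay or SEC server.
    # Assumption: a missing value is not proof of an ordinary endpoint,
    # so force is reported as unsafe in that case too.
    $isEndpoint = ($cache -eq 10)

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        ConnectionCache  = $cache
        OrdinaryEndpoint = $isEndpoint
        RmsMarkerSet     = ($rmsMark -eq 1)     # script exits without force
        PatchMarkerSet   = ($patchMark -eq 1)   # Patch re-init skipped without force
        ForceIsSafe      = $isEndpoint
        LogPresent       = Test-Path -LiteralPath 'C:\windows\temp\SophosReInit.txt'
    }
}

$result = Test-SophosRedirectPreflight
$result | Format-List
if (-not $result.ForceIsSafe) {
    Write-Warning 'ConnectionCache is not 10: possible SEC server or message relay. Do not run with force.'
}
```

Run it on a test endpoint before and after the redirect script: the markers should change from unset to 1, and the log should appear at the default location.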
Refer to the Migration Guide for more information on decommissioning the old server.