
prepare Endpoint Security and Control to be part of a ghost image

Looking for some clarification on putting Endpoint Security & Control into a Ghost image.

There is this article:

http://www.sophos.com/support/knowledgebase/article/28591.html

But is the procedure still needed or can I forget about this now?

http://www.sophos.com/support/knowledgebase/article/12561.html

thanks



  • Hi,

    The key points to including SAV in an image as far as I can see are:

    1. If the SID of the machine will change as part of the imaging process. 

    If SAV is installed and the machine has SID 1, for example, the local Sophos groups will be created with SIDs such as SID1-1, SID1-2, SID-3.  These SID values are then stored in the configuration of SAV (machine.xml).

    If the machine is given a new SID, then the SID values in the machine.xml will not map with the local groups as the local groups will have changed.

    2. The Remote Management System (RMS) information.

    When a client is protected and RMS gets installed, a certification handshake takes place.  This includes the machine getting a unique token and certificates for both the Router and Agent.

    If a machine is imaged when the machine already has this token and certificates, when it is "duplicated" the new machines will also have the same token and certificates and it will therefore have the same RMS address.

    It is therefore better to remove the certificates of the machine prior to taking the image; that way, when the new machine appears, the first thing it does is request new certificates.

    The key reg keys that need to be removed from the client prior to taking the image are:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\pkc

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\pkp

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\pkc

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\pkp

    If you delete these and stop the router and agent service before taking the image (to ensure new ones aren't requested), when the new client is created from the image the router and agent service will start up and you should see new values created.

    I hope this helps explain the pitfalls of including SAV in an image.

    Regards,

    Jak

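The pre-image steps described in the reply above (stop the router and agent services, then remove the four `pkc`/`pkp` entries and confirm they are gone), as an added PowerShell example that is not part of the original post and is not Sophos's own tooling. The registry paths are the ones listed in the reply; the service display names are assumptions not given in the thread, and the script handles each entry whether it exists as a subkey or as a value under `Private`.

```powershell
# Added example: run elevated on the reference machine immediately before capturing the image.
# ASSUMPTION: these service display names do not appear in the thread; adjust to your install.
$services = 'Sophos Message Router', 'Sophos Agent'

# Registry entries exactly as listed in the reply (64-bit Windows paths).
$base = 'HKLM:\SOFTWARE\Wow6432Node\Sophos'
$identity = @(
    "$base\Messaging System\Router\Private\pkc"
    "$base\Messaging System\Router\Private\pkp"
    "$base\Remote Management System\ManagementAgent\Private\pkc"
    "$base\Remote Management System\ManagementAgent\Private\pkp"
)

# Returns 'Key', 'Value' or $null depending on how the entry exists in the registry.
function Get-EntryKind([string]$Path) {
    if (Test-Path -LiteralPath $Path) { return 'Key' }
    $parent = Split-Path $Path -Parent
    $leaf   = Split-Path $Path -Leaf
    if ((Test-Path -LiteralPath $parent) -and
        (Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue)) {
        return 'Value'
    }
    return $null
}

# 1. Stop the services first so they cannot request new certificates before the capture.
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$name' not found"; continue }
    if ($svc.Status -ne 'Stopped') { Stop-Service -InputObject $svc -Force }
}

# 2. Remove the stored certificate entries so clones do not share one RMS identity.
foreach ($path in $identity) {
    switch (Get-EntryKind $path) {
        'Key'   { Remove-Item -LiteralPath $path -Recurse -Force }
        'Value' { Remove-ItemProperty -LiteralPath (Split-Path $path -Parent) `
                      -Name (Split-Path $path -Leaf) -Force }
    }
}

# 3. Verify: the image is only safe to capture if nothing is running and nothing is left.
$running  = @(Get-Service -DisplayName $services -ErrorAction SilentlyContinue |
              Where-Object Status -ne 'Stopped')
$leftover = @($identity | Where-Object { Get-EntryKind $_ })
if ($running.Count -or $leftover.Count) {
    $running  | ForEach-Object { Write-Warning "Still running: $($_.DisplayName)" }
    $leftover | ForEach-Object { Write-Warning "Still present: $_" }
    throw 'RMS identity not cleared; do not capture the image yet.'
}
Write-Output 'RMS identity cleared and services stopped; ready to capture.'
```

The script deliberately leaves the services' startup type unchanged, so they start on first boot of each clone and request fresh certificates as the reply describes.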