
How to install Sophos AV in a virtual desktop environment - instant clones

Hello - I'm hoping someone has some advice on this.  We're testing out VMware virtual desktops and using instant clones where basically there is a master / base image that is used to make clones from, and users will connect to a pool of these desktops.  They won't have just 1 specific desktop.  And after users log off, the desktops are erased and recreated in the background.

I've found this post https://community.sophos.com/products/server-protection-integration/f/anti-virus-for-vmware-and-vshield/1728/incorporating-sophos-within-a-vmware-template-for-use-with-vmware-view-linked-clone-desktops 

but that refers to linked clones, which is going to be different from instant clones.  I have been tinkering with it and instant clones gets stuck at the templating phase unless the Sophos services are off and disabled.

We're probably going to eventually go the vShield route, but for now I'd just like to put on the standard AV.  Does anyone have some experiences with vmware instant clones and the full SEP client installed? 

Thanks!



  • Hello Joe Clarke,

    I have no experience with VMware but some with Sophos Endpoint.

    the last VM on is the only one
    it might seem so. If Sophos was fully installed and RMS has registered before you took the image then actually all machines appear as the same. You might notice that there's a computer whose name changes. Depending on the timing of the provisioning a certain name might appear significantly longer than the others.
    Sophos no longer relies on the SID; what makes the machines unique is the registration with the management server. As said, I have no experience with VMware and clones, whether linked or instant. The following should assure individual registration though:

    Before taking the image stop the Sophos Message Router and Sophos Agent services. Delete HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private and HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private. Add the value CertificationIdentityKey under HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private with the data CIkey (where CIkey is the value from your mrinit.conf). Also delete %ProgramData%\Sophos\AutoUpdate\data\machine_ID.txt and %ProgramData%\Sophos\AutoUpdate\machine_ID.txt.
    In your ClonePrep script you'd start the two services. This should ensure unique identities for the clones.

    Please note that in the console the computer objects will accumulate as each start of an image will create a new one (in case a computername is "reused" the new instance will "take over" the already existing object). Even if you delete the deceased computers from the console it might, depending on the turn-around, cause considerable database growth. Please see the Purging old virtual machines article. Note that PurgeDB.exe acts globally and might take regular computers along with the VMs. Doable but unsupported is deleting directly from the database (and it'd be possible to clearly indicate VMs that have been powered off but it would significantly increase "destruction time").

    Christian

  • Thanks for the reply Christian! The knowledge that it's not dependent upon a unique SID is clutch, because basically the VM is starting in a state where windows has already booted, and most services are running. I think this is the issue, because I'm not exactly sure when the Sophos service starts up in the process, but I'm guessing on startup. Perhaps putting a mild bit of delay in the service start would fix our issue, so that it starts following the instant clone copy. 

  • Hello Joe Clarke,

    the VM is starting in a state where windows has already booted
    start is automatic for the Sophos services but the question is when the image was taken. It should be when the mentioned keys and files aren't present and the two services are stopped. As far as I understand the VMware docs, a ClonePrep script can be used to start the services at provisioning time.

    Christian

  • Hi Christian,

    I have a similar issue, a machine with a full Sophos client was cloned to another 20. Of course all of them now use the original machine's message router.

    Would it be just a case of

    • uninstalling RMS via add-remove programs
    • removing RMS-related reg entries as above
    • allow auto update to reinstall RMS

    Would this also work?

    DanZi

    EDIT:

    - I uninstalled RMS via add-remove programs

    - deleted the whole branch HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System

    - deleted status.xml and forced an update. 

    This seems to resolve it

  • Hello DanZi,

    couldn't reply sooner.

    It's quite simple:

    • stop the Message Router and Agent services
    • delete HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private and
                 HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private
    • delete %ProgramData%\Sophos\AutoUpdate\data\machine_ID.txt and
                 %ProgramData%\Sophos\AutoUpdate\machine_ID.txt
    • start the services

    That's all you need to do

    Christian
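
    The master-image procedure Christian describes in both of his replies above (stop the Message Router and Agent services, delete the two Private registry keys and the two machine_ID.txt files, optionally re-add CertificationIdentityKey from mrinit.conf, then start the services again from the ClonePrep script) as a single PowerShell script. This is an added example written for this thread; it is not code from Sophos, VMware or any of the posters. It assumes the 64-bit Wow6432Node paths quoted in the thread, the service display names 'Sophos Message Router' and 'Sophos Agent', and an elevated session. The Verify mode is an addition for checking that clones really received distinct identities.

```powershell
<#
  Sophos Endpoint (RMS) identity reset for a cloning master image.
  Added example written for this thread; it is not Sophos or VMware code.
  Assumptions: 64-bit Windows (Wow6432Node paths as in the thread),
  service display names 'Sophos Message Router' and 'Sophos Agent',
  run in an elevated PowerShell session.

  Prepare : run on the master just before the snapshot/image is taken.
  Start   : run from the ClonePrep post-synchronization script on each clone.
  Verify  : inspect a clone to confirm it has its own identity.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Start', 'Verify')]
    [string]$Mode,

    # Optional: the CertificationIdentityKey value copied from mrinit.conf.
    # Christian's first reply re-adds it after deleting the Private key;
    # his shorter list does not, so it is left optional here.
    [string]$CertificationIdentityKey,

    # Optional: set the services to Manual start in Prepare mode so a clone
    # cannot register before ClonePrep has run (Start mode resets Automatic).
    [switch]$ManualStart
)

$ErrorActionPreference = 'Stop'
$ServiceDisplayNames = 'Sophos Message Router', 'Sophos Agent'
$SophosKey  = 'HKLM:\SOFTWARE\Wow6432Node\Sophos'
$RouterPriv = "$SophosKey\Messaging System\Router\Private"
$AgentPriv  = "$SophosKey\Remote Management System\ManagementAgent\Private"
$MachineIdFiles = @(
    "$env:ProgramData\Sophos\AutoUpdate\data\machine_ID.txt",
    "$env:ProgramData\Sophos\AutoUpdate\machine_ID.txt"
)

function Get-RmsService { Get-Service -DisplayName $ServiceDisplayNames }

switch ($Mode) {
    'Prepare' {
        # 1. Stop RMS first; a running router/agent would recreate the
        #    identity data the moment it is deleted.
        $services = Get-RmsService
        $services | Where-Object Status -ne 'Stopped' | Stop-Service -Force
        if ($ManualStart) { $services | Set-Service -StartupType Manual }

        # 2. Delete the per-machine RMS identity (registry keys + AutoUpdate IDs).
        foreach ($item in @($RouterPriv, $AgentPriv) + $MachineIdFiles) {
            if ((Test-Path -LiteralPath $item) -and
                $PSCmdlet.ShouldProcess($item, 'Remove')) {
                Remove-Item -LiteralPath $item -Recurse -Force
            }
        }

        # 3. Optionally seed the CIkey so the agent can re-register against
        #    the same management server without a full RMS reinstall.
        if ($CertificationIdentityKey) {
            if ($PSCmdlet.ShouldProcess($AgentPriv, 'Set CertificationIdentityKey')) {
                New-Item -Path $AgentPriv -Force | Out-Null
                New-ItemProperty -Path $AgentPriv -Name 'CertificationIdentityKey' `
                    -Value $CertificationIdentityKey -PropertyType String -Force | Out-Null
            }
        }
        Write-Verbose 'Master prepared; take the image now, without starting the services.'
    }
    'Start' {
        # ClonePrep post-sync: the clone now has its own name, so let RMS
        # register a fresh identity with the management server.
        $services = Get-RmsService
        $services | Set-Service -StartupType Automatic
        $services | Where-Object Status -ne 'Running' | Start-Service
    }
    'Verify' {
        # A correctly registered clone shows both Private keys recreated and its
        # own machine_ID.txt; run this on two clones and the IDs must differ.
        [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            Services      = (Get-RmsService |
                             ForEach-Object { "$($_.DisplayName)=$($_.Status)" }) -join '; '
            RouterPrivate = Test-Path -LiteralPath $RouterPriv
            AgentPrivate  = Test-Path -LiteralPath $AgentPriv
            MachineIds    = ($MachineIdFiles |
                             Where-Object { Test-Path -LiteralPath $_ } |
                             ForEach-Object { (Get-Content -LiteralPath $_ -Raw).Trim() }) -join '; '
        }
    }
}
```

    Run `.\Reset-SophosRmsIdentity.ps1 -Mode Prepare -WhatIf` on the master first to see exactly which keys and files would be removed, then without -WhatIf and take the image while the services are still stopped; call the script with -Mode Start from the ClonePrep post-synchronization script. If the endpoint policy has tamper protection enabled, the Stop-Service step is refused until tamper protection is turned off for the master.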

  • You are the master yet again, Sir!

    This is indeed easier and faster. Thanks a lot Christian!