Hello,
I have searched both the web and these forums for a way to kick off a manual update for Sophos Endpoint Security and Control 9.5 via a script or the command line. I can right click on the Sophos tray icon and choose 'Update now' just fine, but need a script or command line to be able to manually force an update on a machine remotely. Is there a way to do that?
Thanks
Hi,
The following piece of VBS will kick off an update:
dim objALC : set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
objALC.UpdateNow 1,1
CreateObject (http://msdn.microsoft.com/en-us/library/dcw63t7z(v=vs.85).aspx) can take a location as a parameter otherwise PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553) to run it remotely could be an option.
Regards,
Jak
Hi,
If you take a look in the AutoUpdate trace logs (e.g. "\ProgramData\Sophos\AutoUpdate\Logs \ALUpdate[timestamp].log) you can see the line:
-ScheduledUpdate -NoGUI -RootPath "C:\Program Files (x86)\Sophos\AutoUpdate"
to denote the start of a scheduled update and essentially the command line arguments being passed to Alupdate.exe. The other being -ManualUpdate for a forced update.
Also, if you run something like Process Explorer while kicking off an update, the AutoUpdate service (ALSvc.exe) calls Alupdate.exe with the following parameters:
"C:\Windows\TEMP\sophos_autoupdate1.dir\alupdate.exe" -ManualUpdate -NoGUI -RootPath "C:\Program Files (x86)\Sophos\AutoUpdate"
So Alupdate does take such a parameter, the problem might come however when Alupdate has to update iself if you're running the Alupdate.exe from the current install set as you suggest. As AutoUpdate can update AutoUpdate, this is the reason why it copies the minimum set of files to "\Windows\TEMP\sophos_autoupdate1.di r\" and runs a copy from there.
For that reason I would suggest sticking with the VBS approach as this more closely mirrors what takes place.
Regads,
Jak
Hi,
I know this is an older thread, but this fall inline with what I am trying to accomplish.
I recently updated to the latest version of Sophos (SEC ver: 5.0.0.8 , AntiVirus ver: 10)
In the past, systems have updated, requested restart, and when the users shutdown their PC's at night normally the next morning most requests to restart the computer are cleared.
This time around though I have a higher volume of machines that didn't clear this message.
What I would like to do is to automate the process of clearing this message. I found this KB that explains the process of resolving this issue. I was wondering though, is this the correct course of action?
On most of the machines I have confirmed that they absolutely have been shutdown and restarted since the inital update of the software, but the message requesting a restart still remains. So would using this method be the correct course of action? Or should I be digging more to investigate why these weren't cleared?
Back to the automation part, this is a great little piece of code that I would like to use in conjunction with the KB listed above. I would like to write a VB script (still learning VB so it might take me a while, but that is part of the fun) that will create the reg key with a value of 1, run an update, edit the reg key and give it value of 0, and then run the update again.
Does this sound like a good, or bad idea? My primary goal here is to try and limit the disruption to the users machines and make the process as easy as possible on myself. Using a small script, I think I could accomplish this.
Anyway, thank you for this post it has been helpful!
How about something like this as an idea:
'Script to check if the uptime of a machine is greater than 5 minutes.
' if so it sets the reboot required to 0 and calls update now to force state to SEC.
const HKEY_LOCAL_MACHINE = &H80000002
dim strRegistryKey, strKeyPath, intRestartRequired
intRestartRequired = 0 ' set 0 to clear reboot, set to 1 to mark as reboot required.
if Is64() then
strKeyPath = "SOFTWARE\Wow6432Node\Sophos\AutoUpdate\UpdateStatus"
else
strKeyPath = "SOFTWARE\Sophos\AutoUpdate\UpdateStatus"
end if
if datediff ("n", GetLastBoot(), Date() & " " & Time() ) > 5 then
'The machine has been rebooted
SetKey()
CallUpdate()
end if
'Functions ---------------------------------------------------------------------
'-------------------------------------------------------------------------------
Function GetLastBoot()
on error resume next
set objWMIDateTime = CREATEOBJECT("WbemScripting.SWbemDateTime")
set objWMI = GETOBJECT("winmgmts:\\.\root\cimv2")
set colOS = objWMI.InstancesOf("Win32_OperatingSystem")
for each objOS in colOS
objWMIDateTime.Value = objOS.LastBootUpTime
GetLastBoot = objWMIDateTime.GetVarDate
next
set objWMIDateTime = nothing
set objWMI = nothing
set colOS = nothing
End Function
'-------------------------------------------------------------------------------
'-------------------------------------------------------------------------------
Function Is64()
on error resume next
dim objWMIService, objColSettings, strDesc, objProcessor
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set objColSettings = objWMIService.ExecQuery ("SELECT * FROM Win32_Processor")
For Each objProcessor In objColSettings
strDesc = objProcessor.AddressWidth
Next
if strDesc = "32" then
Is64 = false
end if
if strDesc = "64" then
Is64 = true
end if
Set objWMIService = nothing
set objColSettings = nothing
End Function
'-------------------------------------------------------------------------------
'-------------------------------------------------------------------------------
Function SetKey()
dim objReg
set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, "RebootRequired", intRestartRequired
set objReg = nothing
End Function
'-------------------------------------------------------------------------------
'-------------------------------------------------------------------------------
Function CallUpdate()
dim objALC
set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
objALC.UpdateNow 1,1
End Function
'-------------------------------------------------------------------------------
This will set the RebootRequired key to 0 if the machine has been up for more than 5 minutes (adjust as required) then call an update now. At the end of the update the endpoint will send back a message to clear the alert in SEC.
Hope it's useful. I haven't tested it much, just threw together a few functions I had already.
Regards,
Jak
Hey Jak,
Wow you didn't have to go through all the trouble of coding that up!
That looks really good, it probably would have taken me all week to code something half as good as this!
I will give this a try and let you know how it goes, but this looks like it accomplishes exactly what I had in mind!
Thank you for your help!!!!!!
Cheers
No problems. It was quite late at night when I put that together. In the light of day I've just thought, that checking if the uptime is greater than 5 minutes doesn't really help. As a machine that hasn't been rebooted would also match this condition. In some ways you want the opposite. I.e. if the uptime is less than 5 days for example.
Which I guess would make the conditional line:
if datediff ("d ", GetLastBoot(), Date() & " " & Time() ) < 5 then
To be honest, if you role out a similar script as a startup script in AD, you wouldn't even need to test the uptime, you could just set the registry key to 0, optionally call updatenow and you're done as you know the machine has just started.
E.g.
'Script to set the updatestatus to 0 and call update now, could be set as a startup script
const HKEY_LOCAL_MACHINE = &H80000002
dim strKeyPath, intRestartRequired
intRestartRequired = 0 ' set 0 to clear reboot, set to 1 to mark as reboot required.
if Is64() then
strKeyPath = "SOFTWARE\Wow6432Node\Sophos\AutoUpdate\UpdateStatus"
else
strKeyPath = "SOFTWARE\Sophos\AutoUpdate\UpdateStatus"
end if
SetKey()
CallUpdate()
'-------------------------------------------------------------------------------
'Functions
'-------------------------------------------------------------------------------
Function Is64()
on error resume next
dim objWMIService, objColSettings, strDesc, objProcessor
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set objColSettings = objWMIService.ExecQuery ("SELECT * FROM Win32_Processor")
For Each objProcessor In objColSettings
strDesc = objProcessor.AddressWidth
Next
if strDesc = "32" then
Is64 = false
end if
if strDesc = "64" then
Is64 = true
end if
Set objWMIService = nothing
set objColSettings = nothing
End Function
'-------------------------------------------------------------------------------
'-------------------------------------------------------------------------------
Function SetKey()
dim objReg
set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, "RebootRequired", intRestartRequired
set objReg = nothing
End Function
'-------------------------------------------------------------------------------
'-------------------------------------------------------------------------------
Function CallUpdate()
dim objALC
set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
objALC.UpdateNow 1,1
End Function
'-------------------------------------------------------------------------------
Jak
Hey Jak,
thanks again for the response.
I see what you are saying about the check for LastBoot. I can see why it might return a false claim that the system had actually been rebooted.
I like the idea of pushing a startup script out through AD. Currently though, our infrastructure is not supported by AD. We are a Samba/OpenLDAP domain so working with our client machines we sometimes have to get creative.
I took the script that you wrote (which worked perfectly I might add!!!!) and combined it with a small batch file.
@ECHO OFF FOR /F %%G IN (<path to text file containing IP>\ipaddr.txt) DO ( copy /y <path to VBscript>\sophosUpdateFix.vbs \\%%G\c$\Windows\System32psexec \\%%G -u <username > C:\Windows\System32\cscript.exe sophosUpdateFix.vbs del /F \\%%G\c$\Windows\System32\sophosUpdateFix.vbs :: pause )
I populated a txt file with the IP addresses of the affected machines.
I then copy the VBscript to the clients computer, then us PsExec to execute the VBscript on the clients machine.
Then follow up by deleting the VBscript off the clients machine.
I realize that this may not necessarily be the preferred way, or the most secure way of doing it, but given the number of machines that were causing issues I decided to go ahead with it and see if it would clear up the issues I was having.
It has successfully cleaned up all the machines that were reporting the error.
Thank you again for your help, I am going to hang onto this in case I require it again in the future.
Cheers