
Not all systems appear in the console as managed

Hi, 

I am having a problem where not all systems appear in the dashboard.  I am stuck at 45 managed systems although there are 54 systems with the software installed and the correct information in "%ProgramData%\Sophos\Remote Management System\3\Router\NetworkReport\ReportData.xml".

If I restart the agent on one of the servers that does not appear in the dashboard it will appear, but another system will drop from the dashboard.  So although there are 45 managed systems, they change.

I have checked the "C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt" on all systems to verify there are no duplicate machine IDs.

Does anyone have any ideas on what I could look at next?

Thank you



  • Hello provisional Identity,

    it looks like some machines are clones, please follow the steps in the appear to update the same record article. It does no harm and should eventually "untangle" the endpoints.

    Christian

  • Thank you for the quick response QC.  That appears to be the problem. 

    Do you know how the Machine ID is derived and whether or not it will always be unique?  As mentioned in my previous post all of the systems on my domain have different Machine IDs although there are duplicate PKC values.

    I am trying to think of a way to automate the fix action for this in the future.  I do not have control of what gets cloned.  At the moment I am thinking of having a startup script applied via GPO that gets the Machine ID and the PKC value, hashes them into a string, and then writes that as a registry key.  At startup the script will verify that registry key matches the value it comes up with, if not it executes the fix action.  I would like to use the Machine ID over the system SID, InstanceID, or IP.  Is there any reason I should not?

    Here is what I executed on the systems to gather the data for compare:

    #jongurgul.com/.../
    # Returns the hex digest of a string (SHA256 unless another algorithm name is given)
    Function Get-StringHash([String] $String, $HashName = "SHA256")
    {
        $StringBuilder = New-Object System.Text.StringBuilder
        [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String)) | %{
            [Void]$StringBuilder.Append($_.ToString("x2"))
        }
        $StringBuilder.ToString()
    }

    # RMS registry locations (32-bit view of the hive on 64-bit Windows)
    $key1 = "HKLM:\Software\wow6432node\Sophos\Messaging System\Router\Private\"
    $key2 = "HKLM:\Software\wow6432node\Sophos\Remote Management System\ManagementAgent\Private\"
    $key3 = "HKLM:\Software\wow6432node\Sophos\Messaging System\Router\"

    $routerPKC = (Get-ItemProperty -Path $key1 -Name pkc).pkc
    $routerPKP = (Get-ItemProperty -Path $key1 -Name pkp).pkp
    $ManagementAgentPKC = (Get-ItemProperty -Path $key2 -Name pkc).pkc
    $ManagementAgentPKP = (Get-ItemProperty -Path $key2 -Name pkp).pkp   # was reading pkc a second time
    $notifyClientUpdate = (Get-ItemProperty -Path $key3 -Name NotifyClientUpdate).NotifyClientUpdate

    # AutoUpdate machine ID; older and newer installs keep the file in different places
    $machineID1 = Get-Content "C:\Program Files\Sophos\AutoUpdate\machine_ID.txt" -ErrorAction SilentlyContinue
    $machineID2 = Get-Content "C:\Program Files\Sophos\AutoUpdate\data\machine_ID.txt" -ErrorAction SilentlyContinue
    $machineID3 = Get-Content "C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt" -ErrorAction SilentlyContinue

    # Cloud instance ID from the metadata service; fails quietly on systems that have none
    $instanceID = (Invoke-WebRequest -Uri 169.254.169.254/.../instance-id -UseBasicParsing -ErrorAction SilentlyContinue).Content
    $machineIdPkcHash = Get-StringHash ($machineID3 + $ManagementAgentPKC)

    $hash = [ordered]@{
        "Hostname" = ""
        "RouterPKC" = ""
        "RouterPKP" = ""
        "ManagementAgentPKC" = ""
        "ManagementAgentPKP" = ""
        "NotifyClientUpdate" = ""
        "MachineID1" = ""
        "MachineID2" = ""
        "MachineID3" = ""
        "InstanceID" = ""
        "Hash" = ""
    }

    $newObject = New-Object PSObject -Property $hash
    $newObject.hostname = $env:COMPUTERNAME
    # Flatten the certificate values to a single string so they survive CSV export
    $newObject.RouterPKC = [System.Text.Encoding]::Unicode.GetBytes($routerPKC) -join ""
    $newObject.RouterPKP = [System.Text.Encoding]::Unicode.GetBytes($routerPKP) -join ""
    $newObject.ManagementAgentPKC = [System.Text.Encoding]::Unicode.GetBytes($ManagementAgentPKC) -join ""
    $newObject.ManagementAgentPKP = [System.Text.Encoding]::Unicode.GetBytes($ManagementAgentPKP) -join ""
    $newObject.NotifyClientUpdate = $notifyClientUpdate
    $newObject.MachineID1 = $machineID1
    $newObject.MachineID2 = $machineID2
    $newObject.MachineID3 = $machineID3
    $newObject.InstanceID = $instanceID
    $newObject.Hash = $machineIdPkcHash
    $newObject
    #$newObject | ConvertTo-Csv -NoTypeInformation
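One way to build the startup check proposed above, as an added example that is neither the poster's script nor a Sophos tool: it hashes the AutoUpdate Machine ID together with the ManagementAgent PKC, keeps the result under a baseline registry value whose key and name are this example's own assumption, and on mismatch calls a placeholder for the re-identification steps from the Sophos article the thread refers to.

```powershell
# Added example (not the poster's script, not a Sophos tool): GPO startup check that
# compares a stored hash of MachineID + ManagementAgent PKC with the current value.
# The baseline key/value names are this example's own choice (assumption).
$machineIdFile = 'C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt'
$agentKey      = 'HKLM:\Software\wow6432node\Sophos\Remote Management System\ManagementAgent\Private\'
$baselineKey   = 'HKLM:\SOFTWARE\Example\SophosIdentityCheck'   # assumed, not created by Sophos
$baselineName  = 'MachineIdPkcHash'
$logFile       = "$env:ProgramData\SophosIdentityCheck.log"

function Get-StringSha256([string]$Text) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return [System.BitConverter]::ToString($bytes).Replace('-', '').ToLower()
    } finally { $sha.Dispose() }
}

function Get-CurrentIdentityHash {
    $machineId = (Get-Content -Path $machineIdFile -Raw -ErrorAction Stop).Trim()
    $pkc = (Get-ItemProperty -Path $agentKey -Name pkc -ErrorAction Stop).pkc
    # pkc may be REG_SZ (string) or REG_BINARY (byte[]); normalise to text before hashing
    if ($pkc -is [byte[]]) { $pkc = [System.BitConverter]::ToString($pkc).Replace('-', '') }
    Get-StringSha256 "$machineId|$pkc"
}

function Invoke-RmsFixAction {
    # Placeholder: put the re-identification steps from the Sophos article the thread
    # points to here. This example only records that the action is needed.
    Add-Content -Path $logFile -Value "$(Get-Date -Format s) identity mismatch on $env:COMPUTERNAME, fix action required"
}

$current = Get-CurrentIdentityHash
$stored  = (Get-ItemProperty -Path $baselineKey -Name $baselineName -ErrorAction SilentlyContinue).$baselineName

if (-not $stored) {
    # First boot after a clean install: record the baseline for this identity.
    New-Item -Path $baselineKey -Force | Out-Null
    Set-ItemProperty -Path $baselineKey -Name $baselineName -Value $current
} elseif ($stored -ne $current) {
    # The baseline was copied along with the image, but the MAC-derived Machine ID
    # changed: this host is a clone still carrying the image's PKC. The same trigger
    # fires when a NIC is added or removed, so the fix action must be harmless on a
    # machine that is not actually a clone.
    Invoke-RmsFixAction
    # Drop the baseline; the next startup records the post-fix identity.
    Remove-ItemProperty -Path $baselineKey -Name $baselineName
}
```

Because the baseline value travels inside the cloned image while the Machine ID does not, the mismatch shows up on the clone's first boot rather than only after the console has already merged the two records.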

  • The AutoUpdate machine ID is based on a hash of the set of MAC addresses on the computer.  So I guess if you have multiple NICs and you disable one, it will be different, then as you add it back it will then be the same.

  • Thank you Jak.  I assume that is why whatever is in the PKC value is used for the dashboard identification.  

    This is probably something you have already considered, but it may be useful for the dashboard to show systems with different Machine IDs and the same PKC.  Either that or a way for the endpoint to realize its PKC already exists in Enterprise Console and reset itself.  This is probably far more complicated to do than it sounds and I understand if it is not possible.

    Thank you again for the help.  I am very impressed with how quickly my questions were answered.
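The console view asked for above can be approximated offline from the CSV the collection script emits; this is an added example, not a Sophos feature, and the inventory rows below are constructed with short stand-in PKC values.

```powershell
# Added example (not from the thread): report PKC values shared by several endpoints
# and flag those whose AutoUpdate Machine IDs differ, i.e. the clones that SEC
# collapses into a single record. Rows below are constructed sample data in the
# column layout of the poster's collection script.
$inventoryCsv = @'
Hostname,ManagementAgentPKC,MachineID3
SRV01,aaaa1111,8f3c0001
SRV02,aaaa1111,8f3c0002
SRV03,bbbb2222,8f3c0003
SRV04,cccc3333,8f3c0004
SRV05,cccc3333,8f3c0005
SRV06,cccc3333,8f3c0005
'@

function Find-SharedPkc {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory |
        Group-Object -Property ManagementAgentPKC |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $machineIds = @($_.Group.MachineID3 | Sort-Object -Unique)
            # Same PKC with different Machine IDs means different hardware behind one
            # RMS identity (cloned image); same Machine ID is more likely a rename.
            $verdict = if ($machineIds.Count -gt 1) { 'cloned-identity' } else { 'same-machine-renamed?' }
            [pscustomobject]@{
                PKC                = $_.Name
                Hosts              = ($_.Group.Hostname | Sort-Object) -join ';'
                DistinctMachineIds = $machineIds.Count
                Verdict            = $verdict
            }
        }
}

$inventory = $inventoryCsv | ConvertFrom-Csv
# For real data: Import-Csv over the files collected from each endpoint instead.
Find-SharedPkc -Inventory $inventory | Format-Table -AutoSize
```

With the sample rows, aaaa1111 and cccc3333 are reported; only aaaa1111 (two hosts, two Machine IDs) is flagged as a cloned identity, while SRV05 and SRV06 share both values and are reported as a probable rename.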

  • Hello provisional Identity,

    SEC, the management, aims to identify "the same" endpoint in various scenarios:

    • the endpoint is renamed
    • SAV is reinstalled
    • the endpoint is reimaged keeping its name
    • the hardware is changed
    • the hardware is replaced

    The algorithm has been developed and refined over time but it has (still) its shortcomings. It's all but impossible though to get rid of all of them. Won't give all the finicky details here.

    show systems with different Machine IDs and the same PKC
    When RMS doesn't find a certificate upon starting it requests one for the subject Router$computername:number (AFAIK number is a more or less random value) - this is the MessageSystemAddress attribute of the endpoint in the database. If two computers with a different name have the same certificate this suggests they have been "derived" from the same image (on which RMS was already initialized). From SEC's POV they appear as the same computer that has been renamed (that this computer changes its name frequently makes no difference - Macs "could do it all the time").
    a way for the endpoint to realize its PKC already exists
    The endpoint has (and can have) no idea that someone else uses the same certificate. It requested and obtained a certificate in the past and it's not even aware of other endpoints. Why should it say: Hey, this is my unique certificate, is it really still unique?

    Mind you, if SAV - as recommended - is only installed on a machine that has obtained its "final identity" these things don't happen. Furthermore, once the machines have been "untangled" they don't fall back to using the same identity. 

    Christian
