Live Response - Forcing an update from the command line and checking status

Now that Live Response is live, this might be a useful command to initiate an "update now" from the command line:

powershell -command $(New-Object -comObject "ActiveLinkClient.ClientUpdate.1").UpdateNow(1,1)

You can monitor the progress by watching the SophosUpdate.exe process as spawned by Alsvc.exe.  If an update is already in progress, you might get back error 0x80042F05.

Tip 1: To return the "LastUpdateTime" registry value maintained by AutoUpdate, which stores the time of the last update in Epoch time, you can run the following on a 64-bit computer:

powershell -command "$(Get-Date '1970-01-01 00:00:00.000Z')+([TimeSpan]::FromSeconds($(Get-ItemProperty HKLM:\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus "LastUpdateTime").LastUpdateTime))"

Note: This is in UTC so you may need to convert to your local time.

Tip 2: The status of the components AutoUpdate manages is stored in SophosUpdateStatus.xml. To view this file in a sensible way, from a PowerShell prompt you could run:

([xml]$(gc "$env:programdata\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml")).State.SelectNodes("ComponentState")

This command displays, for each package, the short name and the "installedThumbprint" and "downloadedThumbprint" values, along with a number of other attributes. The logic is that AutoUpdate will not attempt to run an install for a component if these two values match. For this reason, deleting SophosUpdateStatus.xml will force AutoUpdate to run the setup plugins of all the management components. Likewise, changing, say, the "installedThumbprint" value in the XML for any given component will force AutoUpdate to re-install just that component.

Therefore, to list the components where installedThumbprint and downloadedThumbprint differ, and display each component's name:

([xml]$(gc "$env:programdata\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml")).State.SelectNodes("ComponentState") | %{if ($_.InstalledThumbprint -ne $_.DownloadedThumbprint){write-host $_.name "Needs update. Installed version:" $_.InstalledVersion "Downloaded version:" $_.DownloadedVersion }}
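
Tips 1 and 2 combined into one health check that returns objects instead of console text, which is easier to collect across many endpoints. This is an added example, not code from the original post or from Sophos; the function name Get-UpdateHealth, the MaxAgeHours threshold, the status labels, and the sample XML and epoch value (including the attribute casing) are constructed assumptions.

```powershell
# Constructed sample data, not real Sophos output.
$SampleXml = @'
<State>
  <ComponentState name="ComponentA" installedThumbprint="aaa111" downloadedThumbprint="aaa111" installedVersion="1.0.0" downloadedVersion="1.0.0" />
  <ComponentState name="ComponentB" installedThumbprint="bbb111" downloadedThumbprint="bbb222" installedVersion="2.0.0" downloadedVersion="2.1.0" />
  <ComponentState name="ComponentC" installedThumbprint="" downloadedThumbprint="ccc111" installedVersion="" downloadedVersion="3.0.0" />
</State>
'@
$SampleEpoch = 1700000000   # constructed LastUpdateTime (seconds since 1970-01-01 UTC)

function Get-UpdateHealth {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $StatusXml,        # contents of SophosUpdateStatus.xml
        [Parameter(Mandatory)] [long]   $LastUpdateEpoch,  # LastUpdateTime registry value
        [int] $MaxAgeHours = 24                            # assumed staleness threshold
    )
    # Build the epoch origin explicitly as UTC so the result never depends on the local time zone.
    $origin   = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $lastUtc  = $origin.AddSeconds($LastUpdateEpoch)
    $ageHours = [math]::Round(([DateTime]::UtcNow - $lastUtc).TotalHours, 1)

    $components = foreach ($c in ([xml]$StatusXml).State.SelectNodes('ComponentState')) {
        # An empty or missing installed thumbprint is reported separately from a plain mismatch.
        $status = if ([string]::IsNullOrEmpty($c.installedThumbprint)) { 'NoInstalledThumbprint' }
                  elseif ($c.installedThumbprint -ne $c.downloadedThumbprint) { 'NeedsUpdate' }
                  else { 'Current' }
        [pscustomobject]@{
            Name              = $c.GetAttribute('name')   # attribute, not the element name
            Status            = $status
            InstalledVersion  = $c.installedVersion
            DownloadedVersion = $c.downloadedVersion
        }
    }
    [pscustomobject]@{
        LastUpdateUtc = $lastUtc
        AgeHours      = $ageHours
        Stale         = $ageHours -gt $MaxAgeHours
        Components    = @($components)
    }
}

# Run against the constructed sample. On an endpoint, pass instead:
#   -StatusXml (Get-Content -Raw "$env:ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml")
#   -LastUpdateEpoch (Get-ItemProperty HKLM:\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus).LastUpdateTime
$health = Get-UpdateHealth -StatusXml $SampleXml -LastUpdateEpoch $SampleEpoch
$health | Select-Object LastUpdateUtc, AgeHours, Stale
$health.Components | Where-Object Status -ne 'Current' | Format-Table -AutoSize
```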

Additionally, while on the subject of updating: restarting the "Sophos AutoUpdate Service" and waiting 5 minutes will also initiate an update.

This 5-minute delay can be changed with a custom registry key:

  • 32-bit machines:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate]
    "StartupDelay"=dword:0000000a
  • 64-bit machines:
    [HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Sophos\AutoUpdate]
    "StartupDelay"=dword:0000000a

With this set, after the next restart of the "Sophos AutoUpdate Service" (alsvc.exe), the SophosUpdate.exe process will kick off 10 seconds after the service starts.

Regards,
Jak