Configuring VPN Remote Access for the first time on your Sophos XG Firewall? Check out this useful Community post!
Advisory: Sophos XG Firewall - Antivirus service stopped due to failed pattern update. Please visit this KBA for the latest updates
We'd love to hear about it! Click here to go to the product suggestion community
We use Sophos Central and a couple of endpoints are reporting some components as not running or policy compliance is not met, and the recommendation is to "Re-deploy the client". When I click that button it takes me to a page to download the installer exes, not (re)push it out!
Is there anyway of automating this in a clean way. At the moment we are disabling tamper protection, manually removing all Sophos components and then re-installing. This involves kicking the currently logged in user out.
Could this be done from a remote PowerShell session, without disturbing the logged in user?
Hi Lanky Doodle
You can automate the deployment method, please check this article. Furthermore, there might be a couple of issues, where it reports one or more services missing, kindly check this link which would be helpful to see what is causing the issue.
In reply to Shweta:
I take it there is no proper "push" install then, like is found in Symantec's equivalent?
In reply to Lanky Doodle:
Unfortunately, this particular feature is not available in the Sophos Central. Push feature is available in the On-premise Sophos Endpoint solution.
Have you tried restarting the devices before re-installing them?
Quite often the errors are related to a Windows update that requires a restart. When updates are applied, there are often files that need to be replaced, and this can only happen during a restart. These files are listed under the registry key HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
When the Sophos installation is run it checks to see if the system needs a restart and suggests you restart the computer first. If you don't restart first, some of the Sophos components may not successfully install because they need to link some of the files in PendingFileRenameOperations. Until the system is restarted that link cannot be made. From my experience, 95% of the installation issues are resolved after restarting the device.
As for deploying from Central, in order to be able to setup a process to do this you would have to open additional holes on your FW that would be very high risk as it would also open these holes to the bad actors. The Sophos Enterprise Console would allow for this because it is an on-premise solution. Last I checked you could only do SEP deployments from their on-premise solution too, you can't do so from the SEP Cloud prodiuct.
There are many ways that you can automate deployment including using a GPO or SCCM as outlined in the Sophos KB https://community.sophos.com/kb/en-us/120611 or by using other tools such as PDQ Deploy (a free version is available).
If AutoUpdate component is functioning, there is really no benefit to performing a new install as Sophos AutoUpdate performs pretty much the same role as the installer, i.e. downloading an installing components.
If you delete the status file of AutoUpdate C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml then on the next update AutoUpdate will re-run all the setup plugins of each component. This is one option that may resolve your issue. You can even edit the install or download x-sum values in this file to force just certain components to re-run the setup plugin if really needed.
The other option, which does the same thing is to change the value of the registry value "PlatformRelease" under:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate
When the OS updates, then AutoUpdate will re-run the setup plugins of each component as well. AutoUpate checks this value and updates it when the OS changes. So just change it to 1, for example, will be different to the current OS version and force the update.
To change either of these, Tamper Protection will need to be disabled of course. You can initiate an update via COM using VBS/PowerShell if needed. For example:
(New-Object -ComObject "activelinkclient.clientupdate.1").updatenow($true,1)
I also understand that a RepairKit component is being added to AutoUpdate shortly which will attempt repairs of components prior to each update to minimize interactions and to maintain good health.
In reply to GIJoe:
Yes that's true. I'm talking specifically of on-premise SEP(M).