Sophos Duplicate IDs

I found myself in a large environment where someone decided to deploy an image with Sophos installed. This resulted in all the computers being seen as 1 single computer in the Sophos Enterprise Console.

This caused me to write the following scripts. sophosFindDuplicate.pl scans the IIS logs looking for duplicate GUIDs from computers. It will output the IPs of the machines. The command below will let you remotely fix the machines. (Remember to whitelist psexec in Sophos.)

psexec @hosts.txt -u domain\user -p password -c batchfile.bat

sophosFixDuplicate.cmd

@echo off
rem Stop the Sophos services before touching their identity data
net stop "Sophos Message Router"
net stop "Sophos Agent"
net stop "Sophos AutoUpdate Service"

rem Delete the machine ID file that came with the image (both install locations)
echo y|del "C:\Program Files\Sophos\AutoUpdate\machine_ID.txt"
echo y|del "C:\ProgramData\Sophos\AutoUpdate\machine_ID.txt"

rem Delete the pkc and pkp values from the Router and ManagementAgent keys
reg delete "HKLM\Software\Sophos\Messaging System\Router\Private" /v pkc /f
reg delete "HKLM\Software\Sophos\Messaging System\Router\Private" /v pkp /f

reg delete "HKLM\Software\Sophos\Remote Management System\ManagementAgent\Private" /v pkc /f
reg delete "HKLM\Software\Sophos\Remote Management System\ManagementAgent\Private" /v pkp /f

rem Same values under Wow6432Node (32-bit registry view on 64-bit Windows)
reg delete "HKLM\Software\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkc /f
reg delete "HKLM\Software\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkp /f

reg delete "HKLM\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkc /f
reg delete "HKLM\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkp /f

rem Start the services again
net start "Sophos Message Router"
net start "Sophos Agent"
net start "Sophos AutoUpdate Service"

sophosFindDuplicate.pl

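#Stephen
#Check for Duplicates
use strict;
use warnings;
use Data::Dumper;

# IIS log to scan
my $file = "\\\\sophos-c108-01\\W3SVC1\\u_ex110822.log";
my %hash = ();    # GUID => first IP seen using it
my %hDup = ();    # IPs already printed

open(my $fh, '<', $file) or die "Cannot open $file: $!";

while (<$fh>) {
    # Capture two 143.55.x.x addresses and the GUID that follows them;
    # the second address is the one recorded and reported.
    my @data = ($_ =~ /(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\{{0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}{0,1})/);
    next unless @data;    # skip lines without both addresses and a GUID
    #print $data[0] . "\n";
    if ((exists $hash{$data[2]}) && ($hash{$data[2]} ne $data[1]))
    {
        # GUID already seen from a different IP: print this IP once
        if (not exists $hDup{$data[1]})
        {
            print $data[1] . "\n";
            $hDup{$data[1]} = $data[1];
        }
    }
    else
    {
        # First IP seen for this GUID (kept as its owner, not printed)
        $hash{$data[2]} = $data[1];
    }
}

close($fh);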
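
An added example, not part of the original scripts: the same log scan, but grouped by GUID so that every address sharing an ID is listed, including the first one seen, which sophosFindDuplicate.pl keeps as the owner and does not print. The sample log lines and their layout are constructed, and the ips_by_guid name is hypothetical.

```perl
#!/usr/bin/perl
# Added example: list every IP that shares a Sophos GUID with another IP.
use strict;
use warnings;

# Same capture order as sophosFindDuplicate.pl: first IP, second IP, GUID.
my $ip   = qr/\b143\.55\.\d{1,3}\.\d{1,3}\b/;
my $guid = qr/\{?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?/;

# Returns { lowercased GUID => { second IP => hit count } } for a log handle.
sub ips_by_guid {
    my ($fh) = @_;
    my %seen;
    while (my $line = <$fh>) {
        next if $line =~ /^#/;                  # W3C header lines
        my (undef, $client, $id) = $line =~ /($ip).*?($ip).*?($guid)/ or next;
        $id =~ tr/{}//d;                        # {GUID} and GUID are the same ID
        $seen{lc $id}{$client}++;
    }
    return \%seen;
}

# Constructed sample lines (not real data); replace \$sample with a log path.
my $sample = <<'LOG';
2011-08-22 10:00:01 143.55.1.10 GET /placeholder 143.55.20.5 {AAAAAAAA-1111-2222-3333-444444444444}
2011-08-22 10:00:02 143.55.1.10 GET /placeholder 143.55.20.6 {aaaaaaaa-1111-2222-3333-444444444444}
2011-08-22 10:00:03 143.55.1.10 GET /placeholder 143.55.20.7 bbbbbbbb-1111-2222-3333-444444444444
2011-08-22 10:00:04 143.55.1.10 GET /placeholder 143.55.20.5 {aaaaaaaa-1111-2222-3333-444444444444}
LOG

open my $fh, '<', \$sample or die "open: $!";
my $seen = ips_by_guid($fh);
close $fh;

for my $id (sort keys %$seen) {
    my @ips = sort keys %{ $seen->{$id} };
    next if @ips < 2;                           # GUID used by one address only
    print STDERR "$id seen from ", scalar(@ips), " addresses\n";
    print "$_\n" for @ips;                      # STDOUT can be redirected to hosts.txt
}
```

Like the original script, this keys on IP address, so a single machine whose address changed within the log period also shows up as sharing a GUID.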
