Sophos Duplicate IDs

On August 23, 2011, in Uncategorized, by admin

I found my self in a large environment where someone decided to deploy an image with Sophos installed. This resulted in all the computers being seen as 1 single computer in the Sophos Enterprise Console.

This caused me to write the following scripts. sophosFindDuplicate.pl scan the IIS logs looking for duplicate GUIDs from computer. It will output the IPs of the machines. This command will let you remotely fix the machines.(Remeber to whitelist psexec in Sophos)

psexec @hosts.txt -u domain\user -p password -c batchfile.bat

sophosFixDuplicate.cmd

@echo off
net stop "Sophos Message Router"
net stop "Sophos Agent"
net stop "Sophos AutoUpdate Service"

echo y|del "C:\Program Files\Sophos\AutoUpdate\machine_ID.txt"
echo y|del "C:\ProgramData\Sophos\AutoUpdate\machine_ID.txt"

reg delete "HKLM\Software\Sophos\Messaging System\Router\Private" /v pkc /f
reg delete "HKLM\Software\Sophos\Messaging System\Router\Private" /v pkp /f

reg delete "HKLM\Software\Sophos\Remote Management System\ManagementAgent\Private" /v pkc /f
reg delete "HKLM\Software\Sophos\Remote Management System\ManagementAgent\Private" /v pkp /f

reg delete "HKLM\Software\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkc /f
reg delete "HKLM\Software\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkp /f

reg delete "HKLM\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkc /f
reg delete "HKLM\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkp /f

net start "Sophos Message Router"
net start "Sophos Agent"
net start "Sophos AutoUpdate Service"

sophosFindDuplicate.pl

#Stephen
#Check for Duplicates
use Data::Dumper;

$file = "\\\\sophos-c108-01\\W3SVC1\\u_ex110822.log";
my %hash = ();
my %hDup = ();

open FILE, $file or die $!;

while () {
  @data = ($_ =~ /(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\{{0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}{0,1})/);
	#print $data[0] . "\n";
	if ((exists $hash{$data[2]}) && ($hash{$data[2]} ne $data[1]))
	{
		if(not exists $hDup{$data[1]})
		{
			print $data[1] . "\n";
			$hDup{$data[1]} = $data[1];
		}
	}
	else
	{
		$hash{$data[2]} = $data[1];
	}
}

close(FILE);
Facebook Twitter Delicious Mixx StumbleUpon Digg

Tagged with:  

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>