Sophos Duplicate IDs

I found myself in a large environment where someone had deployed an image with Sophos already installed. The result was that all of the computers showed up as one single computer in the Sophos Enterprise Console.

That led me to write the following scripts. sophosFindDuplicate.pl scans the IIS logs for GUIDs that are reported by more than one computer and prints the IPs of the affected machines. The psexec command below then runs the fix batch file on those machines remotely (remember to whitelist psexec in Sophos first):

psexec @hosts.txt -u domain\user -p password -c batchfile.bat

sophosFixDuplicate.cmd

@echo off
REM Stop the Sophos services before touching the machine identity
net stop "Sophos Message Router"
net stop "Sophos Agent"
net stop "Sophos AutoUpdate Service"

REM Remove the AutoUpdate machine ID (both possible locations)
echo y|del "C:\Program Files\Sophos\AutoUpdate\machine_ID.txt"
echo y|del "C:\ProgramData\Sophos\AutoUpdate\machine_ID.txt"

REM Remove the Router and ManagementAgent private values (native and Wow6432Node paths)
reg delete "HKLM\Software\Sophos\Messaging System\Router\Private" /v pkc /f
reg delete "HKLM\Software\Sophos\Messaging System\Router\Private" /v pkp /f

reg delete "HKLM\Software\Sophos\Remote Management System\ManagementAgent\Private" /v pkc /f
reg delete "HKLM\Software\Sophos\Remote Management System\ManagementAgent\Private" /v pkp /f

reg delete "HKLM\Software\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkc /f
reg delete "HKLM\Software\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkp /f

reg delete "HKLM\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkc /f
reg delete "HKLM\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkp /f

REM Restart the services so the machine registers with a fresh identity
net start "Sophos Message Router"
net start "Sophos Agent"
net start "Sophos AutoUpdate Service"

sophosFindDuplicate.pl

#Stephen
#Check for Duplicates
use strict;
use warnings;
use Data::Dumper;

# IIS W3C log on the Sophos server (UNC path)
my $file = "\\\\sophos-c108-01\\W3SVC1\\u_ex110822.log";
my %hash = ();   # GUID -> first client IP seen using it
my %hDup = ();   # client IPs already reported as duplicates

open FILE, '<', $file or die "Cannot open $file: $!";

while (<FILE>) {
  # capture server IP, client IP and the machine GUID (with or without braces)
  my @data = ($_ =~ /(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\{{0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}{0,1})/);
  next unless @data;   # skip header lines and requests without a GUID
  #print $data[0] . "\n";
  if ((exists $hash{$data[2]}) && ($hash{$data[2]} ne $data[1]))
  {
    # same GUID already seen from a different client: report this IP once
    if(not exists $hDup{$data[1]})
    {
      print $data[1] . "\n";
      $hDup{$data[1]} = $data[1];
    }
  }
  else
  {
    $hash{$data[2]} = $data[1];
  }
}

close(FILE);
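The same duplicate-GUID scan, generalised: instead of hard-coding the address range it takes the column layout from the log's #Fields header, and it reports every client IP seen with each GUID rather than printing the first duplicate only. This is an added example in Python, not the author's script; the log lines are constructed, not taken from a real Sophos server.

```python
import re
from collections import defaultdict

# Matches a GUID with or without braces, as the Perl script does.
GUID_RE = re.compile(
    r"\{?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}?"
)

# Constructed IIS W3C log sample (not a real Sophos server log). Three clients
# report the same GUID (an imaged machine); a fourth client has its own GUID.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2011-08-22 08:00:01 143.55.1.10 GET /Sophos/EM/{A1B2C3D4-0000-1111-2222-333344445555} - 8192 143.55.20.5 200
2011-08-22 08:00:02 143.55.1.10 GET /Sophos/EM/{A1B2C3D4-0000-1111-2222-333344445555} - 8192 143.55.20.6 200
2011-08-22 08:00:03 143.55.1.10 GET /Sophos/EM/a1b2c3d4-0000-1111-2222-333344445555 - 8192 143.55.20.7 200
2011-08-22 08:00:04 143.55.1.10 GET /Sophos/EM/{9F8E7D6C-5555-4444-3333-222211110000} - 8192 143.55.20.8 200
2011-08-22 08:00:05 143.55.1.10 GET /SophosUpdate/CIDs/catalogue.xml - 80 143.55.20.8 200
"""


def find_duplicate_ids(lines):
    """Return {guid: sorted client IPs} for every GUID seen from more than one c-ip."""
    fields = None
    clients_by_guid = defaultdict(set)
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # header may repeat after log rollover
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                         # malformed or truncated row
        row = dict(zip(fields, parts))
        match = GUID_RE.search(line)
        if match and "c-ip" in row:
            guid = match.group(0).strip("{}").upper()   # normalise case and braces
            clients_by_guid[guid].add(row["c-ip"])
    return {g: sorted(ips) for g, ips in clients_by_guid.items() if len(ips) > 1}


if __name__ == "__main__":
    # To scan a real log: find_duplicate_ids(open(r"\\server\W3SVC1\u_ex110822.log"))
    for guid, ips in find_duplicate_ids(SAMPLE_LOG.splitlines()).items():
        print(guid, "used by", ", ".join(ips))
```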

Fix Duplicate WSUS Ids

If your environment does not use SYSPREP, there is a good chance you have duplicate WSUS IDs on your network and a lot of systems that are not patching properly.

This pair of scripts queries your WSUS database, and if the computer name does not match the WSUS ID stored in the database, it resets the WSUS ID on the workstation.

wsusclientid.asp -> install on WSUS server

<%
' Values sent by the startup script on the workstation
susid = Request.QueryString("susid")
suscname = Request.QueryString("suscname")
connstring = "Driver={SQL Native Client};Server=localhost;Database=SUSDB;UID=wsusid;PWD=DBPASSWORD"
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.ConnectionString = connstring
objConn.Open

' Parameterised query: the client-supplied values are bound as parameters, never concatenated into the SQL text
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objConn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "select COUNT(ComputerTargetId) AS records from PUBLIC_VIEWS.vComputerTarget where (ComputerTargetID = ? and Name Like ?);"
cmd.Parameters.Append cmd.CreateParameter("susid", 202, 1, 64, susid)                ' 202 = adVarWChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("suscname", 202, 1, 256, suscname & "%")   ' prefix match on the FQDN

Set rs = cmd.Execute

' 0 means no record with this SusClientID belongs to this computer name
Response.Write rs("records")

rs.Close
objConn.Close
%>

susCLientID.vbs -> run as Startup Script

'stephen
'Check and correct duplicate sus client ids on the network
'this has a sister script on the wsus server to talk to.

Option Explicit
Dim objRegistry, WshNetwork, oxmlhttp, suscname, susclientid, response

Set objRegistry = CreateObject("WScript.Shell")
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set oxmlhttp = CreateObject("MSXML2.XMLHTTP")

'get susclientid
suscname = WshNetwork.ComputerName
susclientid = objRegistry.RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientID")

'ask the WSUS server whether this id is registered under this computer name
oxmlhttp.open "GET", "http://wsus.SERVER.local/wsusclientid.asp?susid=" & susclientid & "&suscname=" & suscname, False
oxmlhttp.send ""
response = Trim(oxmlhttp.responseText)

'responseText is a string, so compare with "0" (a numeric 0 never equals a string in VBScript);
'only act on a successful reply so a server error does not trigger a reset
If oxmlhttp.Status = 200 And response = "0" Then
 objRegistry.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientID"
 objRegistry.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientIdValidation"
 WScript.Sleep 10000
 'run each command hidden (0) and wait for it to finish (True)
 objRegistry.Run "net stop wuauserv", 0, True
 WScript.Sleep 10000
 objRegistry.Run "net start wuauserv", 0, True
 WScript.Sleep 10000
 objRegistry.Run "wuauclt /resetauthorization /detectnow", 0, True
 WScript.Sleep 10000
 objRegistry.Run "wuauclt /r /reportnow", 0, True
 WScript.Sleep 10000
End If