Shh/Updater-B: How to run the FixUpdate.vbs script through Active Directory group policy

  • Article ID: 118338
  • Rating:
  • 9 customers rated this article 1.9 out of 6
  • Updated: 13 Jan 2014

Following an unwanted detection the Sophos AutoUpdate component is no longer functioning. This is due to the files needed by Sophos AutoUpdate being deleted or moved as part of the clean-up action related to the false positive.

This article explains how to setup a gpo script for Active Directory, which will allow the FixUpdate.vbs script to run on your network workstations.

Known to apply to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Windows 2000+

Operating systems
Windows 2003 and above

What To Do

To enable this script to run, copy the FixUpdate.vbs script to a shared resource which your workstations can access.
When the workstation starts the gpo startup script will use the FixUpdate script to correct the Sophos AutoUpdate installation.

Windows 2003

  1. Download the FixUpdate.zip (for more information see article 118323), save to the desktop of your domain controller and extract the FixUpdate.vbs file. 
  2. Click Start | All Programs | Administrative Tools | Active Directory Users and Computer.
    Or
    Click Start | Run | Type: dsa.msc | Press return.
  3. Select the domain name from the left-hand tree.
  4. Right-click the domain name and select 'Properties'.
  5. Select the 'Group Policy' tab.
  6. Select 'New'.
  7. Enter a name for the new Group Policy object (GPO).  Example: GPO to deploy Sophos Fixscript.
  8. Select the new GPO and click 'Edit'.  The Group Policy Object Editor window will open.
  9. In the Group Policy Object Editor in the left pane, browse to Computer Configuration | Windows Settings | Scripts.
  10. On the right-hand side, double-click 'Startup'.
  11. In the 'Startup Properties' dialog box, click 'Show Files' which will open a folder location in Windows Explorer. This folder will be located within the sysvol share and we will refer to this location as the 'script folder'. As an example, the path will look something like this:

    \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\

  12. Copy the FixUpdate.vbs from your desktop to the script folder. 
  13. Within the script folder right-click and select New | Text Document
  14. Rename this file to 'GPOUpdateFix.bat'.
  15. Right-click on 'GPOUpdateFix.bat' and select 'Edit', which will open 'Notepad'.
  16. Paste in the text below:

    @ECHO OFF
    set SRCFIXDIR=[SCRIPT FOLDER ADDRESS]
    set FIXDIR=C:\FixUtilDir
    if not exist "%FIXDIR%" mkdir "%FIXDIR%"
    xcopy "%SRCFIXDIR%\FixUpdate.vbs" "%FIXDIR%\"
    chdir /d %FIXDIR%
    cscript //nologo "%FIXDIR%\FixUpdate.vbs" /fixIssues:true

    Note: This is a sample script to resolve the issue, depending on your environment the script may need to be altered.

  17. Replace the '[SCRIPT FOLDER ADDRESS]' with the exact folder address. To do this copy the address bar from the script folder window.
  18. Save the changes to GPOUpdateFix.bat and close Notepad.
  19. On the Startup Properties window in the 'Scripts' tab, click 'Add' and in the 'Script Name' field browse to the batch file saved in step 18.
  20. Next time the workstation restarts the script will launch.
  21. Once all workstations have been fixed (e.g., reported to the console as 'up to date') with the script, the GPO can be removed.

Windows 2008

  1. Download the FixUpdate.zip (for more information see article 118323), save to the desktop of your domain controller and extract the FixUpdate.vbs file. 
  2. Click Start | All Programs | Administrative Tools | Group Policy Management.
    Or
    Click Start | Run | Type: gpmc.msc | Press return.
  3. Select the domain name from the left-hand tree.
  4. Right-click the domain name and select 'Create a GPO in this domain, and link it here..'.
  5. Enter a name for the new Group Policy object (GPO).  Example: GPO to deploy Sophos Fixscript and click 'Ok'.
  6. Select the new GPO and click 'Edit'.  The Group Policy Object Editor window will open.
  7. In the Group Policy Object Editor in the left pane, browse to Computer Configuration | Policies | Windows Settings | Scripts.
  8. On the right-hand side, double-click 'Startup'.
  9. In the 'Startup Properties' dialog box, click 'Show Files' which will open a folder location in Windows Explorer. This folder will be located within the sysvol share and we will refer to this location as the 'script folder'. As an example, the path will look something like this:

    \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\

  10. Copy the FixUpdate.vbs from your desktop to the script folder. 
  11. Within the script folder right-click and select New | Text Document
  12. Rename this file to 'GPOUpdateFix.bat'.
  13. Right-click on 'GPOUpdateFix.bat' and select 'Edit', which will open 'Notepad'.
  14. Paste in the text below:

    @ECHO OFF
    set SRCFIXDIR=[SCRIPT FOLDER ADDRESS]
    set FIXDIR=C:\FixUtilDir
    if not exist "%FIXDIR%" mkdir "%FIXDIR%"
    xcopy "%SRCFIXDIR%\FixUpdate.vbs" "%FIXDIR%\"
    chdir /d %FIXDIR%
    cscript //nologo "%FIXDIR%\FixUpdate.vbs" /fixIssues:true

    Note: This is a sample script to resolve the issue, depending on your environment the script may need to be altered.

  15. Replace the '[SCRIPT FOLDER ADDRESS]' with the exact folder address. To do this copy the address bar from the script folder window.
  16. Save the changes to GPOUpdateFix.bat and close Notepad.
  17. On the Startup Properties window in the 'Scripts' tab, click 'Add' and in the 'Script Name' field browse to the batch file saved in step 16.
  18. Next time the workstation restarts the script will launch.
  19. Once all workstations have been fixed (e.g., reported to the console as 'up to date') with the script, the GPO can be removed.

Note: FixUpdate.vbs attempts to repair the Sophos AutoUpdate component by running a repair on the installed MSI. This process can encounter issues if other MSIs are running when it is called. Please take this into account if you have other scripts running as part of the GPO that may launch MSIs.

Further information

Other methods for deploying the script to resolve your workstations are available.  You may wish to consider:

  • PsExec see article 118337.
  • Enterprise Console see article 118351.

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments