Sophos AutoUpdate: significant files and registry entries

  • Article ID: 36262
  • Updated: 22 Nov 2013

Note: Where a path is given, it may vary according to your operating system (for example, ProgramData rather than Program Files). Make sure you use the correct path for your operating system.

Significant files

  • ALsvc.exe
  • ALUpdate.exe
  • ALMon.exe
  • SAUConfigDLL.dll
  • AUAdapter.dll
  • ALC.log
  • ALUpdate.log
  • Iconn.cfg
  • Ilog.cfg
  • Imon.cfg
  • Isched.cfg

Significant registry keys - listed below

Significant accounts and groups - listed below


Significant Files

ALsvc.exe

This is the AutoUpdate service, run as 'System User'.

Location: C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

When the service first starts up it performs an update check against the CID (Central Installation Directory). ALSvc.exe runs a scheduler that triggers scheduled updates, and it provides an interface that allows an update to be started on demand.

The following VBScript can be used to call an update via the service:

Dim objALC
Set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
objALC.UpdateNow 1, 1   ' ask the AutoUpdate service to start an update now

ALUpdate.exe

ALUpdate.exe is the file responsible for connecting to the network and downloading files.

Location: C:\Program Files\Sophos\AutoUpdate\ALUpdate.exe

At the start of an update, the Sophos AutoUpdate Service copies ALUpdate.exe and the required dlls and certificates from the above location to:

  • Vista+: C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\ (SAU version 2.7.1.283 and later)
  • XP: C:\Program Files\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\ (SAU version 2.7.1.283 and later)

This allows AutoUpdate to perform an update to itself, if required.

It runs during the update as the system user, but impersonates the local SophosSAU account. See the 'Significant accounts/groups' section for more details on this user. When ALUpdate.exe is called, it runs with the following parameters:

ALUpdate.exe -ManualUpdate -NoGUI -RootPath "C:\Program Files\Sophos\AutoUpdate"

ALMon.exe

This file presents the shield icon in the system tray.

Location: C:\Program Files\Sophos\AutoUpdate\ALMon.exe

ALMon.exe is a DCOM server ("dcomcnfg" - "DCOM Config" - "iMonitor"), which allows Sophos Anti-Virus to display virus alerts to the user desktop. It is launched from the following registry key.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Sophos AutoUpdate Monitor | STRING | C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe

It runs as the logged-on user.

To launch the configuration dialog using VBScript (this is the same method Sophos Anti-Virus uses to open the Configure updating dialog):

Dim monitor
Set monitor = CreateObject("iMonitor.PropertiesDialog.1")
monitor.DisplaySheet

To suppress the system tray icon use the following registry value:

HKLM\SOFTWARE\Sophos\AutoUpdate
HideTrayIcon (DWORD) 1/0

SAUConfigDLL.dll

This file provides a programmatic interface for reading and changing the configuration of AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\SAUConfig.dll

This example VBScript would change the update path:

Dim obj, addr
Set obj = CreateObject("SAUConfigDLL.SAUConfig")
Set addr = obj.GetAddress(0)          ' first update location
addr.Address = "http://onetwothree"   ' point it at the new update path
obj.Commit                            ' write the change to the configuration

AUAdapter.dll

This is the adapter as loaded by the Sophos Agent in order for the messaging system to communicate with AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\AUAdapter.dll

This location is specified in DLLPath under the following registry key: HKLM\SOFTWARE\Sophos\Remote Management System\ManagementAgent\Adapters\ALC

ALC.log

This is the log file as used by the log viewer built into AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\Logs\alc.log

Alc.log is a text based file. An extract is shown below:

Each entry has the following fields:

Field            Meaning
Category         The log ID for AutoUpdate entries.
Clientname       The module that produced the entry.
Level            Log level: 0 = debug, 25 = verbose, 50 = normal (written in hex, so 0x32 = 50).
Process ID       The process ID as assigned by Windows.
Resource DLL ID  The ID of the DLL that contains the string ID.
String ID        The string ID found in the .hdr file.
Thread ID        The thread ID as assigned by Windows.
Timestamp        Seconds since 1 January 1970 (UTC), written in hex; 0x446d16a4 falls on the same day as the LastUpdateTime example in the registry section.
Details          Free-text details of the entry, if any.

Extract:

Category  Clientname  Level  Process ID  Resource DLL ID  String ID  Thread ID  Timestamp   Details
0x4       ALUpdate    0x32   0xf58       0x1              0x53       0xdb4      0x446d16a4  SAVXP
0x4       ALUpdate    0x32   0xf58       0x1              0x53       0xdb4      0x446d16a4  Sophos AutoUpdate
0x4       ALUpdate    0x32   0xf58       0x1              0x7b       0xdb4      0x446d16a5
0x4       ALUpdate    0x32   0x990       0x1              0x6        0x1e4      0x446d1b51
0x4       CIDUpdate   0x32   0x990       0x1              0x55       0x1e4      0x446d1b52  RMSNT
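As an added example (not Sophos code), the following Python parses alc.log entries in the column order above, decodes the hex fields and the epoch timestamp, and names the Level. The sample lines are constructed from the extract and assume whitespace-separated fields.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Level values documented for alc.log (stored as hex: 0x32 = 50 = normal).
LEVEL_NAMES = {0: "debug", 25: "verbose", 50: "normal"}
# Entries constructed from the article's extract. Whitespace separation is an
# assumption; the nine fields follow the documented column order.
SAMPLE_LOG = """\
0x4 ALUpdate 0x32 0xf58 0x1 0x53 0xdb4 0x446d16a4 SAVXP
0x4 ALUpdate 0x32 0xf58 0x1 0x53 0xdb4 0x446d16a4 Sophos AutoUpdate
0x4 ALUpdate 0x32 0xf58 0x1 0x7b 0xdb4 0x446d16a5
0x4 ALUpdate 0x32 0x990 0x1 0x6 0x1e4 0x446d1b51
0x4 CIDUpdate 0x32 0x990 0x1 0x55 0x1e4 0x446d1b52 RMSNT
"""

@dataclass
class AlcEntry:
    category: int
    clientname: str
    level: int
    process_id: int
    resource_dll_id: int
    string_id: int
    thread_id: int
    timestamp: datetime  # UTC, decoded from the hex epoch-seconds field
    details: str

    @property
    def level_name(self) -> str:
        return LEVEL_NAMES.get(self.level, f"unknown({self.level})")

def parse_alc_line(line: str) -> AlcEntry:
    """Split one entry into its nine fields; Details may be empty or multi-word."""
    parts = line.split(None, 8)  # eight fixed fields, then everything else
    if len(parts) < 8:
        raise ValueError(f"malformed alc.log entry: {line!r}")
    cat, client, lvl, pid, dll, sid, tid, ts = parts[:8]
    return AlcEntry(
        category=int(cat, 16), clientname=client, level=int(lvl, 16),
        process_id=int(pid, 16), resource_dll_id=int(dll, 16),
        string_id=int(sid, 16), thread_id=int(tid, 16),
        timestamp=datetime.fromtimestamp(int(ts, 16), tz=timezone.utc),
        details=parts[8] if len(parts) == 9 else "",
    )

def parse_alc_log(text: str) -> list:
    return [parse_alc_line(l) for l in text.splitlines() if l.strip()]

def last_entry_time(text: str) -> datetime:
    return max(e.timestamp for e in parse_alc_log(text))
```

The newest timestamp is a quick way to check when AutoUpdate last logged anything on a host, independent of the tray icon.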

ALUpdate.log

This is a more verbose log showing the operation of AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\Logs\ALUpdate.log

Iconn.cfg

This file contains the configuration of AutoUpdate in respect of the update locations and accounts used.

Location: C:\Program Files\Sophos\AutoUpdate\Config\iconn.cfg

The values are self explanatory and must NOT be edited manually.

[PPI.WebConfig_Primary]
AllowLocalConfig = 0
AutoDialTimeout =
LocalPath =
DownloadGranularity =
ConnectionAddress =\\Connectaddress\InterChk\ESXP\
UserName = Domain\Admin
UserPassword =UserPassword/nyo=
ConnectionType = UNC
UseSophos = 0
AutoDial = 0
BandwidthLimit = 0
PortNumber =

[PPI.ProxyConfig_Primary]
AllowLocalConfig = 0
ProxyPortNumber = 8080
ProxyType = 0

[PPI.WebConfig_Secondary]
AllowLocalConfig = 0
AutoDialTimeout =
LocalPath =
DownloadGranularity =
UseSophos = 0
AutoDial = 0
BandwidthLimit = 0

[PPI.ProxyConfig_Secondary]
AllowLocalConfig =0
ProxyPortNumber = 8080
ProxyType = 0
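As an added example (not Sophos code), this Python reads an iconn.cfg and summarises the primary and secondary update locations without modifying the file, reporting whether an account and password are stored without echoing them. The sample is constructed from the extract above, and the meaning of each key is inferred from its name.

```python
import configparser

# iconn.cfg sample constructed from the article's extract (raw string keeps the UNC
# backslashes; the password value is the obfuscated form shown in the article).
SAMPLE_ICONN = r"""[PPI.WebConfig_Primary]
AllowLocalConfig = 0
AutoDialTimeout =
LocalPath =
DownloadGranularity =
ConnectionAddress =\\Connectaddress\InterChk\ESXP\
UserName = Domain\Admin
UserPassword =UserPassword/nyo=
ConnectionType = UNC
UseSophos = 0
AutoDial = 0
BandwidthLimit = 0
PortNumber =

[PPI.ProxyConfig_Primary]
AllowLocalConfig = 0
ProxyPortNumber = 8080
ProxyType = 0

[PPI.WebConfig_Secondary]
AllowLocalConfig = 0
UseSophos = 0
"""

def audit_update_locations(cfg_text: str) -> dict:
    """Read-only summary per update location; credentials are only reported
    as present/absent, never echoed. Key meanings are inferred from the names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    report = {}
    for slot in ("Primary", "Secondary"):
        web = f"PPI.WebConfig_{slot}"
        if not cp.has_section(web):
            continue
        s = cp[web]
        address = s.get("ConnectionAddress", "").strip()
        report[slot] = {
            "configured": bool(address),
            "source": address or None,
            "connection_type": s.get("ConnectionType", "").strip() or None,
            "uses_account": bool(s.get("UserName", "").strip()),
            "has_stored_password": bool(s.get("UserPassword", "").strip()),
            "local_config_allowed": s.get("AllowLocalConfig", "0").strip() == "1",
            "proxy_port": cp.get(f"PPI.ProxyConfig_{slot}", "ProxyPortNumber", fallback=None),
        }
    return report
```

On the sample this reports a UNC primary location with a stored account and password, local configuration changes disallowed, and no secondary location configured.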

Ilog.cfg

This file contains the logging settings, as configured from the "Logging" tab of AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\Config\ilog.cfg

Imon.cfg

This file contains the configuration of ALMon.exe (the shield tray icon).

Location: C:\Program Files\Sophos\AutoUpdate\Config\imon.cfg

[Configuration.iMonitor_v1.0]
AllowLocalConfig = 1
AnimateTrayIcon = 1
AllowMonitorToRun = 1
OverrideSecurity = 0
DisallowConfigure = 0
LogErrors = 0
ShowProgress = 0
ShowRebootDialog= 1

Isched.cfg

This file contains the scheduler settings, as configured from the "Schedule" tab of AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\Config\isched.cfg

The following files can all be found at: C:\Program Files\Sophos\AutoUpdate\

  • Cidsync.upd - Used by alupdate.exe when downloading updates from CIDs. The file is used as the catalogue to determine which files are required by a package.
  • Libeay32.dll - used to verify products downloaded from CIDs have been signed by Sophos.
  • Ps.crl and Ps_rootca.crt - the certificate revocation list and root certificate used to verify that products downloaded from CIDs have been signed by Sophos.
  • Scf.dat - tells the Sophos Client Firewall to trust AutoUpdate when it connects to the Internet.
  • Swlocale.dll - Provides an algorithm for choosing which language resource should be used.

Significant registry keys

32 bit:
HKLM\SOFTWARE\Sophos\AutoUpdate\...
HideConnectionDialog
HideTrayIcon

64 bit:
HKLM\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\
HideConnectionDialog
HideTrayIcon

These two values are self-explanatory. A value of 1 hides the connection dialog or tray icon from the user, whereas a value of 0 (the default) displays it.

32 bit:
HKLM\SOFTWARE\Sophos\AutoUpdate\Service\
Download User

64 bit:
HKLM\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\Service\
Download User

The username of the impersonation account created during the install of AutoUpdate, e.g. SophosSAU<machinename><uniqueid>.
If the account, user name and password keys exist prior to installation, these will be used.

32 bit:
HKLM\SOFTWARE\Sophos\AutoUpdate\Service\
Download Password

64 bit:
HKLM\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\Service\
Download Password

This is the password of the impersonation account created during the install of AutoUpdate. Note: The password is stored in clear text but protected through the ACL on the key.

32 bit:
HKLM\SOFTWARE\Sophos\AutoUpdate\UpdateStatus\
LastUpdateTime

64 bit:
HKLM\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\UpdateStatus\
LastUpdateTime

Type: DWORD. Example: 1148044708 (decimal). This contains the time of the last update check, stored as seconds since 1 January 1970 (UTC).
The following VBScript reads the value and displays it as a local date and time:

Dim tZ, uKey, shell, lastUp
tZ = +1 ' local time offset from GMT, in hours
' On 64-bit Windows the value lives under HKLM\Software\Wow6432Node\Sophos\... (see above)
' unless the script is run from the 32-bit script host.
uKey = "HKLM\Software\Sophos\AutoUpdate\UpdateStatus\LastUpdateTime"
Set shell = CreateObject("WScript.Shell")
lastUp = shell.RegRead(uKey)
WScript.Echo DateAdd("h", tZ, DateAdd("s", lastUp, "01/01/1970 00:00:00"))

This should also be the last update time as shown when hovering the mouse pointer over the Sophos shield system tray icon. NOTE: This is not the last install time.

32/64 bit:
HKLM\SYSTEM\CurrentControlSet\Services\
Sophos AutoUpdateService

The registry key created by registering the AutoUpdate service.

 

Significant accounts/groups

SophosSAU<machinename><uniqueid>
This account is impersonated on every update by alupdate.exe.

The overall account name can be a maximum of 20 characters, therefore the computer name is truncated as necessary. The <uniqueid> value is used for multiple domain controllers, in order to create a unique account for each domain controller in the domain.
