Patch assessment reports from endpoints fail to be processed by server after changing database account

  • N°Id de l'article : 116385
  • Mis à jour : 13 janv. 2014

Issue

After re-running the installer to change the "database" account the Patch server side component stops processing client requests.  The "PatchEndpointCommunicator.log" file contains errors such as:

Severity:     
error | Failed to retrieve required file list. Internal exception information supplied. Version:100 Architecture:X64 Agent Version:1.0.239.0
Agent ID:a6f78bd1-e081-475b-9aca-6a48aec8f2e4 User Agent:SophosAgent/1.0
(type="spa"; mid="a6f78bd1-e081-475b-9aca-6a48aec8f2e4";
host="PC1")  Internal Exception:System.Security.Cryptography.CryptographicException: The handle is invalid.

 

First seen in

 


Sophos Patch Agent 1.0
Enterprise Console 5.2.0
Enterprise Console 5.1.0
Enterprise Console 5.0.0

 

Cause

 

The patch service: "Sophos Patch Endpoint Communicator" (PatchEndpointCommunicator.exe) is unable to read files written when the service was running under the previous account.

 

This has been assigned the defect ID: DEF77628 and will be fixed in a future version of Enterprise Console. 

 

What To Do

On the Sophos management server:

 

Stage 1 - Locate the file(s) you need to edit the permissions on 

 

The permissions of the file(s) are only accessible to the built-in 'Local System' account and the original 'database' account that created the file.  To find the relevant file(s) perform the following steps:

 

  1. Stop the 'Sophos Patch Endpoint Communicator' service.

  2. Open a Command Prompt window running as 'Local System'. 

    To do so you can create a temporary service which runs cmd.exe as 'Local System':
    1. In a command prompt running as administrator run the following command:
      sc create "LocalSystem Command Prompt" binpath= "cmd.exe /K start" type= own type= interact

      NOTE: You can safely ignore any warnings that may appear.  This command creates a temporary service with Local System privileges. The Local System account is a powerful account that has full access to the system, including the directory service on domain controllers.

    2. Type:
      sc start 'LocalSystem Command Prompt'
      This should launch a new command prompt in the console session running as 'Local System'.

  3. In the new command prompt window running as 'Local System', change to the following directory:
    Windows XP/2003/2003 R2:
    "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\"

    Windows 7/2008/2008 R2:
    "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"

    By typing:
    cd [above path]

  4. Type the following command:
    findstr /M "SophosPatchSrv" * > C:\SophosPatchKeys.txt

    This will write the names of all the files that you need to update the file permissions on to the file C:\SophosPatchKeys.txt.

  5. When you have finished identifying the files, at the command prompt, delete the temporary service by typing:

    sc delete "LocalSystem Command Prompt"

  6. Close the Command Prompt window.

Stage 2 - Take ownership of the file(s) identified in 'Stage 1'

 

  1. In Windows Explorer navigate to the directory mentioned above, I.e.

    Windows XP/2003/2003 R2:
    "C:\Documents and Settings\All Users\Application
    Data\Microsoft\Crypto\RSA\MachineKeys\"

    Windows 7/2008/2008 R2:
    "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"

  2. Right-click the file(s) identified in 'Stage 1' and select 'Properties'.
  3. Select the 'Security' tab.
    NOTE: The file that gives a permissions warning message when the 'Security' tab is selected.
  4. Select the 'Advanced' button.
  5. Select the 'Owner' tab.
  6. Under 'Change owner to:' select your account.
  7. Select 'Apply', 'OK', and 'OK' again.

Stage 3 - Assign the new database account access to the identified files

 

NOTE: If you're unsure which is the new database account you can check in Windows services (Start | Run | Type: services.msc | Press return).  The account listed under the 'Log on' tab for the service 'Sophos Patch Endpoint Communicator'.

 

  1. Right click on the file(s) you have identified in 'Stage 1'.
  2. Select 'Properties'.
  3. Select the 'Security' tab. 
  4. Click 'Add'.
  5. In the 'Select Users, Computers, or Groups' dialog enter the new database account.
  6. Select 'OK', and 'OK' again.

Once you have completed the above steps you should be able to start the 'Sophos Patch Endpoint Communicator' service.  The errors in the log should stop.

 

 

 
Si vous avez besoin de plus d'informations ou d'instructions, veuillez contacter le support technique.

Évaluez cet article

Très mauvais Excellent

Commentaires