
Sophos AutoUpdate: significant files and registry entries

 

Significant files - listed below

  • ALsvc.exe
  • ALUpdate.exe
  • ALMon.exe
  • SAUConfigDLL.dll
  • AUAdapter.dll
  • ALC.log
  • ALUpdate.log
  • Iconn.cfg
  • Ilog.cfg
  • Imon.cfg
  • Isched.cfg

Significant registry keys - listed below

Significant accounts and groups - listed below


Significant Files

ALsvc.exe

This is the AutoUpdate service, run as 'System User'.

Location: C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

When the service first starts up it performs an update check against the CID. ALSvc.exe runs a scheduler that triggers scheduled updates, and it provides an interface through which an update can be started on demand.

The following VBScript can be used to call an update via the service:

Dim objALC
' Create the AutoUpdate client COM object exposed by the service
Set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
' Trigger an update immediately
objALC.UpdateNow 1, 1

ALUpdate.exe

ALUpdate.exe is the file responsible for connecting to the network and downloading files.

Location: C:\Program Files\Sophos\AutoUpdate\ALUpdate.exe

At the start of an update, the Sophos AutoUpdate Service copies ALUpdate.exe and the required dlls and certificates from the above location to: %windir%\temp\sophos_autoupdate1.dir\ALUpdate.exe.

This allows AutoUpdate to perform an update to itself, if required.

It runs during the update as the system user, but impersonates the local SophosSAU account. See the 'Significant accounts/groups' section for more details on this user. When ALUpdate.exe is called, it runs with the following parameters:

ALUpdate.exe -ManualUpdate -NoGUI -RootPath "C:\Program Files\Sophos\AutoUpdate"

ALMon.exe

This file presents the shield icon in the system tray.

Location: C:\Program Files\Sophos\AutoUpdate\ALMon.exe

ALMon.exe is a DCOM server ("dcomcnfg" - "DCOM Config" - "iMonitor"), which allows Sophos Anti-Virus to display virus alerts on the user desktop. It is launched from the 'All Users' Startup menu (C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk), and it runs as the logged-on user.

To launch the configuration dialog using VBScript (this is the same method used from within Sophos Anti-Virus to launch the Configure Updating dialog):

Dim monitor
' Create the iMonitor COM object served by ALMon.exe
Set monitor = CreateObject("iMonitor.PropertiesDialog.1")
' Show the AutoUpdate configuration property sheet
monitor.DisplaySheet

To suppress the system tray icon use the following registry value:
HKLM\SOFTWARE\Sophos\AutoUpdate
HideTrayIcon (DWORD) 1/0

SAUConfigDLL.dll

This file provides COM automation capabilities for reading and changing the configuration of AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\SAUConfigDLL.dll

This example VBScript would change the update path:

Dim obj, addr
Set obj = CreateObject("SAUConfigDLL.SAUConfig")
' Address index 0 is the primary update location
Set addr = obj.GetAddress(0)
addr.Address = "http://onetwothree"
' Write the changed configuration back
obj.Commit

AUAdapter.dll

This is the adapter as loaded by the Sophos Agent in order for the messaging system to communicate with AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\AUAdapter.dll

This location is specified in DLLPath under the following registry key: HKLM\SOFTWARE\Sophos\Remote Management System\ManagementAgent\Adapters\ALC

ALC.log

This is the log file as used by the log viewer built into AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\Logs\alc.log

Alc.log is a text-based file. Each entry has the following columns:

  • Category - The log ID for AutoUpdate entries.
  • Clientname - The module that produced the entry.
  • Level - Log level: 0=debug, 25=verbose, 50=normal.
  • Process ID - The process ID as assigned by Windows.
  • Resource DLL ID - The ID of the DLL that contains the string ID.
  • String ID - The string ID found in the .hdr file.
  • Thread ID
  • Timestamp
  • Details

An extract is shown below:

Category  Clientname  Level  Process ID  Resource DLL ID  String ID  Thread ID  Timestamp   Details
0x4       ALUpdate    0x32   0xf58       0x1              0x53       0xdb4      0x446d16a4  SAVXP
0x4       ALUpdate    0x32   0xf58       0x1              0x53       0xdb4      0x446d16a4  Sophos AutoUpdate
0x4       ALUpdate    0x32   0xf58       0x1              0x7b       0xdb4      0x446d16a5
0x4       ALUpdate    0x32   0x990       0x1              0x6        0x1e4      0x446d1b51
0x4       CIDUpdate   0x32   0x990       0x1              0x55       0x1e4      0x446d1b52  RMSNT\\uk-sec2\ InterChk\ESXP\
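A small parser for this layout, added here as an example and not part of the Sophos article or product: it decodes the Level value and the hex IDs, converts the Timestamp (assumed, like the LastUpdateTime registry value described later, to be seconds since the Unix epoch in UTC) and collects the Details text of CIDUpdate entries, which in the extract above carries the CID share path. The sample lines are constructed from that extract.

```python
"""Parse Sophos AutoUpdate ALC.log entries (added example, not Sophos code).

Assumes nine whitespace/tab-separated columns as listed in the article,
only the last of which (Details) may contain spaces, and that Timestamp
is a hex Unix-epoch second count (an assumption, not stated for this log).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

LEVELS = {0: "debug", 25: "verbose", 50: "normal"}

# Constructed sample lines in the layout of the article's extract.
SAMPLE_LOG = """\
0x4\tALUpdate\t0x32\t0xf58\t0x1\t0x53\t0xdb4\t0x446d16a4\tSAVXP
0x4\tALUpdate\t0x32\t0xf58\t0x1\t0x53\t0xdb4\t0x446d16a4\tSophos AutoUpdate
0x4\tALUpdate\t0x32\t0xf58\t0x1\t0x7b\t0xdb4\t0x446d16a5
0x4\tCIDUpdate\t0x32\t0x990\t0x1\t0x55\t0x1e4\t0x446d1b52\t\\\\uk-sec2\\InterChk\\ESXP\\
"""


@dataclass
class AlcEntry:
    category: int
    client: str
    level: str
    pid: int
    resource_dll: int
    string_id: int
    tid: int
    timestamp: datetime
    details: Optional[str]


def parse_line(line: str) -> AlcEntry:
    """Split one entry: eight fixed hex/name columns plus optional Details."""
    parts = line.rstrip("\r\n").split(None, 8)
    if len(parts) < 8:
        raise ValueError(f"malformed ALC.log line: {line!r}")
    cat, client, lvl, pid, dll, sid, tid, ts = (
        int(parts[0], 16), parts[1], int(parts[2], 16), int(parts[3], 16),
        int(parts[4], 16), int(parts[5], 16), int(parts[6], 16), int(parts[7], 16))
    return AlcEntry(cat, client, LEVELS.get(lvl, f"unknown({lvl})"), pid, dll,
                    sid, tid, datetime.fromtimestamp(ts, tz=timezone.utc),
                    parts[8] if len(parts) > 8 else None)


def parse_log(text: str) -> List[AlcEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def update_sources(entries: List[AlcEntry]) -> List[str]:
    """Details of CIDUpdate entries; useful to see where a client updated from."""
    return [e.details for e in entries if e.client == "CIDUpdate" and e.details]
```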
ALUpdate.log

This is a more verbose log showing the operation of AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\Logs\ALUpdate.log

Iconn.cfg

This file contains the configuration of AutoUpdate in respect of the update locations and accounts used.

Location: C:\Program Files\Sophos\AutoUpdate\Config\iconn.cfg

The values are self-explanatory and must NOT be edited manually. An example is shown below:

[PPI.WebConfig_Primary]
AllowLocalConfig = 0
AutoDialTimeout =
LocalPath =
DownloadGranularity =
ConnectionAddress = \\Connectaddress\InterChk\ESXP\
UserName = Domain\Admin
UserPassword = UserPassword/nyo=
ConnectionType = UNC
UseSophos = 0
AutoDial = 0
BandwidthLimit = 0
PortNumber =

[PPI.ProxyConfig_Primary]
AllowLocalConfig = 0
ProxyPortNumber = 8080
ProxyType = 0

[PPI.WebConfig_Secondary]
AllowLocalConfig = 0
AutoDialTimeout =
LocalPath =
DownloadGranularity =
UseSophos = 0
AutoDial = 0
BandwidthLimit = 0

[PPI.ProxyConfig_Secondary]
AllowLocalConfig = 0
ProxyPortNumber = 8080
ProxyType = 0

Ilog.cfg

This file contains the logging settings, as configured from the "Logging" tab of AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\Config\ilog.cfg

Imon.cfg

This file contains the configuration of ALMon.exe (the shield tray icon).

Location: C:\Program Files\Sophos\AutoUpdate\Config\imon.cfg

[Configuration.iMonitor_v1.0]
AllowLocalConfig = 1
AnimateTrayIcon = 1
AllowMonitorToRun = 1
OverrideSecurity = 0
DisallowConfigure = 0
LogErrors = 0
ShowProgress = 0
ShowRebootDialog = 1

Isched.cfg

This file contains the scheduler settings, as configured from the "Schedule" tab of AutoUpdate.

Location: C:\Program Files\Sophos\AutoUpdate\Config\isched.cfg

The following files can all be found at: C:\Program Files\Sophos\AutoUpdate\

  • Cidsync.upd - Used by alupdate.exe when downloading updates from CIDs. The file is used as the catalogue to determine which files are required by a package.
  • Libeay32.dll - used to verify products downloaded from CIDs have been signed by Sophos.
  • Ps.crl and Ps_rootca.crt - These files are the Certificate revocation list and root certificate used to verify that products downloaded from CIDs have been signed by Sophos.
  • Scf.dat - tells the Sophos Client Firewall to trust AutoUpdate when it connects to the Internet.
  • Swlocale.dll - Provides an algorithm for choosing which language resource should be used.

Significant registry keys

HKLM\SOFTWARE\Sophos\AutoUpdate\HideConnectionDialog
and
HKLM\SOFTWARE\Sophos\AutoUpdate\HideTrayIcon

These two values are self-explanatory. A value of 1 hides the connection dialog and tray icon from the user, whereas a value of 0 (the default) displays them.

HKLM\SOFTWARE\Sophos\AutoUpdate\Service\Download User
The username of the impersonation account created during the install of AutoUpdate. E.g. SophosSAU<machinename><uniqueID>.
If the account, user name and password keys exist prior to installation these will be used.

HKLM\SOFTWARE\Sophos\AutoUpdate\Service\Download Password
This is the password of the impersonation account created during the install of AutoUpdate.
Note: The password is stored in clear text but protected through the ACL on the key.

HKLM\SOFTWARE\Sophos\AutoUpdate\UpdateStatus\LastUpdateTime
Type: DWORD
Eg: 1148044708 (decimal)
This contains the time (in UTC, as seconds since 01/01/1970 00:00:00) of the last update check. The following VBScript reads the above value and displays the time in local time:

Dim tZ, uKey, shell, lastUp
tZ = +1 ' local time zone offset in hours relative to GMT
uKey = "HKLM\SOFTWARE\Sophos\AutoUpdate\UpdateStatus\LastUpdateTime"
Set shell = CreateObject("WScript.Shell")
lastUp = shell.RegRead(uKey)
' Add the epoch seconds to 01/01/1970, then shift by the time zone offset
WScript.Echo DateAdd("h", tZ, DateAdd("s", lastUp, "01/01/1970 00:00:00"))

This should also be the last update time shown when hovering the mouse pointer over the Sophos shield system tray icon.

NOTE: This is not the last install time.

HKLM\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdateService
The registry key created by registering the AutoUpdate service.

Significant accounts/groups

SophosSAU<machinename><uniqueid>
This account is impersonated on every update by alupdate.exe.

The overall account name can be a maximum of 20 characters, therefore the computer name is truncated as necessary. The <uniqueid> value is used for multiple domain controllers, in order to create a unique account for each domain controller in the domain.

If you need more information or guidance, then please contact technical support.