Antivirus and Security Software from Sophos


Endpoint Security and Control: fixing endpoint computers that use outdated security certificates

As described in Endpoint Security and Control: updated software components to facilitate new security certificates on 16 January 2009, your endpoint computers must download updates from a Central Installation Directory that was created or updated after December 11, 2008.

If the endpoint computers haven't downloaded and installed these updates before January 16, 2009, you will need to repair certain Sophos components on each endpoint computer in order to re-establish their functionality.

Depending on which Sophos components you have installed, there are different procedures to use to resolve the problem. Please view the information provided below for each type of supported operating system.

Windows

See also: Linux/UNIX | Mac OS X

Sophos Anti-Virus only

Note: these options are only available on endpoint computers that do not have Sophos Client Firewall or Sophos NAC for Endpoint Security and Control installed, as these two products will block the installed Sophos products from accessing the network until the correct update is installed. For instructions on fixing computers with Sophos Client Firewall or Sophos NAC installed, see the appropriate sections below.

Update from Sophos

Updates that are downloaded directly from Sophos are not affected by the certificate problem, so setting the endpoint's Primary update location to Sophos will allow the new software to be downloaded and installed. You will need to do this manually for endpoint computers that are not managed by Enterprise Console.

Managed computers

If the computer is managed by Enterprise Console, create a temporary updating policy to apply to your affected computers. Specify an invalid address as the Primary updating address and specify Sophos on the Secondary server by typing Sophos or by selecting it from the drop-down list. Enter the download credentials that you use in EM Library. Also, set up proxy information, if required.

Once normal service is resumed on your network, be sure to cancel the temporary updating policy and revert all client computers back to their normal updating policy.

Standalone computers

If the computer is not managed by Enterprise Console, you will need to manually edit the configuration file of each affected computer to set the Primary update server to Sophos.

  1. Browse to C:\Program Files\Sophos\AutoUpdate\config\iconn.cfg.
  2. Open iconn.cfg in a standard text editor, such as TextPad, and edit the setting 'AllowLocalConfig', giving it a value of 1.
  3. Save the file iconn.cfg.
  4. Right-click the Sophos shield in the system tray, and select 'Configure updating...'
  5. On the Primary server tab, type Sophos or select it from the drop-down list.
  6. Enter the download credentials that you use in EM Library and set up proxy information, if required.
  7. Right-click the Sophos shield in the system tray and select 'Update now'.
  8. Open C:\Program Files\Sophos\AutoUpdate\config\iconn.cfg and change the setting 'AllowLocalConfig' back to 0.

Re-protect Computers

Another option is to re-deploy Sophos Anti-Virus to your endpoint computers. Before doing this, in EM Library, check the 'last successful download' date and time. If the last successful download was on or after 16 January, use the Protect Computers wizard in Enterprise Console to re-install the latest version of Sophos Anti-Virus on your endpoint computers.

Reinstall Sophos AutoUpdate

If your endpoint computers update from a CID and switching the update location to Sophos is not possible or desirable, then it’s possible to reinstall Sophos AutoUpdate to resolve the issue. You can do this using a Sophos installation CD or network copy of the latest installation programs, or you can use a cached version on the endpoint computer.

Installing from the Sophos AutoUpdate cache folder

Before doing this, in EM Library, check the 'last successful download' date and time. If the last successful download was on or after 16 January, the endpoint computer will have a copy of the latest version of Sophos AutoUpdate in its cache folder.

To run the installer, open a command prompt and type the following command all on one line:

Msiexec /i "c:\program files\sophos\autoupdate\cache\sau\sophos autoupdate.msi" REINSTALLMODE=vdmus REINSTALL=ALL

If you need to run the command in 8.3 format, type the following:

Msiexec /i c:\progra~1\sophos\autoupdate\cache\sau\sophos~1.msi REINSTALLMODE=vdmus REINSTALL=ALL

This installs the fixed version of Sophos AutoUpdate, which will then successfully install updates for Sophos Anti-Virus.
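A scripted version of the cache reinstall above, as an added example rather than Sophos-supplied code: it confirms the cached installer exists and is dated on or after 11 December 2008 before running the article's msiexec command, then interprets the exit code. The file-timestamp check, the verbose log and its location, and the function names are assumptions of this example.

```powershell
# Added example, not Sophos code. The MSI path and msiexec properties come from
# the article; the timestamp check and the log file are assumptions.
$Msi    = 'C:\Program Files\Sophos\AutoUpdate\cache\sau\sophos autoupdate.msi'
$Cutoff = [datetime]'2008-12-11'   # CID must be created or updated after this date
$Log    = Join-Path $env:TEMP 'sau-reinstall.log'

function Test-CachedInstaller {
    param([string]$Path, [datetime]$NotBefore)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Cached installer not found: $Path"
        return $false
    }
    # Assumption: the file's last-write time reflects when the package was built.
    $written = (Get-Item -LiteralPath $Path).LastWriteTime
    if ($written -lt $NotBefore) {
        Write-Warning "Cached installer is dated $written and may predate the certificate update."
        return $false
    }
    return $true
}

function Invoke-AutoUpdateReinstall {
    param([string]$Path, [string]$LogPath)
    # Paths containing spaces need embedded quotes when passed through Start-Process.
    $msiArgs = @('/i', "`"$Path`"", 'REINSTALLMODE=vdmus', 'REINSTALL=ALL',
                 '/l*v', "`"$LogPath`"")
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($p.ExitCode) {
        0       { 'Reinstall succeeded.' }
        3010    { 'Reinstall succeeded; a reboot is required.' }
        1618    { 'Another installation is already in progress; retry later.' }
        default { "msiexec failed with exit code $($p.ExitCode); see $LogPath" }
    }
}

if (Test-CachedInstaller -Path $Msi -NotBefore $Cutoff) {
    Invoke-AutoUpdateReinstall -Path $Msi -LogPath $Log
}
```

Run it from an elevated PowerShell prompt on the affected endpoint.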

Sophos Anti-Virus and Sophos Client Firewall

Reinstall Sophos Client Firewall

If Sophos Client Firewall is active and is blocking updates due to expired certificates, you will need to re-install the latest version from the CID.

Open a command prompt and type the following command all on one line:

Msiexec /i "[path to CID]\scf\sophos client firewall.msi" REINSTALLMODE=vomus REINSTALL=ALL

Sophos Anti-Virus and Sophos NAC for Endpoint Security and Control

Reinstall Sophos NAC for Endpoint Security and Control

If Sophos NAC is active and is blocking updates due to expired certificates, you will need to re-install the latest version from the CID.

Open a command line and type the following:

msiexec /i "[path to CID]\sophos nac agent.msi"

All Windows-based products

If none of the methods described above are appropriate, or you tried them and they failed, you can try the following.

Set the clock back

The certificate expiry date is 16 January, 2009, so setting the clock on the endpoint computer to a date earlier than this will allow you to download the correct updates and deploy to the affected computer before changing the clock back to the correct date and time.

Overwrite new files

Sophos AutoUpdate can be forced to download updates by copying the files that were updated to incorporate the new certificates into its installation folder. This would obviously be a slow task, and is only recommended when all else fails.

The list of files that need changing can be found in Endpoint Security and Control: updated software components to facilitate new security certificates.

Additional Information

If you see error [VE_BADCERT]:7 or [0x00000017] after attempting to resolve the problem using the procedures detailed above, please see Enterprise Console: error [VE_BADCERT]:7 or [0x00000017] when installing Sophos Anti-Virus.

Linux/UNIX

Reinstall

Ensure that the CID is up to date, and then manually run the installation program (install.sh) on endpoints with the following command:

install.sh --update /opt/sophos-av

Set the clock back

The certificate expiry date is 16 January, 2009, so setting the clock on the endpoint computer to a date earlier than this will allow you to download the correct updates and deploy to the affected computer before changing the clock back to the correct date and time.

Mac OS X

Reinstall

Ensure that the CID is up to date, and then manually run the installation program (Sophos Anti-Virus.mpkg) on endpoints.

Set the clock back

The certificate expiry date is 16 January, 2009, so setting the clock on the endpoint computer to a date earlier than this will allow you to download the correct updates and deploy to the affected computer before changing the clock back to the correct date and time.

 

If you need more information or guidance, then please contact technical support.
