Sophos AutoUpdate: significant files and registry entries

  • Article ID: 36262
  • Updated: 10 Nov 2015

Note: Where a path is given, it may vary according to your operating system (for example, Program Data rather than Program Files). You must ensure that you use the correct path for your operating system.

Significant files

ALsvc.exe ALUpdate.log






AUAdapter.dll Isched.cfg

Significant registry keys - listed below

Significant accounts and groups - listed below

Significant Files


ALsvc.exe

This is the AutoUpdate service, run as 'System User'.

Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

      64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Alsvc.exe

When the service first starts up, it performs an update check against the CID. ALsvc.exe runs a scheduler that triggers scheduled updates. It also provides an interface that allows an update to be started.

The following VBScript can be used to call an update via the service:

Dim objALC
Set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
objALC.UpdateNow 1,1


ALUpdate.exe

ALUpdate.exe is the file responsible for connecting to the network and downloading files.

Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\ALUpdate.exe

      64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\ALUpdate.exe

At the start of an update, the Sophos AutoUpdate Service copies ALUpdate.exe and the required DLLs and certificates from the above location to:

  • Vista+: C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\ (SAU version and later)
  • XP: C:\Program Files\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\ (SAU version and later)

This allows AutoUpdate to perform an update to itself, if required.

It runs during the update as the system user, but impersonates the local SophosSAU account. See the ‘Significant accounts/groups’ section for more details on this user. When ALUpdate.exe is called, it runs with the following parameters:

Alupdate.exe -ManualUpdate -NoGUI -RootPath "C:\Program Files\Sophos\AutoUpdate"


ALMon.exe

This file presents the shield icon in the system tray.

Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\ALMon.exe

      64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe

ALMon.exe is a DCOM server ("dcomcnfg" - "DCOM Config" - "iMonitor"), which allows Sophos Anti-Virus to display virus alerts to the user desktop. It is launched from the following registry key.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Sophos AutoUpdate Monitor | STRING | C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe

It runs as the logged-on user.

To launch the configuration dialog using VBScript (this is the same method that would be used from within Sophos Anti-Virus to launch the Configure updating dialog):

Dim monitor
Set monitor =

To suppress the system tray icon use the following registry key:
HideTrayIcon (DWORD) 1/0

SAUConfig.dll

This file provides automatic capabilities for reading and changing the configuration of AutoUpdate.

Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\SAUConfig.dll

      64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\SAUConfig.dll

This example VBScript would change the update path:

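Dim obj, addr
' Create the AutoUpdate configuration object exposed by SAUConfig.dll
Set obj = CreateObject("SAUConfigDLL.SAUConfig")
' Fetch the address entry at index 0 and set its update path
Set addr = obj.GetAddress(0)
addr.Address = "http://onetwothree"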


AUAdapter.dll

This is the adapter loaded by the Sophos Agent so that the messaging system can communicate with AutoUpdate.

Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\AUAdapter.dll

      64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\AUAdapter.dll

This location is specified in DLLPath under the following registry key: HKLM\SOFTWARE\(Wow6432Node)\Sophos\Remote Management System\ManagementAgent\Adapters\ALC


alc.log

This is the log file used by the log viewer built into AutoUpdate.


  • Vista+: C:\ProgramData\Sophos\AutoUpdate\Logs\alc.log
  • XP: C:\Program Files\Sophos\AutoUpdate\Logs\alc.log

Alc.log is a text-based file. Each entry has the following fields:

  • Category - The log ID for AutoUpdate entries.
  • Clientname - The module that produced the entry.
  • Level - Log level 0=debug, 25=verbose, 50=normal.
  • Process ID - The process ID as assigned by Windows.
  • Resource DLL ID - The ID of the dll that contains the string ID.
  • String ID - The string ID found in the .hdr file.
  • Thread ID
  • Timestamp
  • Details

An extract is shown below:

Category  Clientname  Level  Process ID  Resource DLL ID  String ID  Thread ID  Timestamp   Details
0x4       ALUpdate    0x32   0xf58                        0x53       0xdb4      0x446d16a4  SAVXP
0x4       ALUpdate    0x32   0xf58                        0x53       0xdb4      0x446d16a4  Sophos AutoUpdate
0x4       ALUpdate    0x32   0xf58                        0x7b       0xdb4      0x446d16a5
0x4       ALUpdate    0x32   0x990                        0x6        0x1e4      0x446d1b51
0x4       CIDUpdate   0x32   0x990                        0x55       0x1e4      0x446d1b52  RMSNT

ALUpdate.log

This is a more verbose log showing the operation of AutoUpdate.

Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Logs\ALUpdate.log

      64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Logs\Alupdate.log


iconn.cfg

This file contains the AutoUpdate configuration for the update locations and the accounts used.

Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Config\iconn.cfg

      64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Config\iconn.cfg

The values are self-explanatory and must NOT be edited manually.

AllowLocalConfig = 0
AutoDialTimeout =
LocalPath =
DownloadGranularity =
ConnectionAddress =\\Connectaddress\InterChk\ESXP\
UserName = Domain\Admin
UserPassword =UserPassword/nyo=
ConnectionType = UNC
UseSophos = 0
AutoDial = 0
BandwidthLimit = 0
PortNumber =

AllowLocalConfig = 0
ProxyPortNumber = 8080
ProxyType = 0

AllowLocalConfig = 0
AutoDialTimeout =
LocalPath =
DownloadGranularity =
UseSophos = 0
AutoDial = 0
BandwidthLimit = 0

AllowLocalConfig =0
ProxyPortNumber = 8080
ProxyType = 0


ilog.cfg

This file contains the logging settings, as configured from the “Logging” tab of AutoUpdate.

Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Config\ilog.cfg

      64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Config\ilog.cfg


imon.cfg

This file contains the configuration of ALMon.exe (the shield tray icon).

Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Config\imon.cfg

      64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Config\imon.cfg

AllowLocalConfig = 1
AnimateTrayIcon = 1
AllowMonitorToRun = 1
OverrideSecurity = 0
DisallowConfigure = 0
LogErrors = 0
ShowProgress = 0
ShowRebootDialog= 1


isched.cfg

This file contains the scheduler settings, as configured from the “Schedule” tab of AutoUpdate.

Location: 32-bit - C:\Program Files\Sophos\AutoUpdate\Config\isched.cfg

      64-bit - C:\Program Files (x86)\Sophos\AutoUpdate\Config\isched.cfg

The following files are also used by AutoUpdate:

  • Cidsync.upd - Used by alupdate.exe when downloading updates from CIDs. The file is used as the catalogue to determine which files are required by a package.
  • Libeay32.dll - Used to verify that products downloaded from CIDs have been signed by Sophos.
  • Ps.crl and Ps_rootca.crt - These files are the Certificate revocation list and root certificate used to verify that products downloaded from CIDs have been signed by Sophos.
  • Scf.dat - tells the Sophos Client Firewall to trust AutoUpdate when it connects to the Internet.
  • Swlocale.dll - Provides an algorithm for choosing which language resource should be used.

Significant registry keys

Registry Key Details
32 bit:

64 bit:

These two keys are self-explanatory. A value of 1 hides the connection dialog and tray icon from the user, whereas a value of 0 (the default value) displays the items.

32 bit:
Download User

64 bit:
Download User

The username of the impersonation account created during the install of AutoUpdate, e.g. SophosSAU<machinename><uniqueID>.
If the account, user name and password keys exist prior to installation, these will be used.

32 bit:
Download Password

64 bit:
Download Password

This is the password of the impersonation account created during the install of AutoUpdate. Note: The password is stored in clear text but protected through the ACL on the key.

32 bit:

64 bit: HKLM\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\UpdateStatus\

Type: DWORD, e.g. 1148044708 (decimal). This contains the time (in UTC) of the last update check.
The following VBScript reads the above value and displays the time:

Dim tZ, uKey, shell, lastUp
tZ = +1 ' time relative to GMT, in hours
uKey = "HKLM\Software\sophos\AutoUpdate\UpdateStatus\LastUpdateTime"
Set shell = CreateObject("WScript.Shell")
' The value is a count of seconds since 01/01/1970 00:00:00
lastUp = shell.RegRead(uKey)
' Convert to a date, then apply the time zone offset
WScript.Echo DateAdd("h", tZ, DateAdd("s", lastUp, "01/01/1970 00:00:00"))

This should also be the last update time as shown when hovering the mouse pointer over the Sophos shield system tray icon. NOTE: This is not the last install time.
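A PowerShell equivalent of the check above, as an added example rather than Sophos code: it reads the LastUpdateTime DWORD from the UpdateStatus key in both registry views, converts it from seconds since 1970 to UTC and local time, and flags an endpoint whose last update check is too old. The function name and the 24-hour threshold are assumptions.

```powershell
# Added example (not Sophos code): report when AutoUpdate last checked for updates.
function Get-SauLastUpdateCheck {
    param(
        # Assumed staleness threshold; choose one that matches your update schedule.
        [int]$MaxAgeHours = 24
    )
    # UpdateStatus key in the native and Wow6432Node registry views.
    $keys = @(
        'HKLM:\SOFTWARE\Sophos\AutoUpdate\UpdateStatus',
        'HKLM:\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\UpdateStatus'
    )
    $epoch  = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $nowUtc = [DateTime]::UtcNow

    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name 'LastUpdateTime' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }

        # The DWORD holds seconds since 1970-01-01 00:00:00 UTC.
        $lastUtc  = $epoch.AddSeconds([double]$item.LastUpdateTime)
        $ageHours = [math]::Round(($nowUtc - $lastUtc).TotalHours, 1)

        return [pscustomobject]@{
            Key            = $key
            LastCheckUtc   = $lastUtc
            LastCheckLocal = $lastUtc.ToLocalTime()   # instead of a hand-set tZ offset
            AgeHours       = $ageHours
            Stale          = ($ageHours -gt $MaxAgeHours)
        }
    }

    # Neither view holds the value: report the endpoint as needing attention.
    [pscustomobject]@{
        Key = $null; LastCheckUtc = $null; LastCheckLocal = $null
        AgeHours = $null; Stale = $true
    }
}

Get-SauLastUpdateCheck -MaxAgeHours 24
```

As the note above says, this value is the last update check, not the last install, so a fresh timestamp does not by itself prove that new files were installed.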

32/64 bit:
Sophos AutoUpdateService

The registry key created by registering the AutoUpdate service.


Significant accounts/groups

This account is impersonated on every update by alupdate.exe.

The overall account name can be a maximum of 20 characters, therefore the computer name is truncated as necessary. The <uniqueid> value is used for multiple domain controllers, in order to create a unique account for each domain controller in the domain. The account's password can be a maximum of 50 characters.

The account requires “Log on as Service” rights. The right to log on as a service is automatically added to the computer's local security policy during the installation.

If Sophos AutoUpdate is installed on a Domain Controller where the “Log on as Service” right has already been modified in the Default Domain Controllers Policy then the installer will add the account to the Default Domain Controllers Policy instead.
