Virtual machines are often created quickly to fill a temporary need, leading to a proliferation of devices with little regard for asset management and policy structure. This can be particularly annoying when virtual machines are managed alongside physical machines in Enterprise Console -- you may never know which computers belong to roaming users and which were temporary virtual machines that are no longer in use.
This article explains how you can set up Sophos Enterprise Console to automatically delete machines after a safe period of time.
Applies to the following Sophos product(s) and version(s):
- Sophos Anti-Virus for Windows 2000+
- Enterprise Console 4.0.0
Notes:
- This article is best applied when you can move your virtual machines to a specific group to separate them from physical machines, as we describe in Best Practice for running Sophos on virtual systems.
- This article describes PurgeDB, which is the database maintenance tool for data in Enterprise Console 4 and Sophos Control Center 4. Unfortunately, PurgeDB.exe does not run on 64-bit operating systems.
- The file can be found at: %programfiles%\Sophos\Enterprise console\Purgedb.exe
Warning: If you choose to use PurgeDB, you must ensure that the database is backed up frequently so that you can restore your data should you mistakenly delete details that you still need access to.
What To Do
Various attributes can be purged using this tool. In the example we outline below, the desired outcome is to delete computers that meet the following conditions:
- Unmanaged computers that were added to the database more than ‘x’ days ago
- Managed computers from which Enterprise Console has not received any messages for more than ‘x’ days
This simple command line deletes computers that are over a certain age, in this case 30 days.
PurgeDB.exe -action=delete -category=computers -HistoryLengthInDays=30
Using purgedb.exe with command line parameters to build your own purge command
- Open a command line (Start | Run, type cmd, and then press the Enter key).
- Browse to the following location:
  For 32-bit systems: \Program Files\Sophos\Enterprise Console\
  For 64-bit systems: \Program Files (x86)\Sophos\Enterprise Console\
- Type the following command, followed by the Enter key.
The program will return the following information:
PurgeDB [-action=<action>] [-category=<category>] [-HistoryLengthInDays=<LengthInDays>] [-type=<type>] [-code=<code>] [-help]
Command line switches
<action>
Allowed values: purge (default), delete.
The action to be performed by the tool.
Purge:
• Non-managed computers added to the database before the specified history length will be removed.
• Non-managed deleted computers will be removed.
• Any managed computer which has not sent a message for longer than the specified history length and has no alerts, events or errors associated with it will be removed.
• Any managed computer which is marked as deleted and has no alerts, events or errors associated with it will be removed.
Delete:
• Non-managed computers added to the database before the specified history length will be deleted.
• Non-managed deleted computers will be deleted.
• Any managed computer which has not sent a message for longer than the specified history length will be deleted along with any other entries associated with it (errors, events, alerts, policies, states etc.).
The "delete" action should only be used when specifically asked to do so by Sophos Technical Support.
If the "delete" action is used, both <category> and <type> must be specified explicitly.

<category>
Valid categories: "alerts", "errors", "events", "computers".
The category qualifier restricts an action to the specified category of entries.
By default, the action is performed on all categories.
If <category> is specified, <history length> must also be specified.

<history length>
The oldest entry timestamp to remain after the action is performed. It must be specified when either <action> or <category> is specified.
The value is the number of days before today, e.g. -HistoryLengthInDays=100

<type>
Optional qualifier that sets a higher granularity filter by type within a particular category.
Valid types by category:
alerts: Virus, PUA, SuspFile, SuspBehaviour
events: DataControl, DeviceControl,
errors: AutoUpdate, SAV, SCF, SUM, SUMAlert
If this qualifier is specified then the <category> qualifier must be specified too.
Currently the qualifier is not supported for category "computers".

<code>
For the "errors" category, <code> is an optional message code qualifier. It allows specific error codes to be purged/deleted.
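
The dependencies between the switches above can be checked before PurgeDB is ever invoked, which matters most for the irreversible "delete" action. The following PowerShell function is an added example, not Sophos code: New-PurgeDbArguments is a hypothetical helper name, and it assumes "delete" needs a <type> only for categories that have types, since the article's own computers example omits it.

```powershell
# Added example (not part of PurgeDB): validate a switch combination against
# the rules in the table above and return the argument list. Nothing is run.
$ValidTypes = @{                       # types exactly as listed in the article
    alerts = 'Virus', 'PUA', 'SuspFile', 'SuspBehaviour'
    events = 'DataControl', 'DeviceControl'
    errors = 'AutoUpdate', 'SAV', 'SCF', 'SUM', 'SUMAlert'
}

function New-PurgeDbArguments {        # hypothetical helper name
    param(
        [ValidateSet('purge', 'delete')] [string] $Action = 'purge',
        [ValidateSet('alerts', 'errors', 'events', 'computers')] [string] $Category,
        [ValidateRange(1, [int]::MaxValue)] [int] $HistoryLengthInDays,
        [string] $Type,
        [string] $Code
    )
    $hasDays = $PSBoundParameters.ContainsKey('HistoryLengthInDays')
    # <history length> is mandatory once an action or a category is given.
    if (($Category -or $PSBoundParameters.ContainsKey('Action')) -and -not $hasDays) {
        throw '-HistoryLengthInDays is required when -action or -category is given.'
    }
    if ($Type) {
        if (-not $Category) { throw '-type requires -category.' }
        if ($Category -eq 'computers') { throw '-type is not supported for computers.' }
        if ($ValidTypes[$Category] -notcontains $Type) {
            throw "Type '$Type' is not valid for category '$Category'."
        }
    }
    if ($Code -and $Category -ne 'errors') { throw '-code applies only to errors.' }
    if ($Action -eq 'delete') {
        if (-not $Category) { throw 'delete requires an explicit -category.' }
        # Assumption: -type is demanded only where the category has types.
        if ($ValidTypes.ContainsKey($Category) -and -not $Type) {
            throw "delete on '$Category' requires an explicit -type."
        }
    }
    $argList = @("-action=$Action")
    if ($Category) { $argList += "-category=$Category" }
    if ($hasDays)  { $argList += "-HistoryLengthInDays=$HistoryLengthInDays" }
    if ($Type)     { $argList += "-type=$Type" }
    if ($Code)     { $argList += "-code=$Code" }
    return ,$argList
}

# The article's example, validated and printed for review before anything runs.
$purgeArgs = New-PurgeDbArguments -Action delete -Category computers -HistoryLengthInDays 30
"PurgeDB.exe $($purgeArgs -join ' ')"
# After confirming a current database backup, run from the Enterprise Console folder:
# & .\PurgeDB.exe @purgeArgs
```
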
You can find more details on how to manage cloned machine provisioning in Best Practice for running Sophos on virtual systems.
If you need to manage duplicate computer names across multiple virtual infrastructures, see Enterprise Console: changing the description of virtual machine names to aid management.