Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machines

  • Article ID: 12561
  • Updated: 27 Apr 2016

You can distribute the current versions of Sophos Anti-Virus for Windows 2000+ as part of a disk image. You can also use this procedure to incorporate it in a disk image for cloned virtual machines. This procedure will make sure that the produced target/cloned computers:

  • Get a distinct identity in Enterprise Console, under which they can subsequently be managed,
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image. This prevents performance problems related to high CPU, disk I/O, and network usage during subsequent updates.


  • The procedure given in this knowledgebase article is the recommended one.
  • An alternative procedure is available, but it is not the recommended one, because it requires you to uninstall Sophos Anti-Virus from the template computer. You should only use this alternative procedure (described in article 28591) if absolutely necessary.
  • For Mac OS X computers that have been imaged without following the recommended guidelines, see article 33050 for similar steps.

Applies to the following Sophos product(s) and version(s)
Sophos Endpoint Security and Control
Sophos Anti-Virus for Windows 2000+

What To Do

Making a disk image

Note: Paths and locations listed here may vary slightly according to which version of Windows you are running, e.g. Windows Vista. Also they may vary depending on what the system drive on the template computer is, and whether Sophos Anti-Virus was installed to the default location.

  1. Install Sophos Anti-Virus on the template computer (the computer from which you are going to take the image). You can perform the installation from Enterprise Console or by running setup.exe from the Central Installation Directory. For more information on how to install Sophos Anti-Virus, refer to the Sophos Anti-Virus Startup guide. Make sure post-installation reboots (if any) are performed already on the template computer.
  2. Choose at what point you want to configure Sophos Anti-Virus and AutoUpdate. You can perform the configuration now, on the template computer. This means that the configuration you set will be conferred on all the computers that are imaged from it. Alternatively, you can perform configuration after the image has been put on the computers and they have been joined to the network, at which stage they will appear in Enterprise Console. If you want to configure the template computer now, do one of the following:
    • use Enterprise Console to apply a policy to the template computer
    • configure Sophos Anti-Virus locally on the template computer.
    For more information on how to perform these configurations, refer to the Sophos Anti-Virus Startup guide and the Enterprise Console User manual.
  3. On the template computer, stop the following services (if they are present):
    • Sophos Message Router
    • Sophos Agent
    • Sophos AutoUpdate Service
    • Sophos Web Intelligence Agent
  4. Read the warning about editing the registry.
  5. On the template computer, in turn, open each of the following registry keys (if they are present):
    • [HKEY_LOCAL_MACHINE\Software\[Wow6432Node]\Sophos\Messaging System\Router\Private]
    • [HKEY_LOCAL_MACHINE\Software\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private]
    and, in each key, delete the following two entries
    • pkc
    • pkp
    Note: These keys must not be removed from a server running Enterprise Console. However, these keys can be removed from a workstation running the remote Console.
  6. Delete the file machine_ID.txt, if it exists. This file may be present in both the following locations:
    • Versions of Windows prior to Windows Vista: C:\Program Files\Sophos\AutoUpdate\ OR C:\Program
    • Windows Vista and later: C:\ProgramData\Sophos\AutoUpdate\ OR C:\ProgramData\Sophos\AutoUpdate\data\
  7. If you are going to use Web Control then the following registry key should be deleted:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Web Intelligence\Web Control\EndpointId]
  8. If the Sophos Patch Agent is installed:
    1. Stop the Sophos Patch Agent service.
    2. From the folder C:\Program Files\Sophos\Sophos Patch Agent\ remove "ps*.dat"
    3. From the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos Patch Agent remove the values "PatchAgentId", "PolicyRevId" and "RuntimeCache"
  9. Make the image of your template computer, using your usual imaging software. Then place the image on the target computers as required. On virtual systems, use your usual procedure for cloning virtual machines.
  10. If the target computer does not require any further preparation before it can start with a new computer name, no further action is necessary.
    Conversely, if creating the image involves further preparation, including possibly one or more reboots, for example when using the Microsoft Sysprep tool, make sure the services mentioned in step 3 above (Sophos Message Router, Sophos Agent, Sophos AutoUpdate Service) are kept stopped until the machine changes its name. This can be achieved, for example, by:
    • Disabling those services on the template computer,
    • Re-enabling and starting those services after the imaging has been performed, on both the template computer and on all of the target computers. For example, look for the capabilities of your imaging software to run a custom script at the end of the imaging process, and schedule a script which will re-enable and start the services on the target computers at that point.
  11. When you have put the image on to a computer and joined it to the network, it will automatically appear in the Enterprise Console listed by its new name. Even if the target computer appears in the “Unassigned” group, it will keep the configuration identical to the one of the template computer.
  12. If necessary, and if you did not configure Sophos Anti-Virus on the template computer (see step 2 above), when the newly imaged computers appear in Enterprise Console, you can put them into groups and configure them centrally.
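The template preparation in steps 3 to 8 and the service disable/re-enable suggestion in step 10, as an added PowerShell example that is not a Sophos-supplied script. It uses the service display names, registry keys and file paths given above and assumes an elevated prompt; the Program Files (x86) location and a Wow6432Node variant of the Patch Agent key are added assumptions for 32-bit installations on 64-bit Windows. Every change honours -WhatIf, so it can be previewed first. Run it with -Mode Prepare on the template computer before imaging and with -Mode Restore on each target computer once it has its new name (for example from the post-imaging script hook of your imaging software).

```powershell
# Added example, not a Sophos-supplied script. Implements steps 3, 5, 6, 7 and 8 and
# the service disable/re-enable suggestion of step 10 of the article above.
# Run from an elevated PowerShell prompt. Use -WhatIf to preview, -Verbose to log.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Prepare', 'Restore')]
    [string]$Mode,
    [switch]$PatchAgent   # also handle the Sophos Patch Agent (step 8)
)

# Service display names from step 3 (plus the Patch Agent service from step 8).
$serviceNames = @('Sophos Message Router', 'Sophos Agent',
                  'Sophos AutoUpdate Service', 'Sophos Web Intelligence Agent')
if ($PatchAgent) { $serviceNames += 'Sophos Patch Agent' }

# The article writes keys as ...\[Wow6432Node]\..., so both hives are checked;
# keys that are not present are skipped.
$roots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')

function Remove-RegistryValues {
    param([string]$Key, [string[]]$Names)
    if (-not (Test-Path -Path $Key)) { return }
    foreach ($name in $Names) {
        # Get-ItemProperty -Name returns nothing (error suppressed) if the value is absent.
        if ($null -ne (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue)) {
            Remove-ItemProperty -Path $Key -Name $name
            Write-Verbose "Removed value '$name' from $Key"
        }
    }
}

function Remove-FileIfPresent {
    param([string]$Path)
    # Wildcards such as ps*.dat are expanded by both Test-Path and Remove-Item.
    if (Test-Path -Path $Path) {
        Remove-Item -Path $Path -Force
        Write-Verbose "Removed $Path"
    }
}

# @() guarantees an (possibly empty) array, so nothing is piped when no service exists.
$services = @(Get-Service -DisplayName $serviceNames -ErrorAction SilentlyContinue)

switch ($Mode) {
    'Prepare' {
        # Step 3 and step 10: stop the services and keep them from starting
        # until the imaged computer has its new name.
        $services | Stop-Service -Force
        $services | Set-Service -StartupType Disabled

        # Step 5: remove the identity values pkc and pkp under both RMS keys.
        foreach ($root in $roots) {
            Remove-RegistryValues -Key "$root\Sophos\Messaging System\Router\Private" -Names 'pkc', 'pkp'
            Remove-RegistryValues -Key "$root\Sophos\Remote Management System\ManagementAgent\Private" -Names 'pkc', 'pkp'
        }

        # Step 6: machine_ID.txt in the locations the article states in full.
        # Program Files (x86) is an added assumption for 64-bit Windows.
        $machineIdPaths = @(
            "$env:ProgramFiles\Sophos\AutoUpdate\machine_ID.txt",
            "$env:ProgramData\Sophos\AutoUpdate\machine_ID.txt",
            "$env:ProgramData\Sophos\AutoUpdate\data\machine_ID.txt"
        )
        if (${env:ProgramFiles(x86)}) {
            $machineIdPaths += "${env:ProgramFiles(x86)}\Sophos\AutoUpdate\machine_ID.txt"
        }
        $machineIdPaths | ForEach-Object { Remove-FileIfPresent -Path $_ }

        # Step 7: Web Control endpoint identity key (only relevant if Web Control is used).
        foreach ($root in $roots) {
            $key = "$root\Sophos\Web Intelligence\Web Control\EndpointId"
            if (Test-Path -Path $key) {
                Remove-Item -Path $key -Recurse
                Write-Verbose "Removed key $key"
            }
        }

        # Step 8: Patch Agent cache files and identity values.
        if ($PatchAgent) {
            Remove-FileIfPresent -Path "$env:ProgramFiles\Sophos\Sophos Patch Agent\ps*.dat"
            foreach ($root in $roots) {   # Wow6432Node variant is an added assumption
                Remove-RegistryValues -Key "$root\Sophos\Sophos Patch Agent" `
                    -Names 'PatchAgentId', 'PolicyRevId', 'RuntimeCache'
            }
        }
    }
    'Restore' {
        # Step 10: re-enable and start the services once the computer has been renamed.
        $services | Set-Service -StartupType Automatic
        $services | Start-Service
    }
}
```

The pkc/pkp values are what give each clone its own identity in Enterprise Console, so, as the note under step 5 says, never run the Prepare mode on a server that hosts Enterprise Console itself. The services are matched by display name exactly as listed in step 3; if your installation shows different display names in services.msc, adjust `$serviceNames` accordingly.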

Changed SID values and Sophos Anti-Virus

You could encounter errors in Enterprise Console, or on an individual computer, when using a disk image containing Sophos Anti-Virus for Windows 2000+, if you changed the security identifier (SID) value during the imaging process.

For more information on how to resolve this problem, refer to the related knowledgebase article: Sophos Endpoint Security or Sophos Anti-Virus: local user interface becomes inaccessible.

Note: The above set of instructions is not required if running Endpoint Security and Control version 10.3.7 and above. Altering the SID value on these versions will cause a Comparison failure to appear in SEC.

Efficient updating of target computers

In some desktop virtualisation scenarios, the target computers are used as virtual desktops and are frequently reverted to their original state (i.e. the state immediately after the imaging process has completed). This means that Sophos Anti-Virus will need to perform an update each time the desktop is reverted to this state and then run again. In order to minimise the security and performance impact of this update, the following steps are recommended:

  1. Create a subscription to a fixed version of Sophos Anti-Virus (rather than the “latest”/“recommended” version).
  2. Set up the updating policy for the template computer to update from that fixed version, and make sure it is fully updated (including any reboots, if necessary). As described before, this can be done in one of the following two ways:
    • use Enterprise Console to apply a policy to the template computer
    • configure Sophos Anti-Virus locally on the template computer.
  3. By implication, all the target computers will then in turn update from this fixed version as well. This means that they will receive virus data updates, but not product updates, so they will always be fully protected, but the size of the updates will be significantly reduced.
  4. When a new product update is available, create a new subscription, switch the updating policy for the template computer to the new subscription, and fully update Sophos Anti-Virus on the template computer (including any reboots, if necessary).
  5. Redo the imaging process – re-create the target computers from the updated template computer.

Note: In Sophos Enterprise Console versions 5.2.1 up to and including 5.3.1, the ability to subscribe to a fixed version has been removed. In these situations the following steps will allow the use of fixed packages:

  1. Read the warning about editing the registry
  2. On the management server open the following registry key:
    • (32 bit) HKLM\SOFTWARE\Sophos\EE\Management Tools\
    • (64 bit) HKLM\SOFTWARE\wow6432node\Sophos\EE\Management Tools\
  3. Create a new DWORD value called ShowFixedPackages
  4. Modify the data value so it is set to 1.
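Steps 2 to 4, as an added PowerShell example that is not a Sophos-supplied script. It assumes it is run elevated on the Enterprise Console management server, picks the 32-bit or 64-bit key location given above according to the operating system, creates the ShowFixedPackages DWORD only if it is missing (or corrects it if it is not 1), and returns the resulting value so the change can be verified. The -Revert switch is an added convenience that removes the value again.

```powershell
# Added example, not a Sophos-supplied script: enables fixed packages in Enterprise
# Console 5.2.1 to 5.3.1 by creating ShowFixedPackages = 1 (DWORD) under the
# Management Tools key. Run elevated on the management server; -WhatIf previews.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Revert)   # remove the value again (hides fixed packages)

# Key locations from the article: native hive on 32-bit, Wow6432Node on 64-bit Windows.
$key = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\EE\Management Tools'
} else {
    'HKLM:\SOFTWARE\Sophos\EE\Management Tools'
}
if (-not (Test-Path -Path $key)) {
    throw "Key '$key' not found. Is this the Enterprise Console management server?"
}

$name = 'ShowFixedPackages'
$existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

if ($Revert) {
    if ($null -ne $existing) { Remove-ItemProperty -Path $key -Name $name }
} elseif ($null -eq $existing) {
    # Step 3 and 4: create the DWORD and set its data to 1.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
} elseif ($existing.$name -ne 1) {
    # Value exists but is not 1: correct the data without recreating it.
    Set-ItemProperty -Path $key -Name $name -Value 1
}

# Verification: 1 means the Subscriptions dialog will now list fixed packages;
# nothing is returned after -Revert.
(Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
```

No restart of the console or its services is needed; simply reopen the Subscriptions dialog after the script has run.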

After setting this value, open the Subscriptions dialog (no other action is required) and you will see the current list of fixed packages.

Note: The option to enable the use of fixed packages via the menu has been made available in Sophos Enterprise Console 5.4.0. Further information can be found in article 117348.

For more information on how to perform these steps, refer to the Enterprise Console User manual and to your virtualisation solution's documentation.

If you need more information or guidance, then please contact technical support.
