Using ExportConfig.exe to create XML configuration files

  • Article ID: 13111
  • Updated: 04 Sep 2015

The command-line utility ExportConfig.exe enables you to retrieve policies from the Console and save them as XML configuration files. These XML configuration files can be used to centrally configure unmanaged computers, or to implement features not available from the console.

This article explains how to use the utility to extract/export the existing console policies and then advises what you must do to re-apply the exported policies to a distribution point (CID) so the endpoint computers can implement the new configuration.

Note: The user account you run the ExportConfig.exe utility as must be a member of the Sophos Console Administrators Windows security group. Check that you are a member of this group before attempting the instructions below.

Known to apply to the following Sophos product(s) and version(s)
Sophos Enterprise Manager 4.7.0
Enterprise Console 5.0.0
Enterprise Console 4.7.0
Enterprise Console 4.5.0

What to do

Locate the utility

  1. Open a command prompt (Start | Run | Type: cmd.exe | Press return).
  2. Change directory (cd) to the folder containing the utility:
    • Enterprise Console 4.x and above: C:\Program Files\Sophos\Enterprise Console\
    • Enterprise Manager 4.x: C:\Program Files\Sophos\Enterprise Manager\

Note: On a 64-bit system, change the 'Program Files' folder to 'Program Files (x86)'.

Review the usage options

To show the usage options type: exportconfig.exe

The usage options shown are:

Command line:
ExportConfig.exe -type <AU, SAV, SCF, SAC, DATC, DEVC, TP or LEGAU> [-policy <policy>] [-output <filePath>] [-backwardsCompatable]
Where policy is the name of the policy or not specified for Default.
-backwardsCompatable : Use a format backwards compatable with SAV 5

Types of policy you can export

The table below lists each policy type and its short name which can be used after the -type parameter.

| Policy Type | Short name |
|---|---|
| Updating | au |
| Anti-Virus | sav |
| Firewall [1] | scf |
| Application Control [2] | sac |
| Data Control | datc |
| Device Control | devc |
| Tamper Protection [3] | tp |
| Legacy updating | legau |
| Patch [4] | n/a |
| Web control [4] | n/a |

[1] Can only be exported this way in Enterprise Console 4 and later, or in Enterprise Manager.
[2] Not available in Enterprise Manager.
[3] Only available in endpoint software 9 or later and Enterprise Console 4.5 or later or Enterprise Manager.
[4] It is not possible to export these policy types.

Naming of the output files

The naming of the output file is important.  The table below shows what each policy's output file must be called.

Note: The output file names are case sensitive.

| Policy Type | Output file name |
|---|---|
| Updating | sauconf.xml |
| Anti-Virus | savconf.xml |
| Firewall | SCFCidConfig.conf |
| Application Control | savconfappc.xml |
| Data Control | savconfdatac.xml |
| Device Control | savconfdevc.xml |
| Tamper Protection | savconftp.xml |
| Legacy updating | updating.xml |

Example usage options

The table below shows some examples of common usage.

| I want to... | Command | Comments |
|---|---|---|
| Export the 'Default' updating policy | exportconfig.exe -type au -output C:\sauconf.xml | Exports the 'Default' (i.e., reserved) updating policy, which is always included in the console, to the root of the C:\ drive into a file called sauconf.xml |
| Export the 'Default' Anti-Virus policy | exportconfig.exe -type sav -output C:\savconf.xml | Exports the 'Default' (i.e., reserved) Anti-Virus policy, which is always included in the console, to the root of the C:\ drive into a file called savconf.xml |
| Export an Anti-Virus policy called 'my av policy' (i.e., the policy name has spaces in it) | exportconfig.exe -type sav -policy "my av policy" -output C:\savconf.xml | Exports an anti-virus policy called 'my av policy' to the root of the C:\ drive into a file called savconf.xml |
| Export a data control policy called 'HRDataControlPolicy' (i.e., the policy name has upper and lowercase characters) | exportconfig.exe -type datc -policy HRDataControlPolicy -output C:\savconfdatac.xml | Exports a data control policy called HRDataControlPolicy (i.e., case sensitive policy name) to the root of the C:\ drive into a file called savconfdatac.xml |

If the policy is successfully exported, you will see the following on screen: Policy successfully exported.

Common errors

| Error seen... | Cause |
|---|---|
| Policy named "Default" does not exist in database. | You have attempted to specify the reserved 'Default' policy after the -policy parameter. If you need to export the Default policy, remove the -policy Default section of your command. See the Example usage options section above. |
| Policy named "mypolicy" does not exist in database. | You have specified a policy name that is incorrect. Check that the name entered is typed correctly and, as policy names are case sensitive, make sure the name matches exactly what you see in the console (e.g., mypolicy is not the same as myPolicy). If there is a space in the policy name (e.g., 'my policy'), make sure you enclose the name in double quotes (e.g., "my policy") in the command. You will also see this error message if you have a space at the end of the policy name (i.e., 'myPolicy ' - space after the name). You can still enclose the name in double quotes so the end space is included. Check your policy names carefully and re-type them in the console without spaces to simplify the command. |
| Error: Invalid command line at: | The 'at:...' is followed by the part of the command that is incorrect. Check the command at that section. If the error mentions a single quote mark ('), make sure you have not enclosed your policy name with single quote marks - you must use double quote marks. |
| Error: Type must be AU, SAV, SCF, SAV, DEVC, DATC or LEGAU. | The type parameter is incorrect. Note: Though the AutoUpdate policy is shortened to 'AU', the Anti-Virus policy is not 'AV' but 'SAV'. Check the type parameter you entered against the Types of policy table above. |

Force endpoint computers to use the new configuration files

In order for an endpoint computer to copy down and implement the configuration in the exported policy you must:

  1. Copy the exported policy to the correct distribution point sub-folder.
  2. Update the distribution point's catalog files with a special utility.

Move policy export to the correct folder

You must copy the output configuration file to the correct sub-folder in the distribution point. Use the table below to see which policy file needs to be copied to which folder.

Note: The main (parent) folder of the sub-folders is:
 \\SERVER\SophosUpdate\CIDs\[serial number]\

| Output file name | Folder (Windows XP+) | Folder (Windows NT) | Folder (Windows 9x) |
|---|---|---|---|
| sauconf.xml | SAVSCFXP\sau\ | ESNT\sau\ | ES9X\sau\ |
| savconf.xml | SAVSCFXP\savxp\ | ESNT\sav\ | ES9X\SAV9x\ |
| SCFCidConfig.conf | SAVSCFXP\scf\ | n/a | n/a |
| savconfappc.xml | SAVSCFXP\savxp\ | n/a | n/a |
| savconfdatac.xml | SAVSCFXP\savxp\ | n/a | n/a |
| savconfdevc.xml | SAVSCFXP\savxp\ | n/a | n/a |
| savconftp.xml | SAVSCFXP\savxp\ | n/a | n/a |
| updating.xml | SAVSCFXP\sau\ | ESNT\sau\ | ES9X\sau\ |

Use ConfigCID.exe to update the distribution point

The special utility called ConfigCID.exe has been made available so that a distribution point (or CID - Central Installation Directory) can be programmed to recognize new configuration files. For more information on using ConfigCID.exe see article 13112.
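The export and copy steps above depend on three things matching: the -type short name, the exact case-sensitive output file name, and the CID sub-folder. The PowerShell function below is an added example, not Sophos-supplied code, that ties them together for the Windows XP+ column only. The function name Export-PolicyToCid, the CidRoot parameter and the staging folder are assumptions, as is the success message being written to standard output.

```powershell
# Added example, not Sophos code. File names and folders are copied from the
# tables in this article (Windows XP+ column only).
$PolicyMap = @{
    au    = @{ File = 'sauconf.xml';       Folder = 'SAVSCFXP\sau'   }
    sav   = @{ File = 'savconf.xml';       Folder = 'SAVSCFXP\savxp' }
    scf   = @{ File = 'SCFCidConfig.conf'; Folder = 'SAVSCFXP\scf'   }
    sac   = @{ File = 'savconfappc.xml';   Folder = 'SAVSCFXP\savxp' }
    datc  = @{ File = 'savconfdatac.xml';  Folder = 'SAVSCFXP\savxp' }
    devc  = @{ File = 'savconfdevc.xml';   Folder = 'SAVSCFXP\savxp' }
    tp    = @{ File = 'savconftp.xml';     Folder = 'SAVSCFXP\savxp' }
    legau = @{ File = 'updating.xml';      Folder = 'SAVSCFXP\sau'   }
}

function Export-PolicyToCid {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [ValidateSet('au','sav','scf','sac','datc','devc','tp','legau')]
        [string]$Type,
        [string]$Policy,                         # omit for the reserved 'Default' policy
        [Parameter(Mandatory)][string]$CidRoot,  # \\SERVER\SophosUpdate\CIDs\[serial number]
        [string]$ToolDir = 'C:\Program Files (x86)\Sophos\Enterprise Console'
    )
    # Passing 'Default' after -policy produces the "does not exist in database" error.
    if ($Policy -ceq 'Default') { throw "Omit -Policy to export the reserved 'Default' policy." }

    $entry   = $PolicyMap[$Type]
    $destDir = Join-Path $CidRoot $entry.Folder
    if (-not (Test-Path -LiteralPath $destDir)) { throw "CID sub-folder not found: $destDir" }

    # Export to a staging folder first so a failed export never touches the CID.
    $staging = Join-Path $env:TEMP ([guid]::NewGuid())
    New-Item -ItemType Directory -Path $staging | Out-Null
    $outFile = Join-Path $staging $entry.File

    # Only the options shown in the usage text are used; PowerShell quotes
    # a policy name containing spaces when passing it to the executable.
    $exportArgs = @('-type', $Type, '-output', $outFile)
    if ($Policy) { $exportArgs += @('-policy', $Policy) }
    $result = & (Join-Path $ToolDir 'ExportConfig.exe') @exportArgs 2>&1 | Out-String

    if ($result -notmatch 'Policy successfully exported' -or -not (Test-Path -LiteralPath $outFile)) {
        throw "Export failed: $result"
    }
    # Destination name is taken from the map so its case is exactly as required.
    Copy-Item -LiteralPath $outFile -Destination (Join-Path $destDir $entry.File) -Force
    Remove-Item -LiteralPath $staging -Recurse -Force
    "Copied $($entry.File) to $destDir. Now update the CID with ConfigCID.exe (article 13112)."
}
```

Run it from an account that is a member of the Sophos Console Administrators group, for example: Export-PolicyToCid -Type sav -Policy "my av policy" -CidRoot '\\SERVER\SophosUpdate\CIDs\[serial number]'.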

If you need more information or guidance, then please contact technical support.
