Sophos v9 Enterprise for OS X

evanmellichampe
New Contributor III

We've just stood up our management server as well as a series of update manager servers to use the new version of Sophos. It doesn't overwrite v8, so we've managed to just use a simple command to kick off the Remove Sophos Anti-Virus.pkg and then run our v9 script that mounts the smb share and installs from the correct update manager.

Because everything is virtual, we elected to build out an entirely new environment for v9 with SMC 5.2. We used our existing copy of WebDirector to export all of our groups from the existing SMC 5.1 console and import them into the new environment. We have smart groups in Casper that detect the presence of either version as well as any situation where the software title doesn't exist at all. Our policies then respond to the various smart groups by either removing v8 and installing v9, or just installing v9 on machines that have nothing in place.

One important item of note: the OEM removal script, /Library/Sophos Anti-Virus/remove_v9.sh contains a typo on line 169.

delete_from_filesystem "/Library/Caches/com.sophos.sxl"
should actually be
delete_from_filesystem "/Library/Caches/com.sophos.sxld"

Also, if you decide to host this script in your JSS, be advised that it was written in WordPad, which throws an error due to the ^M bad interpreter.


yan1212
Contributor

This is good info. Many thanks for sharing.

vanilla2
New Contributor

May have to look around for more items to delete that the Sophos script may leave behind...
On a 10.6 box, Sophos 8.0.20 had stored many 1000s of tiny files in /Library/Caches/com.sophos.sau (as well as sxld). Cleaning the cache with Applejack deleted them nicely, but since Applejack writes the name of each item deleted to the screen, had to wait a few minutes! Upon reboot, there were 1500 or so Sophos items in /Library/Caches/com.sophos.* before un-installing Sophos.

P.S. If the Sophos folks cannot write a shell script correctly, due to rookie mistakes, why trust them running launch items as root??? I mean for crying out loud: WordPad, really? And see

http://eromang.zataz.com/2012/05/13/10-of-10-malwares-detected-by-mac-sophos-anti-virus-are-false-po...

evanmellichampe
New Contributor III

I apologize for not updating this thread earlier, but... There's something else to be made aware of. If you're using WebDirector, this will be of particular interest to you. In our environment, much of what we do is dependent on the naming of machines. With Sophos 8.0.15 and newer, they've changed how the installer identifies the machine name. By default, the install will now look at the NetBIOS name as opposed to the localhost name. This can really cause problems if the user has named their machine, "DEPT01-LabCart-32," as the NetBIOS name will default to something like "MACBOOK93B086," because the localhost name exceeds the 15-character limitation.

Sophos was kind enough to send a script that will correct this on the client machines, but in order for it to be effective during the initial install, the script needs to run immediately after so that WebDirector will see the localhost name when the machine first checks in.

#!/bin/bash

# Read the computer name set on the Mac.
overridename=$(sudo scutil --get ComputerName)
# Inner quotes are escaped so the key and value are written quoted and the name is not word-split.
echo "\"ComputerNameOverride\"=\"$overridename\"" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Reload the management agent and message router daemons.
sudo launchctl unload /Library/LaunchDaemons/com.sophos.managementagent.plist /Library/LaunchDaemons/com.sophos.messagerouter.plist
sudo launchctl load /Library/LaunchDaemons/com.sophos.managementagent.plist /Library/LaunchDaemons/com.sophos.messagerouter.plist
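
A variant of the override step that can be re-run safely, as an added example that is not part of the original post or the script Sophos supplied. The function names are hypothetical, the quoted "key"="value" line format is an assumption taken from the quoting in the posted script, and the config path is a parameter so the code can be exercised on a scratch file.

```shell
#!/bin/sh
# Added example, not the script Sophos supplied. Function names are
# hypothetical; the config path is a parameter so this runs on a scratch file.

NETBIOS_MAX=15   # character limit mentioned in the post

# exceeds_netbios NAME -> true when NAME is longer than the limit
exceeds_netbios() {
    [ "${#1}" -gt "$NETBIOS_MAX" ]
}

# valid_name NAME -> reject empty names, double quotes and control
# characters (newlines included), so a user-chosen computer name cannot
# add extra keys or lines to a file read by a root daemon.
valid_name() {
    [ -n "$1" ] || return 1
    cleaned=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]"')
    [ "$cleaned" = "$1" ]
}

# set_override CONFIG NAME -> leave exactly one override line in CONFIG.
# Appending with >> on every run stacks duplicate lines instead.
set_override() (
    valid_name "$2" || exit 2
    tmp=$(mktemp) || exit 1
    if [ -f "$1" ]; then
        grep -v '^"\{0,1\}ComputerNameOverride"\{0,1\}=' "$1" > "$tmp" || [ $? -eq 1 ] || exit 1
    fi
    printf '"ComputerNameOverride"="%s"\n' "$2" >> "$tmp"
    cat "$tmp" > "$1"    # rewrite in place to keep the file's owner and mode
    rm -f "$tmp"
)

# Real use (as root), with the path from the post:
#   set_override "/Library/Sophos Anti-Virus/RMS/agent.config" "$(scutil --get ComputerName)"

# Constructed demo on a scratch file holding one made-up, unrelated key.
cfg=$(mktemp)
printf '"ExampleKey"="example-value"\n' > "$cfg"
set_override "$cfg" "DEPT01-LabCart-32"
set_override "$cfg" "DEPT01-LabCart-32"   # second run must not duplicate
cat "$cfg"
```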

scottb
Valued Contributor III

@evanmellichampe: The newest version of the script seems to have fixed the line #169 (now #170) but I keep getting errors running this in JSS, although looking at the results shows Sophos 9 has been removed. Even the logs show it completed, but it still reports with errors in JSS and sends associated emails. Can you possibly shed some light if you're using the Sophos 9 removal .sh in JSS? Thanks!

scottb
Valued Contributor III

...No emails from this thread. Sorry to "bump" but all others are working...

*Edit. Well this one worked. Odd.

rtrouton
Valued Contributor III

I've been using this preinstall script as part of a custom-built Sophos 9.x for Enterprise installer package, to uninstall any and all possible installs of Sophos prior to installing a fresh copy of Sophos 9.x for Enterprise. Seems to work pretty well.

#!/bin/bash

LOGGER="/usr/bin/logger"

# Determine working directory
install_dir=$(dirname "$0")

# Uninstall existing copy of Sophos 8.x by checking for the
# Sophos Antivirus uninstaller package in /Library/Sophos Anti-Virus.
# If present, the uninstallation process is run.

if [ -d "$3/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
    ${LOGGER} "Sophos AV present on Mac. Uninstalling before installing new copy."
    /usr/sbin/installer -pkg "$3/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target "$3"
    killall SophosUIServer
elif [ -d "$3/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
    ${LOGGER} "Sophos AV present on Mac. Uninstalling before installing new copy."
    /usr/sbin/installer -pkg "$3/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target "$3"
    killall SophosUIServer
else
    ${LOGGER} "Sophos Anti-Virus 8.x Uninstaller Not Present"
fi

# Uninstall existing copy of Sophos 9.x by checking for the InstallationDeployer application
# in the following locations:
#
# /Library/Application Support/Sophos/he/Installer.app/Contents/MacOS
# /Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS
# /Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS
#
# If the InstallationDeployer application is present, the uninstallation process is run.

if [[ -f "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Home Edition present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Home Edition Uninstaller Not Present"
fi

if [[ -f "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Standalone present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Standalone Uninstaller Not Present"
fi

if [[ -f "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Enterprise present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Enterprise Uninstaller Not Present"
fi

exit 0

scottb
Valued Contributor III

@rtrouton: Thank you! Looks like it does the job as needed! Thank you much.
Now I have to figure out why the Symantec software removal scripts keep failing.

scottb
Valued Contributor III

@rtrouton: I hate to ask this stupid question, but when I ran this locally via terminal, it worked great. I then uploaded to the JSS and created a policy to run it. I got no errors, but it also didn't remove anything this way. What on earth could I be missing? It might be the same thing I'm doing wrong with the SEP removal scripts. Thank you for your help.

rtrouton
Valued Contributor III

@boettchs

You may need to remove the $3 entries from the script. Those variables are in there because I wrote this script as a preinstall package and was using Installer to pass along what $3 means. In the case of Installer, $3 returns the target volume. For a script run by Casper, $3 returns the username.

For more information on Installer-passed values, please see this post:

http://derflounder.wordpress.com/2014/06/01/understanding-payload-free-packages
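
The difference in what $3 holds, shown as an added example that is not rtrouton's code: a helper that turns $3 into a usable path prefix in either context, and a lookup over the same three InstallationDeployer paths the preinstall script checks. The names target_root and find_deployers are hypothetical, and treating a non-path $3 as "use the boot volume" is an assumption.

```shell
#!/bin/sh
# Added example (not rtrouton's script). target_root and find_deployers
# are hypothetical helper names.

# target_root ARG3 -> print the prefix to put in front of /Library/...
# Installer passes the target volume as $3 ("/" or "/Volumes/Name").
# A Casper policy passes a username, which is not an absolute path, so
# "$3/Library/..." becomes a relative path that never exists.
target_root() {
    case $1 in
        /)  printf '' ;;                  # boot volume, avoids "//Library"
        /*) [ -d "$1" ] || return 1       # a named volume must be mounted
            printf '%s' "${1%/}" ;;
        *)  printf '' ;;                  # username or empty: boot volume
    esac
}

# find_deployers ROOT -> print the Sophos 9.x editions whose
# InstallationDeployer exists under ROOT (same three paths as the script).
find_deployers() {
    found=""
    for edition in he opm-sa opm; do
        bin="$1/Library/Application Support/Sophos/$edition/Installer.app/Contents/MacOS/InstallationDeployer"
        if [ -f "$bin" ]; then
            found="$found $edition"
        fi
    done
    printf '%s' "${found# }"
}

# Constructed demo: a scratch directory stands in for the target volume.
scratch=$(mktemp -d)
for e in he opm; do
    d="$scratch/Library/Application Support/Sophos/$e/Installer.app/Contents/MacOS"
    mkdir -p "$d" && : > "$d/InstallationDeployer"
done

echo "volume path as \$3:  [$(find_deployers "$(target_root "$scratch")")]"
echo "username used as-is: [$(find_deployers "jdoe")]"
```

With a username in $3 every existence test is false, so the script logs "Not Present" for each edition and exits 0, which matches a policy that reports no errors and removes nothing.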

scottb
Valued Contributor III

Phenomenal! Thank you for guiding me. Made a pkg using your utility and it works a charm! I'm sure the stockpile is large, but I do in fact owe you a beer - or bacon - or both.

stas
New Contributor

Tried creating a package while including this as a Preinstall script (prior to installing new version of Sophos) using PackageMaker; however, the install fails. How can I test it locally like a previous post stated?