11-07-2007 02:27 AM - edited 03-09-2019 07:16 PM
Hi,
We run CSA v4.5.1 on all our servers and desktops. We also run Sophos Anti-virus agent. Recently we upgraded to the latest version of Sophos (7.0.4) but noticed that it wasn't installing correctly. Further investigation confirmed that CSA was preventing Sophos from accessing a registry key called appinit_dlls. Sophos technical support confirmed this was necessary for the application to install correctly.
The CSA logs report nothing (even with the Log Deny override option), so we can't step through a wizard as we normally do when CSA prevents a legitimate application from behaving correctly. Also, putting the agent group into test mode has no effect either. What does work is manually disabling the CSA service while in Windows Safe Mode, restarting the PC, applying the Sophos application update, and then turning the CSA service back on again. Sophos is then able to carry out its ide file updates ok. It's just the initial update of the actual application that it runs into trouble with.
I have nearly 700 PCs I would have to apply this workaround to, so I'd appreciate it if anyone has come across a more easily applied fix than this one.
12-18-2007 12:56 PM
I have created the registry exception for MSIEXEC and have verified that it is being matched and allowed.
That is a good idea to remove them from all groups except the base and add them slowly.
I will try that this afternoon.
Thanks,
-Landon
12-18-2007 01:50 PM
TAC finally got back to me with something more concrete, here it is as an FYI.
Hopefully they will work with Sophos to resolve this issue permanently going forward.
Thanks for all of the thoughts and ideas!
This AppInit_DLLs entry is an important piece of CSA as it provides a hook into all applications as they load. The csauser.dll is loaded when an application runs, and provides, in our dll, buffer overflow protection and COM+ Component checks. What is happening is that Sophos apparently wants to hook the same way, however, we will not allow changes to the AppInit_DLLs string. And this protection is done by the agent w/o any true rules on the MC, which is why there is not a log.
Based upon the information I have there are two options. And only two options, both of which require specific coordination between the Sophos Rollout and CSA. I am checking with development for another option, but the two options are:
1) Testmode.
2) Stop the agent or turn the security level to Off then install.
Major bummer since it affects all point releases as well!! :(
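The TAC reply above describes how CSA's csauser.dll hooks every process through the AppInit_DLLs value. As an added example (not from this thread, Cisco or Sophos), the following PowerShell audit lists what is registered there on a host, so an administrator can confirm that only the expected CSA entry is present and that the Sophos rollout did not leave the value in a broken state. The registry paths are the standard Windows ones; the allow-list of expected DLL names and the System32 fallback for bare file names are assumptions.

```powershell
# Added example: audit the AppInit_DLLs hook list that CSA protects.
# Run in an elevated PowerShell session on the host being checked.
# Expected entries are an assumption for this example; adjust for your build.
$ExpectedDlls = @('csauser.dll')

# Native view plus the 32-bit view on 64-bit Windows.
$KeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDlls {
    param([string]$KeyPath, [string[]]$Expected)
    if (-not (Test-Path -Path $KeyPath)) { return }
    $props = Get-ItemProperty -Path $KeyPath
    $raw = [string]$props.AppInit_DLLs
    # LoadAppInit_DLLs exists on Vista and later; on XP/2003 the list is always honoured.
    $enabled = if ($null -eq $props.LoadAppInit_DLLs) { 'always (pre-Vista)' } else { [bool]$props.LoadAppInit_DLLs }
    # The value is a space- or comma-separated list of DLL names or full paths.
    $entries = $raw -split '[ ,]+' | Where-Object { $_ -ne '' }
    foreach ($entry in $entries) {
        # Assumption: a bare file name is resolved from System32, as user32 loads it.
        $resolved = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $env:SystemRoot "System32\$entry" }
        $exists = Test-Path -Path $resolved
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'file missing' }
        [pscustomobject]@{
            Key       = $KeyPath
            Enabled   = $enabled
            Entry     = $entry
            Resolved  = $resolved
            Exists    = $exists
            Signature = $sigStatus
            Expected  = ($Expected -contains [IO.Path]::GetFileName($entry))
        }
    }
}

$KeyPaths | ForEach-Object { Get-AppInitDlls -KeyPath $_ -Expected $ExpectedDlls } | Format-Table -AutoSize
```

Any row with Expected set to False, a missing file, or a non-Valid signature is worth investigating, since everything in this list is injected into every GUI process at start.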
12-18-2007 02:15 PM
Hi Landon, thanks for posting back.
My previous thought was that CSA was protecting the registry string because it loaded a CSA dll.
I thought that if you allowed MSIEXEC access to the string when the Sophos install kicked off and removed it a few minutes later, it would allow the update to occur.
I don't know if the other poster resolved the issue but thought it was worth a shot.
Tom