Deploying Sophos Anti-Virus for Windows NT using SWHIVE and SWSERV
------------------------------------------------------------------

Version 1.36, April 1998
Copyright (c) 1998, Sophos Plc, Oxford, England
www.sophos.com


1. Introduction
---------------

Normally, Sophos Anti-Virus for Windows NT is installed onto an NT server
or workstation using its own SETUP program. Because the installation
involves the creation of privileged NT services, it must be run by a user
with sufficient privilege, typically the Administrator or a member of the
group Administrators.

When the Sophos Anti-Virus SETUP program is run, it performs three
important operations:

  A. It decompresses the software files and places them in the selected
     directory;

  B. It creates a default set of configuration information in the system
     registry;

  C. It installs and starts a set of NT services to take care of virus
     detection, network operation and auto-upgrading.

NT does not have a remote-control utility like NetWare's RCONSOLE, so it
offers no built-in way to run a program on another machine across the
network. Additional tools are therefore required to deploy Sophos
Anti-Virus from a central location. SWHIVE and SWSERV, together with a
command such as COPY or XCOPY, can be used to carry out steps A, B and C
above across an NT network.


2. Creating a master configuration
----------------------------------

The first step towards automatic deployment of Sophos Anti-Virus is to
create a master configuration. To do this, install Sophos Anti-Virus for
Windows NT onto one machine (we shall call this the "template" computer)
and then set it up, using SWEEP's built-in configuration tools, with
exactly the configuration you want for all machines installed from this
template.
For example, for a template workstation installation, you might first
perform a file-server central installation (with auto-upgrades and the
InterCheck client enabled), and then install onto your template computer
from this central installation. You could then further configure your
template workstation with SWEEP itself. Typical things to consider
include: when to perform scheduled sweeps; what action to take if a virus
is found; and where to report viruses to.

Remember that ordinary users cannot change the configuration of scheduled
sweeps, the InterCheck client or the reporting mechanisms: the relevant
options within the SWEEP for Windows NT GUI program are either missing or
greyed out. This level of control cannot be matched under Windows 3.1x or
Windows 95/98/Me, where the operating system is intrinsically wide open,
allowing determined users unrestricted access to the resources on the
computer.

Once Sophos Anti-Virus is set up on your template workstation according
to taste, you can take a "snapshot" of its configuration from the
registry using the utility SWHIVE. This configuration can then be
replicated across the network.


3. Saving and restoring Sophos Anti-Virus configurations
--------------------------------------------------------

Sophos Anti-Virus for Windows NT saves its configuration information in
the registry. Although a number of "hives", or registry sub-trees, are
created during setup, only two need to be replicated across the network.
These are the sub-keys:

  HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SweepNT
  HKEY_USERS\.DEFAULT\Software\Sophos\SweepNT

You need to copy each of these hives in its entirety. The product
maintains a checksum of all its keys and subkeys in order to guard
against inadvertent external changes to its configuration, which is why
the hives must be copied whole. Note that this checksum is a consistency
check, not a defence against deliberate tampering: anyone with write
access to these keys can change them, so the ACLs on the keys are what
determine who may alter the configuration.
To snapshot the necessary information on the template workstation, issue
commands such as:

  SWHIVE SAVE C:\SWCONFIG\SWNTHKLM HKLM\SOFTWARE\Sophos\SweepNT
  SWHIVE SAVE C:\SWCONFIG\SWNTHKU  HKU\.DEFAULT\Software\Sophos\SweepNT

In the command lines above, "HKLM\" is an abbreviation for
"HKEY_LOCAL_MACHINE\", which is inconvenient to type, and "HKU\" is an
abbreviation for "HKEY_USERS\". This saves the Sophos Anti-Virus
configuration information from the local machine into two hive files,
SWNTHKLM and SWNTHKU. Remember that hive filenames are not allowed to
have extensions, that they must not already exist, and that they will be
placed in the system directory unless you specify an explicit path.

The information in the saved hive files can now be "injected" into the
registry on a remote machine, effectively pre-configuring that computer
for a later "injection" of Sophos Anti-Virus.

When restoring a hive file on a remote machine, the hive file *must exist
on that machine*, and the filename you specify is relative to that
machine, so it is necessary to copy your saved file across first. This
will not usually be a problem: if you have the right to manipulate a
remote computer's registry, then you will typically also have the right
to access local drives on that machine via the default administrative
shares such as C$. Both are administrative rights on the remote machine,
and together with SWSERV's ability to create and start services (section
5) they amount to complete control of it, so run the deployment from an
administrative account kept for that purpose and drop the connection to
the administrative share as soon as the deployment is finished.

Assuming that you have saved the Sophos Anti-Virus configuration using
the commands above, the following sequence of commands, suitable for
inclusion in a batch file, could be used to install that configuration
on a remote machine named \\ENTABENI:

  NET USE V: \\ENTABENI\C$
  COPY C:\SWCONFIG\SWNTHKLM V:\
  COPY C:\SWCONFIG\SWNTHKU  V:\
  SWHIVE RESTORE C:\SWNTHKLM HKLM\SOFTWARE\Sophos\SweepNT \\ENTABENI
  SWHIVE RESTORE C:\SWNTHKU  HKU\.DEFAULT\Software\Sophos\SweepNT \\ENTABENI
  DEL V:\SWNTHKLM
  DEL V:\SWNTHKU
  NET USE V: /DEL


4. Copying the Sophos Anti-Virus files to a remote machine
----------------------------------------------------------

The files and directories in and below the SWEEP for NT installation
directory must be replicated onto the remote machine. Since the registry
configuration includes a record of SWEEP's location on the template
computer, you will need to use the same directory name on the remote
machine. Assuming the default installation directory for Windows NT 4.0,
the following command sequence could be used:

  NET USE V: \\ENTABENI\C$
  MD "V:\Program Files\Sophos SWEEP for NT"
  CD "V:\Program Files\Sophos SWEEP for NT"
  XCOPY "C:\Program Files\Sophos SWEEP for NT\*.*" V: /S /E
  NET USE V: /DEL

Note the quotes around NT directory names which include spaces. Although
not always necessary under NT, it is an excellent idea to quote file
names to prevent ambiguity. For example, although the command

  CD \PROGRAM FILES

would change to the directory "\PROGRAM FILES", the command

  MD \PROGRAM FILES

would create two directories, one named "\PROGRAM" and the other named
"FILES".

If you are replicating files from a machine on which Sophos Anti-Virus is
currently active, you will receive an "Unable to access" error while
copying the file INTERCHK.CHK. This is the InterCheck checksum database,
and is locked for use by InterCheck while InterCheck is active. Simply
ignore the error (XCOPY's /C switch makes it carry on past it): the
remote machine will transparently build up its own checksum database.


5. Installing Sophos Anti-Virus services on a remote machine
------------------------------------------------------------

Once you have injected a Sophos Anti-Virus configuration onto a remote
machine, and have copied over the program files, you are ready for the
final stage in deployment: starting the SWEEP services on that machine.

There are three SWEEP services:

  A. SWEEPSRV.SYS (file name SWEEPSRV.SYS)

     This is the engine responsible for the anti-virus functionality
     within SWEEP for NT.
     This service is required for SWEEP and InterCheck to function.

  B. SweepNet (file name SWNETSUP.EXE)

     This handles the network interaction of SWEEP and InterCheck. It is
     not required, but without it you will not be able to deliver virus
     reports back to the InterCheck server, and auto-upgrades will not be
     possible.

  C. SweepUpdate (file name SWUPDATE.EXE)

     This provides the auto-update functionality of SWEEP. It depends on
     the SweepNet service.

Before an NT service can be started, it must be installed (or "created",
in NT terminology). SWSERV allows you to create and start services in
one operation.

To start the first service, you will need a service configuration file.
A sample file, SWEEPSRV.400, is provided, and looks like this:

  [SWEEPSRV.SYS]
  DisplayName = SWEEP for Windows NT
  FileName    = "C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS"
  StartOnInst = Yes

Issuing a command such as:

  SWSERV CREATE @SWEEPSRV.400 \\ENTABENI

will attempt to create the SWEEPSRV.SYS service on the machine
\\ENTABENI. Because of the "StartOnInst = Yes" line in the configuration
file, SWSERV will also attempt to start the service if it was correctly
created. Again, note the quotes around the file name entry.

For the SWEEP for NT Network service, see the sample file SWEEPNET.400:

  [SweepNet]
  DisplayName = SWEEP for Windows NT Network
  FileName    = "C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE"
  AccountName = DOMAIN\AccName
  StartOnInst = Yes

This service needs access to network resources in order to fetch files
and to send virus reports, so it cannot run under the default service
account, LocalSystem, which presents no credentials to other machines and
therefore reaches local resources only. The account name must be a
domain account, written as DOMAIN\AccName as shown above. Give this
account a password (a domain account with no password can be used by
anyone who learns its name), switch off password expiry so that the
service does not stop authenticating when the password ages, deny it
interactive logon, and grant it only the access it needs: read access to
the central installation, and whatever is required to deliver reports to
the InterCheck server. The password must be specified in the
configuration file on a "Password = " line, which means the file holds
it in clear text: keep the .400 files in a directory readable only by
administrators, and do not leave copies of them on the target machines.
Remember that NT passwords are case-sensitive.

For the auto-update service, see the sample file SWEEPUPD.400:

  [SweepUpdate]
  DisplayName = SWEEP for Windows NT Update
  FileName    = "C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE"
  ServiceType = WIN32_OWN_PROCESS, INTERACTIVE_PROCESS
  DependentOn = SWEEPNET
  StartOnInst = Yes

The update service needs to be able to write to the Windows NT desktop,
so it needs the INTERACTIVE_PROCESS flag set. Because it runs as
LocalSystem, this places a fully privileged process on the same desktop
as the logged-on user, so set the flag only on this service, which needs
it, and not on the other two. The update service also requires the
network service to be loaded in order to do its job, so it is marked as
dependent on it.


6. Putting it all together
--------------------------

A sample batch file is provided (SWDEPLOY.BAT) which glues all the above
operations together. This batch file is also presented below.

Although both SWHIVE and SWSERV can operate on multiple machines in one
invocation (using an @LISTFILE parameter in place of a \\MACHINENAME),
and although SWSERV can install multiple services at one time (by placing
multiple service configuration entries in the configuration file), the
example works on one machine at a time, one operation at a time. This is
done for the sake of clarity.

It is also assumed that the template computer in the example is a
workstation, set up with InterCheck active (generally speaking,
InterCheck's on-access virus detection will not be required on network
servers) and auto-updates enabled. This means that all three SWEEP for
Windows NT services are required.

  @ECHO OFF
  REM Set up global parameters for use in this file.
  REM For NT 3.51 machines, you will probably want
  REM "SweepDir=\SWEEP" and "XxxFname=SWEEPxxx.351".
  REM Note this file assumes that everything will
  REM end up on the C: drive of the target machine.
  SET LocalDrv=C:
  SET HiveFstr=SWNT
  SET SweepDir=\Program Files\Sophos SWEEP for NT
  SET SrvFname=SWEEPSRV.400
  SET NetFname=SWEEPNET.400
  SET UpdFname=SWEEPUPD.400
  REM Check that there's a machine name parameter...
  IF "%1" == "" GOTO NOPARAM
  REM Now, check that we can actually get at the
  REM C: drive of the target machine...
  NET USE %1\C$
  IF ERRORLEVEL 1 GOTO NOMAP
  REM Also confirm that we have the hive files we
  REM need to inject configuration info. These should
  REM be called SWNTHKLM and SWNTHKU. You need to
  REM create them first with SWHIVE SAVE...
  IF NOT EXIST %HiveFstr%HKLM GOTO NOHIVEFILE
  IF NOT EXIST %HiveFstr%HKU GOTO NOHIVEFILE
  REM Next, copy over the files we need, from the same
  REM directory on this (template) machine: the registry
  REM snapshot records that path, so it must match. The
  REM /C switch carries on past the locked INTERCHK.CHK...
  MD "%1\C$%SweepDir%"
  XCOPY "%LocalDrv%%SweepDir%\*.*" "%1\C$%SweepDir%" /S /E /C
  REM We need a hive file for config injection, and
  REM we'll put it in the remote root dir, for ease...
  COPY %HiveFstr%HKLM %1\C$\
  COPY %HiveFstr%HKU %1\C$\
  REM Now we can inject the configuration remotely...
  SWHIVE RESTORE C:\%HiveFstr%HKLM HKLM\SOFTWARE\Sophos\SweepNT %1
  IF ERRORLEVEL 1 GOTO NOHIVE
  SWHIVE RESTORE C:\%HiveFstr%HKU HKU\.DEFAULT\Software\Sophos\SweepNT %1
  IF ERRORLEVEL 1 GOTO NOHIVE
  REM And then we just start up the services...
  SWSERV CREATE @%SrvFname% %1
  IF ERRORLEVEL 1 GOTO NOSRV
  SWSERV CREATE @%NetFname% %1
  IF ERRORLEVEL 1 GOTO NONET
  SWSERV CREATE @%UpdFname% %1
  IF ERRORLEVEL 1 GOTO NOUPD
  REM If we get here, the remote workstation is protected!
  ECHO Successfully deployed SWEEP on %1
  GOTO CLEANUP
  :NOPARAM
  ECHO Usage: %0 \\MACHINENAME
  GOTO END
  :NOMAP
  ECHO Unable to map to C: drive of remote machine %1
  GOTO END
  :NOHIVEFILE
  ECHO Unable to locate local hive config files %HiveFstr%HKLM and %HiveFstr%HKU
  GOTO CLEANUP
  :NOHIVE
  ECHO Unable to inject registry configuration info into %1
  GOTO CLEANUP
  :NOSRV
  ECHO Unable to create/start basic SWEEP for NT service on %1
  GOTO CLEANUP
  :NONET
  ECHO Unable to create/start SWEEP for NT Network service on %1
  GOTO CLEANUP
  :NOUPD
  ECHO Unable to create/start SWEEP for NT Update service on %1
  GOTO CLEANUP
  :CLEANUP
  REM Remove the hive copies from the remote root and drop
  REM the connection to the administrative share, so that
  REM neither outlives the deployment...
  IF EXIST %1\C$\%HiveFstr%HKLM DEL %1\C$\%HiveFstr%HKLM
  IF EXIST %1\C$\%HiveFstr%HKU DEL %1\C$\%HiveFstr%HKU
  NET USE %1\C$ /DEL
  :END
  REM Tidy up the environment...
  SET LocalDrv=
  SET SweepDir=
  SET HiveFstr=
  SET SrvFname=
  SET NetFname=
  SET UpdFname=

You can tailor this batch file to suit your own requirements.
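Before a batch file like the one above is run against a whole list of machines, it is worth checking the service configuration files it will feed to SWSERV, since a defect in one of them is repeated on every target. The script below is an added example, not a Sophos tool and not part of the original note: it parses a set of .400 files and reports the problems discussed in sections 5 and 6 (an unquoted FileName containing spaces, a FileName outside the directory the registry snapshot records, a domain account with no Password line, a clear-text password, INTERACTIVE_PROCESS on a LocalSystem service, and a DependentOn that names a service not being deployed). The file format is inferred from the three samples printed above; how SWSERV itself treats an unquoted path is not stated in this note, so that finding rests on the note's own advice to quote. The embedded definitions are constructed copies of the three samples with DisplayName lines omitted, SWEEPUPD kept with its FileName unquoted so that the check fires.

```python
"""Pre-flight lint for SWSERV service-definition (*.400) files before
SWDEPLOY.BAT is run against many machines.

Added example, not a Sophos tool. The format is inferred from the three
samples in this note: an INI-style [ServiceName] header, then Key = Value
lines, with FileName double-quoted where the path contains spaces.
"""
import re


def parse_svcdef(text):
    """Parse .400 text into a list of (service_name, {key: value})."""
    defs, keys = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            keys = {}
            defs.append((m.group(1).strip(), keys))
        elif keys is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, _, value = line.partition("=")
            keys[key.strip()] = value.strip()
    return defs


def lint(defs, sweep_dir):
    """Return (service, message) findings for definitions deployed together.
    sweep_dir is the template's install directory, which the registry
    snapshot records, so every FileName must lie beneath it."""
    out = []
    names = {name.upper() for name, _ in defs}
    prefix = sweep_dir.upper().rstrip("\\") + "\\"
    for name, k in defs:
        path = k.get("FileName", "")
        quoted = len(path) >= 2 and path[0] == path[-1] == '"'
        if quoted:
            path = path[1:-1]
        if not path:
            out.append((name, "FileName missing"))
        else:
            if " " in path and not quoted:
                out.append((name, "FileName contains spaces but is not quoted"))
            if not path.upper().startswith(prefix):
                out.append((name, f"FileName is not under {sweep_dir}"))
        if "AccountName" in k:
            # Only a service needing network access should carry one; it must
            # be DOMAIN\Name, and without a password anyone can log on as it.
            if not re.fullmatch(r"[^\\\s]+\\[^\\\s]+", k["AccountName"]):
                out.append((name, "AccountName is not in DOMAIN\\Name form"))
            if not k.get("Password"):
                out.append((name, "domain account has no Password line"))
            else:
                out.append((name, "Password is held in clear text; restrict access to this file"))
        # No AccountName means the service runs as LocalSystem (the default).
        flags = {f.strip().upper() for f in k.get("ServiceType", "").split(",")}
        if "INTERACTIVE_PROCESS" in flags and "AccountName" not in k:
            out.append((name, "interactive service runs as LocalSystem on the user's desktop"))
        dep = k.get("DependentOn", "").upper()
        if dep and dep not in names:
            out.append((name, f"DependentOn {k['DependentOn']} is not being deployed"))
    return out


# Constructed input: the three samples from this note, DisplayName lines
# omitted, with SWEEPUPD kept as printed there (unquoted FileName).
SWEEP_DIR = r"C:\Program Files\Sophos SWEEP for NT"
SAMPLE_400 = r"""
[SWEEPSRV.SYS]
FileName = "C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS"
StartOnInst = Yes
[SweepNet]
FileName = "C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE"
AccountName = DOMAIN\AccName
StartOnInst = Yes
[SweepUpdate]
FileName = C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
ServiceType = WIN32_OWN_PROCESS, INTERACTIVE_PROCESS
DependentOn = SWEEPNET
StartOnInst = Yes
"""

if __name__ == "__main__":
    for name, msg in lint(parse_svcdef(SAMPLE_400), SWEEP_DIR):
        print(f"{name}: {msg}")
```

Run it over the concatenated .400 files you intend to deploy, passing the same SweepDir the batch file uses; SWEEPSRV.SYS passes cleanly, SweepNet is flagged for the missing password, and SweepUpdate for the unquoted path and the interactive LocalSystem process. Service and dependency names are compared case-insensitively, as NT itself treats them.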
You will probably want to set up one template computer for your servers,
and another for your workstations. On servers, you will probably not need
to install the network and update services.


7. Reconfiguring workstations
-----------------------------

You can also use SWHIVE and SWSERV to reconfigure workstations at any
time. Simply change your template configuration, "snapshot" the modified
registry information with SWHIVE SAVE, and use SWHIVE RESTORE to inject
this new configuration onto the desired machines.

When deploying the new configuration to a destination workstation, first
copy the new hive files to the root of its C: drive as in section 3,
then stop the "SWEEP for Windows NT" service with SWSERV, inject the new
configuration hives with SWHIVE, and restart the service with SWSERV.
Use a sequence of commands such as:

  SWSERV STOP SWEEPSRV.SYS \\MACHINENAME
  SWHIVE RESTORE C:\SWNTHKLM HKLM\SOFTWARE\Sophos\SweepNT \\MACHINENAME
  SWHIVE RESTORE C:\SWNTHKU  HKU\.DEFAULT\Software\Sophos\SweepNT \\MACHINENAME
  SWSERV START SWEEPSRV.SYS \\MACHINENAME


8. Support
----------

For assistance, please contact Sophos technical support.

  support@sophos.com

----------------