Layer antivirus apps 编辑

This article explains how to deploy each of the most commonly used antivirus products in a layer. You can layer any antivirus software, unless listed below as unsupported. Though we expect newer versions of antivirus software to function properly, this isn’t guaranteed until we have tested them. Check this topic to see if new versions of your antivirus software have been tested.

Some antivirus installation procedures require that you modify the Windows Registry.

Warning:

Back up the registry before you edit it. Using Registry Editor incorrectly can cause serious problems that require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk, and always back up the Registry before you edit it.

You can exclude antivirus files and folders from persisting on the user’s desktop. You create the exclusions in the layer, and they are processed in the image after it is published.

Options for managing Antivirus software updates

This section explains how to layer antivirus software and configure major updates based on how you deploy the images. This applies only to major updates. Daily updates for virus definitions are done no matter what type of image you deploy.

Recommended for all antivirus software

In all cases, we recommend making a new version of the app layer when the antivirus software has a major update. Once the layer has been updated, update all of the templates that use that antivirus app, and redeploy new images to take advantage of the changes in the antivirus software.

Elastic layering NOT enabled

If you are deploying images without elastic layering enabled, consider whether your images are non-persistent or persistent:

• For persistent machines, you probably want to enable auto updates to keep the antivirus software up-to-date.
• For non-persistent machines, you may not want to turn on auto updates, because the updates take place on the images after every reboot. (The non-persistent machine is reverted whenever it reboots.)

Elastic layering enabled, but no user layers

If you are deploying images with elastic layering but no user layers, clear auto updates, since the machines are non-persistent and would be reverted on the reboot. Also, assign the antivirus layer to be deployed in the image and not loaded as an elastic layer, since the antivirus drivers must be loaded at boot time to function correctly. When layers are assigned as elastic layers, they are only loaded once a user logs on to the machine, and therefore the drivers would not be present at boot time.

Elastic layering enabled, with user layers (or user personalization layers)

If you are deploying images with elastic layering and a full user layer (or a User personalization layer), we recommend turning off auto updates. The machines are non-persistent desktops, so they revert when the user logs off. There is also the extra consideration that if the users remain logged on to the machines for several days, the daily updates to the virus definition files may end up in user layers. For most antivirus software this is not a problem. But, if you find that the antivirus software is having some problems running, you may want to determine the directory where they store their definitions and consider adding a registry setting to force these files to reside on the non-persistent image, instead of in the user layer. Make sure that these settings are done in a different layer than the antivirus app, because you would not want those settings to interfere with updates to the antivirus layer.

Before you start

When deploying any antivirus software package in App Layering, the following might be required:

• Start the Remote Registry Service for any of the remote installations.
• Disable the firewall on the desktop before installing to allow the products to install.
• Disable Windows Defender.
• Enable or disable User Account Control (UAC).
• Read the installation instructions for virtual desktop infrastructure (VDI) deployments on the website for the product you are installing.

AVG

You can use a gold image or an Application Layer to deploy the AVG Business Edition antivirus software.

Deployment methods

Use one of the following methods to install the AVG antivirus software:

• Install the software on a gold image of the operating system and import it to a new OS Layer.
• Install the software on an Application Layer and assign the layer to new or existing desktops.

Citrix supports AVG antivirus Business Edition version 13.0.0.x only.

To install the software on a gold image

1. Install the AVG software on the gold image.

2. Open the AVG application and select AVG Settings Manager.

3. Select Edit AVG Settings.

4. Select System Services, and disable all AVG Services.

5. Select AVG Advanced Settings, Anti-Virus, Cache Server, and disable file caching.

6. Delete cache files:

   On Windows 7, delete the following files: C:\ProgramData\AVG2013\Chjw\*.*

7. Enable all the AVG Services again.

8. Shut down the gold image.

9. Create an OS Layer by using the gold image.

10. On newly deployed desktops, enable the Caching option again, which can happen automatically through integration with AVG Remote Administrator.

To install the software on an App Layer

1. Install the AVG software on the App Layer.
2. Deploy the App Layer to desktops.

To enable the Scan files on close option

1. Open Advanced settings (F8).
2. Select Antivirus > Resident Shield.
3. Select the Scan files on close option, and save the setting.

Kaspersky

This section explains how to deploy Kaspersky in a layer. See the Kaspersky documentation for more instructions about installing the software in a VDI environment. Read the Dynamic VDI support section in this article to learn about using Kaspersky for non-persistent desktops in a VDI environment.

The following versions of Kaspersky antivirus software have been tested by Citrix and are verified to work with App Layering:

• Kaspersky Endpoint Security version 10.2.5.3201
• Kaspersky Administration version10.3.407.0
• Kaspersky Administration Server version 8.0.2163
• Kaspersky antivirus for Windows Workstations version 6.0.4.1424
• Kaspersky for VDI Agentless version 3.0
• Kaspersky Endpoint Security version 10.1.0.867(a)
• Kaspersky Endpoint Security version 10.2
• Kaspersky for VDI Agentless version 3.1.0.77

Note:

Encryption with Kaspersky 10.2 is not supported. Kaspersky 10.2 Encryption uses a form of disk virtualization that bypasses App Layering virtualization, and as such is incompatible with App Layering. Before you deploy Kaspersky 10.2, disable the encryption options.

Deployment methods

Use one of the following methods to deploy the Kaspersky antivirus software:

• Install the software on an App Layer or App Layer revision.
• Install the software on the gold image you import into an OS Layer.
• Install the software on an OS Layer revision.

Requirements

• If you deploy the Kaspersky software on a new OS Layer, install the software on the gold image before you install App Layering Machine Tools.

• If you use the Kaspersky Administration Server to manage the desktop, install Kaspersky antivirus for Workstations and NetAgent on the Packaging Machine or a gold image.

• If you do not plan to use the Kaspersky Administration Server, install Kaspersky antivirus for Workstations only on the Packaging Machine or the gold image.

• When you install the Kaspersky NetAgent, clear the selection for the start application during install option.

• When you install the Kaspersky antivirus for Workstations in a stand-alone configuration, do not enable password protection for any of the administrative options. The password you type on the Packaging Machine or gold image does not work on the desktop after you deploy the software.

• After you install the Kaspersky software on a PackagingMachine (for App Layers or layer revisions), a system restart (and desktop image rebuild) is required.

Kaspersky 10.2 special requirement

Add a value to the Unifltr service in the registry before you add Kaspersky 10.2 to the gold image or to a layer.

To edit the registry

1. Click Start, click Run, and then type regedit.
2. Navigate to the HKLM\System\CurrentControlSet\Services\Unifltr key.
3. On the Edit menu, click New, and then click DWORD (32-bit) value.
4. In the right pane, right-click the New value and select Modify.
5. In Value, name, type the name MiniFilterBypass.
6. In Value, type 1 and then click OK.
7. Close Registry Editor.

8. Restart the machine, as the setting is only read at start time.

   Note:

   Attempts to finalize Kaspersky for Virtualization Light Agent 3.0 on Windows 7 32-bit and Windows 7 64-bit packaging machines fail. The failure occurs when layer integrity attempts to restart.

Special steps for installing the software on an App Layer

To install Kaspersky software on an app layer:

1. Install the Kaspersky software on the Packaging Machine. If you deploy nonpersistent desktops running Kaspersky, mark the image as a Dynamic VDI. When you mark the image, the Kaspersky Administration Server considers the clones of this image dynamic. When a clone is disabled, its information is automatically deleted from the database. To mark the image of a dynamic VDI, install the Kaspersky Network Agent with the Enable dynamic mode for VDI parameter enabled. For details, see the section of this article on Dynamic VDI support.

2. Restart the Packaging Machine. When you restart the Packaging Machine, it might display the STOP message 0x75640001 several times. The Packaging Machine restarts normally. No intervention is necessary. When you deploy this layer, the desktops restart normally and the STOP message does not appear.

3. Finalize the layer.

The Kaspersky NetAgent might not start when users log on to the desktop for the first time. This issue occurs when you assign the App Layer with the Kaspersky software to a desktop. Restart the desktop to start the NetAgent software.

Possible issues

The following interoperability issues can occur on App Layering desktops that have Kaspersky antivirus software installed.

Kaspersky NetAgent startup - If you use an App Layer to deploy the Kaspersky NetAgent software to a desktop, the NetAgent software might not start when the desktops restarts. The Windows Event Viewer can show the following error:

#1266 (0) Transport level error while connection to: authentication failure

If the NetAgent software doesn’t start, restart the desktop. Then the NetAgent software starts correctly.

Kaspersky 10 - end-user Pause causes Network Attack Blocker to stop working - When using Kaspersky 10, the end-user Pause causes the Network Attack Blocker to stop working. To fix this issue, restart the Kaspersky software. The Network Attack Blocker continues to run.

McAfee

The following procedures describe how to use an OS Layer or an App Layer to deploy the McAfee antivirus software.

Deployment method

Install the McAfee software on one of the following layers:

• The original OS Layer.
• A new version of the OS Layer.
• An App Layer.

The following versions of McAfee software have been tested by Citrix and are verified to work with App Layering:

• ePolicy Orchestrator (ePO), versions 4.6.4, 5.3.1, and 5.3.2
• McAfee Agent, versions4.8.0.1938, 5.0.2.188, and5.0.4.283
• VirusScan Enterprise, versions8.8.0.1528, 8.8.0.1445, and 8.8.0.1599

If you use the ePolicy Orchestrator 5.3.1 server to create the McAfee Agent installation package, set the Agent Contact Method priority in the following sequence:

• IP Address
• FQDN
• NetBIOS Name to communicate correctly with IM in the workgroup, and disable the ‘Enable self-protection’ for the McAfee Agent policy.

Installation requirements

Installation requirements to install McAfee antivirus on a gold image or App Layer are the same. You can also find the requirements for including the agent on an image in the McAfee ePO product guide.

Important:

You must install McAfee in VDI mode, using the framepkg.exe command with the switches described in the steps below. This allows for the agent to deregister from ePO on shutdown, which in turn prevents duplicate host names from populating in the ePO console. For more about this requirement, see the McAfee KB87654.

Depending on the McAfee version, you might need to remove the Globally Unique Identifier (GUID) for the McAfee Agent after you install it. See the McAfee documentation for the version of the software you are using for more information.

Use the following procedure if you plan to use an OS Layer to deploy the McAfee antivirus software on App Layering desktops.

To install the software on a gold image

1. Install the McAfee Agent software in VDI mode onto the gold image, using the following command:

   framepkg.exe /Install=agent /enableVDImode

   The gold image becomes visible in the ePolicy Orchestrator System Tree systems list.

2. Install the McAfee VirusScan Enterprise software on the gold image:

   1. When prompted to remove Windows Defender, click Yes.

   2. Allow the McAfee Agent Updater to complete the update. This step can take several minutes to complete.

   3. Click Finish to complete the installation.

3. After the installation is complete, a scan starts. Allow the scan to complete.

4. Change the McAfee Start value:

   1. Open the McAfee VirusScan Console, and disable the AccessProtection.

   2. Open the registry editor (regedit), go to the key:

      \[HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\mfehidk\]

   3. Exit Registry Editor.

   4. In the McAfee VirusScan Console, enable the AccessProtection.

5. If McAfee requires it for your VDI setup, remove the GUID for the Agent (check the McAfee documentation to determine if this step is necessary):

   1. Open registry editor (regedit).

   2. Delete the following registry keys:

      • 32-bit:

        HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

      • 64-bit:

        HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

6. When prompted, restart the gold image to allow McAfee to install its drivers.

7. Shut down the gold image and import it to an OS Layer.

To install the software on a layer

Use this procedure if you plan to use a layer to deploy the McAfee antivirus software on App Layering desktops.

1. In the App Layering management console, create a layer.

2. When prompted to install the software, install the McAfee Agent software in VDI mode using the following command.

   framepkg.exe /Install=agent /enableVDImode

   After completing the installation, the Packaging Machine is visible in the ePolicy Orchestrator System Tree systems list.

3. Install the McAfee VirusScan Enterprise (VSE) software on the Packaging Machine.

   1. If you are prompted to remove Windows Defender, click Yes.

   2. Install the VSE software on the Packaging Machine using files from the McAfee EPO server. Otherwise, allow the McAfee Agent Updater to complete an update. This step can take several minutes to complete.

   3. Click Finish to complete the installation.

4. Change the McAfee Start value:

   1. Open the McAfee VirusScan Console, and disable the AccessProtection.

   2. Open the registry editor, go to the following key, and change the Start value from 0 to a 1:

      [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mfehidk]

   3. In the McAfee VirusScan Console, enable the AccessProtection.

5. If McAfee requires it for your VDI setup, remove the GUID for the Agent (check the McAfee documentation to determine if this step is necessary):

   1. Open the registry editor.

   2. Delete the following registry keys:

      32-bit:

      HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

      64-bit:

      HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

6. Finalize the App Layer and deploy the layer in the usual way.

Possible interoperability issues

The following interoperability issues can occur on App Layering desktops with McAfee antivirus software installed.

Delays in opening video files

If you configure the McAfee antivirus software to scan script files, there can be long delays when you open video files in Internet Explorer.

When you try to open these files, the McAfee software and App Layering try to perform operations on these files at the same time. This conflict causes a delay in running the video file. All other windows and applications continue to function normally.

If you encounter this type of delay, wait for the video file to run. Eventually, the McAfee operation times out and the App Layering operation completes.

This issue has no effect on the ability of the antivirus software to check the video files for viruses.

Desktops with McAfee layer are not visible from ePolicy Orchestrator

If you cannot see desktops in the McAfee layer in the ePolicy Orchestrator, fix the issue by using the steps in the following McAffee knowledge base article: How to reset the McAfee Agent GUID if computers are not displayed in the ePolicy Orchestrator directory.

McAfee MOVE

The following procedures describe how to deploy the McAfee MOVE antivirus software in a layer.

Note:

These instructions assume that you installed and configured McAfee MOVE antivirus software on the McAfee ePolicy Orchestrator (ePO).

To deploy the McAfee MOVE antivirus software, install the software on an App Layer and assign the layer to existing desktops.

The following versions of McAfee MOVE antivirus software have been tested by Citrix and are verified to work with App Layering.

• McAfee Agent for Windows, version 4.8.0.1938
• McAfee AV MOVE Multi-Platform client, version 3.6.0.347
• McAfee VirusScan Enterprise, version 8.8.0.1247
• McAfee AV MOVE Multi-Platform Offload Scan Server, version 3.6.0.347
• McAfee VirusScan Enterprise, version 8.8.0.1445 and8.8.0.1599
• McAfee AV MOVE Multi-Platform Offload Scan Server, version 3.6.1.141 and 4.5.0.211

Note:

The McAfee Agent does not start for Remote Desktop sessions.

Installation requirements

Before you install McAfee MOVE, disable Windows Defender in Windows 7.

To create a McAfee Agent MOVE AV CLIENT App Layer

1. In the App Layering management console, navigate to Layers > Application Layer > Create Layer.

2. View the current tasks in the App Layering management console. At first, confirm that there is a “Running” status in the Create Application Layer <layer_name> task. When the status of the Create Application Layer <layer_name> task changes to ‘Action Required’, log on to the Packaging Machine as an administrator.

3. Move the McAfee Agent software to the Packaging Machine by using the McAfee ePolicy Orchestrator. The Packaging Machine becomes visible in the ePO System Tree list and the McAfee icon appears in the taskbar of the Packaging Machine.

4. Use the Product Deployment task on the ePO to install the McAfee MOVE AV [Multi-Platform] Client on the Packaging Machine.

5. Restart the Packaging Machine and then log on as an administrator.

6. On the Packaging Machine, delete the value for the registry key named AgentGUID from one of the following locations:

   • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent

   • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent

7. Shut down the Packaging Machine.

8. Finalize the App Layer.

Microsoft Security Essentials

The following procedures describe how to use an OS Layer or an App Layer to deploy the Microsoft Security Essentials antivirus software in App Layering.

App Layering supports the following versions of Microsoft Security Essentials antivirus software:

Microsoft Security Essentials 2012 version4.10.0209.0

• Antimalware Client Version: 4.2.223.0
• Engine Version: 1.1.9901.0
• Antivirus definition: 1.159.324.0
• Antispyware definition: 1.159.324.0
• Network Inspection System Engine Version: 2.1.9900.0
• Network Inspection System Definition Version: 108.1.0.0

Deployment method

Use one of the following methods to deploy the Microsoft Security Essentials antivirus software:

• Install the software on a gold image that you import into an OS Layer.
• Install the software on an OS Layer version.
• Install the software on an App Layer.

Installation requirements

The Microsoft Security Essentials antivirus software in an App Layering gold image, OS Layer version, or App Layer.

Enable the Windows Update service, but do not use the Windows updates. The updates must remain disabled.

Configure Microsoft Security Essentials for Windows 7 on an App Layering Layer version.

Use these steps to configure Microsoft Security Essentials on Windows 7 (32-bit or 64-bit).

By default, the App Layering Optimization script disables the Windows Update service. To deploy Microsoft Security Essentials as either an OS or App Layer on Windows 7, do the following:

1. Create an OS or App Layer version.
2. Go to C:\windows\setup\scripts and run the App Layering Optimization Script Builder. If the script builder is not available, download it again from the App Layering Machine OS Tools ZIP file.
3. In the App Layering Optimization Script Builder, disable Disable Windows Update Service.
4. Finalize the Layer.

The Update service startup type changes from Disabled to Manual. Windows Updates are not enabled, which is an App Layering requirement.

During installation, check services.msc and ensure that the Windows Update Service startup type is set to Manual. If it’s not, change the Windows Update Service startup type to Manual and restart Windows.

Troubleshooting failed Microsoft Windows Essentials updates

If the Microsoft Security Essentials update fails on a desktop because Windows updates are disabled, try the following.

• Enable Windows Updates in Control Panel. Microsoft Security Essentials can then update automatically on the desktop.
• If you disabled Windows Updates by using the Local Group Policy Editor, edit the registry to remove the Local Group Policy:

1. Run Registry Editor and remove the Local Group Policy.
2. Restart the machine.
3. Enable Windows Updates from Control Panel.

Sophos Cloud (all supported operating systems)

App Layering supports the following versions:

• Sophos Enterprise Console 5.4
• Sophos Endpoint Security and Control 10.6.3.537
• Sophos Endpoint Security and Control 11.5.2 Cloud

Before you start, create and activate your Sophos Cloud account, as described in the Sophos documentation.

To install the Sophos Cloud software on a new version of the OS Layer

1. In the App Layering management console, select Layers > OS Layers > Add Version.

2. When the task status changes to Action Required, prepare your packaging machine according to the General Guidelines for deploying antivirus software. You can find this information at the beginning of this article.

3. Join the packaging machine to the domain.

   Note:

   The Sophos installer creates Groups and puts users into them. Ensure that the packaging machine is in the domain.

4. On the packaging machine, log on to your Sophos Cloud console.

5. Download SophosInstall.exe from your Sophos Cloud account.

   Important:

   Do not use the emailed installer for this installation.

6. Install the Sophos Cloud software on the packaging machine.

7. When the task to install Sophos is complete (or indicates that an Action is required), restart the packaging machine.

8. In your Sophos Cloud console, click Reports > Events. Ensure that Sophos Cloud manages the computer and that it is current before you continue.

9. Stop and disable the following Windows services:

   • Sophos Machine Creation Client
   • Sophos Machine Creation Agent

10. Delete the following files:

    • C:\ProgramData\Sophos\AutoUpdate\cache\rms_cache
    • C:\ProgramData\Sophos\AutoUpdate\cache\savxp_cache
    • C:\ProgramData\Sophos\AutoUpdate\cache\ntp64_cache
    • C:\ProgramData\Sophos\AutoUpdate\cache\sau_cache
    • C:\ProgramData\Sophos\AutoUpdate\cache\ssp_cache
    • C:\Windows\Temp\sophos_autoupdate1.dir

    **In Windows 7

    Windows Server 2008 R2:**

    • C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\Credentials
    • C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt
    • C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist*.xml
    • C:\ProgramData\Sophos\AutoUpdate\data\machine_ID

11. Edit the Sophos configuration:

    1. Navigate to the Sophos configuration folder for your operating system:

       Windows 7

       Windows Server 2008 R

       C:\ProgramData\Sophos\Management Communications System\Endpoint\Config\

    2. Create or open a file called registration.txt, and add the following lines to this file:

       [McsClient]

       Token=value_of_MCS_REGISTRATION_TOKEN where

       value_of_MCS_REGISTRATION_TOKEN is the value of the MCS_REGISTRATION_TOKEN, which identifies your Sophos Cloud account. Extract the value of this token from SophosInstall.exe.

12. Edit the Sophos setup file:

    1. In the following folders, create a file called SophosSetup.cmd.

       Windows 7

       Windows 2008 R2 Datacenter

       C:\Windows\Setup\scripts\kmsdir

    2. Add the following lines to this file, including the double quotes:

       sc config "Sophos MCS Client" start= auto

       sc config "Sophos MCS Agent" start= auto

       net start "Sophos MCS Client"

       net start "Sophos MCS Agent"

13. Edit the commands to run each time Sophos is started:

    1. Edit the file c:\Windows\Setup\scripts\kmsdir\kmssetup.cmd.

    2. Add the following script to the section labeled, Commands to run every boot. This script runs the SophosSetup.cmd file. Script details:

       REM Change Sophos Service to Automatic - once

       If EXIST SophosSetup.cmd (

       echo !date!-!time!-kmssetup.cmd:Call

       SophosSetup.cmd >> SophosSetuplog.txt

       Call SophosSetup.cmd >> SophosSetuplog.txt

       Copy SophosSetup.cmd SophosSetupCMD.txt >> SophosSetuplog.txt

       Del SophosSetup.cmd >> SophosSetuplog.txt

       )

14. Join the Packaging Machine back to the workgroup.

15. Finalize the OS Layer.

Sophos antivirus - Windows 7, and Windows 2008 R2 desktops

This section explains how to deploy Sophos antivirus on new or existing desktops. You can add Sophos antivirus to either the gold image or to a version of the OS Layer.

These procedures are based on the Sophos knowledge base article Sophos antivirus for Windows 2000: Incorporating current versions in a disk image, including for use with cloned virtual machines.

Note:

If Sophos is unable to update the Sophos Auto Update module, updating the virus signature updates also fail. To allow Sophos to update its own updater, edit your OS Layer and delete this directory:

C:\ProgramData\Sophos\AutoUpdate\Cache\sau

Deployment method

Use a gold image or an OS Layer version to deploy Sophos software. You cannot deploy Sophos software as an App layer. Sophos creates a user account that it uses for updates on the desktops it manages. App Layering supports these user accounts in the gold image or OS LayerVersion.

To configure the gold image or the OS Layer version

1. Install the Sophos software on the gold image or OS Layer version.

2. If using a gold image, install the App Layering Tools on the image. If using an OS Layer version, skip this step.

   When prompted, allow the system to restart, but do not shut down the gold image after installation finishes. Complete the rest of this procedure first.

3. Stop and disable only the following Sophos services. When you deploy the desktops, a Mini-Setup runs. Disabling the specified services ensures that the Sophos services do not start until the Mini-Setup is complete.

   • Sophos Agent
   • Sophos AutoUpdate Service
   • Sophos Message Router

4. Open Registry Editor and delete the pkc and pkp values for the following keys:

   Windows 32-bit systems

   HKLM\Software\Sophos\Messaging System\Router\Private\ HKLM\Software\Sophos\Remote Management System\ManagementAgent\Private\

   Windows 64-bit systems

   HKLM\Software\Wow6432Node\Sophos\Messaging System\Router\Private\ HKLM\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\

5. Delete the following files:

   C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml

6. Rename the following directories:

   From: C:\ProgramData\Sophos\AutoUpdate\Cache\savxp

   To: C:\ProgramData\Sophos\AutoUpdate\Cache\savxp.copy

   From: C:\ProgramData\Sophos\AutoUpdate\Cache\rms

   To: C:\ProgramData\Sophos\AutoUpdate\Cache\rms.copy

   Renaming the directories is required because App Layering blocks attempts to rename directories that exist on a gold image. The Sophos update requires it to rename these directories.

7. Create a file named SophosSetup.cmd and place it in the C:\Windows\Setup\scripts\kmsdir folder. (If the folder doesn’t exist, create it).

8. Add the following lines to SophosSetup.cmd. Include the double quotes as shown.

    pushd "c:\ProgramData\Sophos\AutoUpdate\Cache"
    xcopy savxp.copy*.* savxp*.* /s/y
    xcopy rms.copy*.* rms*.* /s/y
    sc config "Sophos Agent" start= auto
    sc config "Sophos AutoUpdate Service" start= auto
    sc config "Sophos Message Router" start= auto
    net start "Sophos Agent"
    net start "Sophos AutoUpdate Service"
    net start "Sophos Message Router"
    cd "c:\Windows\Setup\scripts\kmsdir"
    popd
    <!--NeedCopy-->