Some of you will know that Sophos is my, ahem, favourite anti-virus product. However, it was the product of choice at the time (they are now moving to McAfee) for a large school district I deal with, hence I had no choice but to remain acquainted with it irrespective of its poor performance (Sophos have advised to leave real-time scanning *off* for performance reasons?!?), its poor management console (customer had to write their own deployment scripts for reliable deployment) and poor customer service from Sophos.
I wrote a small script to prepare Sophos for PVS deployment on XenApp and XenDesktop machines. Run this script just prior to shutting down your Private mode image and switching back to Standard.
@echo off
REM Script by Daniel Marsh
REM run at shutdown to prep Sophos on Citrix XenApp/VDI machines.
REM refer to https://www.sophos.com/en-us/support/knowledgebase/12561.aspx
net stop "Sophos Agent"
net stop "Sophos Anti-Virus"
net stop "Sophos Anti-Virus status reporter"
net stop "Sophos AutoUpdate Service"
net stop "Sophos Message Router"
net stop "Sophos Web Control Service"
net stop "Sophos Web Intelligence Service"
del C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkp /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkc /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkp /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkc /f
When I have a spare few minutes I may even see if I can add another feature – it could be run via GPO as a machine shutdown script that only executes if the image is in private mode, which would save you having to run it manually. I haven’t figured out how to do this yet; if you do know, please drop me a comment below.
Refer to https://www.sophos.com/en-us/support/knowledgebase/12561.aspx for more detail on what each key/service etc does.
Hi, this works like a dream on our PVS XenApp environment.
Hello, do you have any experience installing Sophos Central Server on a PVS Master Template (W2012 R2)? I made a new version and launched the SophosInstaller but then my Master crashes. Is it a requirement that my vDisk is in private mode? Not just a new version with maintenance mode?
kind regards,
sebastian
No sorry – a new version should normally be fine. I’ve been lucky enough not to have to touch Sophos again since I wrote this original post. Regards, Dan
Thanks for this article. I’ve written something similar in our environment. Wish I’d come across this earlier.
Is there a way to redirect the Sophos updates & signatures directory to the write cache drive?
I also make sure the services are reconfigured to auto start below:
PowerShell Set-Service 'Sophos Agent' -startuptype "Automatic"
sc config "SAVService" start= auto
sc config "SAVAdminService" start= auto
sc config "Sophos AutoUpdate Service" start= auto
sc config "Sophos Message Router" start= auto
sc config "Sophos Web Control Service" start= auto
sc config "swi_service" start= auto
We’ve been using this WMI query on GPPs to determine if a vDisk is in private/maintenance mode versus test/production to prevent Windows Update and other services from being enabled where they don’t make sense, but it’s easily translatable to PowerShell scripting. This is a WMI class intended for ConfigMgr, but it seems to work irrespective of if you have it installed or not.
Private/Maintenance mode:
NameSpace: Root\citrix\desktopinformation
Query: SELECT * FROM Citrix_VirtualDesktopInfo WHERE OSChangesPersist=TRUE
Test/Production mode:
NameSpace: Root\citrix\desktopinformation
Query: SELECT * FROM Citrix_VirtualDesktopInfo WHERE OSChangesPersist=FALSE
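The private-mode check the post asks about, combined with the WMI query from the comment above, as an added example (not code from the post or its commenters). It assumes OSChangesPersist is TRUE only in private/maintenance mode, as that comment states; the function name Test-PrivateModeImage is hypothetical, and the service names, file path and registry values are the ones from the original script.

```powershell
# Added example: run the Sophos identity cleanup only on a private-mode image.
function Test-PrivateModeImage {
    # Assumption (from the comment above): OSChangesPersist = TRUE means the
    # vDisk is in private/maintenance mode, so changes will be saved to it.
    try {
        $info = Get-CimInstance -Namespace 'root\citrix\desktopinformation' `
                                -ClassName 'Citrix_VirtualDesktopInfo' `
                                -ErrorAction Stop
    } catch {
        # Namespace or class missing, or query failed: change nothing.
        return $false
    }
    return [bool]($info | Where-Object { $_.OSChangesPersist -eq $true })
}

if (-not (Test-PrivateModeImage)) {
    Write-Output 'Image is not in private/maintenance mode; skipping Sophos prep.'
    return
}

# Same services the original batch script stops, via net.exe as the post does.
$services = @(
    'Sophos Agent', 'Sophos Anti-Virus', 'Sophos Anti-Virus status reporter',
    'Sophos AutoUpdate Service', 'Sophos Message Router',
    'Sophos Web Control Service', 'Sophos Web Intelligence Service'
)
foreach ($name in $services) {
    & net.exe stop $name
}

# Remove the per-machine identity so each clone registers as its own endpoint.
Remove-Item -Path 'C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt' `
            -ErrorAction SilentlyContinue

$keys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private',
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private'
)
foreach ($key in $keys) {
    # pkp and pkc are the two values the original script deletes from each key.
    Remove-ItemProperty -Path $key -Name 'pkp', 'pkc' -ErrorAction SilentlyContinue
}
```

If the Citrix WMI class cannot be queried, the script does nothing, so a production clone never has its services stopped by a failed check.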