Over the past few days I’ve been working on a puzzle. Sophos Enterprise needed to be migrated to Sophos cloud – This had to occur since clients became more disconnected from the corporate network, working from home and other sites besides the office.

The migration provided by Sophos rejected the migration of the clients due to the Sophos firewall product being installed. Sophos has moved away from that firewall in favor of utilizing the Windows Firewall and hooking into it. There was no easy option to uninstall the firewall during migration so one had to be developed. To do this, I leveraged, powershell and the power of group policy.

Things we had to accomplish – add the user to a local group “Sophos administrator” (giving the ability to uninstall, which Sophos locked to the group), Shutdown Sophos AV, Uninstall the firewall, Start Sophos AV and ensure Windows Firewall took over. I also threw in a quick bit for logging. You could likely get more creative on logging and send it to a network share where IT could monitor results.

Lets take a look at the overall configuration first.

First, in AD – added an OU to test the group policy and dragged a few machines into it. In this case the OU is called SophosFirewallRemoval

Second, copy your powershell to the netlogin folder. The path on the domain controller is C:\Windows\SYSVOL\domain. I created a folder called scripts to make it pretty. This folder replicates to other domain controllers via either FRS or DFSR, depending on your domain and if you ever did the upgrade. See https://blogs.technet.microsoft.com/filecab/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol/

Third, Open up group policy manager, configure the policy. Mine runs against the computer configuration. In policies, Windows settings, Scripts (startup/Shutdown) I apply a startup script on the powershell scripts tab. Note that running a script here runs as the machine’s service account and bypasses local powershell run policies and elevated access requirements, so you don’t have to worry about changing UAC or powershell run environment.

Next, apply the policy to the domain and wait for it to bake. Depending on your domain this could take 30 or so minutes.

Now, you can motivate the computers along. A couple of useful command prompts “gpupdate /force”, “gpresult /r /scope computer” also fun, gpresult /h gpreport.html for an easily readable report. These commands have to be run as an administrator elevated command prompt, or you’ll get a nasty message. When you read the result, it will list which policies have applied to the machine. You can also use group policy manager to model results, but why model when you can play with the real thing?

Next, we’ll reboot the computer, knowing the policy is applied and look for some results. The log file, the event viewer, and notable lack of the Sophos firewall service equals success.



Ok… so that was cool… you’ll likely need this other thing… the sample powershell script that does all this magic.


# Script to remove Sophos Firewall to prep for cloud migration
# Author - Gregory Van Den Ham  28 Dec 2016
# Version - 0.2 - Execute build.

#  Issue Log:
#  None

#######
# Variables
#######

$Computer = $env:COMPUTERNAME
$GroupName = 'SophosAdministrator'
$User = $env:USERNAME
$SophosFWServiceName = "Sophos Client Firewall"
$SophosAVServiceName = "Sophos Anti-Virus"
$WindowsFWService = "Windows Firewall"

#Date Time info
$startDTM = (Get-Date)
#Specify the path of the excel file and logs
$testpath = "C:\Temp\"
$path = Split-Path -parent "C:\Temp\*.*"
$logfile = $path + "\SophosFWRemovallogfile.txt"

#Prime Log File
If(!(test-path $path))
{
New-Item $testpath -type Directory 
}
If(!(test-path $logfile))
{
New-Item $logfile -type File
}
"Script Processing Sophos Firewall Removal, Ran from: "+ $env:computername + " By: " + $env:USERNAME| Out-File $logfile -Append
"Script started executing at: "+ $StartDTM | Out-File $logfile -Append
"+-+-" | Out-File $logfile -Append



###########################
Function AddUserToGroup(){

$ADSI = [ADSI]("WinNT://$Computer")

$Group = $ADSI.Children.Find($GroupName, 'group')

$Group.Add(("WinNT://$computer/$user"))

$user + " Added to " + $Group | Out-File $logfile -Append

}
#End Function
###########################

###########################
Function StopAVService(){

$servicePrior = Get-Service $SophosAVServiceName
$SophosAVServiceName +" was " + $servicePrior.status | Out-File $logfile -Append
Stop-Service $SophosAVServiceName

$serviceAfter = Get-Service $SophosAVServiceName
$SophosAVServiceName +" is now " + $serviceAfter.status | Out-File $logfile -Append

}
#End Function
###########################

###########################
Function StartWindowsFirewall(){

$servicePrior = Get-Service $WindowsFWService
$WindowsFWService +" was " + $servicePrior.status | Out-File $logfile -Append
Start-Service $WindowsFWService

$serviceAfter = Get-Service $WindowsFWService
Set-Service $WindowsFWService -startuptype "Automatic" 
$WindowsFWService +" is now " + $serviceAfter.status | Out-File $logfile -Append

}
#End Function
###########################

###########################
Function CheckWindowsFirewall(){

$serviceStatus = Get-Service $WindowsFWService
$WindowsFWService +" Status is " + $serviceStatus.status | Out-File $logfile -Append

If ($serviceStatus.status -ne "Running"){
	$WindowsFWService +" Not Running, Attempting to Start..." | Out-File $logfile -Append
	StartWindowsFirewall
}  



}
#End Function
###########################


###########################
Function SophosAVStart(){
# Start AV Back Up
Start-Service $SophosAVServiceName

$serviceAfter = Get-Service $SophosAVServiceName
$SophosAVServiceName +" starting up - is now " + $serviceAfter.status | Out-File $logfile -Append
}
#End Function
###########################


###########################
Function FirewallRemoval(){
# Firewall removal

$IsFirewallInstalled = Get-WmiObject -Class "WIN32_Product" -Filter "Name='$SophosFWServiceName'" -ErrorAction SilentlyContinue

if($IsFirewallInstalled)
    {
		$SophosFWServiceName + " Detected as Installed, processing removal..." | Out-File $logfile -Append
        AddUserToGroup
		StopAVService
		($IsFirewallInstalled).Uninstall()
		StartWindowsFirewall
        SophosAVStart
    } 
	Else {
	$SophosFWServiceName + " Not found, checking " + $WindowsFWService + " health..."  | Out-File $logfile -Append
	CheckWindowsFirewall
	}
}	
# End Function	
##########################

#
# Start 
#

FirewallRemoval

#
# Finish
#
# Get End Time
$endDTM = (Get-Date)

# Echo Time elapsed
"Elapsed Time: $(($endDTM-$startDTM).totalseconds) seconds" | Out-File $logfile -Append
"Elapsed Time: $(($endDTM-$startDTM).totalminutes) minutes" | Out-File $logfile -Append

$CompletedRun = (Get-Date)

"Completion Time: "+$CompletedRun | Out-File $logfile -Append
"+-+-" | Out-File $logfile -Append