Best Practices for Replacing Factory Reset Image When Secured by Sophos
After Sophos has been activated and is running on Arcserve Appliance, by default you cannot replace the factory reset image using the Set Appliance Image Utility. If you try, the execution of SetImage.exe fails as shown in the illustration below.
Before running the SetImage.exe command to replace the factory reset image when Sophos is running on Arcserve Appliance, verify whether the image has already been mounted.
As given in the illustration, the following prompt appears: A subdirectory or file C:\Program Files\Arcserve\Unified Data Protection\Management\BIN\Appliance\mount already exists.
To unmount the image, follow these steps:
1. To locate the folder, open Windows Explorer, and go to C:\Program Files\Arcserve\Unified Data Protection\Management\BIN\Appliance\mount. Right-click the folder, and then click Properties > Security tab > Advanced.
2. To change the owner of the mount folder to a local administrator, click the Change link.
3. In the Advanced Security Settings page, to take control of the subfolders inside the folder and replace the subfolder permissions with the settings from the parent folder, select the check boxes for the following options:
   - Replace ownership on subcontainers and objects
   - Replace all child object permission entries with inheritable permission entries from this object
4. Apply all the changes. For the mount folder, subfolders, and files, make sure the owner is changed to a local administrator.
5. To unmount the image, execute the following command using command prompt:
   C:\>DISM /unmount-image /mountdir:"C:\Program Files\Arcserve\Unified Data Protection\Management\BIN\Appliance\mount" /discard
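The ownership, permission and unmount steps above can also be run from an elevated PowerShell prompt. The following script is an added example, not part of the Arcserve documentation; the function names are hypothetical, and it assumes ownership goes to the local Administrators group and that the built-in takeown, icacls and DISM tools are used in place of the Explorer dialogs.

```powershell
# Added example: command-line equivalent of the ownership, permission and unmount steps.
# Assumption: ownership goes to the local Administrators group (takeown /A).
$MountDir = 'C:\Program Files\Arcserve\Unified Data Protection\Management\BIN\Appliance\mount'

function Invoke-Tool {
    # Run a built-in command-line tool, show its output, and return its exit code.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs | Out-Host
    return $LASTEXITCODE
}

function Reset-MountFolder {
    param([string]$Path)

    # Taking ownership and unmounting both need an elevated session.
    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "No folder at $Path; nothing to unmount."
        return
    }

    # List what DISM has mounted so the operator can confirm $Path is among them.
    [void](Invoke-Tool dism.exe @('/Get-MountedImageInfo'))

    # Owner on the folder and everything under it (/R); /D Y answers the
    # prompt that takeown raises for subfolders it cannot list.
    if ((Invoke-Tool takeown.exe @('/F', $Path, '/R', '/A', '/D', 'Y')) -ne 0) {
        throw 'takeown failed; ownership was not changed.'
    }
    # Replace child ACLs with entries inherited from the mount folder. /C keeps
    # going past individual failures, so a non-zero exit is only a warning.
    if ((Invoke-Tool icacls.exe @("$Path\*", '/reset', '/T', '/C', '/Q')) -ne 0) {
        Write-Warning 'icacls could not reset every child entry.'
    }
    Write-Output "Owner is now: $((Get-Acl -LiteralPath $Path).Owner)"

    # Discard the mounted image, as in the DISM command above.
    if ((Invoke-Tool dism.exe @('/Unmount-Image', "/MountDir:$Path", '/Discard')) -ne 0) {
        throw 'DISM could not unmount the image.'
    }
}

Reset-MountFolder -Path $MountDir
```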
To run the SetImage.exe command to replace the factory reset image when Sophos is running on Arcserve Appliance, follow these steps:
1. Log in to the Arcserve Appliance system as an administrator. Use your email address and password to access the Sophos Central Admin page https://cloud.sophos.com/manage/.
2. Navigate to Devices > Servers, and then click the server name of your Arcserve Appliance.
3. On the SUMMARY tab, for the Tamper Protection field, click View details.
4. For Show Password, select the check box. Make a note of the password that displays in the text field.
5. Click Disable Tamper Protection.
   Tamper Protection is turned off.
6. Launch Sophos Endpoint, and then click Admin Login.
7. Type the Tamper Protection password that was noted in Step 4.
8. On the Settings tab, select the Override Sophos Central Policy for up to 4 hours to troubleshoot check box, and disable the Ransomware Detection and Malicious Behavior Detection (HIPS) options.
9. To replace the factory reset image, run SetImage.exe.
   SetImage.exe runs successfully.
To recover the default configuration of Sophos after the successful execution of SetImage.exe, follow these steps:
1. To enable Tamper Protection in Sophos Central Admin, click Enable Tamper Protection.
2. Clear the Override Sophos Central Policy for up to 4 hours to troubleshoot check box.
3. To check the status of the Sophos Settings, wait for a few minutes, and then log in to Sophos Endpoint with the Tamper Protection password.
   The Sophos Settings have now been recovered to the default settings.