Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • GOT A REPLY FROM SOPHOS SUPPORT!

    FOLLOW TO THE T, ALL WORKS MINT!!!!!

    Please see the messaging below from SophosLabs regarding this issue:

    Detections of Shh/Updater-B made today are false positives and not an outbreak.

    If you have Live Protection enabled, you should stop seeing these detections as the files are now marked 'clean' in the cloud. If you do not have Live Protection enabled you will stop seeing the new detections once javab-jd.ide has been downloaded by your endpoints (released at Wed, 19 Sep 2012 18:48:35 +0000).

    There is no cleanup for this detection, and you will see it quarantined unless you have your on-access policy set to move or delete detections if cleanup is not possible. Please double check your SAV policy under cleanup. You want to ensure your secondary option (when cleanup is not available or does not work) is set to 'deny access' and not delete or move. Once the detections have stopped, you can acknowledge the alerts in the Console; this way you can see who is still reporting it and confirm it is trending down.

    An advisory has been published here:

    http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

    SUM unable to update

    If SUM is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.

    To work around this issue and successfully download the IDE file that fixes it, follow these steps:

    1.  Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ (or C:\Program Files (x86)\Sophos\Sophos Anti-Virus\)

    2.  Restart the 'Sophos Anti-Virus Service'

    3.  Update SUM via the Sophos Enterprise Console

    Endpoints unable to update

    If endpoints are unable to update due to the false positive issue the following steps can be taken to get the fixed IDE to them:

    1.  Centrally disable On-Access scanning via policy in SEC

    2.  Select Groups in SEC and select 'Update Now'

    3.  Once a group has updated re-enable On-Access scanning via policy in SEC

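As an added example (not from the thread or from Sophos), a PowerShell script that reports whether a machine still carries the false-positive IDE (agen-xuv.ide) or has already received the corrective IDE (javab-jd.ide), and with -Remediate applies the first two SUM workaround steps quoted above. It assumes PowerShell 3 or later and the install paths and service display name given in the support messaging; the -Remediate switch and the State labels are my own.

```powershell
# Added example (not Sophos' own tooling): check a machine's state during the
# Shh/Updater-B false-positive incident and, with -Remediate, apply the SUM
# workaround from the thread (delete agen-xuv.ide, restart the SAV service).
# IDE filenames, paths and service name are taken from the support messaging.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without it the script only reports
)
$BadIde   = 'agen-xuv.ide'   # IDE carrying the false-positive detection
$FixIde   = 'javab-jd.ide'   # IDE released 19 Sep 2012 that corrects it
$SavPaths = @(
    'C:\Program Files\Sophos\Sophos Anti-Virus',
    'C:\Program Files (x86)\Sophos\Sophos Anti-Virus'
) | Where-Object { Test-Path $_ }

if (-not $SavPaths) {
    Write-Warning "No Sophos Anti-Virus install directory found on $env:COMPUTERNAME"
    return
}

foreach ($dir in $SavPaths) {
    $bad = Test-Path (Join-Path $dir $BadIde)
    $fix = Test-Path (Join-Path $dir $FixIde)
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Path          = $dir
        BadIdePresent = $bad
        FixIdePresent = $fix
        # 'Fixed' once the corrective IDE is down; 'NeedsWorkaround' while the
        # bad IDE is still in place and the fix has not arrived (labels are mine).
        State         = if ($fix) { 'Fixed' } elseif ($bad) { 'NeedsWorkaround' } else { 'Unknown' }
    }

    # Step 1: only remove the bad IDE when the fix has not already superseded it.
    if ($Remediate -and $bad -and -not $fix) {
        $target = Join-Path $dir $BadIde
        if ($PSCmdlet.ShouldProcess($target, 'Delete false-positive IDE')) {
            Remove-Item -LiteralPath $target -Force
        }
    }
}

# Step 2: restart the service so it reloads IDEs without the deleted one.
# Step 3 (Update SUM) is done from the Sophos Enterprise Console, not here.
if ($Remediate) {
    $svc = Get-Service -DisplayName 'Sophos Anti-Virus Service' -ErrorAction SilentlyContinue
    if ($svc -and $PSCmdlet.ShouldProcess($svc.Name, 'Restart service')) {
        Restart-Service -Name $svc.Name -Force
    }
}
```

Run it without switches first to inventory the estate, then with `-Remediate -WhatIf` to preview the delete and restart before applying them.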