
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • I deleted the quarantine .xml files (see /search?q= 30335 ) with a batch file, combined with removing the IDE for those that were broken.  We decided to do it manually but could have run down a list of computers with a for loop.

    Wish I'd found the knowledgebase article before I dug around looking for where it was stored mind!

    Steve

    http://www.dragon-it.co.uk/

    This was one of the other batch files I used ... looped through asking for computer names, stopped services, swapped file for a known good empty one in the same dir as the batch, restarted services.

    @echo off
    REM Script to clear Sophos quarantine
    :loop
     set name=
     set /p name=Enter name (blank to end):
     if "%Name%"=="" exit /b
     call :fixpc "%name%"
    rem  pause
    goto loop

    exit /b

    :fixpc
    set fixpc=%~1

    REM Try the XP/2003 config path first, then the Vista-and-later one
    set find=\\%fixpc%\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config
    if not exist "%find%\quarantine.xml" set find=\\%fixpc%\c$\ProgramData\Sophos\Sophos Anti-Virus\config

    REM Stop the Sophos services so quarantine.xml is not in use
    sc \\%fixpc% stop "SAVService"
    sc \\%fixpc% stop "SAVAdminService"
    sc \\%fixpc% stop "Sophos Agent"

    echo Waiting....
    ping 127.0.0.1 -n 5 > Nul

    REM Swap in the known good empty quarantine.xml kept beside this batch file
    rename "%find%\Quarantine.xml" *.old
    copy /y "%~dp0quarantine.xml" "%find%\quarantine.xml"

    sc \\%fixpc% start "Sophos Agent"
    sc \\%fixpc% start "SAVAdminService"
    sc \\%fixpc% start "SAVService"

    REM Print the computer name without a newline, then the new file's dir entry
    set /p x=%fixpc%:  <NUL
    dir "%find%\quarantine.xml" | find /i "quarantine"
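
The post above mentions that the same fix could be run down a list of computers with a for loop. The script below is an added example of that variant, not the poster's code: it assumes a hypothetical computers.txt (one computer name per line) beside the script, reuses the service names and paths from the post, and polls the service state instead of sleeping for a fixed time.

```batch
@echo off
setlocal
REM Added example, not the poster's script. computers.txt is an assumed file
REM name: one computer name per line. Service names and paths are from the post.
set "good=%~dp0quarantine.xml"
if not exist "%good%" (
  echo Missing "%good%"
  exit /b 1
)
for /f "usebackq delims=" %%C in ("%~dp0computers.txt") do call :fixpc "%%C"
exit /b 0

:fixpc
set "pc=%~1"
set "cfg=\\%pc%\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config"
if not exist "%cfg%\quarantine.xml" set "cfg=\\%pc%\c$\ProgramData\Sophos\Sophos Anti-Virus\config"
if not exist "%cfg%\quarantine.xml" (
  echo %pc%: SKIPPED, quarantine.xml not reachable
  exit /b 1
)
for %%S in ("SAVService" "SAVAdminService" "Sophos Agent") do sc \\%pc% stop %%S >nul

REM Poll instead of a fixed sleep: do not swap the file while SAVService
REM is still running. Give up after 15 checks and restart the services.
set tries=0
:wait
sc \\%pc% query "SAVService" | find "STOPPED" >nul && goto swap
set /a tries+=1
if %tries% geq 15 (
  echo %pc%: SKIPPED, SAVService did not stop
  goto restart
)
ping 127.0.0.1 -n 3 >nul
goto wait

:swap
REM Keep the original for later inspection; move /y overwrites an older backup.
move /y "%cfg%\quarantine.xml" "%cfg%\quarantine.old" >nul
copy /y "%good%" "%cfg%\quarantine.xml" >nul && echo %pc%: quarantine.xml replaced

:restart
for %%S in ("Sophos Agent" "SAVAdminService" "SAVService") do sc \\%pc% start %%S >nul
exit /b 0
```

Hosts reported as SKIPPED keep their original quarantine.xml and have their services started again, so the list can be rerun later for just those machines.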
