
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.


  • pritchi83 wrote:

    Hi folks,

    Thankfully our policy was set to deny access only already, but I've followed the latest Advisory up until

    4. Depending on the Cleanup configuration noted in point 1, follow the steps relevant to your configuration:

    Deny access only

    This seems to me to be saying to carry out these steps on each of the endpoints in the organisation. Am I reading it correctly? Why not simply open the EM quarantine and click Clear list? Is there any better way that doesn't involve having to log into each and every machine with the endpoint on it?


    Unfortunately there is no mechanism to centrally clear all the items from the endpoint Quarantine Manager.

    The quarantine manager does not prevent the files from being executed. The scanning engine itself carries out that function, so if you've obtained javab-db.ide but HAVEN'T cleared the items from the QM and HAVEN'T moved or deleted anything, then the files detected and listed in the QM will be allowed to run.

    The actions to delete the quarantine.xml file can be carried out via a batch file pushed using a tool like PSEXEC. Check this thread for some example batch files and PSEXEC commands if you aren't familiar with these tools. I'm working on getting the advisory updated with some of this information.

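The reply above suggests removing quarantine.xml with a batch file pushed by PsExec but does not show one. The script below is an added example, not code from the thread or from Sophos. It assumes two things the thread does not state: that the Sophos Anti-Virus service is named SAVService, and that the file lives under %ProgramData%\Sophos\Sophos Anti-Virus\Config (Vista and later; XP uses the All Users Application Data folder instead). Verify both on one test endpoint before pushing it fleet-wide. It renames the file rather than deleting it so the list of detections can still be reviewed afterwards, and it returns a non-zero exit code when the file survives, so PsExec reports the hosts that need manual attention.

```batch
@echo off
REM clear_qm.cmd - added example, not part of the original thread.
REM Clears the endpoint Quarantine Manager list by moving quarantine.xml aside.
REM ASSUMPTIONS (not stated on the page): service name SAVService and the
REM ProgramData location below. Confirm both on a test machine first.
setlocal
set "QM=%ProgramData%\Sophos\Sophos Anti-Virus\Config\quarantine.xml"

if not exist "%QM%" (
    echo %COMPUTERNAME%: no quarantine.xml found, nothing to do
    exit /b 0
)

REM Stop the scanner service so it does not rewrite the file while it is moved.
net stop SAVService >nul 2>&1

REM Keep a copy instead of deleting, so the list of detections can be reviewed.
move /y "%QM%" "%QM%.bak" >nul

REM Bring the scanner back up regardless of whether the move worked.
net start SAVService >nul 2>&1

if exist "%QM%" (
    echo %COMPUTERNAME%: quarantine.xml still present, check this host manually
    exit /b 1
)

echo %COMPUTERNAME%: quarantine list cleared
exit /b 0

REM Push from an admin workstation with a list of hostnames in hosts.txt:
REM   psexec @hosts.txt -s -c clear_qm.cmd
REM -s runs it as SYSTEM (needed to stop the service), -c copies the script
REM to each host before running it; the per-host exit code shows which ones
REM still need a manual visit.
```

Run it only after the corrected javab-db.ide identity has reached the endpoints, since the reply notes that the scanning engine, not the Quarantine Manager, decides whether the listed files may execute.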