
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • This is the last time I will post this script...... It works trust me. I have around half of my machines fixed so far.

    1. Make sure your staging server is updated first with the correct IDEs (AutoUpdate folder on your server)

    2. Temporarily roll out a policy that has On-Access disabled, or modify your policy by adding these exceptions within On-Access scanning:

    C:\Documents and Settings\All Users\Application Data\Sophos\

    C:\Program Files\Sophos\

    C:\Program Files (x86)\Sophos\

    C:\programdata\sophos\

    3. Replace the UNC path in the script to match the hostname of your staging server. (My server hostname is SHIELDV2 for reference.)

    4. Use PSEXEC to run this script remotely with the correct privileges on as many computers as you need using the command below (replace the credentials with your own; machinelist.txt should be a list of hostnames, and the script should be saved as a BAT file in the same directory):

    psexec @C:\temp\machinelist.txt -d -u domainadmin -p password -c C:\temp\script.bat

    @echo off
    echo.
    echo --------------------------------------------------------------------
    ECHO Sophos Bad-Update Fixer Batch File -
    ECHO            removes bad definition and rebuilds the auto-updater
    ECHO  Written by Stewart Moss from Accumulo Consulting (Pty) Ltd.
    Echo  Version 1.0.1 - 20-Sept-2012 - Fixed for 32bit and 64bit detection
    echo --------------------------------------------------------------------
    echo.
    REM  This script is for Sophos, Sophos Agents and their customers only and is to be used at your own RISK.
    REM  Neither Accumulo Consulting (Pty) Ltd nor the Author will take any responsibility to
    REM  any damages done by this script
    REM
    REM Please change the paths which say "\\MyServer\Staging\AutoUpdate\" to point to a copy of the
    REM autoupdater which you have placed into a staging area.
    REM
    REM The autoupdater folder in the staging area is the entire folder copied from the CIDs
    REM "\\MyServer\SophosUpdate\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate"
    REM
    REM History: 1.0.1 Fixed the script because it thought all Windows 7 machines were 64 bit!
    REM
    REM  Copyright 2012 by Accumulo Consulting (Pty) Ltd. All rights reserved.
    REM  All copyright information needs to remain as it is.
    REM  http://www.accumulo.co.za/
    
    Echo Stopping Services
    
    NET STOP "Sophos Agent"
    NET STOP "Sophos Anti-Virus"
    NET STOP "Sophos Anti-Virus status reporter"
    NET STOP "Sophos AutoUpdate Service"
    NET STOP "Sophos Message Router"
    NET STOP "Sophos Web Control Service"
    NET STOP "Sophos Web Intelligence Service"
    
    REM Operating System Detection to copy to the right location
    
    REM Windows 5.1 is Windows XP
    ver | findstr /i "5\.1\." > nul
    IF %ERRORLEVEL% EQU 0 goto WindowsXp
    
    REM Server 2003 has the same paths as Windows XP
    
    REM Windows 5.2 is Windows 2003 server
    ver | findstr /i "5\.2\." > nul
    IF %ERRORLEVEL% EQU 0 goto WindowsXp
    
    REM Ok so only Windows Vista, Windows 7 and Server 2008 have made it to here
    REM Now we need to work out if we are 32 bit or 64 bit Windows. We use the registry and read the
    REM attributes of the first logical CPU. If it contains the characters "x86" it is 32 bit.
    
    REG.exe Query "HKLM\Hardware\Description\System\CentralProcessor\0" | Find /i "x86"  > nul
    If %ERRORLEVEL% == 0 Goto Windows732Bit
    goto Windows764bit
    
    :Windows732Bit
    :WindowsXp
    
    echo Processing for 32bit operating systems or Windows XP
    
    REM Source must be your own staging copy of the AutoUpdate folder (the author's server is SHIELDV2)
    xcopy "\\shieldv2\SophosUpdate\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate\*.*" "C:\program files\sophos\AutoUpdate\" /S /E /Y /H /R /K /C
    
    echo Deleting offending definition
    REM Full path used so the delete does not depend on a cd succeeding
    del /f "C:\program files\Sophos\sophos anti-virus\agen-xuv.ide"
    
    Echo Starting 32bit Services
    
    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"
    
    Echo Starting ALMON.EXE to bring shield back
    Echo If the batch file hangs here, check the shield is loaded and you can close this batch file.
    echo Our work is done.
    echo.
    REM Launched with START (as in the 64bit branch) so the batch file does not block on ALMON.EXE
    start "" /d "C:\program files\sophos\AutoUpdate" ALMON.EXE
    
    REM Jump to the real end-of-script label (the original jumped to a label that did not exist)
    goto exit
    
    :Windows764bit
    
    echo Processing for 64bit operating systems (Windows Vista, Windows 7 and Server 2008)
    
    REM Source must be your own staging copy of the AutoUpdate folder (see header)
    xcopy "\\MyServer\Staging\AutoUpdate\*.*" "C:\program files (x86)\sophos\AutoUpdate\" /S /E /C /Y /H /R /K
    
    echo Deleting offending definition
    del /f "C:\program files (x86)\Sophos\sophos anti-virus\agen-xuv.ide"
    
    Echo Starting 64bit Services
    
    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"
    
    Echo Starting ALMON.EXE to bring shield back
    Echo If the batch file hangs here, check the shield is loaded and you can close this batch file.
    echo Our work is done.
    echo.
    start "" /d "C:\program files (x86)\sophos\AutoUpdate" ALMON.EXE
    :exit
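A post-run check for the fix described above, added here as an example and not part of the thread or of Sophos' own tooling: it reads the same machinelist.txt, looks for the artefacts the batch file changes (agen-xuv.ide gone, ALMON.EXE present under the 32bit or 64bit install root) and reports which of the seven services are not running, so you can see which hosts still need attention. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName), reachable C$ admin shares, and that it runs under an account that already has local admin on the targets, so no password needs to appear on the command line.

```powershell
# Added verification script (hypothetical, not from the thread). Run as a domain admin
# from the management host: .\Check-SophosFix.ps1 | Format-Table -AutoSize
param(
    [string]$MachineList = "C:\temp\machinelist.txt",   # same host list the psexec step uses
    [string]$BadIde      = "agen-xuv.ide"               # definition the fix script deletes
)

# Services the batch file stops and restarts
$services = @(
    "Sophos Agent",
    "Sophos Anti-Virus",
    "Sophos Anti-Virus status reporter",
    "Sophos AutoUpdate Service",
    "Sophos Message Router",
    "Sophos Web Control Service",
    "Sophos Web Intelligence Service"
)

foreach ($line in Get-Content $MachineList) {
    $name = $line.Trim()
    if ($name -eq "") { continue }
    $result = [ordered]@{
        Host = $name; Reachable = $false; BadIdePresent = $null
        AlmonPresent = $null; ServicesNotRunning = $null
    }
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        [pscustomobject]$result; continue
    }
    $result.Reachable = $true

    # Same 32/64bit split as the batch file: 64bit Windows installs under Program Files (x86)
    $roots = @("\\$name\C$\Program Files\Sophos", "\\$name\C$\Program Files (x86)\Sophos")
    $root  = $roots | Where-Object { Test-Path $_ } | Select-Object -First 1
    if ($root) {
        $result.BadIdePresent = Test-Path (Join-Path $root "Sophos Anti-Virus\$BadIde")
        $result.AlmonPresent  = Test-Path (Join-Path $root "AutoUpdate\ALMON.EXE")
    }

    try {
        $svc = Get-Service -ComputerName $name -Name $services -ErrorAction Stop
        $stopped = $svc | Where-Object { $_.Status -ne "Running" } | ForEach-Object { $_.Name }
        $result.ServicesNotRunning = ($stopped -join "; ")
    } catch {
        $result.ServicesNotRunning = "query failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}
```

A host is done when Reachable is True, BadIdePresent is False, AlmonPresent is True and ServicesNotRunning is empty; anything else goes back on the list for another psexec pass.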