
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • WASkydiver wrote:

    I THINK I may be OK here...

    Following the advisory, my SUM is updated, containing javab-jd.ide.

    My policy was set to Update Only, so I deleted my Quarantine.xml from the Update Server.

    Previously, I had turned off desktop notifications, so the end users were not informing us of the problem.

    All false positive alerts were acknowledged.

    MOST endpoints are showing that they have updated and are no longer generating the false positives.

    However, there are a couple that seem to be not updating.  On those, when the users have some downtime, I will attempt to delete the Quarantine.xml file.

    My questions:

    1.  Does the Quarantine.xml file need to be deleted on all Endpoints, even if they have updated, and appear to be all OK?

    2.  If so, how critical is it to perform this action?  If the dust is settled, and everything appears to be OK, can I wait for the weekend?

    My assumption is that I will have to delete Quarantine.xml from all endpoints, since this problem has quarantined a number of non-Sophos processes, and deleting Quarantine.xml will effectively un-quarantine these items.

    So...

    3.  If deleting Quarantine.xml un-quarantines items falsely quarantined, won't it also release any items that were appropriately quarantined?  It seems that we are essentially releasing all the prisoners, because there may be a few innocent people sent to jail.

    Forgive me if these have been previously addressed.  And, I certainly would like to hear if my assumptions here are incorrect.

    Thanks!


    Following the steps to delete quarantine.xml is only necessary to clear the endpoint quarantine manager. If legitimate items are cleared, they will still be blocked by the Anti-Virus engine, and a new entry in the QM will be generated. If your users don't commonly open their AV client to see that the QM has items listed, then clearing the endpoint QM is not necessary.

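The cleanup the reply describes (make sure the endpoint has picked up the corrected identity first, then clear the endpoint quarantine manager) can be scripted so that the quarantine list is backed up rather than silently discarded, which addresses the concern in question 3 about losing the record of legitimately quarantined items. The script below is an added example written for this thread; it is not Sophos code and not from any poster. The only names taken from the thread are javab-jd.ide, Quarantine.xml, Shh/Updater-B and swi_update.exe; the IDE directory and Quarantine.xml location are placeholder parameters that must be set to the real paths for the installed product, and the string search assumes the detection name and file path appear verbatim inside Quarantine.xml, which is an assumption about the file's contents.

```powershell
# Added example for this thread (not Sophos code). Cautious clear of the endpoint
# quarantine manager after a false-positive identity has been corrected.
# ASSUMPTIONS (placeholders, not verified product paths):
#   -IdePath        directory holding the endpoint's IDE detection files
#   -QuarantinePath full path of the endpoint's Quarantine.xml
param(
    [string]$IdePath        = 'C:\PLACEHOLDER\Sophos\IDE',
    [string]$QuarantinePath = 'C:\PLACEHOLDER\Sophos\Quarantine.xml',
    [string]$BackupDir      = "$env:ProgramData\FP-Cleanup",
    [switch]$WhatIfOnly
)

$ide = Join-Path $IdePath 'javab-jd.ide'

# 1. Do not touch the quarantine list until the corrected identity is present;
#    otherwise the engine re-detects swi_update.exe and the list refills.
if (-not (Test-Path $ide)) {
    Write-Warning "javab-jd.ide not found in $IdePath - endpoint has not updated yet; nothing done."
    exit 2
}

if (-not (Test-Path $QuarantinePath)) {
    Write-Output "No Quarantine.xml at $QuarantinePath - nothing to clear."
    exit 0
}

# 2. Keep a timestamped copy so anything that was legitimately quarantined
#    can still be reviewed later instead of being lost with the false positives.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "Quarantine-$stamp.xml"
Copy-Item -Path $QuarantinePath -Destination $backup -Force

# 3. Record how many entries reference the false positive before the file goes
#    (assumes the detection name and path appear verbatim in the XML).
$content = Get-Content -Path $QuarantinePath -Raw
$fpHits  = ([regex]::Matches($content, 'Shh/Updater-B')).Count
$swiHits = ([regex]::Matches($content, 'swi_update\.exe')).Count
Write-Output "Backed up to $backup; $fpHits 'Shh/Updater-B' references, $swiHits swi_update.exe references"

if ($WhatIfOnly) {
    Write-Output "WhatIfOnly set - Quarantine.xml left in place."
    exit 0
}

# 4. Clear the quarantine manager; the engine will recreate entries for anything
#    it still blocks, as the reply above notes.
Remove-Item -Path $QuarantinePath -Force
Write-Output "Removed $QuarantinePath (backup retained at $backup)."
```

Run it first with `-WhatIfOnly` on one endpoint to confirm the paths resolve and the counts look plausible; the exit code 2 path lets a deployment tool single out endpoints that have not yet received the updated IDE, which is the same "not updating" group the poster mentions.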