
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Following the instructions in the KB article 118311 I managed to get both the servers and all affected workstations updated correctly (verified presence of javab-jd.ide and definitions), however the false positives remain in quarantine on the workstations.  I ran the following on several test machines which clears the local quarantine list. 

    net stop "sophos anti-virus"
    del /f /q "%allusersprofile%\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    del /f /q "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    net start "sophos anti-virus"

    I then modified and updated the policy so the following directories would once again be scanned by on-access scanning.

    C:\Documents and Settings\All Users\Application Data\Sophos\
    C:\Program Files\Sophos\
    C:\Program Files (x86)\Sophos\
    C:\ProgramData\Sophos\

    Scans of the previously falsely detected files returned clean. I then scanned non-Sophos update agents which were quarantined, Flash Player and Google updater in this case. They returned clean. I verified that the update functions of these applications worked.

    However, before I push this batch file to 2,000 computers I want to understand how the quarantine works. By deleting the XML file are the files truly being un-quarantined, unlocked and returned to their original locations? Just browsing through all the detections I'm seeing dozens of different applications on the quarantine lists. I do not want to cause an even bigger problem, and I do not have the resources to manually remove items from quarantine on each PC. Anybody have a clue on this?

    Thanks!

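The same stop / clear / start steps as a PowerShell script, added here as an example and not taken from the post or from Sophos: it keeps a copy of each Quarantine.xml before removing it, so the list of what was quarantined can be reviewed or restored per machine, and it checks that the service actually returns to Running. The service name and file paths are the ones quoted in the post; the backup folder location is an assumption.

```powershell
# Added example (not from the original post). Back up Sophos's local quarantine
# list before clearing it, then confirm the service came back up.
param(
    [string]$BackupRoot = 'C:\SophosQuarantineBackup'   # assumed location
)

$serviceName = 'Sophos Anti-Virus'                       # as used by the post's "net stop"
$quarantineFiles = @(
    "$env:ALLUSERSPROFILE\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml",
    'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml'
)

$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $BackupRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Stop the scanner so the XML is not rewritten while it is being replaced.
$svc = Get-Service -Name $serviceName
Stop-Service -Name $serviceName -Force
$svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

$i = 0
foreach ($file in $quarantineFiles) {
    $i++
    if (Test-Path -LiteralPath $file) {
        # Distinct backup names: on some builds both paths resolve to the same file.
        $dest = Join-Path $backupDir ("{0}-Quarantine.xml" -f $i)
        Copy-Item -LiteralPath $file -Destination $dest -Force
        Remove-Item -LiteralPath $file -Force
        Write-Output "Backed up to $dest and removed: $file"
    }
}

Start-Service -Name $serviceName
try {
    # WaitForStatus throws a TimeoutException if the service never reaches Running.
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Output "$serviceName is running again; quarantine list cleared, backup in $backupDir"
} catch [System.ServiceProcess.TimeoutException] {
    Write-Error "$serviceName did not return to Running within 60 s; investigate before rolling out."
    exit 1
}
```

Run it on the same handful of test machines first; the backup copies are what let you answer which applications were on each quarantine list after the file is gone.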