
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • Pec wrote:

    Following the instructions in the KB article 118311 I managed to get both the servers and all affected workstations updated correctly (verified presence of javab-jd.ide and definitions), however the false positives remain in quarantine on the workstations.  I ran the following on several test machines which clears the local quarantine list. 

    REM Stop the on-access engine so it releases the quarantine list
    net stop "sophos anti-virus"
    REM Remove the local quarantine list (XP-era path, then Vista+ path)
    del /f /q "%allusersprofile%\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    del /f /q "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    REM Restart the engine; it will rebuild the list from fresh detections
    net start "sophos anti-virus"

    I then modified and updated the policy so the following directories would once again be scanned by on-access scanning.

    C:\Documents and Settings\All Users\Application Data\Sophos\
    C:\Program Files\Sophos\
    C:\Program Files (x86)\Sophos\
    C:\ProgramData\Sophos\

    Scans of the previously falsely detected files returned clean.  I then scanned non-sophos update agents which were quarantined, Flash Player and Google updater in this case.  They returned clean.  I verified that the update functions of these applications worked.

    However, before I push this batch file to 2,000 computers I want to understand how the quarantine works. By deleting the XML file are the files truly being un-quarantined, unlocked and returned to their original locations? Just browsing through all the detections I'm seeing dozens of different applications on the quarantine lists. I do not want to cause an even bigger problem, and I do not have the resources to manually remove items from quarantine on each PC. Anybody have a clue on this?

    Thanks!


    The QM is just a list of items that the engine detected on. Clearing the QM doesn't take any action on the files, so if for example the files were moved to the INFECTED folder and you cleared the QM, the files would still be in the INFECTED folder.

    If legitimately infected files are cleared from the QM, the engine will detect them again the next time they are accessed and add a fresh entry to the QM for them.


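The following is an added example, not code posted in this thread or shipped by Sophos. It is a guarded PowerShell version of Pec's batch file that applies the two points made above: it refuses to clear Quarantine.xml until the fixing IDE (javab-jd.ide, as named in the thread) is actually present on the machine, since the reply explains that cleared entries simply come back if the engine still detects on the files, and it moves the list aside to a timestamped backup instead of deleting it, because the list is only a record of detections and keeping it lets you audit what each host quarantined. The Quarantine.xml paths, the service name and the Sophos program directories are the ones quoted in the thread; searching those directories for the IDE, the .bak naming, and the -WhatIf/ShouldProcess handling are assumptions of this example.

```powershell
# Added example (not from the original thread or from Sophos): clear the local
# Sophos quarantine list only after confirming the fix IDE is installed.
# Run with -WhatIf first to see what would change on a given host.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$IdeName = 'javab-jd.ide',          # fix IDE named in the thread
    [string]$ServiceName = 'Sophos Anti-Virus', # name used with "net stop" in the thread
    [int]$ServiceTimeoutSec = 60
)

$ErrorActionPreference = 'Stop'

# Quarantine.xml locations named in the thread (XP-era and Vista+ layouts).
$quarantineFiles = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml'),
    'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml'
)

# Assumption: the IDE lives somewhere under one of the Sophos program
# directories listed in the thread; search rather than hard-code its position.
$sophosDirs = @('C:\Program Files\Sophos', 'C:\Program Files (x86)\Sophos') |
    Where-Object { Test-Path -LiteralPath $_ }

# "net stop" accepts either the service name or its display name; match both.
function Get-TargetService {
    $svc = Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } |
        Select-Object -First 1
    if (-not $svc) { throw "Service '$ServiceName' not found on $env:COMPUTERNAME" }
    return $svc
}

function Find-FixIde {
    foreach ($dir in $sophosDirs) {
        $hit = Get-ChildItem -Path $dir -Filter $IdeName -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } | Select-Object -First 1
        if ($hit) { return $hit.FullName }
    }
    return $null
}

# 1. Do not touch the quarantine list on a machine that has not picked up the
#    fix: the engine would just re-detect the files and re-add the entries.
$idePath = Find-FixIde
if (-not $idePath) {
    throw "$IdeName not found under $($sophosDirs -join ', '); update this machine first."
}
Write-Verbose "Fix IDE present: $idePath"

$svc = Get-TargetService

# 2. Stop the on-access engine so it neither holds nor rewrites Quarantine.xml.
if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop service')) {
    $svc | Stop-Service
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($ServiceTimeoutSec))
}

# 3. Move the list aside rather than delete it. Clearing the list takes no
#    action on the files themselves; the backup keeps the detection history.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$cleared = 0
foreach ($file in $quarantineFiles) {
    if (-not (Test-Path -LiteralPath $file)) { continue }
    $backup = "$file.$stamp.bak"
    if ($PSCmdlet.ShouldProcess($file, "Move to $backup")) {
        Move-Item -LiteralPath $file -Destination $backup
        $cleared++
    }
}

# 4. Bring the engine back and confirm it actually reached Running.
if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Start service')) {
    $svc | Start-Service
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($ServiceTimeoutSec))
}

$svc.Refresh()
Write-Output ("{0}: fix IDE ok, cleared {1} quarantine list(s), service {2}" -f
    $env:COMPUTERNAME, $cleared, $svc.Status)
```

Because the list is only a record, the files that were moved to the INFECTED folder (or left in place and blocked) are not touched by this script; after it runs, the previously false-positive files are simply rescanned on next access with the updated IDE, which is exactly the "returned clean" result Pec saw on the test machines. Anything genuinely malicious gets re-detected and re-listed, so the backup copies are worth collecting before trusting the cleared state fleet-wide.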