Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

This thread was automatically locked due to age.
  • Folks,

    I've been following this thread on-and-off since the "fun" started (there were only 9 pages in the thread when I first found it... seems like a lifetime ago!) and since I'm a Kaseya admin as well as the manager of an MSP-model Sophos deployment, it's been quite valuable along the way as I figure out the best way to deal with this "situation."

    With the updated files I'm not seeing new infections, and I've cleaned the infection status flags via EC, but getting rid of the local Quarantine status indicators on end-user machines has proved trickier. If you want to test a machine to see if it "caught" the false-positive (thus populating Quarantine.XML) and then wipe out that XML to clear out the Quarantine... here's a Kaseya 6.x script to do that. It's a one-time job; running it repeatedly may not actually hurt but it won't help, either. Kaseya gurus may want to add some kind of way to flag this on a given system so it doesn't get re-run by accident.

    (Note that I'm not checking the XML directly: I found the hard way that some XML files aren't listing the Updater-B items, even though the items show up in the client GUI! Frustrating.)

    This script relies on 'grep.exe' which is part of the UnxUtils package: UnxUtils

    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.kaseya.com/vsa/2008/12/Scripting">
      <Procedure name="Sophos Updater-B Cleanup - kk" treePres="3" id="2015816798" folderId="42742512225121243118194173">
        <Body description="After Sophos released their broken update that found all &quot;updater&quot; processes to be &quot;viruses&quot;, now we have to clean up each and every Quarantine file on each affected endpoint.&#xA;&#xA;If we can.">
          <If description="">
            <Condition name="TestFile">
              <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\grep.exe" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="NotExists" />
              <Parameter xsi:type="StringParameter" name="Value" value="" />
            </Condition>
            <Then>
              <Statement description="Write the selected file to the machine at the path specified - full path required." name="WriteFile" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\grep.exe" />
                <Parameter xsi:type="StringParameter" name="ManagedFile" value="VSASharedFiles\UnxUtils\grep.exe" />
                <Parameter xsi:type="BooleanParameter" name="DeleteAfter" value="False" />
              </Statement>
            </Then>
          </If>
          <If description="">
            <Condition name="TestFile">
              <Parameter xsi:type="StringParameter" name="Path" value="C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />
              <Parameter xsi:type="StringParameter" name="Value" value="" />
            </Condition>
            <Then>
              <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                <Parameter xsi:type="StringParameter" name="Comment" value="Sophos quarantine file exists in ProgramData" />
              </Statement>
              <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                <Parameter xsi:type="StringParameter" name="Command" value="type &quot;C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt&quot; | #vAgentConfiguration.agentTempDir#\grep.exe -i &quot;updater-b&quot; &gt;&gt; #vAgentConfiguration.agentTempDir#\SAVUpdaterB.txt" />
                <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
              </Statement>
              <If description="">
                <Condition name="TestFile">
                  <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\SAVUpdaterB.txt" />
                  <Parameter xsi:type="EnumParameter" name="Condition" value="Contains" />
                  <Parameter xsi:type="StringParameter" name="Value" value="Updater-B" />
                </Condition>
                <Then>
                  <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Comment" value="Sophos: Updater-B false-positive detected in AV logs" />
                  </Statement>
                  <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Command" value="net stop SAVService /y" />
                    <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                    <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
                  </Statement>
                  <Statement description="Delete the specified file - full path to the filename required." name="DeleteFile" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Path" value="C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" />
                  </Statement>
                  <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Command" value="net start savservice" />
                    <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                    <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
                  </Statement>
                  <Statement description="Issues a Stop command to a Windows Service" name="Stop Windows Service" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Parameter1" value="Sophos Agent" />
                  </Statement>
                  <Statement description="Issues a start command to a Windows service" name="Start Windows Service" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Parameter1" value="Sophos Agent" />
                    <Parameter xsi:type="StringParameter" name="Parameter2" value="false" />
                  </Statement>
                </Then>
              </If>
            </Then>
          </If>
          <If description="">
            <Condition name="TestFile">
              <Parameter xsi:type="StringParameter" name="Path" value="C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />
              <Parameter xsi:type="StringParameter" name="Value" value="" />
            </Condition>
            <Then>
              <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                <Parameter xsi:type="StringParameter" name="Comment" value="Sophos quarantine file exists in D&amp;S\All Users" />
              </Statement>
              <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                <Parameter xsi:type="StringParameter" name="Command" value="type &quot;C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt&quot; | #vAgentConfiguration.agentTempDir#\grep.exe -i &quot;updater-b&quot; &gt;&gt; #vAgentConfiguration.agentTempDir#\SAVUpdaterB.txt" />
                <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
              </Statement>
              <If description="">
                <Condition name="TestFile">
                  <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\SAVUpdaterB.txt" />
                  <Parameter xsi:type="EnumParameter" name="Condition" value="Contains" />
                  <Parameter xsi:type="StringParameter" name="Value" value="Updater-B" />
                </Condition>
                <Then>
                  <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Comment" value="Sophos: Updater-B false-positive detected in AV logs" />
                  </Statement>
                  <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Command" value="net stop SAVService /y" />
                    <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                    <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
                  </Statement>
                  <Statement description="Delete the specified file - full path to the filename required." name="DeleteFile" continueOnFail="false" osType="None">
                    <Parameter xsi:type="StringParameter" name="Path" value="C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" />
                  </Statement>
                  <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Command" value="net start savservice" />
                    <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                    <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
                  </Statement>
                  <Statement description="Issues a Stop command to a Windows Service" name="Stop Windows Service" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Parameter1" value="Sophos Agent" />
                  </Statement>
                  <Statement description="Issues a start command to a Windows service" name="Start Windows Service" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Parameter1" value="Sophos Agent" />
                    <Parameter xsi:type="StringParameter" name="Parameter2" value="false" />
                  </Statement>
                </Then>
              </If>
            </Then>
          </If>
        </Body>
      </Procedure>
    </ScriptExport>

     Make of this what you will. Share and enjoy.
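The same check-then-clean sequence as the Kaseya procedure above, written as a stand-alone PowerShell script so it can be run outside Kaseya. This is an added example, not the poster's procedure and not Sophos-supplied code. It assumes the paths and service names used in the procedure (SAV.txt, Quarantine.xml, SAVService, Sophos Agent) and that it runs as an administrator; PowerShell's Select-String replaces the UnxUtils grep.exe step, so no file needs to be staged on the endpoint. One deliberate difference: Quarantine.xml is renamed with a timestamp rather than deleted, so any genuine quarantine entries that were in it can still be reviewed afterward.

```powershell
# Added example (not the poster's Kaseya procedure): detect the Shh/Updater-B
# false positive in the local SAV log and clear the endpoint quarantine record.
# Assumed: paths and service names as used in the thread; run as an administrator.

$ErrorActionPreference = 'Stop'

# Both data layouts the Kaseya procedure checks
# (Vista/2008 and later under ProgramData, XP/2003 under Documents and Settings).
$roots = @(
    'C:\ProgramData\Sophos\Sophos Anti-Virus',
    'C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus'
)

function Test-UpdaterBInLog {
    param([Parameter(Mandatory)][string]$LogPath)
    # Mirrors 'type SAV.txt | grep -i updater-b'; Select-String is case-insensitive by default.
    if (-not (Test-Path -LiteralPath $LogPath)) { return $false }
    $hits = @(Select-String -LiteralPath $LogPath -Pattern 'Updater-B' -SimpleMatch)
    return ($hits.Count -gt 0)
}

function Invoke-UpdaterBCleanup {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$DryRun
    )
    $log        = Join-Path $Root 'logs\SAV.txt'
    $quarantine = Join-Path $Root 'Config\Quarantine.xml'

    if (-not (Test-Path -LiteralPath $quarantine)) {
        Write-Output "No Quarantine.xml under '$Root'; nothing to do."
        return
    }
    if (-not (Test-UpdaterBInLog -LogPath $log)) {
        Write-Output "No Updater-B entries in '$log'; leaving the quarantine alone."
        return
    }
    Write-Output "Updater-B false positive recorded in '$log'; clearing local quarantine."
    if ($DryRun) { return }

    # Same order as the procedure: stop SAV, remove the quarantine record, start SAV,
    # then restart the agent so the status it reports to the console is refreshed.
    Stop-Service -Name 'SAVService' -Force   # -Force stops dependents, like 'net stop /y'

    # Rename with a timestamp instead of deleting (added caveat): any genuine
    # quarantine records that were in the file stay available for review.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Move-Item -LiteralPath $quarantine -Destination "$quarantine.$stamp.bak"

    Start-Service -Name 'SAVService'
    Restart-Service -Name 'Sophos Agent'
}

foreach ($root in $roots) {
    Invoke-UpdaterBCleanup -Root $root
}
```

Run it once per endpoint; because it exits as soon as Quarantine.xml is absent, re-running it is harmless, which addresses the poster's concern about accidental re-runs. Call `Invoke-UpdaterBCleanup -Root <path> -DryRun` to see which branch a machine would take without stopping any services.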
