
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts, but at an alarming rate.



  • Sophos knows their code and software better than me.

    However, after looking at the script, it doesn't look like it would address one problem.

    For us the ALMon.exe (system tray shield) process was hung or non-responsive, often multiple times in memory, and keeping file handles open on both the folder

    C:\Program Files(x86)\Sophos\Autoupdate

    and files within that folder.

    We had to make sure to "kill" ALMon.exe in memory using the Windows Task Manager, or we could not regain control to replace the directory for AutoUpdate.

    The script appears more targeted and "might" better address the problem by specifically replacing missing pieces, or even enable the current in-memory ALMon.exe process to start working.

    But we were concerned the files might not match up version-wise, and chose to replace the entire directory and restart the process from the services.msc MMC control panel, and then manually restart the "ALMon.exe" shield process to get something we knew to be consistent.

    The UNC path only works with Windows network shares, as far as I know.

    We also use an http:// repository because we are spread out between a local campus LAN and a wider WAN backed by the Internet.

    So multiple file copies could appear brittle, in that scripting has issues with being a general-purpose http:// transport.

    Two suggestions there:

    1. Update the script to use the Windows Bitsadmin process to download the pieces as a job. If you can't build a script that uses the Windows API, then download the Win2003 bitsadmin.exe from the Windows Resource Kit -- I'm pretty sure the oldest version from Win2003 will work on Vista, 7, Windows 2008 and R2 -- and use that to perform the downloads and notify you when done.

    2. 7zip is a scriptable Zip compression and extraction tool. Windows has a Zip subsystem API, but does not appear to have a corresponding Unzip API. Mixing and matching wouldn't be a great idea, so just use 7zip.

    Lastly, for fewer than 100 machines, use some form of remote VPN tunnel system to enable the UNC path to work.

    But the only universal approach will probably be to use Bitsadmin.

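The rebuild the post above describes (kill the hung ALMon.exe, replace the whole AutoUpdate directory, restart the service and the tray shield), as an added PowerShell example that is neither the poster's script nor anything from Sophos. It uses the BitsTransfer module (the same BITS service the poster's bitsadmin.exe suggestion drives) for the download and 7-Zip for extraction; the package URL, its SHA-256, the 7z.exe path and the AutoUpdate service name are placeholders and assumptions, not values from the thread, and an integrity check is added because the package is fetched over plain HTTP.

```powershell
# Added example, not the poster's or Sophos's script: rebuild a broken AutoUpdate
# directory as the post describes (kill ALMon.exe, replace the whole directory,
# restart the service and tray shield) using BITS to download and 7-Zip to extract.
# PLACEHOLDERS/ASSUMPTIONS (not from the thread): package URL, its SHA-256, 7z.exe path,
# AutoUpdate service name. Set them for your site before running.
$PackageUrl     = 'http://UPDATE-SERVER.example/sophos/autoupdate-files.zip'  # placeholder
$ExpectedSha256 = '<SHA256 OF THE KNOWN-GOOD PACKAGE>'                          # placeholder
$SevenZip       = 'C:\Program Files\7-Zip\7z.exe'                               # assumed path
$ServiceName    = 'Sophos AutoUpdate Service'                                   # assumed name
$AutoUpdateDir  = 'C:\Program Files (x86)\Sophos\AutoUpdate'                    # path from the post
$Staging        = Join-Path $env:TEMP 'sau-rebuild'

# 1. Stop the hung tray process and the service so nothing keeps handles on the folder.
Get-Process -Name ALMon -ErrorAction SilentlyContinue | Stop-Process -Force
Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
# The post saw several ALMon.exe copies in memory; refuse to continue if any survived.
if (Get-Process -Name ALMon -ErrorAction SilentlyContinue) {
    throw 'ALMon.exe is still running; not replacing files that may have open handles.'
}

# 2. Fetch the package as a BITS job (HTTP-capable; same service bitsadmin.exe drives).
New-Item -ItemType Directory -Force -Path $Staging | Out-Null
$Zip = Join-Path $Staging 'autoupdate-files.zip'
Import-Module BitsTransfer
Start-BitsTransfer -Source $PackageUrl -Destination $Zip -DisplayName 'SAU rebuild'

# 3. Verify the package before trusting binaries fetched over plain HTTP
#    (.NET SHA-256 so this also runs on PowerShell 2.0, which lacks Get-FileHash).
$Stream = [System.IO.File]::OpenRead($Zip)
$Digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Stream)
$Stream.Close()
$Actual = [System.BitConverter]::ToString($Digest).Replace('-', '')
if ($Actual -ne $ExpectedSha256) {
    Remove-Item $Zip -Force
    throw "Package SHA-256 $Actual does not match the expected value; aborting."
}

# 4. Replace the whole directory, as the post preferred over patching single files,
#    so every binary comes from one known-consistent version. Keep the old copy.
$Backup = "$AutoUpdateDir.broken-$(Get-Date -Format yyyyMMdd-HHmmss)"
Move-Item -Path $AutoUpdateDir -Destination $Backup
& $SevenZip x $Zip "-o$AutoUpdateDir" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip extraction failed with exit code $LASTEXITCODE" }

# 5. Restart service and tray shield (ALMon.exe assumed in the AutoUpdate dir); report status.
Start-Service -Name $ServiceName
Start-Process -FilePath (Join-Path $AutoUpdateDir 'ALMon.exe')
(Get-Service -Name $ServiceName).Status
```

Run it from an elevated PowerShell session on the affected machine; if other Sophos processes still hold handles on the folder, the Move-Item step will fail rather than leave a half-replaced directory.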