
Is anyone else seeing this alert - Shh/Updater-B false positives?

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



This thread was automatically locked due to age.
  • sqlcmd -E -S .\sophos -d sophos51 -Q "SELECT distinct (c.Name) FROM [SOPHOS51].[dbo].[ThreatInstancesAll] as t inner join [SOPHOS51].[dbo].[ComputersAndDeletedComputers] as c on c.ID = t.ComputerID where t.ThreatName like 'Shh/%'" > computers.txt

    You can post-process it in Excel.

    Note: This is for SEC 5.1, change the database names as per: http://www.sophos.com/en-us/support/knowledgebase/17323.aspx

    If the computer doesn't have javab-jd.ide, this should list them:

    SELECT distinct (c.ComputerName)
    FROM [SOPHOS51].[dbo].[ThreatInstancesAll] as t
    inner join [SOPHOS51].[dbo].[ComputerListData2] as c
    inner join [SOPHOS51].[dbo].[IDELists] as i on i.ID = c.IDEListID
    on c.ComputerID = t.ComputerID
    where i.idelist not like '%javab-jd.ide%'

    So:

    sqlcmd -E -S .\sophos -d sophos51 -Q "SELECT distinct (c.ComputerName) FROM [SOPHOS51].[dbo].[ThreatInstancesAll] as t inner join [SOPHOS51].[dbo].[ComputerListData2] as c inner join [SOPHOS51].[dbo].[IDELists] as i on i.ID = c.IDEListID on c.ComputerID = t.ComputerID  where i.idelist not like '%javab-jd.ide%'" > noidejavab-jd.txt

    Regards,

    Jak
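
Added example, not part of Jak's post: a Python helper that cross-references the two sqlcmd output files produced above (computers.txt and noidejavab-jd.txt) and lists machines that raised a Shh/ alert and still lack javab-jd.ide. It assumes sqlcmd's default text layout (header, dashed rule, padded rows, "(N rows affected)" trailer); the function names and sample data are constructed for illustration.

```python
import re

# Trailer sqlcmd prints after a result set, e.g. "(3 rows affected)".
_TRAILER = re.compile(r"^\(\d+ rows? affected\)$")


def decode_sqlcmd_output(raw: bytes) -> str:
    """Decode redirected sqlcmd output.

    PowerShell's `>` writes UTF-16 with a BOM; cmd.exe's `>` writes a
    single-byte code page (cp1252 is an assumption here and only
    matters for non-ASCII computer names).
    """
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def parse_names(text: str) -> set[str]:
    """Return the computer names from one single-column result set."""
    lines = [ln.strip() for ln in text.splitlines()]
    names = set()
    for i, line in enumerate(lines):
        if not line or _TRAILER.match(line) or set(line) == {"-"}:
            continue  # blank line, row-count trailer, or dashed rule
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"-"}:
            continue  # column header sits directly above the rule
        names.add(line.upper())  # Windows computer names ignore case
    return names


def needs_update(alerted: bytes, missing_ide: bytes) -> list[str]:
    """Machines in both lists: alerted on Shh/ and lacking the IDE."""
    a = parse_names(decode_sqlcmd_output(alerted))
    m = parse_names(decode_sqlcmd_output(missing_ide))
    return sorted(a & m)


# Constructed samples standing in for computers.txt / noidejavab-jd.txt.
SAMPLE_ALERTED = (
    b"Name      \r\n----------\r\nPC-001    \r\npc-002    \r\n"
    b"SRV-FILE01\r\n\r\n(3 rows affected)\r\n"
)
SAMPLE_MISSING = (
    "ComputerName\r\n------------\r\nPC-002      \r\nLAPTOP-17   \r\n"
    "\r\n(2 rows affected)\r\n"
).encode("utf-16")  # as if redirected from PowerShell

if __name__ == "__main__":
    print(needs_update(SAMPLE_ALERTED, SAMPLE_MISSING))
```

For real use, read each file with `open(path, "rb").read()` and pass the bytes to `needs_update`.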
