Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • I thought I would share how I ended up fixing it. We had the on access set to deny and move.

    After fixing the SEC and confirming update manager was up to date.

    I did all the servers manually because we only had 15. So I just ran the VB script, restarted the Sophos agent and update services, then ran "C:\Program Files\Sophos\AutoUpdate\ALMon.exe" and did an update by right-clicking on the systray icon and going to update.

    For the clients, select all the affected clients in the SEC. To get the affected PCs I sorted by the last contact date, and the ones that had not been contacted since 23:33 19th were the problem clients. Go to edit -> copy or ctrl+c. Download Notepad++ and paste the list of computers into Notepad++. Hold down alt and select to only select the computer names from the list. There are other ways to make a PC list but this was pretty easy and you can pinpoint only the broken ones.

    Download psexec. Save the PC list you made earlier to c:\pcs.txt. You might be able to create a script that does it all in one go but this is just how I did it. First step was to run the quarrestore.vbs:

    psexec @c:\pcs.txt -u DOMAIN\USERNAME -p PASSWORD cscript \\PATH\TO\QuarRestore.VBS

    I did notice when running the quarrestore.vbs it did sometimes leave some files in the INFECTED folder. After reading the logfile and scratching my head for a while, it appeared that it was working but leaving behind some files due to them already being copied back somehow. Also, some of the files that were moved to INFECTED from the SEC share were fixed when fixing the SEC, so it left those in the client INFECTED folder.

    Once that has run through each PC you might need to stop and start the services.

    Create a bat file with the following command:

    net stop "Sophos Agent" & net stop "Sophos AutoUpdate Service" & net start "Sophos Agent" & net start "Sophos AutoUpdate Service" & exit

    psexec @c:\pcs.txt -u DOMAIN\USERNAME -p PASSWORD \\PATH\TO\SERVICES.BAT

    Once that has run through, on the SEC select the affected PCs and choose update now. This should resolve it.
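
The post mentions that a script could do this in one go. The following is an added example, not the poster's script and not Sophos code: it runs the same two PsExec steps for each PC in c:\pcs.txt, prompts once for the password rather than keeping it in a typed command or saved file, and records each exit code. It assumes psexec.exe is on PATH and that SERVICES.BAT is the bat file described above; the \\PATH\TO locations are the post's placeholders and the result file path is hypothetical.

```powershell
# Added example: QuarRestore, then service restart, per PC, with a result log.
$pcList  = 'C:\pcs.txt'                      # list built from the SEC, one name per line
$vbs     = '\\PATH\TO\QuarRestore.VBS'       # placeholder path from the post
$bat     = '\\PATH\TO\SERVICES.BAT'          # placeholder path from the post
$logFile = 'C:\sophos-fix-results.csv'       # hypothetical output location

# Prompt once. The password is still passed to the local psexec process as an
# argument while it runs, but it is not stored in this script or in a typed command.
$cred = Get-Credential -Message 'Domain account with admin rights on the clients'
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

$pcs = Get-Content $pcList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($pc in $pcs) {
    $row = [ordered]@{ Computer = $pc; Reachable = $false; RestoreExit = ''; ServicesExit = '' }

    # Skip machines that do not answer a ping so they show up in the log for a later retry.
    if (Test-Connection -ComputerName $pc -Count 1 -Quiet) {
        $row.Reachable = $true

        # Step 1: restore the files that were moved to the INFECTED folder.
        & psexec.exe "\\$pc" -accepteula -u $user -p $pass cscript.exe //nologo $vbs 2>$null | Out-Null
        $row.RestoreExit = $LASTEXITCODE

        # Step 2: stop and start "Sophos Agent" and "Sophos AutoUpdate Service" via the bat file.
        & psexec.exe "\\$pc" -accepteula -u $user -p $pass $bat 2>$null | Out-Null
        $row.ServicesExit = $LASTEXITCODE
    }
    [pscustomobject]$row
}

# Exit codes are recorded as returned by PsExec; they are logged here, not interpreted.
$results | Export-Csv -Path $logFile -NoTypeInformation
$results | Where-Object { -not $_.Reachable } | ForEach-Object { "Unreachable: $($_.Computer)" }

# Drop the plain-text copy of the password when finished.
Remove-Variable pass
```

Unreachable PCs stay listed in the CSV, so the same list can be filtered and re-run before choosing update now in the SEC.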
