
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • kurbycar32 wrote:

    Unfortunately the instructions there say that if the script returns SAU files missing, I need to manually copy over the AutoUpdate CID to the client.  With 2,000 machines infected this is kind of a problem.  What would be nice is if Sophos released a new client with the fix enabled in the exe, then we could just reprotect the clients from the console.  By the way the removal tool was old and doesn't yank out version 10 clients.


    Hi,

    I'll get that KBA updated with some better information for this scenario.
    I don't think copying the SAU files locally will work here. If the UNC path is entered correctly after the /cid: switch, then the likely reason the files would be missing is if they had been deleted/moved from the CID due to the false positive. I was just working with another customer that had that exact scenario, where the SAU files were missing from the CID due to a scheduled scan that deleted them.

    What you need to do first is get your Sophos Update Manager working correctly. Once that is done and the CID is complete, then you can successfully run the script. You can confirm if this is your issue by checking to see if alsvc.exe is in the CID or not. HTH
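The reply above suggests confirming the CID is complete before running the repair script, by checking whether alsvc.exe is still present in the update location. The following PowerShell function is an added example, not code from the thread or from Sophos: it takes one or more CID paths, reports whether each is reachable, and lists which expected files are missing. Only alsvc.exe is named in the thread; the UNC path in the usage line is a placeholder, and the ability to pass additional file names is an assumption for illustration.

```powershell
# Added example (not from the thread): check that each CID share is reachable and
# still contains the AutoUpdate files the repair script expects to find there.
function Test-SophosCid {
    param(
        [Parameter(Mandatory)] [string[]] $CidPath,
        # alsvc.exe is the file named in the thread; any other names are assumptions
        [string[]] $RequiredFile = @('alsvc.exe')
    )
    foreach ($path in $CidPath) {
        if (-not (Test-Path -LiteralPath $path)) {
            # Share or folder cannot be reached at all (SUM not working, wrong path)
            [pscustomobject]@{ Cid = $path; Reachable = $false; Missing = $RequiredFile }
            continue
        }
        # Search recursively because the CID keeps files in subfolders
        $present = Get-ChildItem -LiteralPath $path -Recurse -File -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty Name
        # Any required file not found anywhere under the CID is reported as missing
        $missing = $RequiredFile | Where-Object { $present -notcontains $_ }
        [pscustomobject]@{ Cid = $path; Reachable = $true; Missing = @($missing) }
    }
}

# Usage: replace the placeholder UNC path with the CID your clients update from
Test-SophosCid -CidPath '\\SERVER\SophosUpdate\CIDs\PLACEHOLDER' | Format-Table -AutoSize
```

A CID that is reachable but reports alsvc.exe as missing matches the scenario described in the reply (files removed from the CID by a scan acting on the false positive); in that case the Update Manager needs to republish the CID before the script is run against the clients.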
