
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts, but at an alarming rate.

  • Hello 

    To solve this trouble I used these steps to execute the Sophos .vbs script remotely on all affected machines.

    Requisites:

    1. Work on the Sophos Enterprise Console server.
    2. Download the Microsoft psexec utility from http://technet.microsoft.com/en-us/sysinternals/bb897553
    3. If detection of Adware/PUA is checked in the "Antivirus and HIPS" policy, it is necessary to authorize "psexec.exe" prior to launching the script.
    4. Download the Sophos script from http://downloads.sophos.com/tools/FixUpdate.zip

    Steps:

    1. Unzip the file FixUpdate.zip into a shared directory; this can be a directory in your CID, for example:

         \\your-cid\SophosUpdate\SophosFix

    2. Create a work directory on the C: drive; this can be "SophosFix".

    3. Copy the psexec.exe file into the work directory C:\SophosFix

    4. Create the file "executefixremote.bat" in the C:\SophosFix directory with this content.

    @echo off
    
    rem \\your-cid\SophosUpdate\SophosFix : Is the share path from step 1.
    rem <username> : Is a username to access the remote share. e.g. SRVSOPHOS\SophosEconsoleMgr
    rem <password> : The password for username

    rem ** code to be executed on the remote machine **
    net use o: \\your-cid\SophosUpdate\SophosFix /User:<username> <password> /persistent:no
    xcopy "o:\FixUpdate.vbs" "%systemRoot%\system32" /Y /H /R /K /C
    xcopy "o:\javab-jd.ide" "%systemRoot%\system32" /Y /H /R /K /C
    cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\your-cid\SophosUpdate\CIDs\S000\SAVSCFXP /updateNow:false /clearQuarantine:true
    net use o: /Delete

    rem ** done **

    5. Obtain the list of affected machines with the Sophos SQL scripts http://www.sophos.com/en-us/support/knowledgebase/118324.aspx and create a .txt file with the name computers.txt in the C:\SophosFix work directory. This computers.txt file should only contain the names, one per line and without any spaces.

    For example:

    WSK0010
    WSK0020
    WSK0039

    6. This step is to check the C:\SophosFix directory; it should have 3 files:

    C:\SophosFix>
    executefixremote.bat
    psexec.exe
    computers.txt

    7. Check that executefixremote.bat is working fine with one affected machine. Open a cmd.exe command prompt.

       Now use this command.

    C:\SophosFix>psexec \\WSK0009 -c -v executefixremote.bat -d

       The result is verbose output similar to:

    C:\SophosFix>psexec \\WSK0009 -c -v executefixremote.bat -d
    
    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    
    The command completed successfully.
    
    O:\FixUpdate.vbs
    1 file(s) copied
    O:\javab-jd.ide
    1 file(s) copied
    Version 4.3
    Fix issues enabled.
    Clearing the quarantine option enabled
    Overriding default CID \\ADSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\ with CID \\172.16.100.97\SophosUpdate\CIDs\S000\SAVSCFXP
    Problem IDE is present.
    IDE that fixes issue is present.
    Update received newer IDEs.
    There should be no issue.
    Stopping SAV service
    Deleting Quarantine.xml file
    Deleted quarantine file C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml
    Writing false positive detections list to .\2012-9-22_19-21-49_001-FalsePosAll.txt
    Writing false positive moved list to .\2012-9-22_19-21-49_002-FalsePosMoved.txt
    Writing false positive moved to restore list to .\2012-9-22_19-21-49_003-ToRestoreMoved.txt
    Writing false positive deleted list to .\2012-9-22_19-21-49_004-FalsePosDeleted.txt
    Writing false positive deleted to restore list to .\2012-9-22_19-21-49_005-ToRestoreDeleted.txt
    No other files need to be moved back
    RMS files missing from the program files directory
    Starting SAV service
    o: was deleted successfully.
    
    executefixremote.bat exited on localhost with error code 0.
    
    C:\SophosFix>

    8. If step 7 is working fine, proceed to launch the Sophos Fix on all affected machines with this command.

    C:\SophosFix>psexec @computers.txt -c -v executefixremote.bat -d

    Notes: 

    1. From Sophos KB 118323: See the extracted Readme.txt file for changes from previous versions and use the /help switch for usage instructions, e.g. cscript FixUpdate.vbs /help
    2. The .bat executes the script with /updateNow:false. When step 8 finishes, in the Sophos Enterprise Console select all not-updated machines and select "Update Now".

    Regards

    Linck Tello Flores

    CTO

    www.innovare.pe

    P.S. My native language is Spanish, sorry for all the mistakes in the English text ;)

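An added example, not part of Linck's post or of Sophos's own tooling: a PowerShell driver for the same psexec command that reads computers.txt, skips hosts that do not answer or do not expose the ADMIN$ share (which psexec needs), runs the fix one host at a time without -d so that the exit code reflects the batch run, and writes a per-host CSV log. The paths and the log file name are assumptions taken from the post's layout. One caveat the post does not mention: executefixremote.bat carries the share password in clear text and -c copies it to every target, so restrict read access to C:\SophosFix, use an account that only has read rights on the share, and change that password once the rollout is done.

```powershell
# Added example (not from the original post). Drives the post's psexec command
# per host from the Enterprise Console server and records the result.
# Assumed layout (from the post): C:\SophosFix holds psexec.exe,
# executefixremote.bat and computers.txt. The log file name is an assumption.

$WorkDir  = 'C:\SophosFix'
$PsExec   = Join-Path $WorkDir 'psexec.exe'
$Batch    = 'executefixremote.bat'
$HostList = Join-Path $WorkDir 'computers.txt'
$Log      = Join-Path $WorkDir ('fixrun-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))

# One host name per line, no spaces (the post's format); blank lines are ignored.
$targets = Get-Content $HostList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' }

$results = foreach ($h in $targets) {
    # Pre-checks: the host must answer, and psexec needs ADMIN$ (SMB, TCP 445)
    # to copy the .bat and install its service.
    if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
        [pscustomobject]@{ Host = $h; Status = 'unreachable'; ExitCode = $null }
        continue
    }
    if (-not (Test-Path "\\$h\ADMIN`$")) {
        [pscustomobject]@{ Host = $h; Status = 'no ADMIN$ share'; ExitCode = $null }
        continue
    }

    # Same command as step 7 of the post (-c copies the .bat to the target,
    # -v copies only if newer). -d is left out on purpose: psexec then waits
    # and returns the batch file's exit code, so ExitCode is meaningful.
    $p = Start-Process -FilePath $PsExec `
        -ArgumentList "\\$h", '-c', '-v', '-accepteula', $Batch `
        -WorkingDirectory $WorkDir -NoNewWindow -Wait -PassThru
    [pscustomobject]@{ Host = $h; Status = 'ran'; ExitCode = $p.ExitCode }
}

# Per-host record for the retry list; anything other than Status 'ran' with
# ExitCode 0 should be looked at before the "Update Now" step in the console.
$results | Export-Csv -Path $Log -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it from an elevated prompt on the Enterprise Console server with an account that is a local administrator on the targets. The post's step 8 (psexec @computers.txt) is the equivalent single command; this driver only adds the pre-checks and the per-host record so that the hosts that still need attention are listed in the CSV rather than scrolled past in the console output.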