Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

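Before treating a detection on a vendor's own updater as a false positive, the check a practitioner wants is whether the flagged binary is still the intact, vendor-signed file. The following is an added example, not part of the original post or of any Sophos tooling; it uses only built-in PowerShell cmdlets (Get-AuthenticodeSignature, Get-FileHash) against the exact path quoted in the alert. The match on the string 'Sophos' in the signer subject is an assumption about how the vendor's certificate is named, and the SHA256 is printed so it can be compared against a known-good copy of the file.

```powershell
# Added example (not from the original post): verify the binary named in the
# Shh/Updater-B alert before deciding it is a false positive.
$path = 'C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe'

if (-not (Test-Path -LiteralPath $path)) {
    # The file may already have been moved to quarantine by the scanner.
    Write-Warning "File not present at $path (possibly quarantined)"
    return
}

$sig  = Get-AuthenticodeSignature -LiteralPath $path
$hash = Get-FileHash -LiteralPath $path -Algorithm SHA256

# Summary of what was found; keep this alongside the alert for the ticket.
[pscustomobject]@{
    Path       = $path
    SHA256     = $hash.Hash
    SigStatus  = $sig.Status                      # 'Valid' = intact and chained to a trusted root
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
} | Format-List

# Assumption: the genuine component is signed with a certificate whose subject
# names Sophos. A 'Valid' status plus that subject supports the false-positive
# reading; NotSigned, HashMismatch or an unexpected signer means the file
# should be investigated, not dismissed.
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Sophos') {
    'Signature intact and issued to a Sophos subject: consistent with a false positive'
} else {
    "Signature check failed ($($sig.Status)); signer: $($sig.SignerCertificate.Subject)"
}
```

Run it from an elevated PowerShell session on one affected endpoint; a Valid signature on an unchanged hash across several machines is the evidence to attach when raising the false positive with the vendor, while a HashMismatch or NotSigned result on even one host changes the incident from "noisy alert" to "possible tampering".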


This thread was automatically locked due to age.
  • Morning BlackDiamond, I am looking into this now. Are you working in a domain environment? I am currently presuming so; if so, what type of admin account are you using for this: local admin, domain admin or forest admin?

    To answer your query:

    How is it possible to have two of the same system in the SEC? If you re-protect the endpoint and its UID has changed for any reason, you may end up with multiple system entries in the DB. I have heard of this behaviour previously, but as I am not a DB admin I am not able to expand much further on the root cause of this. We may be able to get a script to help remove the duplicate machine IDs; if I recall correctly, though, this will require re-protecting the system to re-add it to the DB, as the operation would delete the system information and its associated UID records.

    Could you clarify the statement "remove the items from quarantine and rerun Protect Computers from SEC"? Are you referring to acknowledging the alerts from the console or on the endpoint? This behaviour seems a little odd and has not been seen so far in our testing; if we can get a root cause we should be able to get the script working for you, which should hopefully reduce the pain threshold a bit for the rollout to your remaining systems.

    [Edit] Just spoke to my colleagues. Could you confirm whether the duplicates are split between Managed and Unmanaged? If so, select the unmanaged systems and delete them from the console; this should resolve the issue regarding those. [/Edit]