
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Yesterday I was able to download the new Sophos files using the Update Manager in EC; however, today when I try to force an update it does not work and the server icon appears greyed out. I have not downloaded updates since yesterday morning. Has anybody else seen this or have a solution? I have tried restarting a number of services.


  • Zatol wrote:

    Is there any way to export a list of computer names that have the virus from the console? It's appearing like I'm going to need to reinstall Sophos on a large number of computers via SCCM or KACE, as touching each computer that's been affected by this would be an asinine amount of time, something that our department currently does not have with the start of the school year, and the very large number of computers in our district that have been rendered useless to the Sophos console.

    If there's any tool or way that could export computer names from the virus database, that'd be incredibly helpful for creating a collection to push an updated version of Sophos to. 

    Thanks for any help.


    In the SEC, organize the machines you want to redeploy to, then select all of them and do a CTRL+c
    Paste it into a text pad, then you can just cut out all of the computer names.

    I did it in Linux using AWK to get the first column of computers names.

  • Give this a shot.

    SELECT Computername
    FROM ComputerListData2 WITH (NOLOCK)
    WHERE ThreatName LIKE '%Updater-B%'

    Hope it helps.

  • Would it be possible to also return the Status Tab Group - information for each computer?

  • I thought I would share how I ended up fixing it. We had on-access set to deny and move.

    After fixing the SEC and confirming Update Manager was up to date:

    I did all the servers manually because we only had 15. So I just ran the VB script, restarted the Sophos Agent and update services, then ran "C:\Program Files\Sophos\AutoUpdate\ALMon.exe" and did an update by right-clicking on the systray icon and going to Update.

    For the clients, select all the affected clients in the SEC. To get the affected PCs I sorted by the last contact date, and the ones that had not been contacted since 23:33 on the 19th were the problem clients. Go to Edit -> Copy or press Ctrl+C. Download Notepad++ and paste the list of computers into Notepad++. Hold down Alt and select to pick out only the computer names from the list. There are other ways to make a PC list, but this was pretty easy and you can pinpoint only the broken ones.

    Download PsExec. Save the PC list you made earlier to c:\pcs.txt. You might be able to create a script that does it all in one go, but this is just how I did it. The first step was to run QuarRestore.vbs:

    psexec @c:\pcs.txt -u DOMAIN\USERNAME -p PASSWORD cscript \\PATH\TO\QuarRestore.VBS

    I did notice that when running QuarRestore.vbs it sometimes left some files in the INFECTED folder. After reading the logfile and scratching my head for a while, it appeared that it was working but leaving behind some files because they had somehow already been copied back. Also, some of the files moved to INFECTED came from the SEC share and were fixed when fixing the SEC, so it left those in the client INFECTED folder.

    Once that has run through on each PC you might need to stop and start the services.

    Create a .bat file with the following command:

    net stop "Sophos Agent" & net stop "Sophos AutoUpdate Service" & net start "Sophos Agent" & net start "Sophos AutoUpdate Service" & exit

    psexec @c:\pcs.txt -u DOMAIN\USERNAME -p PASSWORD \\PATH\TO\SERVICES.BAT

    Once that has run through, select the affected PCs in the SEC and choose Update now. This should resolve it.

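A scripted version of the triage step above (sort by last contact, keep only the clients that went quiet after the bad update, save the names as c:\pcs.txt for psexec). This is an added example, not a script from the thread or from Sophos; it assumes the Ctrl+C paste from the SEC is tab-separated with a header row naming "Name" and "Last contact" columns, and the sample rows, timestamp format and year are constructed.

```python
"""Filter an SEC computer-list paste down to the clients that stopped
contacting the console after the false-positive update, then write the
list in the form psexec's @file option expects.

Added example, not from the thread.  Assumes the SEC paste is tab-separated
with a header row containing "Name" and "Last contact" (ISO timestamps);
the sample below and the year are constructed for illustration."""
from datetime import datetime

# Constructed sample of an SEC copy-paste (tab-separated, with header).
SAMPLE_EXPORT = "\n".join([
    "Name\tGroup\tLast contact",
    "LAB-PC01\tLabs\t2012-09-19 23:31:00",
    "LAB-PC02\tLabs\t2012-09-20 08:15:00",
    "LIB-PC07\tLibrary\t2012-09-19 21:05:00",
    "ADMIN-PC3\tAdmin\t2012-09-20 09:40:00",
    "",
])

# Clients not heard from since this point are the ones whose updater was
# quarantined (the thread's "23:33 on the 19th"; year assumed).
CUTOFF = datetime(2012, 9, 19, 23, 33)


def broken_clients(export_text, cutoff=CUTOFF):
    """Return computer names whose last contact is older than cutoff."""
    rows = [r for r in export_text.splitlines() if r.strip()]
    header = rows[0].split("\t")
    name_col = header.index("Name")            # ValueError if header missing
    contact_col = header.index("Last contact")
    stale = []
    for row in rows[1:]:
        cells = row.split("\t")
        seen = datetime.strptime(cells[contact_col], "%Y-%m-%d %H:%M:%S")
        if seen < cutoff and cells[name_col] not in stale:
            stale.append(cells[name_col])
    return stale


def render_pc_list(names):
    """One name per line, CRLF-terminated, as psexec @file reads it."""
    return "".join(name + "\r\n" for name in names)


if __name__ == "__main__":
    names = broken_clients(SAMPLE_EXPORT)
    with open("pcs.txt", "w", newline="") as fh:   # copy to c:\pcs.txt
        fh.write(render_pc_list(names))
    print(f"{len(names)} stale clients written to pcs.txt")
```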

  • The Quarantine only shows unhandled detections. A move to the INFECTED folder is considered a successful remedy, and thus the item isn't on the list. Please have a look at Restoring Files Moved by Sophos Anti-Virus Due To A False Positive.

    Christian 


    I was OK with that until I just saw a colleague who HAS the whole list of self-quarantined Sophos files (68)!

    EDIT: he had the Cleanup option only, not "move"... sorry...

  • Nice, Hambone

    If alerts have already been acknowledged the computers will not appear in the ComputerListData2 view.

    Thought of something like

    SELECT DISTINCT c.Name
    FROM (SELECT ComputerID, Threatname FROM Threatsarchive
          UNION
          SELECT ComputerID, Threatname FROM Threats) AS t
    JOIN Computersanddeletedcomputers AS c ON t.ComputerID = c.ID
    WHERE t.ThreatName LIKE 'SHH/%'

    seems to give correct results on my system (don't criticize my SQL skills - there are none)

    Christian

  • Hi everyone,

    I don't see any unanswered questions in this thread at the moment, so I'll just hang back for now. Just wanted to drop in and express my thanks to the contributors on this thread that are providing answers and example scripts. Everyone here in Support appreciates the help, and I'm certain those that have been helped by posts in this thread appreciate it even more. Keep up the good work!

  • This is what I get:

    C:\Users\user\Desktop\sophos>psexec \\machinename -u domain\adminaccount  \\server\share\sophos\repairsau.bat

    PsExec v1.98 - Execute processes remotely Copyright (C) 2001-2010 Mark Russinovich Sysinternals - www.sysinternals.com

    Password:

    C:\WINDOWS\system32>cscript.exe //nologo \\server\share\sophos\FixUpdate.vbs  /fixIssues:true /cid:\\srv-sophos\sophosupdate\cids\s003\savscfxp /updateNow:true

    Version 1.4 Trigger update option enabled

    javab-jd.ide is missing

    \\server\share\sophos\repairsau.bat exited on appli1 with error code 1.

    What could be this error code 1 because the script should copy the missing file am I right?


  • HealthAdmin wrote:

    This is what I get:

    C:\Users\user\Desktop\sophos>psexec \\machinename -u domain\adminaccount  \\server\share\sophos\repairsau.bat

    PsExec v1.98 - Execute processes remotely Copyright (C) 2001-2010 Mark Russinovich Sysinternals - www.sysinternals.com

    Password:

    C:\WINDOWS\system32>cscript.exe //nologo \\server\share\sophos\FixUpdate.vbs  /fixIssues:true /cid:\\srv-sophos\sophosupdate\cids\s003\savscfxp /updateNow:true

    Version 1.4 Trigger update option enabled

    javab-jd.ide is missing

    \\server\share\sophos\repairsau.bat exited on appli1 with error code 1.

    What could be this error code 1 because the script should copy the missing file am I right?


    Correct. Did you extract both the VBS and the IDE file to the same directory you are running the VBS out of?
