
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Hello,

    Here are some instructions below if you would like to generate a list of affected endpoints:

    What To Do

    1. On your Sophos Management server (assuming you are using the default local SQL instance) download the file: 'FpWithoutFix2.txt'. This example will use the location: 'C:\windows\temp\FpWithoutFix2.txt'.
    2. In a command prompt type the following (all on one line):
      sqlcmd -E -S .\sophos -d SOPHOS51 -i C:\windows\temp\FpWithoutFix2.txt -o C:\windows\temp\FpWithoutFix2Report.txt 

      Where:
      .\sophos represents a local SQL instance called SOPHOS (the default).
      SOPHOS51 represents the database name as used by Enterprise Console 5.1.  A list of database names and console versions can be found here: 17323 .  Update the database name as required for your version of the console.
    3. Once the command completes, open 'C:\windows\temp\FpWithoutFix2Report.txt' to see the computers which have 'agen-xuv.ide' but don't have 'javab-jd.ide'.  This list of computers should then be resolved as per 118311.

    Additionally, if you wish to create a report of files where an action has been taken, e.g. 'Deleted' or 'Moved', download the file: 'FpMovedAndDeletedFiles2.txt' and run it using the same method as above, i.e. using the command:

    sqlcmd -E -S .\sophos -d SOPHOS51 -i C:\windows\temp\FpMovedAndDeletedFiles2.txt -o C:\windows\temp\FpMovedAndDeletedFiles2Report.txt

    Hope this helps.

    Scott

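The SQL report above depends on the contents of 'FpWithoutFix2.txt', which are not reproduced in this thread, and on the console database being current. As an added example (not code from the original post or from Sophos), the following PowerShell script performs the same check directly against the endpoints: it looks over each machine's C$ admin share for 'agen-xuv.ide' without 'javab-jd.ide'. It assumes the default install path, that IDE files sit in the 'Sophos Anti-Virus' folder, and that the caller has local administrator rights on the targets; the host names are constructed placeholders.

```powershell
# Added example, not from the original post or from Sophos.
# Classify endpoints by inspecting the Sophos Anti-Virus folder over the C$ share:
#   NeedsFix    = has agen-xuv.ide (the false-positive identity) but not javab-jd.ide (the fix)
#   Fixed       = javab-jd.ide present
#   NotAffected = neither file present
#   Unreachable = admin share not accessible (no admin rights, firewall, machine off)
# Assumptions: default install path; IDE files live directly in the Sophos Anti-Virus folder.

function Get-ShhUpdaterFpStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        [string]$OutFile = "$env:windir\temp\FpWithoutFixShareCheck.csv"
    )

    $ideDir = 'Program Files\Sophos\Sophos Anti-Virus'   # assumed IDE location
    $badIde = 'agen-xuv.ide'                              # identity that raised the FP
    $fixIde = 'javab-jd.ide'                              # identity that corrects it

    $results = foreach ($pc in $ComputerName) {
        $base = "\\$pc\C`$\$ideDir"
        if (-not (Test-Path -LiteralPath $base)) {
            New-Object PSObject -Property @{ Computer = $pc; Status = 'Unreachable'; HasBadIde = $null; HasFixIde = $null }
            continue
        }
        $hasBad = Test-Path -LiteralPath (Join-Path $base $badIde)
        $hasFix = Test-Path -LiteralPath (Join-Path $base $fixIde)
        $status = if ($hasBad -and -not $hasFix) { 'NeedsFix' }
                  elseif ($hasFix)               { 'Fixed' }
                  else                           { 'NotAffected' }
        New-Object PSObject -Property @{ Computer = $pc; Status = $status; HasBadIde = $hasBad; HasFixIde = $hasFix }
    }

    # Full table to CSV for the record; return only the machines that still need work.
    $results | Export-Csv -LiteralPath $OutFile -NoTypeInformation
    $results | Where-Object { $_.Status -eq 'NeedsFix' } | ForEach-Object { $_.Computer }
}

# Constructed placeholder host names; replace with a list exported from the console or AD.
Get-ShhUpdaterFpStatus -ComputerName 'WKS-001', 'WKS-002', 'WKS-003'
```

Run it from an account with administrative rights on the endpoints. Treat 'Unreachable' hosts as unknown rather than clean, and use the console's SQL report as the authoritative list where it is available; this check only confirms what is actually on disk.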

  • xTiNcTion wrote:
    After following all steps ... SUM server update BUT I got: Event Decode Unavailable (Event number: "-1604845556" Message Code: "SAVXP.2690121740" Inserts: "0", "", "", "", "") advise! 95 pages and counting? hehehe... kind of ridiculous!

    I also have this on a couple of hundred clients, : Event Decode Unavailable (Event number: "-1604845556" Message Code: "SAVXP.2690121740" Inserts: "0", "", "", "", "")

    We have most other "complications" under control, but these computers that have this error refuse to update and I don't know why. Any clues as to what this is about?

  • ScottC:

    None of the links you provided contain valid external URLs.  And yes, some of us would like to use these reports.  For example, we see "http://sophtrac.green.sophos/repo_kb/118324/file/FpWithoutFix2.txt"

    This is true for all of the links in your post.  Can you provide external links?

    Thanks,

    db

    edited to correct typo.


  • doctorbob wrote:

    ScottC:

    None of the links you provided contain valid external URLs.  And yes, some of us would like to use these reports.  For example, we see "http://sophtrac.green.sophos/repo_kb/118324/file/FpWithoutFix2.txt"

    This is true for all of the links in your post.  Can you provide external links?

    Thanks,

    db

    edited to correct typo.


    Hi,

    Please try http://sophserv.sophos.com/repo_kb/118324/file/FpWithoutFix2.txt

  • Well done, Christian!  I think I'll use yours instead.  :)

    Thanks,

    Stan

  • First, thanks for your quick answer Nathan :)

    Yes, in fact, I have the repairsau.bat, the .ide and the .vbs files in the same directory, which is a public share.

  • Sophos,

    When can we expect a script/automated fix to address the issues for those who simply had the "Deny access only" set in their policies? I'm seeing scripts in the Advisory for the other sections, just not for "Deny access only" section. Maybe I'm missing something? Maybe one of the other scripts addresses this? Please let us know/update the Advisory with more information on this. Wish I had more time to go through the forums, but Sophos isn't the only fire I have to put out around here. :(

    Thanks in advance for your help/response.

    ________________________________________________

    Deny access only

    Note:
    Enabling Sophos Live Protection (in step three above) should resolve the issue if your configuration is set to 'Deny access only'. We recommend allowing time for your endpoint computers to enable this option locally and report to the console before continuing below.


    1. Stop the Sophos Anti-Virus service (Start | Run | Type: services.msc | Press return).
    2. Delete the quarantine.xml file from:
      C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml
      or
      C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml
    3. Start the Sophos Anti-Virus service.
    4. Force an update on the computer.  To do this right-click on the Sophos shield and select 'Update now'. 
    5. If the update fails, then perform a reboot of the computer.
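The five 'Deny access only' steps quoted above are straightforward to script for the machines that did not recover on their own after Live Protection was enabled. The following PowerShell is an added example (not from the original post or from the Sophos advisory) that performs those steps on the local endpoint, picking whichever Quarantine.xml location exists. It assumes, beyond what the advisory states, that the Sophos Anti-Virus service is named SAVService and that Sophos AutoUpdate ships an ALUpdate.exe that triggers the same update as 'Update now'; both are labelled as assumptions in the code.

```powershell
# Added example, not from the original post or the Sophos advisory.
# Automates the 'Deny access only' steps: stop SAV, remove Quarantine.xml,
# start SAV, force an update, and warn to reboot if the update fails.
# Run from an elevated PowerShell prompt on the affected endpoint.

$serviceName = 'SAVService'   # ASSUMED service name for 'Sophos Anti-Virus'

# Both quarantine locations from the advisory; only one exists on a given OS.
$quarantinePaths = @(
    "$env:ALLUSERSPROFILE\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml",  # XP / 2003
    "$env:ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"                        # Vista and later
)

$alUpdate = Join-Path $env:ProgramFiles 'Sophos\AutoUpdate\ALUpdate.exe'   # ASSUMED path of the CLI updater

$svc = Get-Service -Name $serviceName -ErrorAction Stop

# Step 1: stop the Sophos Anti-Virus service.
# If Tamper Protection is enabled this call is refused; disable it first.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $serviceName -Force -ErrorAction Stop
    $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
}

# Step 2: delete Quarantine.xml from whichever location is present.
$removed = 0
foreach ($path in $quarantinePaths) {
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Force
        Write-Host "Removed $path"
        $removed++
    }
}
if ($removed -eq 0) { Write-Host 'No Quarantine.xml found; nothing to remove.' }

# Step 3: start the service again and wait for it to be running.
Start-Service -Name $serviceName
$svc.WaitForStatus('Running', (New-TimeSpan -Seconds 60))

# Step 4: force an update (command-line equivalent of shield > 'Update now').
if (Test-Path -LiteralPath $alUpdate) {
    $proc = Start-Process -FilePath $alUpdate -Wait -PassThru
    # Step 5: the advisory says to reboot if the update fails.
    if ($proc.ExitCode -ne 0) {
        Write-Warning "Update exited with code $($proc.ExitCode); reboot the computer and retry."
    } else {
        Write-Host 'Update completed.'
    }
} else {
    Write-Warning "ALUpdate.exe not found at $alUpdate; trigger 'Update now' from the Sophos shield instead."
}
```

Stopping the service will fail on machines with Tamper Protection switched on, so turn it off in the policy (or locally with the tamper password) before running this, and turn it back on afterwards. Deleting Quarantine.xml discards the quarantine history for real detections as well, which is why the advisory recommends giving Live Protection time to clear the false positives first.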
  • Was wondering why a few of our customers were badly hit and some of our customers were at minimal or not hit at all by the false positive? 

    Our anti-virus settings were unfortunately set to Delete and all had Live Protection turned on. What makes the difference that some got hit and some not?

    Can anyone explain? Thanks!

  • I just downloaded a brand new warehouse and CIDs folder to my SUM, and agen-xuv with a date of 9-19 1:29 was in there?

    That doesn't make any sense to me....

  • Well, I think it would depend on the PCs being turned on when the bad update was sent out. If one business had a shutdown policy (company policy) in the evening they might have been lucky and missed the bad update.

    At one site we have about 40 out of 100 users that refuse to ever shut their PC down and they were all affected, while the people who shut their PC down when they go home were not.
