
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



This thread was automatically locked due to age.
  • Hi Nathan,

    I have the same issue as HealthAdmin; however, once I run the VBS using the PsExec tool it fails with a "not enough disk space" error, even though I have checked that the target machines have 50GB free.

    Below is the command used to trigger the script; the VBS and the IDE file are in the same directory.

    I'd appreciate it if you can confirm that the command below is correct. Thanks

    Psexec Command:

    PsExec.exe \\172.64.18.151 -u admin -p password cscript.exe "\\172.16.116.169\Sophos Tools\script\CSQscripts\FixUpdate.vbs" /fixIssues:true /cid:\\172.64.18.151\SophosUpdate\CIDs\S015\SAVSCFXP /updateNow:true


  • Azwan wrote:

    Hi Nathan,

    I have the same issue as HealthAdmin; however, once I run the VBS using the PsExec tool it fails with a "not enough disk space" error, even though I have checked that the target machines have 50GB free.

    Below is the command used to trigger the script; the VBS and the IDE file are in the same directory.

    I'd appreciate it if you can confirm that the command below is correct. Thanks

    Psexec Command:

    PsExec.exe \\172.64.18.151 -u admin -p password cscript.exe "\\172.16.116.169\Sophos Tools\script\CSQscripts\FixUpdate.vbs" /fixIssues:true /cid:\\172.64.18.151\SophosUpdate\CIDs\S015\SAVSCFXP /updateNow:true


    I think you want to wrap the VBS in a batch file, then call that using PSEXEC. Not sure why you got a disk space error though, I haven't heard of any reports like that.


  • jedunn wrote:

    I just downloaded a brand new warehouse and CIDs folder to my SUM, and agen-xuv with a date of 9-19 1:29 was in there?????

    That doesn't make any sense to me....


    The IDE agen-xuv.ide has other detections in it, so this IDE will still be present on the systems once they are fixed. As long as javab-jd.ide is ALSO present (or Live Protection is enabled), then you won't experience the false positive.


  • kevinhcs wrote:

    Was wondering why a few of our customers were badly hit and some of our customers were at minimal or not hit at all by the false positive? 

    Our anti virus settings were unfortunately set to Delete and all had Live Protection turned on. What makes the difference some got hit and some not?

    Can anyone explain? Thanks!


    Lucky timing and Live Protection. The Shh detections trigger SXL lookups to our cloud servers if Live Protection is enabled. We were able to mark the detections as clean in the cloud quicker than we could deliver the IDE to correct the detection. So if someone was lucky enough to get the problem IDE after we had marked the detections clean in the cloud, then they wouldn't have experienced the false positive.

  • Health Admin, I've had some success with this script.

    rem Stage the fix script and the corrected IDE in a per-machine scratch directory
    rem (paths are quoted so a script location containing spaces still works).
    mkdir "%allusersprofile%\temp\sophos"
    copy "%~dp0fixupdate.vbs" "%allusersprofile%\temp\sophos" /y
    copy "%~dp0javab-jd.ide" "%allusersprofile%\temp\sophos" /y
    pushd "%allusersprofile%\temp\sophos"
    cscript //nologo "FixUpdate.vbs" /fixIssues:true /cid:\\sophos\SophosUpdate\CIDs\S000\SAVSCFXP\ /updateNow:true /verbose:true

    rem Leave the scratch directory before removing it; rmdir cannot delete the current directory.
    popd
    rmdir /s /q "%allusersprofile%\temp\sophos"

    NOTE: I didn't use %temp% because some of my servers were resolving to C:\Users\username\AppData\Local\Temp\2


  • SYSOP wrote:

    Sophos,

    When can we expect a script/automated fix to address the issues for those who simply had "Deny access only" set in their policies? I'm seeing scripts in the Advisory for the other sections, just not for the "Deny access only" section. Maybe I'm missing something? Maybe one of the other scripts addresses this? Please let us know/update the Advisory with more information on this. Wish I had more time to go through the forums, but Sophos isn't the only fire I have to put out around here.

    Thanks in advance for your help/response.

    ________________________________________________

    Deny access only

    Note:
    Enabling Sophos Live Protection (in step three above) should resolve the issue if your configuration is set to 'Deny access only'. We recommend allowing time for your endpoint computers to enable this option locally and report to the console before continuing below.


    1. Stop the Sophos Anti-Virus service (Start | Run | Type: services.msc | Press return).
    2. Delete the quarantine.xml file from:
      C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml
      or
      C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml
    3. Start the Sophos Anti-Virus service.
    4. Force an update on the computer.  To do this right-click on the Sophos shield and select 'Update now'. 
    5. If the update fails, then perform a reboot of the computer.

    What issues are you experiencing? If you've obtained the IDE javab-jd.ide and deployed it to the endpoints using the steps at the beginning of the advisory KBA, then the steps you quoted should be all that is left for you.

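    Added example (not from the advisory, from Sophos, or from any poster in this thread): a PowerShell script that automates the quoted "Deny access only" steps 1 to 3 across a list of endpoints, and first checks that javab-jd.ide is actually on the machine, because clearing the quarantine before the corrected IDE has arrived just lets the detection come back on the next scan. Assumptions not stated on the page: the service is located by its display name 'Sophos Anti-Virus'; IDE files sit in the Sophos Anti-Virus install directory (the thread only shows that directory as the home of swi_update.exe); WinRM/PowerShell remoting is enabled on the targets. Steps 4 and 5 (Update now, reboot if the update fails) stay manual, as the advisory describes.

```powershell
# Added example, not part of the Sophos advisory or this thread.
# Automates advisory steps 1-3 for the "Deny access only" case on remote endpoints.
# Assumptions (not on the page): service display name 'Sophos Anti-Virus',
# IDE files live in the Sophos Anti-Virus install directory, WinRM is enabled.
param(
    [Parameter(Mandatory)][string[]]$ComputerName,
    [string]$RequiredIde = 'javab-jd.ide'   # the IDE that corrects the Shh/Updater-B detection
)

$fix = {
    param($RequiredIde)
    $result = [ordered]@{
        Computer = $env:COMPUTERNAME; IdePresent = $false
        QuarantineRemoved = $false; ServiceState = $null
    }

    # Candidate install directories on 32-bit and 64-bit hosts (assumed IDE location).
    $installDirs = @("$env:ProgramFiles\Sophos\Sophos Anti-Virus",
                     "${env:ProgramFiles(x86)}\Sophos\Sophos Anti-Virus") |
        Where-Object { $_ -and (Test-Path $_) }

    # Safety check: do not touch the quarantine until the corrected IDE is on the box.
    $result.IdePresent = [bool]($installDirs |
        ForEach-Object { Join-Path $_ $RequiredIde } |
        Where-Object { Test-Path $_ })
    if (-not $result.IdePresent) {
        $result.ServiceState = "skipped: $RequiredIde not found"
        return [pscustomobject]$result
    }

    $svc = Get-Service -DisplayName 'Sophos Anti-Virus' -ErrorAction Stop

    # Both quarantine.xml locations named in the advisory (Vista+ and XP/2003 layouts).
    $quarantinePaths = @(
        "$env:ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml",
        "$env:ALLUSERSPROFILE\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    )

    # Step 1: stop the Sophos Anti-Virus service and wait for it to actually stop.
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    # Step 2: delete quarantine.xml wherever it exists.
    foreach ($p in $quarantinePaths) {
        if (Test-Path $p) {
            Remove-Item $p -Force
            $result.QuarantineRemoved = $true
        }
    }

    # Step 3: start the service again and report its final state.
    Start-Service -InputObject $svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    $result.ServiceState = (Get-Service -Name $svc.Name).Status.ToString()

    # Steps 4 and 5 (Update now; reboot if the update fails) are left manual,
    # as the advisory describes them.
    [pscustomobject]$result
}

# One row per machine so you can see which were skipped (IDE missing)
# and which did not get their service back to Running.
Invoke-Command -ComputerName $ComputerName -ScriptBlock $fix -ArgumentList $RequiredIde |
    Select-Object Computer, IdePresent, QuarantineRemoved, ServiceState |
    Format-Table -AutoSize
```

    Run it as an account that is a local administrator on the targets, e.g. `.\Fix-DenyAccessOnly.ps1 -ComputerName ws01,ws02` (the script filename is whatever you save it as). Machines reported as "skipped" still need the IDE deployed with the steps at the top of the advisory before this is rerun. Deleting quarantine.xml only clears the endpoint's Quarantine Manager; as noted below, the detections remain in the console for reporting.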
  • Nathan,

    Thanks for your response. I was referring to a script which would handle the automatic stopping/starting of services + removal of the quarantine file(s) for the affected endpoints... then a forced Update for each.

    Also, with the removal of the Quarantine file(s), how does this affect reporting? (Only asking here since I might not be the only one interested in this answer)

    Thanks again!


  • SYSOP wrote:

    Nathan,

    Thanks for your response. I was referring to a script which would handle the automatic stopping/starting of services + removal of the quarantine file(s) for the affected endpoints... then a forced Update for each.

    Also, with the removal of the Quarantine file(s), how does this affect reporting? (Only asking here since I might not be the only one interested in this answer)

    Thanks again!


    The script in http://www.sophos.com/en-us/support/knowledgebase/118323.aspx will do what you're looking for. Please give that a go and let me know how you make out.

    As for the reporting question, clearing the items from the endpoint QM by deleting quarantine.xml won't clear them from SEC. So if you're looking for a way to determine how many machines were affected, that information will still be in the Console. Also, QC posted some SQL that will extract that from the database. Hope that answers your question.

  • When trying to run the VB script (FixUpdate.vbs) from an elevated command prompt on a users PC, it fails.  It cannot stop the service. If we log onto the same PC with an administrative account, the script runs fine.


  • BlackDiamond wrote:

    When trying to run the VB script (FixUpdate.vbs) from an elevated command prompt on a users PC, it fails.  It cannot stop the service. If we log onto the same PC with an administrative account, the script runs fine.


    That's rather unexpected. Win7 or WinXP?
