
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

:29723


  • I can give that a go, but even if we kill the task in Task Manager it comes back again and again... eventually it stops and the MSI from the Sophos share installs OK... strange

    :32301
  • I cannot attach a screenshot.

    :32305
  • I'm seeing Sophos AutoUpdate get stuck in an infinite loop when its files have been moved, and when it tries to restart it calls msiexec. I would suggest that in your script you put a check in to see if it has really stopped, and if it hasn't, use taskkill to stop the Sophos processes and then kill msiexec.

    :32309
  • As User With Elevated CMD

    C:\WCICC-IT\Agen-xuvIssue>cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\ G---\SophosUpdate\CIDs\S000\SAVSCFXP /updateNow:true

    Version 1.4

    Trigger update option enabled

    Problem IDE is present.

    IDE that fixes issue is NOT present.

    Update did not receive newer IDEs.

    Stopping SAV service Failed to stop service with error:

    2 Failed to stop SAV service

    As ADMIN With Elevated CMD

    C:\WCICC-IT\Agen-xuvIssue>cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\ G---\SophosUpdate\CIDs\S000\SAVSCFXP /updateNow:true

    Version 1.4

    Trigger update option enabled

    Problem IDE is present.

    IDE that fixes issue is present.

    Update did not receive newer IDEs.

    Stopping SAV service Deleting Quarantine.xml file

    SAU files missing

    SAU Installation successful

    Starting SAV service

    Triggering update of product

    :32311
  • I am having a go at resolving this issue that we are having, but I am getting stuck at a certain point...

    We have the Clean Up set to "deny access and move to default location", but when looking in C:\Program Files\Sophos\Sophos Anti-Virus there is no "INFECTED" folder; there are only two folders in this directory, "Web Control" and "Web Intelligence".

    Files have definitely been moved to this location, as I am seeing this in email from the console: "Infected file "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" has been moved to "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\ALsvc.exe.000"."

    I have checked several machines that are affected, and all are the same, having no "INFECTED" folder. So I am kind of stuck, not knowing which path to take to get this issue resolved on my machines. Is there one fix for all scenarios that I can try?

    Also... We are seeing more than just the Sophos Update files affected by this; will the "fix" that is run also restore all other files that were affected?

    :32313
  • Hi,

    Server seems to be updated. I see endpoints with error:

    Event Decode Unavailable (Event number: "-1604845556" Message Code: "SAVXP.2690121740" Inserts: "0", "", "", "", "")

    If I try to "protect" them I get another error:

    Code 00000005 Verification of update files failed. The files did not match the manifest.

    help here!

    :32321

  • SLCIT wrote:

    I am having a go at resolving this issue that we are having, but I am getting stuck at a certain point...

    We have the Clean Up set to "deny access and move to default location", but when looking in C:\Program Files\Sophos\Sophos Anti-Virus there is no "INFECTED" folder; there are only two folders in this directory, "Web Control" and "Web Intelligence".

    Files have definitely been moved to this location, as I am seeing this in email from the console: "Infected file "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" has been moved to "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\ALsvc.exe.000"."

    I have checked several machines that are affected, and all are the same, having no "INFECTED" folder. So I am kind of stuck, not knowing which path to take to get this issue resolved on my machines. Is there one fix for all scenarios that I can try?

    Also... We are seeing more than just the Sophos Update files affected by this; will the "fix" that is run also restore all other files that were affected?


    Hi, I think I see the problem. The INFECTED folder is in ProgramDATA, not Program Files. At any rate, if Autoupdate is broken you'll have better luck using the script from 118323 first, then use the script in KB 118315. The advisory has been updated with this recommendation as well.

    :32323

  • xTiNcTion wrote:

    Hi,

    Server seems to be updated. I see endpoints with error:

    Event Decode Unavailable (Event number: "-1604845556" Message Code: "SAVXP.2690121740" Inserts: "0", "", "", "", "")

    If I try to "protect" them I get another error:

    Code 00000005 Verification of update files failed. The files did not match the manifest.

    help here!


    Sounds like your endpoint hasn't been updated yet. Have you followed all of the steps in the advisory KBA 118311 yet? If not, give that a shot first and let me know how you make out. Especially note the temporary changes to your OnAccess policy.

    :32325

  • BlackDiamond wrote:

    As User With Elevated CMD

    C:\WCICC-IT\Agen-xuvIssue>cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\ GOVID802\SophosUpdate\CIDs\S000\SAVSCFXP /updateNow:true

    Version 1.4

    Trigger update option enabled

    Problem IDE is present.

    IDE that fixes issue is NOT present.

    Update did not receive newer IDEs.

    Stopping SAV service Failed to stop service with error:

    2 Failed to stop SAV service

    As ADMIN With Elevated CMD

    C:\WCICC-IT\Agen-xuvIssue>cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\ GOVID802\SophosUpdate\CIDs\S000\SAVSCFXP /updateNow:true

    Version 1.4

    Trigger update option enabled

    Problem IDE is present.

    IDE that fixes issue is present.

    Update did not receive newer IDEs.

    Stopping SAV service Deleting Quarantine.xml file

    SAU files missing

    SAU Installation successful

    Starting SAV service

    Triggering update of product


    Can you try to perform a net stop savservice logged on as you were in the first example? If that still fails, I would suspect that perhaps there has been something changed in the security policy that prevents Administrator from being able to stop services? Just guessing here, as I haven't been able to reproduce the behavior you're seeing.

    :32329
  • Hi everybody,

    I have a lot of Sophos products installed on Spanish operating systems, and the scripts are not working. I have updated the scripts with the Spanish OS variables but still get code errors. I have spent hours trying without success. Can somebody try the scripts for other languages? I can help to work on it.

    :32331
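An added example in PowerShell (not the Sophos FixUpdate.vbs, not the KB scripts, and not code posted by anyone in this thread) that ties together the practical points raised above: verify a service really stopped instead of trusting the return of net stop (the "Failed to stop service with error: 2" output and the taskkill fallback suggested earlier), look for the quarantined copies under %ProgramData%\Sophos\Sophos Anti-Virus\INFECTED rather than under Program Files, and avoid localized group and folder names so the same script behaves on a Spanish OS. It assumes that 'SAVService' (the name used in net stop savservice above) plus any service whose name starts with 'Sophos' are the ones to stop, and that the processes that loop are ALsvc.exe, swi_update.exe and msiexec.exe as named in the alerts; both lists are assumptions to confirm with Get-Service and Task Manager before use. Get-FileHash needs PowerShell 4 or later. The script only reports what was quarantined and does not restore, delete or restart anything; reinstalling from the CID share remains the step the thread's scripts perform.

```powershell
# Added example for this thread; not the Sophos FixUpdate.vbs or the KB scripts.
# Assumptions (not from the thread): services to stop are 'SAVService' plus any
# service named 'Sophos*'; the looping processes are ALsvc, swi_update, msiexec.
[CmdletBinding()]
param(
    [string[]]$ServiceNames  = @('SAVService'),                     # from 'net stop savservice' above
    [string[]]$KillProcesses = @('ALsvc', 'swi_update', 'msiexec'), # assumption: the stuck processes
    [string]$QuarantineDir   = (Join-Path $env:ProgramData 'Sophos\Sophos Anti-Virus\INFECTED'),
    [string]$ProductRoot     = (Join-Path $env:ProgramFiles 'Sophos'),
    [int]$TimeoutSec         = 30
)

# 1. Elevation check through the well-known role, not the localized group name
#    ('Administrators' vs 'Administradores'), so it is the same on a Spanish OS.
#    A non-elevated caller is one way to get 'Failed to stop service with error: 2'.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated prompt as a member of the local Administrators group.'
}

# 2. Stop the services and verify they are actually Stopped; if a service hangs
#    (AutoUpdate looping while its files are missing), kill the processes instead.
$targets = Get-Service | Where-Object { $ServiceNames -contains $_.Name -or $_.Name -like 'Sophos*' }
foreach ($svc in $targets) {
    if ($svc.Status -eq 'Stopped') { continue }
    Write-Verbose "Stopping $($svc.Name)"
    try { Stop-Service -Name $svc.Name -Force -ErrorAction Stop }
    catch { Write-Warning "Stop-Service $($svc.Name): $_" }

    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Service -Name $svc.Name).Status -ne 'Stopped' -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 2
    }
    if ((Get-Service -Name $svc.Name).Status -ne 'Stopped') {
        Write-Warning "$($svc.Name) did not stop within ${TimeoutSec}s; killing its processes"
        Get-Process -Name $KillProcesses -ErrorAction SilentlyContinue | Stop-Process -Force
    }
}
# msiexec re-spawned by AutoUpdate keeps the loop alive; remove any leftover instance.
Get-Process -Name msiexec -ErrorAction SilentlyContinue | Stop-Process -Force

# 3. Inventory what on-access scanning moved. The console alert quoted in the
#    thread shows the pattern <original name>.000 under ProgramData\...\INFECTED.
#    These are the product's own binaries, so record hashes before anything is
#    restored or deleted, and flag originals that are still missing.
$report = Get-ChildItem -Path $QuarantineDir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $original     = $_.Name -replace '\.\d{3}$', ''   # ALsvc.exe.000 -> ALsvc.exe
    $stillPresent = Get-ChildItem -Path $ProductRoot -Recurse -Filter $original -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Quarantined   = $_.FullName
        Original      = $original
        OriginalFound = [bool]$stillPresent
        SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        MovedAt       = $_.LastWriteTime
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.OriginalFound }) {
    Write-Warning 'Product binaries are still missing; reinstall from the CID share before starting the services again.'
}
```

Run it with -Verbose from an elevated prompt to see each service it touches. Using $env:ProgramData and $env:ProgramFiles instead of literal C:\ paths, and the Administrator role instead of a group name, is what keeps it language-independent; the service and process lists are the parts to adjust per environment.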