
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • Alphateam wrote:

    I cannot get through to tech support. I have gotten hung up on MANY times. When I add my name to be called back, the calls never come. I have been trying since 8am today to talk to someone in support.

    Can I just create a new Sophos server and push out the current client? Will the new client and settings replace any of the clients that are broken?


    First, I apologize for the difficulty you are having reaching support. I can assure you that nobody is being intentionally hung up on; however, our phone system is under incredible load right now and has dropped a few unfortunate callers. Please try again if answers to your questions aren't easily found in the articles that have been released to assist with this issue.

    Creating a new Sophos server and reprotecting is going to be more work than remediating your current environment. Further, reprotecting endpoints will likely fail if you are still getting false positives, as the new files pushed to the endpoints will be deleted again. Please work through the steps in Advisory KBA and if you hit a snag, post back here and I or someone else may be able to provide you an answer to get you going again.


  • al04 wrote:

    The pushd is to make a temporary drive to that server and the popd is to release it when finished.


    So those options work for you if you run them manually rather than through a script? I ask because I attempted that on my test rig and couldn't get the pushd option to work.

     
    On edit: Instead of using the pushd/popd options, try supplying the full UNC path to the VBS and see if that works better for you.


  • Juan_Carlos wrote:

    Perhaps instead of installing a new server, you CAN and you MUST, at the end of this horrible tunnel, re-protect your machines. This is the final solution. I just posted 3 scripts that will work for solving your SUM and Endpoints Solution; the scripts and all the files are in English also. Hope it helps


    I run the script on the existing clients after the new server install?

  • Those options work for me because a bat file is using the command prompt.


  • Nathan wrote:

    Alphateam wrote:

    I cannot get through to tech support. I have gotten hung up on MANY times. When I add my name to be called back, the calls never come. I have been trying since 8am today to talk to someone in support.

    Can I just create a new Sophos server and push out the current client? Will the new client and settings replace any of the clients that are broken?


    First, I apologize for the difficulty you are having reaching support. I can assure you that nobody is being intentionally hung up on; however, our phone system is under incredible load right now and has dropped a few unfortunate callers. Please try again if answers to your questions aren't easily found in the articles that have been released to assist with this issue.

    Creating a new Sophos server and reprotecting is going to be more work than remediating your current environment. Further, reprotecting endpoints will likely fail if you are still getting false positives, as the new files pushed to the endpoints will be deleted again. Please work through the steps in Advisory KBA and if you hit a snag, post back here and I or someone else may be able to provide you an answer to get you going again.


    I know it isn't intentional, but frustrating nonetheless. I've been trying to get this worked out since I first got in Thursday morning. I have gone through all the steps on the knowledge base I could, but some of the scenarios do not fit my situation, hence the calls to tech support. The update manager says it's updating, but I'm not getting the javab-jd.ide. I ran the VBS script and it bombed out halfway through. Without any further help from Sophos, the only option I could come up with was a complete rebuild.

  • Alphateam, give this a shot. I posted it yesterday but these posts get buried fast

    HOW I FIXED MY SUM (The slightly longer but easy way)

    1. Disable on access scanning on the server

    2. Launch the Setup.exe in here: C:\Program Files (x86)\Sophos\Enterprise Console\SUMInstaller (You will get errors)

    3. When the installer says it can't find the file, search for the name here: C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

    4. You will find the missing files with .000 appended to them

    5. Copy the files out of the infected folder to the path specified by the installer

    6. Hit retry, it will find your file

    7. Repeat for each file; my server needed I think 4 files restored.

    8. This will repair the SUM and start the service

    9. Use "Update Now" on your update manager in the enterprise console

  • If anyone is interested, we have created a script (VBS) that queries AD for computer names, then reads the SAV.txt log from Sophos to reverse the move of files that were wrongly moved/flagged as INFECTED. Best of all it has reporting!

    ' If you have any question/comment, please visit https://bitbucket.org/ncta/sophos-fixer
    
    ' Copyright (c) 2012 National Cable Telecommunication Association
    ' Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
    ' to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, 
    ' and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
    ' The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
    ' THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
    ' FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 
    ' WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
    
    Dim strFilter, strAttrs, strScope, strDNSSuffix, strBase
    Dim objConn, objRS, objShell,objExec,objFSO,objFile, fileName
    Dim objFSOLog, MasterLogFileTxt
    Dim currentDateTime, LogFileDirectory, MasterLogFile
    Dim ComputerFoundFileCounter, ComputerMoveFileCounter, CantMoveFountCounter, ComputerCounter
    Dim LogFileCantMove, WindowsDirectory
    Dim TriggerRestart, TriggerFindAndMoveFile, RunForXPCOnly
    Dim LogFileName
    
    Const ForReading = 1, ForWriting = 2, ForAppending = 8 
    
    TriggerRestart = False
    TriggerFindAndMoveFile = True
    
    'Set RunForXPCOnly to -1 to run on all PC or 10 to run on the first 10 PC
    RunForXPCOnly = -1
    
    WindowsDirectory = "C$\Windows\System32\"
    
    Set objFSOLog = CreateObject("Scripting.FileSystemObject")
    
    WScript.Echo "I'm starting. Click Ok to start.  To stop, change the log folder and it will run into error and stop."
    
    LogFileDirectory = "C:\Log\Sophos\"
    
    CreateLogDirectoryAndFile()
      
    Set objShell = CreateObject("Wscript.Shell")
     
    ' List out the OU's you want computers in to be rebooted. Remember, if you add an OU,
    ' increment the strRoot(x) in *both* places.
    ' dc is for your domain Controller.  
    ' ou is your folder directory going backward. 
    ' e.g. if you have a folder like this: \\MyDomainControler.net\Network\Computers\Admin\Test,
    ' then the LDAP string would be something like this: <LDAP://DC-ii/ou=Test,ou=Admin,ou=Computers,ou=Network,dc=MyDomainController,dc=net>;
    Dim strRoot(0)
    strRoot(0) = "<LDAP://Domain Controller name/ou=,dc=>;"
     
    ' Set the filter for computers only
    strFilter = "(objectclass=computer);"
    strAttrs  = "name;"
    strScope  = "subtree"
     
    ' Your domain name like example above would be .MyDomainControler.net
    strDNSSuffix = ""
     
    'This is your main loop, each time a different OU.
    For i = 0 To UBound(strRoot)
        strBase   =  strRoot(i)
        Set objConn = CreateObject("ADODB.Connection")
        objConn.Provider = "ADsDSOObject"
        objConn.Open "Active Directory Provider"
        Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
        objRS.MoveFirst
    	 
    	Dim count
    	count = 0
    	ComputerCounter = 0
    
    	WriteToLog MasterLogFile, "Starting The script"
    	 
    	'This is your inner loop, each time an individual PC found in the search of the base.
    	Do while not objRS.eof
    		ComputerCounter = ComputerCounter + 1
    		If count < RunForXPCOnly OR RunForXPCOnly = -1 THEN
    
    			WriteToLog MasterLogFile, "Starting machine #" & ComputerCounter & ". """ & objRS.Fields("name").Value & """."
    				
    			' Read Sophos Log File and Move Back to original location if it doesn't exist
    			IF TriggerFindAndMoveFile = True THEN
    				SearchSophosLogAndMoveFileBack(objRS.Fields("name").Value)
    				WScript.Sleep 2000
    			End IF
    				
    			' Restart PC
    			IF TriggerRestart = True THEN
    				WriteToLog MasterLogFile, "Restarting '" & objRS.Fields("name").Value & "' now"
    				ShutDownComputer(objRS.Fields("name").Value & strDNSSuffix)
    				WScript.Sleep 2000
    			END IF
    			
    			WriteToLog MasterLogFile, "Complete for " & objRS.Fields("name").Value & " -- Found: " & ComputerFoundFileCounter & ", Moved: " & ComputerMoveFileCounter & ", Can't Move:" & CantMoveFountCounter & "."
    			count = count + 1
    			
    		End If
    		objRS.MoveNext					 
    
    	Loop
    	    
    	objRS.Close
        Set objRS = Nothing
    	 
    	objConn.Close
        Set objConn = Nothing	 
    Next
    
    WriteToLog MasterLogFile, "Stopping The script"
    WScript.Echo "I'm Done."
    
    ' End of Script
    
    '
    ' Starting all Sub Functions
    '
    
    Sub SearchSophosLogAndMoveFileBack(byval strComputer)
    	
    	ComputerMoveFileCounter = 0
    	ComputerFoundFileCounter = 0
    	CantMoveFountCounter = 0
    	
    	Dim PC
    	Dim OneLine
    	Dim Loc1,  Loc2, Loc3, Loc4, FindText, StartFromDate
    	Dim FileSource, FileDest
    
    	PC = "\\" & strComputer & "\"
    	LogFileName = LogFileDirectory & strComputer & ".txt"
    	
    	StartFromDate = "20120919"
    	FindText = "has been moved to"
    
    	FileName = PC & "C$\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt"
    
    	Const ForReading = 1
    	Const TristateUseDefault = -2
    
    	Set objFSO = CreateObject("Scripting.FileSystemObject")
    	
    	IF (ObjFso.FileExists(FileName)) THEN		
    		Set objFile = objFSO.OpenTextFile(FileName, ForReading, False, TristateUseDefault)
    
    		Dim arrFileLines()
    		i = 0
    
    		Do Until objFile.AtEndOfStream
    			Redim Preserve arrFileLines(i)
    			arrFileLines(i) = objFile.ReadLine
    			i = i + 1
    		Loop
    		objFile.Close
    		
    		' GET EV Variable
    		Dim EV_ALLUSERSPROFILE, ALLUSERSPROFILE_Loc		
    		Set oShell = CreateObject( "WScript.Shell" )
    		EV_ALLUSERSPROFILE = oShell.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
    		ALLUSERSPROFILE_Loc = "C:\Documents and Settings\All Users"
    
    		For Each strLine in arrFileLines
    			OneLine = strLine
    			IF (InStr(OneLine, FindText) > 0 and Mid(OneLine, 1, 8) >= StartFromDate) THEN
    					Loc1 = InStr(OneLine, """")
    					Loc2 = InStr(Loc1 + 1, OneLine, """")
    					Loc3 = InStr(Loc2 + 1, OneLine, """")
    					Loc4 = InStr(Loc3 + 1, OneLine, """")
    					
    					FileSource = Mid(OneLine, Loc3 + 1, Loc4 - Loc3 - 1)
    					FileDest =  Mid(OneLine, Loc1 + 1, Loc2 - Loc1 - 1)
    					
    					IF (InStr(FileDest, ALLUSERSPROFILE_Loc) > 0) THEN
    						FileDest = Replace(FileDest, ALLUSERSPROFILE_Loc, EV_ALLUSERSPROFILE)
    					END IF				
    
    					FileSource = PC & Replace(FileSource, ":", "$")
    					FileDest = PC & Replace(FileDest, ":", "$")	
    					
    					MoveFile FileSource, FileDest
    			End IF			
    		Next
    	END IF 
    End Sub
    
    Sub MoveFile (byval FileFrom, byval FileTo)
    	
    	Set ObjFso1 = CreateObject("Scripting.FileSystemObject")	
    
    	WriteToLog LogFileName, "Found File -- """ & FileFrom & """ --- To --- """ & FileTo & """"
    	ComputerFoundFileCounter = ComputerFoundFileCounter +1 
    	
    	IF (ObjFso1.FileExists(FileFrom) AND ObjFso1.FileExists(FileTo) = false)  THEN
    		'WScript.Echo "-- Moving " & FileFrom & " --- To --- " & FileTo
    		
    		IF (InStr(FileTo, WindowsDirectory) > 0) Then
    			WriteToLog LogFileCantMove, "Cannot move file -- """ & FileFrom & """ --- To --- """ & FileTo & """"	
    			CantMoveFountCounter = CantMoveFountCounter + 1
    		Else
    			MakeSureFolderExist FileTo
    			ObjFso1.MoveFile FileFrom, FileTo
    
    			' Log file to move
    			WriteToLog LogFileName, "Moving -- """ & FileFrom & """ --- To --- """ & FileTo & """"
    			ComputerMoveFileCounter = ComputerMoveFileCounter + 1
    		End If
    	End If		
    
    End Sub
    
    Sub WriteToLog (byval FileName, byval Message)
    	
    	Dim filesys, filetxt
    	Set filesys = CreateObject("Scripting.FileSystemObject")
    	Set filetxt = filesys.OpenTextFile(FileName, ForAppending, True) 
    	GetCurrentDateTimeString()
    	filetxt.WriteLine(currentDateTime & " -- " & Message)
    	filetxt.Close
    	set filesys = Nothing
    	
    End Sub
    
    Sub ShutDownComputer(byval strComputer)
        Dim strShutDown,objShell
     
         ' Your psshutdown command with the following options: -r reboot, -f force, -c allow the user to cancel the shutdown,
         ' -t 15 give the user a 15-second countdown, -e p:0:0 set the shutdown reason code, -m set the message shown to the user
        strShutDown ="C:\PSTools\psshutdown.exe -r -f -c -t 15 -e p:0:0 -m " & chr(34) & "Restart of computer for update" & chr(34) & " \\" & strComputer
    	 
         Set objShell = CreateObject("WScript.Shell")
         objShell.Run strShutdown, 0, False
     
         Set objShell = Nothing
    End Sub
    
    Sub CreateLogDirectoryAndFile()
    	GetCurrentDateTimeString ()
    
    	LogFileDirectory = LogFileDirectory & currentDateTime & "\"
    	If Not objFSOLog.FolderExists(LogFileDirectory) Then
    	  objFSOLog.CreateFolder LogFileDirectory
    	End If
    
    	MasterLogFile = LogFileDirectory & "MasterLog.txt"
    	LogFileCantMove  = 	LogFileDirectory & "CantMoveFiles.txt"	
    End Sub
    
    Sub GetCurrentDateTimeString()
    	currentDateTime = Year(Now) & "-" & Month(Now) & "-" & Day(Now) & "-" & Hour(Now) & "-" & Minute(Now) & "-" & Second(Now)
    End Sub
    
    Sub MakeSureFolderExist (byval FileName)
    	Dim FolderDir, IndexEnd, StartIndex, filesys
    	set filesys=CreateObject("Scripting.FileSystemObject")
    	
    	' set IndexEnd at 5 to skip the "\" in "\\" + Computer_Name
    	IndexEnd = 5
    	' Start making sure folder exist after reaching the Drive not before
    	StartIndex = InStr(FileName, "$") + 2
    
    	Do While (InStr(IndexEnd + 1, FileName, "\")  > 0)
    		IndexEnd = InStr(IndexEnd + 1, FileName, "\") 
    		FolderDir = Mid(FileName, 1, IndexEnd)
    		
    		If IndexEnd > StartIndex Then
    			If  Not filesys.FolderExists(FolderDir) Then
    			   filesys.CreateFolder (FolderDir)
    			End If
    		End If
    	Loop
    End Sub

    If you would like more info, check out our Bitbucket account: https://bitbucket.org/ncta/sophos-fixer

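As an added illustration, not part of the sophos-fixer script above nor any Sophos tool, the Python below is a dry-run planner that mirrors the script's SAV.txt handling: keep only lines dated on or after the start date that contain "has been moved to", take the first quoted path as the original location and the second as the quarantine location, remap the legacy "Documents and Settings\All Users" prefix, and hold back anything under System32 for manual review instead of moving it. The log lines are constructed from what the script's string handling implies, not copied from a real SAV.txt, and the planner never touches the filesystem, so it can be run against copied logs before any restore.

```python
import re

# Constructed SAV.txt excerpt shaped the way the VBS script parses it
# (8-digit date prefix, original path in the first quoted string, quarantine
# path in the second). Sample data only, not a real Sophos log.
SAMPLE_SAV_LOG = """\
20120918 091000 File "C:\\Windows\\System32\\oldfile.dll" belonging to virus/spyware 'Shh/Updater-B' has been moved to "C:\\ProgramData\\Sophos\\Sophos Anti-Virus\\INFECTED\\oldfile.dll.000".
20120919 142301 File "C:\\Program Files\\Sophos\\Sophos Anti-Virus\\Web Intelligence\\swi_update.exe" belonging to virus/spyware 'Shh/Updater-B' has been moved to "C:\\ProgramData\\Sophos\\Sophos Anti-Virus\\INFECTED\\swi_update.exe.000".
20120919 142305 File "C:\\Documents and Settings\\All Users\\Vendor\\agent.exe" belonging to virus/spyware 'Shh/Updater-B' has been moved to "C:\\ProgramData\\Sophos\\Sophos Anti-Virus\\INFECTED\\agent.exe.000".
20120919 142310 File "C:\\Windows\\System32\\drivers\\example.sys" belonging to virus/spyware 'Shh/Updater-B' has been moved to "C:\\ProgramData\\Sophos\\Sophos Anti-Virus\\INFECTED\\example.sys.000".
20120919 150000 Scan completed.
"""

# Same selection rule as the script: date prefix, then the two quoted paths
# around "has been moved to".
MOVED_RE = re.compile(
    r'^(?P<date>\d{8})\s.*?"(?P<orig>[^"]+)".*?has been moved to\s+"(?P<quar>[^"]+)"'
)

LEGACY_ALLUSERS = "C:\\Documents and Settings\\All Users"  # pre-Vista prefix the script rewrites
SYSTEM32 = "C:\\Windows\\System32\\"                        # prefix the script refuses to restore into


def plan_restores(log_text, start_from="20120919", allusersprofile="C:\\ProgramData"):
    """Return (action, quarantine_path, original_path) tuples.

    action is 'restore' for files the script would move back and 'review' for
    System32 targets, which the script logs to CantMoveFiles.txt instead.
    allusersprofile stands in for the script's %ALLUSERSPROFILE% lookup.
    """
    plan = []
    for line in log_text.splitlines():
        m = MOVED_RE.match(line)
        if not m or m.group("date") < start_from:   # yyyymmdd strings compare correctly
            continue
        orig = m.group("orig")
        if orig.startswith(LEGACY_ALLUSERS):
            orig = allusersprofile + orig[len(LEGACY_ALLUSERS):]
        action = "review" if orig.lower().startswith(SYSTEM32.lower()) else "restore"
        plan.append((action, m.group("quar"), orig))
    return plan


def to_admin_share(computer, local_path):
    """Rewrite C:\\dir\\file to \\\\computer\\C$\\dir\\file, as the script does for remote moves."""
    drive, rest = local_path.split(":", 1)
    return f"\\\\{computer}\\{drive}${rest}"


if __name__ == "__main__":
    for action, quar, orig in plan_restores(SAMPLE_SAV_LOG):
        print(f"{action:8} {to_admin_share('PC01', quar)} -> {to_admin_share('PC01', orig)}")
```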

  • kurbycar32 wrote:

    Alphateam, give this a shot. I posted it yesterday but these posts get buried fast

    HOW I FIXED MY SUM (The slightly longer but easy way)

    1. Disable on access scanning on the server

    2. Launch the Setup.exe in here: C:\Program Files (x86)\Sophos\Enterprise Console\SUMInstaller (You will get errors)

    3. When the installer says it can't find the file, search for the name here: C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

    4. You will find the missing files with .000 appended to them

    5. Copy the files out of the infected folder to the path specified by the installer

    6. Hit retry, it will find your file

    7. Repeat for each file; my server needed I think 4 files restored.

    8. This will repair the SUM and start the service

    9. Use "Update Now" on your update manager in the enterprise console


    Please avoid disabling OnAccess scanning. We have a few reports now of customers that had previously unknown dormant Conficker infections or USB keys that had Conficker on them. They've recovered from the SHH false positive and found themselves battling a Conficker infection again. I'm not trying to panic anyone, just be VERY careful if you're considering turning off the OnAccess scanner.


  • Alphateam wrote:

    Nathan wrote:

    Alphateam wrote:

    I cannot get through to tech support. I have gotten hung up on MANY times. When I add my name to be called back, the calls never come. I have been trying since 8am today to talk to someone in support.

    Can I just create a new Sophos server and push out the current client? Will the new client and settings replace any of the clients that are broken?


    First, I apologize for the difficulty you are having reaching support. I can assure you that nobody is being intentionally hung up on; however, our phone system is under incredible load right now and has dropped a few unfortunate callers. Please try again if answers to your questions aren't easily found in the articles that have been released to assist with this issue.

    Creating a new Sophos server and reprotecting is going to be more work than remediating your current environment. Further, reprotecting endpoints will likely fail if you are still getting false positives, as the new files pushed to the endpoints will be deleted again. Please work through the steps in Advisory KBA and if you hit a snag, post back here and I or someone else may be able to provide you an answer to get you going again.


    I know it isn't intentional, but frustrating nonetheless. I've been trying to get this worked out since I first got in Thursday morning. I have gone through all the steps on the knowledge base I could, but some of the scenarios do not fit my situation, hence the calls to tech support. The update manager says it's updating, but I'm not getting the javab-jd.ide. I ran the VBS script and it bombed out halfway through. Without any further help from Sophos, the only option I could come up with was a complete rebuild.


    If you haven't already rebuilt your environment, please post where you're currently stuck and we'll see about getting you the help you need to get going again.

  • My question is: will there be a "One Stop Shop" exe file to fix this error instead of going through multiple steps which might not even work? If so, when? I'm sure everyone here would like to know. Thank you.
