
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • Nathan wrote:

    Di-Ankh wrote:

    Would this be an answer for my issue?  Not sure if this applies to Windows 2003 server or not...

    http://www.sophos.com/en-us/support/knowledgebase/118323.aspx


    Hi,


    Yes, I would give that a go. Please let me know if you have any trouble with it.


    This script works for me if I run it locally with Admin rights but I'm having a tough time scripting it with PSExec to trigger remotely. Can anyone post up again the syntax for that please...

    EDIT: I'm able to push the files out to a temp folder on remote machines but not execute the .vbs with the required switches.


  • Nathan wrote:

    al04 wrote:

    Nathan wrote:

    al04 wrote:

    Nathan wrote:

    al04 wrote:

    The pushd is to make a temporary drive to that server and the popd is to release it when finished.


    So those options work for you if you run them manually rather than through a script? I ask because I attempted that on my test rig and couldn't get the pushd option to work.

     
    On edit: Instead of using the pushd/popd options, try supplying the full UNC path to the VBS and see if that works better for you.


    I am able to use the pushd options but I am still getting an error on the line RestoreCacheFilesfromCID-SAUreinstall action failure:1622. I have looked on other forums about this error and there is nothing. I have been working on this problem for the last two days and I'm getting very frustrated.


    I can appreciate your frustration. Unfortunately, this is the only report I've seen with the error 1622. I know it works without the pushd option, thus why I wanted to remove that variable from the equation. It isn't necessary to use the pushd option if you supply the full path to the script file when you call it with cscript. Can you give that a try please and let me know if you make any progress? Meanwhile I'll check with the developer of the script to see if they have any other ideas.


    How did you get it to work with the cscript?


    Hi,
    I was stumped by the 1622 message, as that is from Windows Installer and means that it can't write the install log. I thought that the install log was going to the default %windir%\temp location, but the developer tells me that the log is actually written to the current working directory, i.e. your network share. I presume the share is read-only? That might explain it. We're looking at changing that behavior in a future update to the script. Could take a little time for that to happen though, so for now maybe copy the script file and ide file to a local directory before calling it with cscript?

    Sorry for not catching that earlier!


    Do you know if the script is made for Windows 7 32 and 64 bit machines?



  • I have no idea what to do and if I use the auto update fix it just turns sophos back on on my user workstations and begins killing itself and the two previously mentioned programs.

    Does anyone have a fix for this, or am I screwed and need to uninstall the control center, start over, and reinstall the control center and 30+ workstations?


    Provided your update server is OK and has downloaded the latest definitions, then:

    If you have policies set, then disable on-access scanning. Once the policy has kicked in, the stations can be rebooted and they should update. If any files are in quarantine, clear them (don't delete them). Once you have cleared them and all PCs have updated, turn the on-access scanning policy back on.

    This can be done manually if needed, 30 stations isn't too bad to deal with.


  • al04 wrote:

    Nathan wrote:

    al04 wrote:

    Nathan wrote:

    al04 wrote:

    Nathan wrote:

    al04 wrote:

    The pushd is to make a temporary drive to that server and the popd is to release it when finished.


    So those options work for you if you run them manually rather than through a script? I ask because I attempted that on my test rig and couldn't get the pushd option to work.

     
    On edit: Instead of using the pushd/popd options, try supplying the full UNC path to the VBS and see if that works better for you.


    I am able to use the pushd options but I am still getting an error on the line RestoreCacheFilesfromCID-SAUreinstall action failure:1622. I have looked on other forums about this error and there is nothing. I have been working on this problem for the last two days and I'm getting very frustrated.


    I can appreciate your frustration. Unfortunately, this is the only report I've seen with the error 1622. I know it works without the pushd option, thus why I wanted to remove that variable from the equation. It isn't necessary to use the pushd option if you supply the full path to the script file when you call it with cscript. Can you give that a try please and let me know if you make any progress? Meanwhile I'll check with the developer of the script to see if they have any other ideas.


    How did you get it to work with the cscript?


    Hi,
    I was stumped by the 1622 message, as that is from Windows Installer and means that it can't write the install log. I thought that the install log was going to the default %windir%\temp location, but the developer tells me that the log is actually written to the current working directory, i.e. your network share. I presume the share is read-only? That might explain it. We're looking at changing that behavior in a future update to the script. Could take a little time for that to happen though, so for now maybe copy the script file and ide file to a local directory before calling it with cscript?

    Sorry for not catching that earlier!


    Do you know if the script is made for Windows 7 32 and 64 bit machines?


    Should work on both architectures. Are you seeing instances where it doesn't?

  • Nathan, I have a Sophos removal tool that support helped me with months ago, built for some other reason. Would deploying the removal tool, and then allowing the product to reinstall itself, be a legit solution to this problem?


  • kurbycar32 wrote:

    Nathan, I have a Sophos removal tool that support helped me with months ago, built for some other reason. Would deploying the removal tool, and then allowing the product to reinstall itself, be a legit solution to this problem?


    Possibly, but I don't think it will be any easier than deploying the script from KBA 118323. I recommend trying that first rather than a full uninstall/reinstall.

  • Unfortunately the instructions there say that if the script returns SAU files missing, I need to manually copy over the AutoUpdate CID to the client. With 2,000 machines infected this is kind of a problem. What would be nice is if Sophos released a new client with the fix enabled in the exe, then we could just reprotect the clients from the console. By the way, the removal tool was old and doesn't yank out version 10 clients.


  • kurbycar32 wrote:

    Unfortunately the instructions there say that if the script returns SAU files missing, I need to manually copy over the AutoUpdate CID to the client. With 2,000 machines infected this is kind of a problem. What would be nice is if Sophos released a new client with the fix enabled in the exe, then we could just reprotect the clients from the console. By the way, the removal tool was old and doesn't yank out version 10 clients.


    Hi,

    I'll get that KBA updated with some better information for this scenario.
    I don't think copying the SAU files locally will work here. If the UNC path is entered correctly after the /cid: switch, then the likely reason the files would be missing is if they had been deleted/moved from the CID due to the false positive. I was just working with another customer that had that exact scenario, where the SAU files were missing from the CID due to a scheduled scan that deleted them.

    What you need to do first is get your Sophos Update Manager working correctly. Once that is done and the CID is complete, then you can successfully run the script. You can confirm if this is your issue by checking to see if alsvc.exe is in the CID or not. HTH
  • I have 3 CID folders, all have the alsvc file. Here is the command I executed:

    cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\sophos-server\SophosUpdate\CIDs\S000\SAVSCFXP /updateNow:true

    Per the documentation I attempted to run this manually before deploying it, and it hasn't been able to fix anything yet.

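The two pieces of advice in this thread (copy FixUpdate.vbs and its .ide to a local directory and call it with a full path so Windows Installer can write its log and no pushd/popd mapping is needed; and check that alsvc.exe is still in the CID before running the fix) can be combined into one rollout script. The following is an added example, not the Sophos KBA 118323 script and not code posted by anyone in the thread. The /cid: path and the cscript switches are the ones posted above; the host names, the staging share ($FixSource), the client-side directory ($LocalDir), the PsExec location and the exact .ide file name are assumptions and must be replaced with your own values.

```powershell
<#
  Added example (not the Sophos KBA script): stage the fix locally on each
  client and run it with a full local path under PsExec.
  ASSUMED placeholders: host names, $FixSource, $LocalDir, $PsExec, the .ide
  file name. The /cid: path and switches are the ones posted in the thread.
#>
param(
    [string[]]$Computers = @('WKS001', 'WKS002'),                            # assumed host names
    [string]$CidPath   = '\\sophos-server\SophosUpdate\CIDs\S000\SAVSCFXP',  # from the posted command
    [string]$FixSource = '\\sophos-server\Tools\FixUpdate',                  # assumed: holds FixUpdate.vbs + its .ide
    [string]$LocalDir  = 'C:\Temp\SophosFix',                                # assumed client-side working directory
    [string]$PsExec    = 'C:\Tools\PsExec.exe'                               # assumed path to Sysinternals PsExec
)

# Pre-flight check from the thread: if the false positive already deleted the
# SAU files from the CID, the script cannot restore them. Repair the CID with
# Sophos Update Manager first, then run this.
if (-not (Test-Path -Path (Join-Path $CidPath 'alsvc.exe'))) {
    throw "alsvc.exe is missing from $CidPath. Repair the CID with Sophos Update Manager before running the fix."
}
if (-not (Test-Path -Path (Join-Path $FixSource 'FixUpdate.vbs'))) {
    throw "FixUpdate.vbs not found in $FixSource."
}

$results = foreach ($computer in $Computers) {
    # C:\Temp\SophosFix  ->  \\HOST\C$\Temp\SophosFix  (admin share form)
    $remoteDir = "\\$computer\" + ($LocalDir -replace '^([A-Za-z]):', '$1$$')
    $status   = 'Unknown'
    $exitCode = $null
    try {
        New-Item -ItemType Directory -Path $remoteDir -Force | Out-Null
        # Script and .ide side by side on the local disk, so the working
        # directory is writable and Windows Installer can write its log
        # (error 1622 = cannot write install log).
        Copy-Item -Path (Join-Path $FixSource '*') -Destination $remoteDir -Force

        # Full local path, no pushd. -s runs the script as SYSTEM so the
        # AutoUpdate reinstall has local admin rights. SYSTEM reaches network
        # shares as the computer account, so that account needs read access
        # to the CID share; otherwise drop -s and pass -u/-p for a domain user.
        $cmd = "\\$computer -s cscript //nologo `"$LocalDir\FixUpdate.vbs`" " +
               "/fixIssues:true /cid:$CidPath /updateNow:true"
        $proc = Start-Process -FilePath $PsExec -ArgumentList $cmd -Wait -PassThru -NoNewWindow
        $exitCode = $proc.ExitCode     # PsExec returns the remote process's exit code
        $status   = if ($exitCode -eq 0) { 'Fixed' } else { 'Failed' }
    }
    catch {
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $computer; Status = $status; ExitCode = $exitCode }
}

$results | Format-Table -AutoSize
```

Hosts that come back as Failed need the script's own output: run the same cscript line locally in an elevated prompt on that machine to see its messages. Clients whose AutoUpdate service was already deleted by the false positive are exactly the case the thread leaves open; this script can only stage and invoke the fix, it does not replace a missing CID.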
  • Doesn't fix the damage already done. I have machines that deleted their own autoupdater, so how do they get the fix?