
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • I've been trying since last week, none of the knowledge base things work, or the scripts or anything.

    None of my servers have been updated since the 19th of September, and none of my end points have been updated since the 19th of September.

    Trying to force an update on the Enterprise Console just comes up with "Software delivery failed"

    I get loads of errors in the Log Viewer along the lines of...

    24/09/2012 13:16:09    Error    Failed to update the log viewer dictionary: 'Couldn't authenticate user for resource with host server. URL was: http://dci.sophosupd.net/update/'.

    24/09/2012 13:16:09    Error    Failed to check update source status: 'Couldn't authenticate user for resource with host server. URL was: http://dci.sophosupd.net/update/'.

    24/09/2012 13:16:09    Error    Decoding of product release Sophos Update Manager version RECOMMENDED was not done because the synchronization failed.

    Sophos don't respond to e-mails, and the phone is constantly engaged.

    I am honestly thinking of just going with Avast Business as this is a nightmare.

  • after "resolving" the issue, now my clients are throwing errors saying they haven't updated since different dates. Some are 9-21, some are 9-22, some are earlier.

    I have uninstalled and re-installed the clients on some of these machines and they still show they are not up to date.

    When I look at my update Manager I get errors:
    Threat Detection data update failed

    Software Update failed

    Delivery failed for software subscription [subscription-name]. Access to the source update location is denied or the location is otherwise unavailable

    How do I fix the updating process so they all stay up to date?

  • Hello mreaves,

    this sounds like a license credentials issue. Please see Sophos Automatic Update - credentials for the link to use for checking them. If they are correct reenter them in the SUM configuration (although I don't see how they could have been "lost" it's worth making sure they are there before digging deeper).

    Christian


  • Nexis wrote:

    Sophos,

    I've spent the time to read through all 111 pages of this thread to determine whether a solution has been provided to address Non-Sophos application files that have been deleted by Sophos due to this false positive debacle. So far the few posts that have mentioned similar circumstances have been conveniently ignored or overlooked. Not to mention I'm unable to remove Sophos from clients without corrupting the IP stack which prevents any network connection to the client.

    While you've provided solutions to get Sophos properly configured and functional again, you've mentioned nothing about what can be done to fix business critical applications that have had files deleted due to this atrocity. Honestly how does a definition get released that causes your own product to show up as a virus is beyond me, that is literally zero testing, not one of your employees or testers put this into production within your business, that's unbelievably unacceptable and an apology doesn't fix the mess that has been left behind.

    When will you be identifying applications that have been corrupted and providing solutions other than 'use a backup recovery application'? If the answer is 'there is nothing we can do', then I'm sorry but this wouldn't be an issue if just one of your however many staff installed this update on their own computer and picked it up before it was released to every business you accommodate. So you're going to have to do better than that.


    Hi Nexis, 

    The script detailed on this page will attempt to repair installations where possible - for example if the scanning settings were set to 'Deny access and move to..' the script will move the files (including non-Sophos products) back to the original location.

    Where this is not possible (when scanning settings were set to delete), the script generates a list of files that are no longer on the computer. 

    Luke

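The two outcomes Luke describes (files moved to a quarantine location can be put back; files that were deleted can only be reported so they are restored from backup) are illustrated below. This is an added example, not Sophos's repair script: the manifest format (quarantined file name mapped to original path), the quarantine folder layout and the `ExampleApp` paths are all constructed assumptions for the demonstration.

```python
"""Hypothetical restore-and-report tool (added example, not Sophos's script).

Models the two situations from the thread:
  * on-access action "Deny access and move to ...": the file still exists in
    the quarantine folder, so it is moved back to its original location;
  * on-access action "Delete": nothing was kept, so the tool can only report
    that the original path is gone and must come from backup.
"""
import shutil
import tempfile
from pathlib import Path


def restore_from_manifest(quarantine_dir: Path, manifest: dict) -> tuple:
    """Move quarantined files back and list originals that no longer exist.

    `manifest` maps a file name inside `quarantine_dir` to the absolute path
    the file originally had (this format is an assumption for the example).
    Returns (restored_paths, missing_paths), both sorted.
    """
    restored, missing = [], []
    for quarantined_name, original in manifest.items():
        src = quarantine_dir / quarantined_name
        dest = Path(original)
        if src.is_file():
            # The scanner moved the file: put it back where it came from.
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dest))
            restored.append(str(dest))
        elif dest.is_file():
            # Already in place (restored earlier or never touched): nothing to do.
            continue
        else:
            # Neither quarantined nor present: the file was deleted outright,
            # so report it for restoration from backup.
            missing.append(str(dest))
    return sorted(restored), sorted(missing)


def is_present(path: str) -> bool:
    """Helper for checking a reported path on disk."""
    return Path(path).is_file()


def demo() -> tuple:
    """Build a constructed sample tree and run the restore.

    Returns (restored, missing) for the sample: one file was quarantined and
    one was deleted, so exactly one path lands in each list.
    """
    root = Path(tempfile.mkdtemp(prefix="fp_restore_"))
    quarantine = root / "quarantine"
    quarantine.mkdir()
    app_dir = root / "Program Files" / "ExampleApp"  # constructed, not a real product
    # 0001.dat was moved to quarantine; 0002.dat was deleted and never kept.
    (quarantine / "0001.dat").write_bytes(b"MZ example binary")
    manifest = {
        "0001.dat": str(app_dir / "updater.exe"),
        "0002.dat": str(app_dir / "service.exe"),
    }
    return restore_from_manifest(quarantine, manifest)


if __name__ == "__main__":
    restored, missing = demo()
    print("restored:", restored)
    print("missing (restore from backup):", missing)
```

The report of missing files is the useful artefact for the "Delete" case: it gives an administrator a concrete list to hand to the backup tooling rather than having to discover broken applications one at a time.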
  • Hello mreaves, we are sorry you are having issues contacting us to resolve this problem. As has already been stated, the updating issue is likely to be due to credential errors.

    The log statements look like it is failing with the initial credential checks that are used for updating the server and endpoints. If the endpoints are updating only from the CID then they will match the last update time of SUM. If your endpoints have a secondary update location of SOPHOS, and are still failing on an update, then it is likely you will need to get hold of our support team and confirm if there are any issues with your account. We have additional staff on the phones which are very busy at the moment but we are resolving calls as fast as is possible. The email queue is likewise very busy but these should be being addressed.

    I understand the frustration of the situation you are in, but please continue trying to get hold of support, if you have raised an email ticket this will be being addressed as soon as we can. 


  • VEL wrote:

    after "resolving" the issue, now my clients are throwing errors saying they haven't updated since different dates. Some are 9-21, some are 9-22, some are earlier.

    I have uninstalled and re-installed the clients on some of these machines and they still show they are not up to date.

    When I look at my update Manager I get errors:
    Threat Detection data update failed

    Software Update failed

    Delivery failed for software subscription [subscription-name]. Access to the source update location is denied or the location is otherwise unavailable

    How do I fix the updating process so they all stay up to date?


    Hi VEL,

    On the face of it this error message suggests that your Update Manager may not have the correct credentials to update from the Sophos warehouse. If you haven't already I would suggest double checking the credentials used by your Update Manager. If you have already tried this then the following article may be of use: http://www.sophos.com/en-us/support/knowledgebase/66176.aspx

    Luke 

  • It now seems to say downloading binaries for longer. Before it started for a second then failed. So I'll see what happened.

    The links on the credentials page worked and I could get to them all.

    I entered the username and password again into the update manager credentials. I couldn't see the password, but the username WAS different to that on my licence schedule, so I used the ones on my licence schedule.

    I'll see what happens.

  • This is a nightmare. Any suggestions on another product? As an IT group we just don't have time to "run all the .exe or .bat files they are asking us to do". Honestly I think they should hurry up and produce a new version that will rid us of all this hassle. Again, thank you Sophos for increasing my workload. I will no longer recommend this product to any other business.

  • Hi,

    I think it's fair to say false positives will affect any product over time.  The key is to assume it will happen and therefore not take action other than block.   With the default settings all computers would have been fixed in a couple of hours.  If you move to another vendor, be sure to check the default action settings otherwise you'll end up in the same situation again.

    Regards,

    Jak

  • My default settings were only "blocking" or "denying"; also we have always had "live protection" enabled. This is still a mess. It didn't clear up its errors after updating. It didn't resolve its own issue within a few hours as stated. Not every PC received the "java-jb.ide" definition. I have to go through each individual PC to check these things. We have 1000 PCs. I have been very patient. Now I am just inundated!
