
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Yes to the servername and I'm trying to run the .vbs from a batch file, which, when called from the command prompt on the machine locally, runs fine.

    I've physically been to most of the machines and run the batch file now, but it would be good to find out why it won't run in case we end up in a similar situation at some other point.

    Thanks for your help

    Aaron

  • Nexis wrote:

    Sophos,

    I've spent the time to read through all 111 pages of this thread to determine whether a solution has been provided to address Non-Sophos application files that have been deleted by Sophos due to this false positive debacle. So far the few posts that have mentioned similar circumstances have been conveniently ignored or overlooked. Not to mention I'm unable to remove Sophos from clients without corrupting the IP stack which prevents any network connection to the client.

    While you've provided solutions to get Sophos properly configured and functional again, you've mentioned nothing about what can be done to fix business critical applications that have had files deleted due to this atrocity. Honestly how does a definition get released that causes your own product to show up as a virus is beyond me, that is literally zero testing, not one of your employees or testers put this into production within your business, that's unbelievably unacceptable and an apology doesn't fix the mess that has been left behind.

    When will you be identifying applications that have been corrupted and providing solutions other than 'use a backup recovery application'? If the answer is 'there is nothing we can do', then I'm sorry, but this wouldn't be an issue if just one of your however many staff had installed this update on their own computer and picked it up before it was released to every business you accommodate. So you're going to have to do better than that.


    Hi,

    The latest fix tool does generate log files to help identify all files moved/deleted:

    http://www.sophos.com/en-us/support/knowledgebase/118323.aspx

    Also you might find post 32679 helps; note: the forum post broke one line in the script, the colon after the word Javascript was converted into the HTML expression for colon, so it needs to be reverted.

    Regards,

    Jak

  • After testing these solutions and my own, I discovered that deleting the quarantine.xml file on client machines has no effect on the console or client. RDP to the client, opening Quarantine Manager, clearing the list of all Shh/Updater-B entries and rebooting will clear console alerts and restart all services -- back in business and back to normal. For those having issues with the SEC and Update Manager, try Article ID 66176, as this solved my problem and may solve your subscription error messages also.
  • It appears those errors stopped the other night. Not sure why.

    About half of my clients are not updating now. I have manually forced an update on the Update Managers and also manually forced updates on some of the clients and they are still reporting back that they haven't updated in 48+ hours.

    I have re-installed the software on some of these computers and it still reports back this way.

    Any ideas?

  • Regarding the clearing of endpoint quarantine messages (where you have already run the script with the FixIssues parameter), try running the fixit tool with the following parameters:

    cscript //nologo FixUpdate.vbs  /clearQuarantine:true

    This should clear the endpoint messages, I will speak to the KBA team about making this clearer, apologies for the issues, we will continue working on these sort of things and this feedback helps us improve it.


  • VEL wrote:

    It appears those errors stopped the other night. Not sure why.

    About half of my clients are not updating now. I have manually forced an update on the Update Managers and also manually forced updates on some of the clients and they are still reporting back that they haven't updated in 48+ hours.

    I have re-installed the software on some of these computers and it still reports back this way.

    Any ideas?


    Hi VEL,

    Were these new installations pushed from the Enterprise Console? If so, I'd start from the top: confirm that the Update Manager is actually updating (check within the Update Managers view in the Enterprise Console). You can also find the locations that Update Manager is updating within the Enterprise Console under the menu option 'View | Bootstrap Locations'. Within each of these locations check to see that files have been modified within the last 48 hours (if not, then concentrate on the Update Manager).

    Assuming the files have been updated in the last 48 hours then concentrate on the endpoints, check to see which path they are updating from by opening Sophos Endpoint Security and Control and selecting 'Configure Updating'. Although you may not be able to perform any edits from here, you should be able to see the 'address' that it is attempting to update from. Double check to confirm it matches one of the bootstrap locations from above.

    Hopefully this will get you on the right track.

    Luke

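The first check in the reply above (does each bootstrap location contain anything written in the last 48 hours?) is easy to automate across several shares. The PowerShell below is an added example, not Sophos's tooling and not code from this thread: it takes a list of bootstrap locations (the two UNC paths are placeholders; paste the entries shown under View | Bootstrap Locations), finds the newest file under each, and flags locations that are unreachable, empty, or older than the cut-off. The parameter names and the 48-hour default are assumptions taken from the reply.

```powershell
# Added example (not Sophos code, not from the thread): report the newest file
# write in each Update Manager bootstrap location and flag locations that have
# not changed within the expected window. The two UNC paths are placeholders;
# replace them with the entries shown under View | Bootstrap Locations.
param(
    [string[]]$Location = @('\\MGMTSERVER\SophosUpdate\CIDs\S000\SAVSCFXP',
                            '\\MGMTSERVER\SophosUpdate\CIDs\S000\SAVSCFXP64'),
    [int]$MaxAgeHours = 48
)

$cutoff  = (Get-Date).AddHours(-$MaxAgeHours)
$results = foreach ($loc in $Location) {
    $row = New-Object PSObject -Property @{
        Location = $loc; NewestFile = $null; NewestWrite = $null; Status = 'UNKNOWN'
    }
    if (-not (Test-Path -LiteralPath $loc)) {
        # Share missing or not readable by this account: endpoints pointed here
        # cannot update no matter how fresh the Update Manager itself is.
        $row.Status = 'UNREACHABLE'
        $row
        continue
    }
    # The most recently written file anywhere under the location shows whether
    # the Update Manager has published anything there since the cut-off.
    $newest = Get-ChildItem -LiteralPath $loc -Recurse -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer } |
              Sort-Object LastWriteTime -Descending |
              Select-Object -First 1
    if ($newest -eq $null) {
        $row.Status = 'EMPTY'
    } else {
        $row.NewestFile  = $newest.FullName
        $row.NewestWrite = $newest.LastWriteTime
        $row.Status = if ($newest.LastWriteTime -ge $cutoff) { 'OK' } else { 'STALE' }
    }
    $row
}

$results | Sort-Object Status | Format-Table Status, NewestWrite, Location -AutoSize
# Non-zero exit code so the check can be scheduled and alarmed on.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
exit 0
```

One caveat: the script sees each share with the credentials of whoever runs it, while endpoints read the share with the updating credentials set in their policy, so a location that reports OK here can still be unreachable for the clients. The second half of the reply (confirming the address under Configure Updating on the endpoint matches one of these locations) is still a manual check.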
  • Sophos,

    • Waiting to hear back from my rep.
    • Been in the queue for 51 minutes now.

      "Once you've tested this on a few machines you can deploy the script using the deployment method of your choice. (Zenworks, PSEXEC, Altiris, etc.)"


      Here's my deal right now:
      I need to clear these alerts from Console and the associated Endpoints. New items are coming in, and this just needs to get back in control.

      I was originally planning on using PSEXEC and a batch file with instructions for FixUpdate.vbs. Problem with this is that I can't access network resources to fetch the FixUpdate.vbs without passing Admin Credentials in clear text.

      With testing, I have been able to pass the batch file over to a machine and launch it just fine using PSEXEC.


      My questions:
      Is there a way to pass multiple files (SophosFixUpdate.bat, FixUpdate.vbs, and the IDE) to multiple machines (computer listing built from the Console) using PSEXEC (without using Admin Creds) all in one command?

      Thoughts? Help? Suggestions?

      P.S. In reading the latest advisory, I noticed the following. Maybe the below (fpack.bat) takes care of the alerts in both the Console AND the Endpoints? Please advise.

    "How do I clear existing console alerts?

    To clear all outstanding 'Shh/' alerts from your console, we recommend following the steps below:

    1. Close Sophos Enterprise Console.
    2. Download the file 'fpack.txt' to your management server.
    3. Rename the downloaded file to 'fpack.bat'.
    4. Run the batch file. If there are any errors running the tool they will be displayed.
    5. To check the alerts have been 'Acknowledged', launch Enterprise Console and review the outstanding alerts.

    Alternatively you can use Enterprise Console to 'Acknowledge' the alerts; to do so:

    1. Launch Enterprise Console.
    2. Click on the 'Viruses/spyware' link on the Dashboard to switch the computer list view to display: 'Managed computers with outstanding Virus/malware alerts'.
    3. Select all computers (Ctrl-A).
    4. Right click and choose 'Resolve Alerts and Errors…'.
    5. Click on the 'Name' column header to sort by alert name in order to group all 'Shh/' detection entries together in the list.
    6. Select all 'Shh/' detections then click 'Acknowledge'."
  • I am having trouble getting the fixupdate.vbs to run silently. Here's my setup:

    1. I ran a query against the Sophos DB to identify affected PCs, exported only PC names to a list

    2. Created a collection within SCCM of the affected computers

    3. Created a "package" and advertised it to a few test computers

    4. It's set to run hidden with admin rights

    My command line argument is this:

    FixUpdate.vbs /FixIssues:true

    SCCM copies the vbs file to the local machine and knows where to find it. This works but I am prompted for every step of the repair process. I know I can run cscript.exe //b for batch mode but the script ends up in a dynamic location which makes it difficult to target. Is there a simple /silent switch built into the script that I can run? It doesn't show up in /help.
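Two posts above ask about the same mechanics: running FixUpdate.vbs with /clearQuarantine:true or /FixIssues:true, and running it unattended when the deployment tool (SCCM here, PSEXEC earlier in the thread) stages the files in a path that differs per machine. The PowerShell wrapper below is an added example, not Sophos code and not from the thread. It resolves FixUpdate.vbs relative to its own location, so the package's cache path never has to be known, invokes it under cscript.exe with //B (the batch-mode host switch the poster mentions) and a timeout, logs the output, and hands cscript's exit code back to the deployment tool. The /FixIssues:true and /clearQuarantine:true parameters are the ones quoted in the thread; the wrapper's own switch names and the log path are assumptions.

```powershell
# Added example (not Sophos code, not from the thread): wrapper that runs
# FixUpdate.vbs unattended from wherever the deployment tool has staged it.
# /FixIssues:true and /clearQuarantine:true are the script parameters quoted
# in the thread; the wrapper's own switch names and the log path are assumed.
param(
    [switch]$FixIssues,
    [switch]$ClearQuarantine
)

if (-not ($FixIssues -or $ClearQuarantine)) {
    Write-Error 'Specify -FixIssues and/or -ClearQuarantine'
    exit 2
}

# SCCM and PSEXEC stage the package in a per-machine cache path, so locate
# FixUpdate.vbs relative to this wrapper instead of hard-coding a directory.
# ($MyInvocation works on PowerShell 2.0; $PSScriptRoot needs 3.0 for scripts.)
$here = Split-Path -Parent $MyInvocation.MyCommand.Path
$vbs  = Join-Path $here 'FixUpdate.vbs'
if (-not (Test-Path -LiteralPath $vbs)) {
    Write-Error "FixUpdate.vbs not found next to this wrapper in $here"
    exit 2
}

# Host switches: //Nologo drops the banner, //B (batch mode) suppresses the
# host's interactive prompts, //T:1800 aborts the script after 30 minutes so
# a hung run does not block the deployment tool indefinitely.
$cscript = Join-Path $env:SystemRoot 'System32\cscript.exe'
$argList = @('//Nologo', '//B', '//T:1800', ('"{0}"' -f $vbs))
if ($FixIssues)       { $argList += '/FixIssues:true' }
if ($ClearQuarantine) { $argList += '/clearQuarantine:true' }

# Assumed log location; capture stdout/stderr so the run can be audited
# afterwards even though nothing is shown on screen.
$log  = Join-Path $env:SystemRoot 'Temp\FixUpdate-wrapper.log'
$proc = Start-Process -FilePath $cscript -ArgumentList $argList -Wait -PassThru `
            -WindowStyle Hidden -RedirectStandardOutput "$log.out" -RedirectStandardError "$log.err"

# Hand cscript's exit code back so SCCM/PSEXEC record success or failure.
'{0} {1} exit code {2}' -f (Get-Date -Format s), $env:COMPUTERNAME, $proc.ExitCode |
    Out-File -Append -FilePath $log
exit $proc.ExitCode
```

Put the wrapper and FixUpdate.vbs in the same SCCM package (or the same directory you copy out with your deployment tool) and use a program command line such as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File Run-FixUpdate.ps1 -FixIssues -ClearQuarantine` (the .ps1 file name is an assumption). Shipping both files inside the package also sidesteps the earlier PSEXEC concern: the script never has to reach back to a network share for the .vbs, so no credentials need to be passed on the command line. A plain batch wrapper gets the same location independence with `%~dp0` in front of the file name.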
  • Hello Nexis, regarding your post earlier (1102), we are working on a tool to centrally report back on the files that have been deleted.  The goal is to be able to provide a report showing the files deleted by computer.  It will be possible to run the tool periodically and get an up-to-date report based on those files that have been restored.  We are also looking to see if we can present the information by application affected (rather than file deleted) and plan to sort the list to show at the top the applications which we believe should be repaired first.

  • If you visit the knowledge base advisory at http://www.sophos.com/en-us/support/knowledgebase/118323.aspx and download the tool, this will clear the Quarantine Manager for you.
