
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

:29723


This thread was automatically locked due to age.

  • JonathanC wrote:

    If you visit the knowledge base advisory at http://www.sophos.com/en-us/support/knowledgebase/118323.aspx and download the tool, this will clear the Quarantine Manager for you.


    Thanks for the link. I followed it over to the "Using Group Policy" section (http://www.sophos.com/en-us/support/knowledgebase/118338.aspx) and now I'm curious to know (if we use that) how to actually keep track of which ones have been done, which ones still need to be done, and when we can safely remove the GPO so it doesn't repeat itself for all of the machines (which have been done) every time they boot up.

    ^I guess the above question may be for Sophos to answer.

    :32797
  • When running a test to restore files that have been moved (using the file attached on http://www.sophos.com/en-us/support/knowledgebase/118323.aspx), for Sophos as well as 3rd party apps, I am getting a permission denied in the log file. Files are still located in the INFECTED directory, but they are no longer showing in the quarantine area of the Sophos client. I have run this being logged in as a domain admin, as well as run the CMD prompt as an Administrator. What am I doing wrong?

    Check if source file exists: 'C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\ispsheet.dll.2.000'
    Failed to move back file: Error=70 : Permission denied

    :32801
  • So there is a reasonably simple solution to stop the script running every time a machine boots up, if the script has been deployed via group policy. When we tested this earlier we added these lines to the FixIssues.vbs script:

    ' Create a marker file so later runs can tell this machine has already been fixed
    dim objFSO : set objFSO = CreateObject("Scripting.FileSystemObject")
    dim objFile : set objFile = objFSO.CreateTextFile("C:\Windows\temp\sophosmarker.txt")
    objFile.Close
    set objFile = nothing
    set objFSO = nothing

    You would then just need to add a check to see if the file exists at C:\Windows\temp\sophosmarker.txt and if it does exit the script. 

    This would mean that for instance if you have any remote users that don't access the network to receive a group policy update for 1/2 weeks, you can leave the group policy in place without affecting the end users repeatedly.

    :32803
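
The marker-file check described in the post above, written out as an added example (not part of the original post and not Sophos code). The marker path is the one from the post; `RunFix` is a hypothetical stand-in for the existing body of the fix script, and the marker is written only when it reports success, so a failed run is retried at the next boot:

```vbscript
Option Explicit

' Marker path taken from the post above.
Const MARKER = "C:\Windows\temp\sophosmarker.txt"

Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")

' Already fixed on an earlier boot: exit before doing any work.
If objFSO.FileExists(MARKER) Then
    WScript.Quit 0
End If

If RunFix() Then
    WriteMarker
Else
    ' No marker is written, so the GPO startup script retries on the next boot.
    WScript.Quit 1
End If

Sub WriteMarker()
    Dim objNet : Set objNet = CreateObject("WScript.Network")
    ' Second argument True: overwrite any stale marker file.
    Dim objFile : Set objFile = objFSO.CreateTextFile(MARKER, True)
    ' Record host and time so the marker also serves as a per-machine record
    ' of when the fix ran.
    objFile.WriteLine objNet.ComputerName & " fixed " & Now
    objFile.Close
End Sub

' Hypothetical stand-in (assumption): replace the body with the script's
' existing repair steps and return True only when they completed.
Function RunFix()
    RunFix = True
End Function
```
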
  • Hello Sophos

    We have 2200 machines and have 896 machines affected; in all of these the script displays this error:

    --

    SAU files still missing after restoring moved files
    SAV files missing from the program files or common application data directories
    Restoring missing SAU files from the local cache
    Repairing SAU using 'Sophos AutoUpdate.msi'
    SAU reinstallation failure: 1603
    Starting SAV service

    --

    Please, I need a method to correctly reinstall the SAU.

    Regards

    Linck Tello Flores

    :32805
  • All,

    I'm still having trouble with Sophos software. I decided to reinstall Sophos AntiVirus and now I get "Error 3059. Could not save the updating settings on the computer"

    I had to use Windows Utility Cleaner to clean up my previous install and now I get this error every time I install Sophos.

    :32809
  • Can someone please help me with the autoupdate issue mentioned above? 

    :32813
  • ptran, sorry to hear you are having issues. Have you been able to run the KBAs below? If so, what errors have you been experiencing?

    :32817
  • Hello Sophos

    The steps to use psexec in this KB

    http://www.sophos.com/en-us/support/knowledgebase/118337.aspx

    fail!!

    C:\SophosFix>psexec \\1806974-S -u DOMSDP\sophos -p ****** -h -w %temp% -d cscript.exe //nologo \\1.1.194.40\SophosUpdate\FixUpdate.vbs /fixIssues:true /updateNow:true /clearQuarantine:true
    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    PsExec could not start cscript.exe on 1806974-S:
    The system cannot find the file specified.

    At this time we are using this code:

    File: ExecuteFixRemote.bat


    @echo off
    Set CID=1.1.194.40
    Set USERNAME=DOMSDP\Sophos
    Set PASSWORD=*******
    rem Map the update share with the credentials above
    net use o: \\%CID%\SophosUpdate /User:%USERNAME% %PASSWORD% /persistent:no
    rem Copy the fix script from the share into system32
    xcopy "o:\FixUpdate.vbs" "%systemRoot%\system32" /Y /H /R /K /C
    rem Run the fix script against the CID
    cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\%CID%\SophosUpdate\CIDs\S000\SAVSCFXP /updateNow:true /clearQuarantine:true
    rem Remove the drive mapping
    net use o: /Delete

    Launch the script with psexec.

    C:\SophosFix>psexec @FpWithoutFix.txt -c -v executefixremote.bat -d

    Check the KB.

    Regards

    Linck Tello Flores

    www.innovare.pe

    :32819
  • Can I get a little help from Sophos on my permission denied issue above?

    :32827
  • JoltCube,

       I don't think these fixes are related to the problem I have. I'm just having issues reinstalling Sophos. The autoupdate feature of the program doesn't get installed. 

    :32829