
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Using Article ID: 118338 to try to fix.

    The file gets copied over, but the VB script blows an error.

    Version 1.4

    Trigger update option enabled

    Problem IDE is present.

    IDE that fixes issue is NOT present.

    Update did not receive newer IDEs.

    Stopping SAV service Failed to stop service with error:

    2 Failed to stop SAV service

    This is the same error as last week, it will only run if we are logged on as administrator.

    I can't go around to hundreds of PCs and log on as an admin to fix this.


  • JonathanC wrote:

    So there is a reasonably simple solution to stop the script running everytime a machine boots up, if the script has been deployed via group policy. When we tested this earlier we added these lines to the FixIssues.vbs script;

    ' Create the marker file through the FileSystemObject
    ' (CreateTextFile is a method of objFSO, not of the not-yet-assigned objFile)
    dim objFSO : set objFSO = CreateObject("Scripting.FileSystemObject")
    dim objFile : set objFile = objFSO.CreateTextFile("C:\Windows\temp\sophosmarker.txt")
    objFile.Close
    set objFSO = nothing
    set objFile = nothing

    You would then just need to add a check to see if the file exists at C:\Windows\temp\sophosmarker.txt and if it does exit the script. 

    This would mean that for instance if you have any remote users that don't access the network to receive a group policy update for 1/2 weeks, you can leave the group policy in place without affecting the end users repeatedly.


    Thanks!

    So is this something you've done? If so, how did you go about setting up a "checker" for that file? I'm clueless (ok not totally clueless) with scripting, and I'm in queue with our programming staff. Could be days before I get an answer from them.

    Thanks in advance for your help on this! Sent PM as well in case you aren't babysitting this thread. (Your PMessaging is turned off)

    <Pssst> Sophos:
    *Still waiting on an answer from you about my "fpack.bat" question.

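    A run-once wrapper that implements the marker-file check JonathanC describes, as an added example (not code from the thread or from Sophos). The marker path, the location of FixUpdate.vbs and the assumption that FixUpdate.vbs exits non-zero when the fix fails are all assumptions; the GPO startup .bat would call this wrapper instead of FixUpdate.vbs directly.

```vbscript
' Added example: run-once guard around FixUpdate.vbs for a GPO startup script.
' Assumptions (adjust for your environment): marker path, FixUpdate.vbs path,
' and that FixUpdate.vbs returns a non-zero exit code when it fails.
Option Explicit

Const MARKER    = "C:\Windows\Temp\sophosmarker.txt"
Const FIXSCRIPT = "C:\Windows\Temp\FixUpdate.vbs"

Dim objFSO, objShell, objFile, rc
Set objFSO   = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")

' 1. If an earlier run already left the marker, exit without doing anything,
'    so machines that pick the GPO up late are fixed once and never re-run it.
If objFSO.FileExists(MARKER) Then
    WScript.Echo "Marker present, fix already applied; exiting."
    WScript.Quit 0
End If

' 2. Run the real fix synchronously (window hidden) and capture its exit code.
rc = objShell.Run("cscript //nologo """ & FIXSCRIPT & """ /FixIssues:true", 0, True)

' 3. Write the marker only if the fix reported success. Leaving it absent on
'    failure (e.g. "Failed to stop SAV service") means the next boot retries.
If rc = 0 Then
    Set objFile = objFSO.CreateTextFile(MARKER, True)
    objFile.WriteLine "FixUpdate applied " & Now
    objFile.Close
    Set objFile = Nothing
Else
    WScript.Echo "FixUpdate.vbs returned " & rc & "; marker not written, will retry at next startup."
End If

Set objShell = Nothing
Set objFSO   = Nothing
WScript.Quit rc
```

    Because the marker lives under C:\Windows\Temp, anyone who can delete files there can cause the fix to run again at the next boot; a path only administrators can write to is preferable if that matters in your environment.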
  • Sorry ptran, I have got to the point where I associate this thread with the specific issues with the Shh/updater issues, have you been able to contact support at all?

    We are currently somewhat busy across the board but you should be able to get hold of a support person for more specific help, sorry I am unable to help further on this issue at this point, it has been a rather long day and I need to call it a night before I give out poor advice… sorry I can't do more. I will pick up the forums where possible again tomorrow morning UK time.

  • Hello BlackDiamond

    The KB says:

    Open a command prompt with elevated permissions:

    • For Windows Vista, Windows 2008 and Windows 7:
      Start | All Programs | Accessories | Right-click on Command Prompt | Select 'Run as Administrator'.
    • For Windows XP: ensure you are logged in as a user with administrative rights.

    Regards

    Linck Tello Flores

    www.innovare.pe

  • @LINCK

    We must be talking about two different articles, nowhere in the article I am reading does it say that.

    http://www.sophos.com/en-us/support/knowledgebase/118338.aspx

    Following an unwanted detection the Sophos AutoUpdate component is no longer functioning. This is due to the files needed by Sophos AutoUpdate being deleted or moved as part of the clean-up action related to the false positive. This article explains how to setup a gpo script for Active Directory, which will allow the FixUpdate.vbs script to run on your network workstations.

    Known to apply to the following Sophos product(s) and version(s) Sophos Anti-Virus for Windows 2000+

    Operating systems Windows 2003 and above

    What To Do

    To enable this script to run, copy the FixUpdate.vbs script to a shared resource which your workstations can access. When the workstation starts the gpo startup script will use the FixUpdate script to correct the Sophos AutoUpdate installation.

    1. Download the FixUpdate.zip from article 118323.
    2. Extract the vbs script from the archive to the root of the SophosUpdate share. For example: \\SERVERNAME\SophosUpdate\
    3. Click Start | All Programs | Administrative Tools | Active Directory Users and Computers.      Or      Click Start | Run | Type: dsa.msc | Press return.
    4. Select the domain name from the left-hand tree.
    5. Right-click the domain name and select 'Properties'.
    6. Select the 'Group Policy' tab.
    7. Select 'New'.
    8. Enter a name for the new Group Policy object (GPO).  Example: GPO to deploy Sophos endpoint software via script.
    9. Select the new GPO and click 'Edit'.  The Group Policy Object Editor window will open.
    10. In the Group Policy Object Editor in the left pane, browse to Computer Configuration | Windows Settings | Scripts.
    11. On the right-hand side, double-click 'Startup'.
    12. In the 'Startup Properties' dialog box, click 'Show Files'.
    13. In the window that opens, right-click and select New | Text Document.
    14. Rename this file to 'GPOUpdateFix.bat'.
    15. Right-click on 'GPOUpdateFix.bat' and select 'Edit'.
    16. Edit the file as follows:
      Note: This is sample syntax which you may need to alter for your environment.
      @ECHO OFF
      xcopy \\servername\SophosUpdate\FixUpdate.vbs C:\Windows\Temp\
      cscript //nologo C:\Windows\Temp\FixUpdate.vbs /FixIssues:true
    17. Save the GPOUpdateFix.bat
    18. Next time the workstation restarts and starts up the script will launch.
  • Go to your Update Manager.

    Uninstall the Sophos Agent

    Uninstall Remote Management System

    Uninstall Sophos Update manager

    Verify you have javab-jd.ide in your install share \\SERVER\SophosUpdate\CIDs\S000\SAVSCFXP\savxp

    Copy these files to the folder you install the Update Manager from under Remote Management. (\\server\SumInstall\Remote Management)

    AutoUpdateAgentNT.exe

    ClientMRInit.exe

    EMLibUpdateAgentNT.exe

    RouterNT

    UpdateSUMConfig.exe

    SUMinstallset.exe

    Copy these files to the folder you install the Update Manager from under Update Manager (\\server\SumInstall\Update Manager)

    SUMService.exe

    SophosUpdateMgr.exe

    Start the Update Manager Install

    (If you are missing one, the installer will alert you and you will need to place that file in the install directory and then click “Retry”.)

    Once the install is complete, Reinstall your Sophos Agent using the Update manager you just installed.

    Your Update Manager will now be fixed and report to the Console correctly.

    Do this for each Update Manager you have


  • Robert_Leonard wrote:

    Go to your Update Manager.

    Uninstall the Sophos Agent

    Uninstall Remote Management System

    Uninstall Sophos Update manager

    Verify you have javab-jd.ide in your install share \\SERVER\SophosUpdate\CIDs\S000\SAVSCFXP\savxp


    Hi,

    Please avoid uninstalling/attempting to uninstall our software. Cases where there has been an unsuccessful attempt to uninstall the damaged components have been some of the more difficult cases to resolve. We are leveraging the working bits of our software as best we can to make solutions easier/quicker for affected customers, but uninstalling hampers that by removing components that are being leveraged. There is also a risk of damaging the installations further, making recovery steps more involved. Please see the KBA articles on this issue for assistance as the scripts within these KBAs are proving very helpful. Apologies for not posting the links again, just wanted to get this quick tidbit out.


  • LINCK wrote:

    Hello Sophos

    The steps to use psexec in this KB

    http://www.sophos.com/en-us/support/knowledgebase/118337.aspx

    fail!!

    C:\SophosFix>psexec \\1806974-S -u DOMSDP\sophos -p ****** -h -w %temp% -d cscript.exe //nologo \\1.1.194.40\SophosUpdate\FixUpdate.vbs /fixIssues:true /updateNow:true /clearQuarantine:true
    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    PsExec could not start cscript.exe on 1806974-S:
    The system cannot find the file specified.

    In this time we are using this code :

    File: ExecuteFixRemote.bat


    @echo off
    Set CID=1.1.194.40
    Set USERNAME=DOMSDP\Sophos
    Set PASSWORD=*******
    net use o: \\%CID%\SophosUpdate /User:%USERNAME% %PASSWORD% /persistent:no
    xcopy "o:\FixUpdate.vbs" "%systemRoot%\system32" /Y /H /R /K /C
    cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\%CID%\SophosUpdate\CIDs\S000\SAVSCFXP /updateNow:true /clearQuarantine:true
    net use o: /Delete

    Launch the script with psexec.

    C:\SophosFix>psexec @FpWithoutFix.txt -c -v executefixremote.bat -d

    Check the KB.

    Regards

    Linck Tello Flores

    www.innovare.pe


    Hi Linck,

    Give it a go without the -w %temp% portion of the command. I'm having better luck that way.


  • BlackDiamond wrote:

    Using Article ID: 118338 to try to fix.

    The file gets copied over, but the VB script blows an error.

    Version 1.4

    Trigger update option enabled

    Problem IDE is present.

    IDE that fixes issue is NOT present.

    Update did not receive newer IDEs.

    Stopping SAV service Failed to stop service with error:

    2 Failed to stop SAV service

    This is the same error as last week, it will only run if we are logged on as administrator.

    I can't go around to hundreds of PCs and log on as an admin to fix this.


    Hi,

    Are you running this as a machine startup script, or a user startup script?

  • Has anyone come up with a way to return the Quarantine file to the way it should be (without the Sophos files) or are we still just deleting the file? Also, is the Quarantine now acting like it should - i.e. is it blocking things that are stored in Quarantine or are they still being allowed to run?
