
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Yes, it is logged under case #3465924, though it seems to be stuck at the moment. This really did mess up an SBS 2011 box. Any chance the case could be looked at, please?

  • In reading the latest advisory, I noticed the following. Maybe the below (fpack.bat) takes care of the alerts in both the Console AND the Endpoints? Please advise.

    "How do I clear existing console alerts?

    To clear all outstanding 'Shh/' alerts from your console, we recommend to follow the steps below:

    1. Close Sophos Enterprise Console.
    2. Download the file 'fpack.txt' to your management server.
    3. Rename the downloaded file to 'fpack.bat'.
    4. Run the batch file. If there are any errors running the tool they will be displayed.
    5. To check the alerts have been 'Acknowledged' launch Enterprise Console and review the outstanding alerts.

    Alternatively you can use Enterprise Console to 'Acknowledge' the alerts, to do so:

    1. Launch Enterprise Console.
    2. Click on the 'Viruses/spyware' link on the Dashboard to switch the computer list view to display: 'Managed computers with outstanding Virus/malware alerts'.
    3. Select all computers (Ctrl-A).
    4. Right click and choose 'Resolve Alerts and Errors…'.
    5. Click on the 'Name' column header to sort by alert name in order to group all 'Shh/' detection entries together in the list.
    6. Select all 'Shh/' detections then click 'Acknowledge'."
     

    Sophos,

    Could you please let me know on the above ^ question?

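The original post quotes the alert text as it arrives from the endpoints, and the advisory above relies on sorting the console list by alert name so that all Shh/ entries can be acknowledged together. The following added example (not from the original thread or from Sophos) does the same grouping offline over exported alert lines: it parses the alert format shown in the original post, groups hits by detection name, and separates Shh/ hits on files under the Sophos program directory (the path reported in the original post) from any other detections, which still deserve a look before being acknowledged. The sample alert lines, the host names and the "Test/Sample-A" detection name are constructed for the example.

```python
import re
from collections import defaultdict

# Alert text in the shape quoted in the original post:
#   Virus/spyware 'Shh/Updater-B' has been detected in "<path>". Cleanup unavailable.
ALERT_RE = re.compile(
    r"Virus/spyware '(?P<name>[^']+)' has been detected in \"(?P<path>[^\"]+)\"\."
    r"(?: (?P<status>[^.]+)\.)?"
)

# Directory under which the false positive was reported in this thread (lower-cased).
SOPHOS_DIR = "c:\\program files\\sophos\\"

# Constructed sample export: hostname prefix plus the alert text (not real data).
SAMPLE_ALERTS = [
    r'''WKS-01: Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable.''',
    r'''WKS-02: Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable.''',
    # Same detection name, but outside the Sophos directory: keep it for review.
    r'''WKS-03: Virus/spyware 'Shh/Updater-B' has been detected in "C:\Users\alice\Downloads\update.exe". Cleanup unavailable.''',
    # A different (constructed) detection name: not covered by the false-positive rule.
    r'''WKS-04: Virus/spyware 'Test/Sample-A' has been detected in "C:\Temp\sample.exe". Cleanup unavailable.''',
    # Not an alert line at all: skipped by the parser.
    r'''WKS-05: Update succeeded.''',
]


def parse_alert(line):
    """Return (detection_name, path, status) for an alert line, or None otherwise."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m.group("name"), m.group("path"), (m.group("status") or "").strip()


def is_known_false_positive(name, path):
    """An Shh/ detection on a file inside the Sophos install directory, as in the original post."""
    normalized = path.lower().replace("/", "\\")
    return name.startswith("Shh/") and normalized.startswith(SOPHOS_DIR)


def triage(lines):
    """Group alerts by detection name into 'acknowledge' and 'review' buckets.

    Returns {"acknowledge": {name: [paths]}, "review": {name: [paths]}}.
    """
    buckets = {"acknowledge": defaultdict(list), "review": defaultdict(list)}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        name, path, _status = parsed
        key = "acknowledge" if is_known_false_positive(name, path) else "review"
        buckets[key][name].append(path)
    return buckets


def summarize(buckets):
    """Per-bucket counts of alerts per detection name, matching the console's sort-by-Name view."""
    return {key: {name: len(paths) for name, paths in group.items()} for key, group in buckets.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for key, counts in summarize(result).items():
        print(f"{key}:")
        for name, count in sorted(counts.items()):
            print(f"  {name}: {count} alert(s)")
```

Feed it the alert lines exported from the console (or collected from endpoint logs) and acknowledge only what lands in the "acknowledge" bucket; anything in "review" either carries a different detection name or an Shh/ hit outside the Sophos directory and should be checked rather than cleared in bulk.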
  • The batch file can clear the database (SEC) of alerts (well, set them to non-outstanding).

    The endpoint script (http://www.sophos.com/en-us/support/knowledgebase/118323.aspx) can clear the QM on the clients.

    Regards,

    Jak

  • Anybody know where I can find the

    • The Cleanup setting is "Deny access only".

    mentioned in the KB article?

  • Hi everyone,

    We have created a new video to help Enterprise Console customers, it can be found on this article: http://www.sophos.com/en-us/support/knowledgebase/118328.aspx

    It is titled: "Recovery instructions for Sophos Enterprise Console" and includes step-by-step instructions for enabling the best practice settings in your Anti-Virus and HIPS policy as well as how to check if your Update Managers have been affected by the Shh/Updater-B false positive.

    This video is the first step for any customers using Enterprise Console that have been affected in any way by this issue.

    A similar video for Control Center customers will be available later today.


  • BlackDiamond wrote:

    Using Article ID: 118338 to try to fix.

    The file gets copied over, but the VB script throws an error.

    Version 1.4

    Trigger update option enabled

    Problem IDE is present.

    IDE that fixes issue is NOT present.

    Update did not receive newer IDEs.

    Stopping SAV service Failed to stop service with error:

    2 Failed to stop SAV service

    This is the same error as last week, it will only run if we are logged on as administrator.

    I can't go around to hundreds of PCs and log on as an admin to fix this.


    Hi,
    Are you running this as a machine startup script, or a user startup script?

    __________________________________________________________________________________

    @ Nathan - We are running this in the GPO as a computer script.  Under Computer configuration, not User Configuration.

  • Hello BlackDiamond, have you seen the following article:

    http://www.sophos.com/en-us/support/knowledgebase/118337.aspx

    specifically try running PSEXEC with the "psexec @FpWithoutFix.txt -u domain\username -p password -h -d \\SERVER\SophosUpdate\FixIssues.exe -q" parameters. This will allow you to run the script with admin rights on the endpoints without visiting each one. HTH

  • @ JoltCube

    When running this I get this on each system.

    PsExec could not start \\Our Server\SophosUpdate\FixIssues.exe on system

    Logon Failure: unknown user or bad password.

  • @ JoltCube

    If I remove the user and password from the command, it appears to start the process.

    Will see how it goes.

    :-)

  • "psexec @FpWithoutFix.txt -u domain\username -p password -h -d \\SERVER\SophosUpdate\FixIssues.exe -q"

    Just to check: if you are not using the -u domain\username -p password strings and it is running, it will use the logged-on user's rights, so you will need to ensure that the -u [YourDomain]\[DomainAdminUsername] -p [DomainAdminPassword] is correct. It may be worth checking that the Remote Registry Service has started on a test endpoint you can test this script against before running it via a GPO.
