
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

:29723


  • Hello BlackDiamond, could you confirm if you have used the latest scripts? These have had a lot of improvements on the initial releases. Do you have any specifics on the OSes affected? Have you had any success with any of the tools on any systems?

    :33289
  • Yes, the latest scripts are being used. In looking at the list of PCs with this error, it looks like they are all Windows 7.

    We have used the scripts on other Windows 7 systems and they appear to be working now.

    :33291
  • The only fix I have found is to sign on to the PC with an admin account.

    Run MicrosoftFixit.ProgramInstallUninstall.FISC.135271592702497964.1.2.Run.exe from Microsoft and remove everything related to Sophos.

    After that, the system can be protected again from the SEC.

    Now I just need to do this on 100+ systems...

    EDIT BELOW

    Upon further review. After running Protect Computers... in SEC. The system never goes back online in SEC. It just sits with the down arrow, looking like it is doing something.

    On the system itself, there are two items listed in Quarantine.

    Shh/Updater-B C:\Program Files (x86)\Sophos\AutoUpdate\swlocale.dll

    Shh/Updater-B C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api

    Is there a way to tell when these were added to the QM?

    Can I move or delete them?

    EDIT II

    How is it possible to have two of the same system in the SEC?

    The system I mentioned previously in this post had two. One was normal, one was not after running the Microsoft fix. I had not resorted, so they were not next to each other in the PC list.

    EDIT Final

    OK

    If I follow all of my previous steps and then remove the items from quarantine and rerun Protect Computers from SEC, it appears to work.

    The issue is I have over 100 systems that are still in this state. Is there no other way to get them up and running again?

    :33295
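    As an added triage helper (not code from this thread, from Sophos or from any poster), assuming the console alert text is exported as plain lines in the format quoted in the opening post and the endpoint quarantine entries as "<detection> <path>" lines as pasted above: it groups events by detection name and flags a name whose hits land mostly on vendor install directories (an assumed list) as a probable bad-IDE false positive to verify against the vendor advisory before any mass cleanup.

```python
import re
from collections import Counter, defaultdict

# Console alert format, pattern built from the alert quoted in the thread (assumption).
ALERT_RE = re.compile(
    r"Virus/spyware '(?P<name>[^']+)' has been detected in \"(?P<path>[^\"]+)\""
)
# Endpoint quarantine listing as pasted in the thread: "<detection> <drive>:\<path>".
QUAR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<path>[A-Za-z]:\\.+)$")

# Assumed list: detections on a vendor's own install tree are a strong hint of a
# bad signature update rather than real malware. Paths are compared normalised
# to lower case with forward slashes.
VENDOR_DIRS = ("c:/program files/sophos/", "c:/program files (x86)/sophos/",
               "c:/program files (x86)/adobe/")

def parse_events(lines):
    """Yield (detection_name, path) from alert lines or quarantine lines."""
    for line in lines:
        line = line.strip()
        m = ALERT_RE.search(line) or QUAR_RE.match(line)
        if m:
            yield m.group("name"), m.group("path")

def triage(lines, min_hosts=2):
    """Per detection name: total hits, hits on vendor trees, and a flag that is
    set when at least min_hosts hits are on vendor trees and they are the majority."""
    by_name = defaultdict(Counter)
    for name, path in parse_events(lines):
        by_name[name][path] += 1
    report = {}
    for name, paths in by_name.items():
        total = sum(paths.values())
        vendor_hits = sum(c for p, c in paths.items()
                          if p.lower().replace("\\", "/").startswith(VENDOR_DIRS))
        report[name] = {"total": total, "vendor_hits": vendor_hits,
                        "paths": dict(paths),
                        "likely_false_positive": vendor_hits >= min_hosts
                        and vendor_hits * 2 >= total}
    return report

# Constructed sample input: two console alerts modelled on the one in the thread,
# the two quarantine entries quoted above, and one made-up unrelated detection.
SAMPLE = [
    "host01: Virus/spyware 'Shh/Updater-B' has been detected in \"C:\\Program Files\\Sophos\\Sophos Anti-Virus\\Web Intelligence\\swi_update.exe\". Cleanup unavailable.",
    "host02: Virus/spyware 'Shh/Updater-B' has been detected in \"C:\\Program Files\\Sophos\\Sophos Anti-Virus\\Web Intelligence\\swi_update.exe\". Cleanup unavailable.",
    "Shh/Updater-B C:\\Program Files (x86)\\Sophos\\AutoUpdate\\swlocale.dll",
    "Shh/Updater-B C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\plug_ins\\Updater.api",
    "host03: Virus/spyware 'Troj/Example-A' has been detected in \"C:\\Users\\bob\\Downloads\\invoice.exe\". Cleanup unavailable.",
]

if __name__ == "__main__":
    for name, info in triage(SAMPLE).items():
        print(name, info["total"], info["vendor_hits"], info["likely_false_positive"])
```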
  • Morning BlackDiamond, I am looking into this now, are you working in a domain environment? I am currently presuming so, if so, what type of admin account are you using for this, local admin, domain admin or forest admin?

    To answer your query:

    How is it possible to have two of the same system in the SEC? If you re-protect the endpoint and its UID has changed for any reason, you may end up with multiple system entries in the DB. I have heard of this behaviour previously, but as I am not a DB admin I am not able to expand much further on the root cause of this. We may be able to get a script to help remove the duplicate machine IDs; if I recall correctly, though, this will require re-protecting the system to re-add it to the DB, as the operation would delete the system information and its associated UID records.

    Could you clarify the statement "remove the items from quarantine and rerun Protect Computers from SEC", are you referring to acknowledging the alerts from the console or on the endpoint? As this behaviour seems a little odd and has not been seen so far in our testing, if we can get a root cause we should be able to get the script working for you, which should hopefully reduce the pain threshold a bit for the rollout to your remaining systems.

    [Edit] Just spoke to my colleagues, could you confirm if the duplicates are split between Managed and unmanaged? If so select the unmanaged systems and delete them from the console, this should resolve the issue regarding those. [/Edit]

    :33323
  • @ JoltCube

    We are using a domain administrator account.

    There was only one case of duplicate system, so that is a non-issue at this point.

    I am talking about the endpoints. They have the files listed previously in their local quarantine. If you try and do the same thing from SEC, it is blank.  If I remove the files from the endpoint quarantine and re-run protect computers from the SEC, the endpoint will return to normal in the SEC.

    :33347
  • Hello BlackDiamond, I am escalating this to support as they may have a tool that will assist with this. Sorry about the delay getting back to you; I was working on some other issues.

    :33355
  • Hello Everyone,

    We were also affected by the update that came out on Sept. 19, but hopefully it was fixed. However, I would like to know if I could get/download the exact file (AGEN-XUV.IDE) that was released on Wednesday, Sept. 19, which caused the false positive issue. I just wanted to do some testing and it would be very useful to have that same file.

    :34121
  • Hi..!!

    1. Kindly disable Tamper Protection on the console if the service allows.

    2. Run \\IP of the server or servername\sophosupdate\S000\SAVSCFXP\ on the affected endpoint (manual SAV installation accordingly).

    3. Right-click and install the Sophos Setup.exe as Administrator.

    4. Key in the Administrator account to the Sophos Administrator.

    5. After successful installation as the Sophos Administrator, the endpoint is able to clear the previous error.

    6. Enable Tamper Protection again on the console if the service allows.

    The links below are helpful for review:

    http://www.sophos.com/en-us/support/knowledgebase/12386.aspx

    http://www.sophos.com/en-us/support/knowledgebase/114191.aspx

    Hope this solves the issue you faced.

    If the issue persists, kindly take SDU logs and send them to Sophos Support.

    Best regards,

    Lingez

    ABS Malaysia

    :39635