
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Over 800 alerts and climbing. Busy signal from Sophos.


  • havoc64 wrote:

    havoc, try that on your SUM server first. The endpoints seem to be taking the update once it's available, but the false positive is preventing the SUM from being able to download the fixed file. Endpoints that haven't been rebooted yet and didn't have the files moved or deleted should recover on next update.

    I'm working on finding a workaround for systems that had the files deleted that doesn't require a reinstall. As soon as I have something I'll let you all know.

    Nathan,

    I tried that on our server and I got an error after I started the service that says...

    ALMon

    Error Loading External Resources (0x8007007e)


    ALMon is just the system tray shield. Was the Sophos Update Manager able to download after you performed those steps?

  • Hey Nathan - are there any consequences for already having Sophos delete every threat that it found? Are the files that are now missing and deleted going to have any effect on the PC? 197 files were deleted.

    Thanks!

  • I can't find javab-jd.ide on my endpoints *or* on my server. Where should it be?

  • What is the easiest way to authorize or remove the ALUpdate.exe from quarantine? I've started updating my systems, but now they all still have that file listed in their quarantine... how can files easily be removed from quarantine on all of these systems? I don't seem to have that option in the console.

  • 1. Disable your on-access scanning for your Sophos server and workstations via the policy.
    2. Run the update manager on the server and check for an update.
    3. Verify that the update completed.
    4. Once update completed, update computers/servers.
    5. Acknowledge the errors on the systems and they should not come back.
    6. Re-enable the on-access scanning for your Sophos server and workstations via the policy.
    7. Relax, the issue is now resolved!

  • wineoh wrote:

    What about we chosen ones who had DELETE set? Where is our fix?


    Unfortunately, at this time the only option I know will work in this case is to reprotect. If you have a system that didn't delete the files with the same version of Sophos installed as the affected endpoints, then copying the needed files around should work as well. Again, a tool like PSEXEC could be used to push the files around (note that Application Control flags PSEXEC). If I come up with another idea, I'll be sure to post it here.

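    The "copy the needed files from an unaffected machine with the same version" workaround above depends on knowing exactly which files the cleanup removed and on the reference machine really carrying the same build. The script below is an added example, not code from this thread or from Sophos: it inventories the Sophos install tree on a known-good reference host and reports, per affected host, which files are missing or have a different SHA-256 hash. It assumes the admin shares (\\host\c$) are reachable, the account running it is a local administrator on every host, and PowerShell 4 or later for Get-FileHash. The script name in the usage line is hypothetical. It only reports; the actual copy is left to the administrator, since the thread notes Application Control flags PSEXEC.

```powershell
<#
  Added example (not from this thread or from Sophos): inventory the Sophos
  install tree on a known-good reference machine and report which files are
  missing or different on affected machines.
  Assumptions: admin shares (\\host\c$) are reachable, the account running
  this is a local administrator on every host, PowerShell 4+ (Get-FileHash).
  Usage (script file name is hypothetical):
    .\Compare-SophosFiles.ps1 -ReferenceHost GOODPC -AffectedHosts PC01,PC02
#>
param(
    [Parameter(Mandatory = $true)][string]$ReferenceHost,
    [Parameter(Mandatory = $true)][string[]]$AffectedHosts
)

# Both install roots seen in the thread: 32-bit endpoints use "Program Files",
# a 64-bit server has the product under "Program Files (x86)".
$sophosRoots = @('Program Files\Sophos', 'Program Files (x86)\Sophos')

function Get-SophosInventory {
    param([string]$ComputerName)

    # Map of path-relative-to-the-Sophos-root -> SHA256, so the 32-bit and
    # 64-bit layouts can be compared file by file.
    $inventory = @{}
    foreach ($root in $sophosRoots) {
        $base = "\\$ComputerName\c$\$root"
        if (-not (Test-Path -LiteralPath $base)) { continue }
        Get-ChildItem -LiteralPath $base -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $relative = $_.FullName.Substring($base.Length).TrimStart('\')
                $inventory[$relative] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
    }
    return $inventory
}

function Compare-SophosInventory {
    param([hashtable]$Reference, [hashtable]$Target, [string]$TargetName)

    foreach ($relative in ($Reference.Keys | Sort-Object)) {
        if (-not $Target.ContainsKey($relative)) {
            $state = 'Missing'      # removed by the false-positive cleanup
        } elseif ($Target[$relative] -ne $Reference[$relative]) {
            $state = 'Different'    # build or config mismatch: do not overwrite blindly
        } else {
            continue
        }
        [pscustomobject]@{
            Computer = $TargetName
            File     = $relative
            State    = $state
        }
    }
}

$referenceInventory = Get-SophosInventory -ComputerName $ReferenceHost
if ($referenceInventory.Count -eq 0) {
    throw "No Sophos files found on reference host $ReferenceHost"
}

foreach ($target in $AffectedHosts) {
    $targetInventory = Get-SophosInventory -ComputerName $target
    Compare-SophosInventory -Reference $referenceInventory -Target $targetInventory -TargetName $target
}
```

    Only the "Missing" rows are unambiguous restore candidates. A "Different" row on a program binary means the reference host is on another build and is not a safe copy source; a "Different" row on a per-machine configuration file may be legitimate and should be left alone.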
  • My server has both a "Program Files" and a "Program Files (x86)" folder, and in the C:\Program Files\Sophos folder there isn't any "Sophos Anti-Virus" folder, while it exists in the "(x86)" path.

  • I think I got the update on my server, but in trying to push it out to the PCs I still see an error:

    C:\Program Files (x86)\Sophos\AutoUpdate\iconfig.ppi is still getting labeled as Shh/Updater-B and therefore not updating.

    Need more help!
