
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

:29723



  • wprensky wrote:

    Hi Nathan - thanks for this, the updater seems to be working again -

    quick question - what happens to all the files that were in quarantine - we didn't do anything to them so they are still in the quarantine list - how do we get them all working again?

    thanks. 


    If they were just quarantined (and not moved or deleted) then once the new IDE is applied the files will no longer be blocked. In most cases the items listed as quarantined (the entries in the quarantine manager, not the files) will be removed automatically as well.

    :30521
  • Our console is updating again. Got the latest update, pushed it out to all the clients and I am flooded with SSH/Updater-B detections again. :smileymad:

    :30523

  • datapa wrote:

    I just disabled on-access scanning when we were told false positives. An update came through around 30 minutes ago, and automatically propagated out to all clients. I turned on-access scanning back on, acknowledged the warnings and all seems OK now. No need to manually re-install.

    Big mess, but does seem resolved with no harm done for me. Hope everyone else can say the same!!


    I can confirm that this worked for me too.

    :30525
    1. Disable your on-access scanning for your Sophos server and workstations via the policy.
    2. Run the update manager on the server and check for an update.
    3. Verify that the update completed.
    4. Once update completed, update computers/servers.
    5. Acknowledge the errors on the systems and they should not come back.
    6. Re-enable the on-access scanning for your Sophos server and workstations via the policy.
    7. Relax, the issue is now resolved!

    Hope this helps everyone, it helped me thanks to Sophos support before their system crashed again. =)

    :30527
  • I confirm the following:

    • Disable your on-access scanning for your Sophos server and workstations via the policy.
    • Run the update manager on the server and check for an update.
    • Verify that the update completed.
    • Once update completed, update computers/servers.
    • Acknowledge the errors on the systems and they should not come back.
    • Re-enable the on-access scanning for your Sophos server and workstations via the policy.

    I also confirm Nathan's response that the quarantined items are cleaned up automatically. Verified on 200 machines thus far... Geez...

    :30529
  • What if, since it's 3:00 and school is getting out, every computer is shut off with the ALsvc.exe in quarantine so that tomorrow the autoupdate service is not running and we can no longer deploy updated definitions? Is there a script or fix tool on the way to remotely repair our 10,000 systems?

    (sorry if I missed something earlier in the massive thread)

    :30531

  • sclime wrote:

    This seems to resolve the alert on the server for the client, but how do we clear the quarantine items on the client???


    Great question.  Nathan, what is the answer to this?  I am able to resolve the alerts on the console and update the systems after disabling scanning, but how do I then clear these entries off of the quarantine lists of these systems other than clicking Quarantine on every system and then clear the alert list?

    :30533
  • I think I just need to wait till all my clients update.  A bunch are still not up to date.

    :30535
  • Your fix doesn't work for everyone, but we sure appreciate you posting it over and over again.

    :30539
  • Many thanks - the update went through - so I am going to hope that the listed files (about 200 of them :( ) will start to work again - we took no action knowing we could only make things worse.  Thanks for all the help - despite the "sophos just committed suicide" comments on here by others, I think you guys have done a very good job of both staying on top of this and of keeping in touch with us.  Well Done!

    :30541