
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts, but at an alarming rate.




  • Drake wrote:

    So is this true, that if they are just in quarantine and not auto-moved or deleted, the new IDE will take them out of quarantine?


    I thought it would, but can't seem to get that to happen on my test system. I'll need to investigate that further once the bigger fires die down.

  • UPDATE FROM SOPHOS

    RED NOTIFICATION - False Positive detections with Shh/Updater-B - UPDATE 15:11 PDT

    As the False Positive can affect our own binaries, it can in some instances prevent both SUM and SAU from being able to update.

    In these situations the following instructions can be used to work around the issue, download the fixed IDE, and propagate it to all endpoints.

    SUM unable to update
    If SUM is unable to update, it is probable that files in the warehouse are failing to be decoded because they are being falsely detected as Shh/Updater-B.
    To work around this issue and successfully download the IDE file that fixes it, follow these steps:

    1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
    2. Restart the 'Sophos Anti-Virus Service'
    3. Update SUM via the Sophos Enterprise Console

    Endpoints unable to update
    If customers have endpoints that are unable to update due to the false positive issue, the following steps can be taken to get the fixed IDE to them:

    1. Centrally disable On-Access scanning via policy in SEC
    2. Select Groups in SEC and select 'Update Now'
    3. Once a group has updated re-enable On-Access scanning via policy in SEC

  • This worked for us:

    1. Sophos server couldn't update as the updater was located in an "infected" directory, so when the updater was accessed it was quarantined immediately, causing updating to fail. YIKES!
    2. Solution: I disabled on-access scanning in the default policy (affecting everyone, including the Sophos server) and was able to update the Sophos server immediately.
    3. Sophos server was now up to date and workstation updating should work (as on-access scanning was disabled by the default policy change).
    4. We will enable on-access scanning once we stabilize.

    Sophos server version is showing as 1.3.2.176 and reports:

    Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3991863 items in AV Log.

    Well... Nathan's suggestion of deleting the agen-xuv.ide file on the update managers and forcing an update from the console does seem to resolve the issue for two of my update managers updating from the internet.

    But the clients... e.g. my client still shows a detection for the virus in spite of being updated.

    Just received an email from Sophos with the solution:

    SUM unable to update
    If SUM is unable to update, it is probable that files in the warehouse are failing to be decoded because they are being falsely detected as Shh/Updater-B.
    To work around this issue and successfully download the IDE file that fixes it, follow these steps:

    1.  Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\  [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
    2.  Restart the 'Sophos Anti-Virus Service'
    3.  Update SUM via the Sophos Enterprise Console


    Endpoints unable to update
    If endpoints are unable to update due to the false positive issue, the following steps can be taken to get the fixed IDE to them:

    1.  Centrally disable On-Access scanning via policy in SEC
    2.  Select Groups in SEC and select 'Update Now'
    3.  Once a group has updated re-enable On-Access scanning via policy in SEC

    I'll pray for those who had selected the "delete if cleanup fails" option.

  • Nathan

    I removed the agen-xuv.ide and restarted services on my server. It still won't update. I think the update.exe was deleted.

    What do I need to do to get updates working again on the server?

    Thanks

  • Looks like our network is back to normal.

    Thanks to all those helping out here! :heart:

    Sophos... learn your lesson and communicate with your customers better. Nathan, you were valiant here, but the corporation should have had better information at the root of the support page.


  • MPGTucker wrote:

    Create a batch file with these contents:

    ----------

    @Echo OFF
    :: Sophos Fix by Matt Tucker
    :: Stop the AV service, remove the false-positive IDE from whichever
    :: install path exists (64-bit or 32-bit), then start the service again.

    Net Stop SAVService
    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" & Echo File Deleted)
    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" & Echo File Deleted)
    Net Start SAVService

    ----------

    Run this on your server, then perform an update. Once the server has been properly updated, run this on every PC affected; pick your tool to do this. Thanks to Nathan for the heads up on the IDE file.


    Just be sure to remove this once you've deployed javab-jd.ide. The IDE agen-xuv.ide has other definition files and will automatically be put back on the next IDE update. Your script will continue to delete it and cause unnecessary restarts of SAVService.

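The SUM workaround from the Sophos update post above (delete agen-xuv.ide, restart the Sophos Anti-Virus service, update) and Nathan's caveat that a script left in place keeps deleting the IDE after it is legitimately reissued can be combined into one idempotent script. The following PowerShell is an added example, not code from the thread or from Sophos; it assumes only the names already given in the thread (agen-xuv.ide as the false-positive IDE, javab-jd.ide as the corrected IDE, the SAVService service name and the two default install paths) and takes no action once the fix IDE is present, so it is safe to deploy through a scheduled task or GPO and forget.

```powershell
# Added example (not from the thread). Removes the false-positive IDE only while
# the corrected IDE has not yet arrived, so repeated runs are harmless.
# Assumptions taken from the thread: file names agen-xuv.ide / javab-jd.ide,
# service name SAVService, default Sophos Anti-Virus install directories.
$SavDirs = @(
    'C:\Program Files\Sophos\Sophos Anti-Virus',
    'C:\Program Files (x86)\Sophos\Sophos Anti-Virus'
)
$BadIde = 'agen-xuv.ide'   # IDE carrying the Shh/Updater-B false positive
$FixIde = 'javab-jd.ide'   # IDE that corrects it

# Pick whichever install directory exists on this machine (64-bit or 32-bit).
$SavDir = $SavDirs | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $SavDir) {
    Write-Output 'Sophos Anti-Virus directory not found; nothing to do.'
    exit 0
}

# Once the fix IDE is present the update has succeeded; agen-xuv.ide may be
# reissued later with different content and must be left alone.
if (Test-Path -Path (Join-Path -Path $SavDir -ChildPath $FixIde)) {
    Write-Output "$FixIde already present in $SavDir; no action taken."
    exit 0
}

$BadPath = Join-Path -Path $SavDir -ChildPath $BadIde
if (-not (Test-Path -Path $BadPath)) {
    Write-Output "$BadIde not present in $SavDir; no action taken."
    exit 0
}

# Only restart the service when there is actually a file to remove.
$Svc = Get-Service -Name 'SAVService' -ErrorAction SilentlyContinue
if ($Svc -and $Svc.Status -eq 'Running') {
    Stop-Service -Name 'SAVService' -Force
}
Remove-Item -Path $BadPath -Force
Write-Output "Deleted $BadPath"
if ($Svc) {
    Start-Service -Name 'SAVService'
    Write-Output 'SAVService restarted; trigger an update from SEC now.'
}
```

Run it elevated on the SUM server first, perform the update from the Sophos Enterprise Console, and only then push it to endpoints. Because the script exits early when javab-jd.ide is found, it does not need to be removed from a scheduled task after the fix has propagated, which avoids the repeated deletions and service restarts Nathan describes.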
    Nathan: I did that already - deleted agen-xuv.ide and restarted the service - but am still unable to successfully "update now". The message states "software delivery failed", last update was 4:23 PM EST today, and my current version is 1.3.1.168. Many files in the "program files\sophos\AutoUpdate" directory were quarantined by the Sophos endpoint running on my SUM server. I "authorized" all of them individually through the endpoint authorization manager, but they are still listed in quarantine. Could that be my issue? Thanks.


  • dharris wrote:

    I got the console to update with your help, and I tried to push the update to all the PCs, and then acknowledge the error, but I'm still getting recurring desktops saying they're infected, and they say "failed to install savxp: An unknown exception has occurred." Tried rebooting a couple of PCs but I don't think that has done anything.


    I'm afraid you have a bigger issue on your hands. I would recommend speaking with support on this for further assistance as it will be tough for me to help through the forum. Please be patient, the phone queues are still rather backed up.

    No need to disable On-Access. Just exclude all of the possible Sophos AutoUpdate folders from On-Access scanning via policy, and your clients will be able to update:

    C:\ProgramData\Sophos\AutoUpdate\

    C:\Program Files (x86)\Sophos\AutoUpdate\

    C:\Program Files\Sophos\AutoUpdate\

    We should get paid by Sophos
