
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Nathan: I did that already - deleted agen-xuv.ide and restarted service - but am still unable to successfully "update now". Message states "software delivery failed", last update was 4:23 PM EST today, and my current version is 1.3.1.168. Many files in the "program files\sophos\AutoUpdate" directory were quarantined by the Sophos endpoint running on my SUM server. I "authorized" all of them individually through the endpoint authorization manager, but they are still listed in quarantine. Could that be my issue? Thanks.

    DougfromMaine we have the same issue here. We are unable to update our server and none of the fixes are working.


  • DougFromMaine wrote:

    Nathan: I did that already - deleted agen-xuv.ide and restarted service - but am still unable to successfully "update now". Message states "software delivery failed", last update was 4:23 PM EST today, and my current version is 1.3.1.168. Many files in the "program files\sophos\AutoUpdate" directory were quarantined by the Sophos endpoint running on my SUM server. I "authorized" all of them individually through the endpoint authorization manager, but they are still listed in quarantine. Could that be my issue? Thanks.


    Hrm, your SUM is behind on its version. Possibly related, but hard to tell. I suggest contacting support for more focused assistance than what I can offer through the forum.


  • ktremain wrote:

    I have an MSP platform that was set to MOVE non-cleanable files. 

    How do I get all the REMOTE clients fixed now?

    I have repaired the SEC and SUM servers, so the updates are waiting to go out, but the clients' updaters are MOVED, so they are not pulling fixed files.


    Unfortunately, you'll first need to restore the files that were moved. Perhaps a VB script that can extract the files/paths of the files in question from the sav.txt log, then copy just those files from the infected folder back to the original source. Or use PSEXEC to run a batch file across all affected systems to restore the files that were moved.

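The restore approach sketched in that reply (pull the moved files' paths out of the log, copy them back from the quarantine folder) as a worked PowerShell example. This is an added illustration, not code from the thread or from Sophos. Assumptions are labelled in the code: the exact wording of the sav.txt "moved" lines is a guess (adjust the regex to the real log), the sav.txt and quarantine locations are placeholders, and the `-AllowedRoot` guard is an addition so that only files from the Sophos install tree are put back and a genuine detection sitting in the same quarantine folder is never restored.

```powershell
# Added example (not from the thread): restore files a false positive moved to quarantine.
# ASSUMPTION: the log contains lines of the form
#   Moved "<original path>" to "<quarantine path>"
# Real sav.txt wording may differ; change $MovedPattern to match it.

function Get-MovedFileEntries {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string] $MovedPattern = '^.*Moved\s+"(?<orig>[^"]+)"\s+to\s+"(?<quar>[^"]+)"'
    )
    foreach ($line in $LogLines) {
        if ($line -match $MovedPattern) {
            [pscustomobject]@{
                Original   = $Matches['orig']
                Quarantine = $Matches['quar']
            }
        }
    }
}

function Test-AllowedPath {
    # Guard (added here, not part of the thread): only paths under the Sophos
    # install tree are eligible, so a real detection is never restored by mistake.
    param([string] $Path, [string] $AllowedRoot)
    return $Path.StartsWith($AllowedRoot, [System.StringComparison]::OrdinalIgnoreCase)
}

function Restore-MovedFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [string] $AllowedRoot = 'C:\Program Files\Sophos'
    )
    $entries = Get-MovedFileEntries -LogLines (Get-Content -LiteralPath $LogPath)
    foreach ($e in $entries) {
        if (-not (Test-AllowedPath -Path $e.Original -AllowedRoot $AllowedRoot)) {
            Write-Warning "Skipping path outside $AllowedRoot : $($e.Original)"
            continue
        }
        if (-not (Test-Path -LiteralPath $e.Quarantine)) {
            Write-Warning "Quarantined copy not found: $($e.Quarantine)"
            continue
        }
        # -WhatIf / -Confirm are honoured here via ShouldProcess.
        if ($PSCmdlet.ShouldProcess($e.Original, "Restore from $($e.Quarantine)")) {
            $dir = Split-Path -Parent $e.Original
            if (-not (Test-Path -LiteralPath $dir)) {
                New-Item -ItemType Directory -Path $dir | Out-Null
            }
            Copy-Item -LiteralPath $e.Quarantine -Destination $e.Original -Force
        }
    }
}

# Constructed sample lines (not real sav.txt output) to exercise the parser and the guard.
$sample = @(
    '20120919 163012 Moved "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe" to "C:\Quarantine\swi_update.exe.0001"',
    '20120919 163015 Moved "C:\Users\alice\Downloads\example.exe" to "C:\Quarantine\example.exe.0002"'
)
Get-MovedFileEntries -LogLines $sample |
    Select-Object Original, Quarantine,
        @{ n = 'Eligible'; e = { Test-AllowedPath -Path $_.Original -AllowedRoot 'C:\Program Files\Sophos' } } |
    Format-Table -AutoSize

# Dry run first, then the real run (paths are placeholders):
#   Restore-MovedFiles -LogPath '<path to sav.txt>' -WhatIf
#   Restore-MovedFiles -LogPath '<path to sav.txt>'
```

Run it with `-WhatIf` on one endpoint first to confirm the regex actually matches your log before pushing it out through PsExec or whatever remote execution you have; on the constructed sample only the swi_update.exe entry comes back as eligible, the Downloads entry is skipped by the root guard.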

  • wprensky wrote:

    Hi Nathan - the files are still showing in quarantine. Is there any way to manually reauthorize them? Many thanks.


    You shouldn't need to re-authorize them, just select "Clear from list" (or Acknowledge if you're on the Console).

  • Yes

    I've got like 50 computers and some say to reboot and after they reboot Sophos doesn't load anymore.


  • Monroe103 wrote:

    Yes

    I've got like 50 computers and some say to reboot and after they reboot Sophos doesn't load anymore.


    It sounds like you might have a different issue on your hands. This false positive was not known to cause any reboot alerts. If the alert was present beforehand and you rebooted before getting the fixed IDE, then it's possible that parts of Sophos won't load. I would recommend contacting Support for further assistance.


  • Unfortunately, you'll first need to restore the files that were moved. Perhaps a VB script that can extract the files/paths of the files in question from the sav.txt log, then copy just those files from the infected folder back to the original source. Or use PSEXEC to run a batch file across all affected systems to restore the files that were moved.


    Sorry, but that's not possible. These machines are NOT on one site OR network. They are on our customer sites updating over the internet to our datacentre. There is NO way to run any scripts on them all centrally. Some machines are even overseas. What's the status on Sophos releasing a "Fix-It" tool that our helpdesk can instruct users to run that will repair this mess?

  • Nathan: I reviewed our "update manager details" and find that as far back as history is available - 9/5/12 - all updates have been failing. The Windows event log error associated with the update attempt appears below. Is it possible our subscription has lapsed? I wouldn't think so, because, how would we have obtained the update that caused the issue? Thanks again.

    Synchronize operation failed when synchronizing product release 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Couldn't authenticate user for resource with host server. URL was: http://dci.sophosupd.net/update/

  • The problem is I've cleared (acknowledged) all of them on the Console but they still appear in the local quarantine list on each client. How do I clear the quarantine list on each client?!

  • So, we have obviously had the same issue as everyone else. But, since the bad update, my Enterprise Console is no longer reporting any connection with any clients or subscription update. My clients can see the server, but the server has no record of the clients contacting it. Kind of stuck here...
