
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Well, I'm running this against a list using PowerShell; everything is cleaning up pretty quickly.


  • ktremain wrote:

    Unfortunately, you'll first need to restore the files that were moved. Perhaps a VB script that can extract the files/paths of the files in question from the sav.txt log, then copy just those files from the infected folder back to the original source. Or use PsExec to run a batch file across all affected systems to restore the files that were moved.


    Sorry, but that's not possible. These machines are NOT on one site OR network. They are on our customer sites updating over the internet to our datacentre. There is NO way to run any scripts on them all centrally. Some machines are even overseas. What's the status on Sophos releasing a "Fix-It" tool that our helpdesk can instruct users to run that will repair this mess?


    Unfortunately, such a tool is not in the works at the moment. Would something like the following be an option for you?

    1. Obtain copies of the endpoint files flagged with this FP

    2. Create a batch file to perform the file copies

    3. Use a tool like WinRAR to create a self-extracting zip of the files that executes the batch file once extraction completes.

    4. Email the SFX to users with instructions

  • Hi Nathan,

    I have followed what has been advised on a few machines, and I am now getting an "Unknown" status in the up-to-date field in my console.

    Is there anything else we need to do?

    Thank you for your help

  • Be careful when disabling the whole on-access scan: when enabling it again, only "scan on read" is checked, but the standard seems to be everything except suspicious, infected boot and archive.


  • DougFromMaine wrote:

    Nathan: I reviewed our "update manager details" and find that as far back as history is available - 9/5/12 - all updates have been failing. The Windows event log error associated with the update attempt appears below. Is it possible our subscription has lapsed? I wouldn't think so, because how would we have obtained the update that caused the issue? Thanks again.

    Synchronize operation failed when synchronizing product release 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Couldn't authenticate user for resource with host server. URL was: http://dci.sophosupd.net/update/


    It's possible. There is definitely something amiss there, but I would need more details to dig further. Support is your best bet.


    Many apologies to those on hold with support. As of about 5 minutes ago, the queue is 65 deep. Our engineers are working through the calls as quickly as possible. If you are on hold currently, please be patient and we will get to you as soon as possible. If you would like to use our call-back option, I would recommend doing so.

  • I don't want to sound like Captain Obvious here but for those still having the Shh/Updater-B items listed locally in their user client Quarantine Manager, did you check the items and click Clear from list?

    I was confused at first as well as I thought that something like this would be under the Perform action drop-down where the Move or Delete options were located.

  • Just some notes on my experiences so far. 

    In my Sophos Control Center I, unfortunately, had my on-access scanning cleanup option set to deny access and move to default location. When the cluster f of an update occurred earlier, it threw a bunch of Sophos AutoUpdate files as well as some other update files into this location:

    C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

    Fortunately, as Nathan mentioned a few times in this thread, the log file takes note of the original file path of all files moved. The log file is located here:

    C:\ProgramData\Sophos\Sophos Anti-Virus\logs\sav.txt

    I'm not a programmer and it would probably take me longer to figure out a script to automate this, so I manually moved the files back to their original directories, having to remove the .000 at the end of each file that Sophos adds when it moves the files.

    My workstation is back up and running (and up to date) without any errors, so at least Sophos quickly corrected the problem.

    I manage only about 10 users so I guess I'll be spending some time manually moving these files unless someone has a better solution.

    I feel very badly for all you enterprise admins out there that have off-site and large numbers of workstations to correct (unless you were smarter than I was to begin with and just denied access for cleanup). I've now changed that setting... :)

    Good luck all! 

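The restore the post above did by hand, and the sort of script ktremain asked for earlier in the thread, as an added PowerShell example that is not from the thread or from Sophos: it reads sav.txt, keeps the lines that name Shh/Updater-B, extracts the original path from each, and moves the matching `.000` copy out of the INFECTED folder. The wording of sav.txt lines (only "one absolute path per relevant line" is relied on), the absence of `.001`-style duplicate names, and the default paths are assumptions; run it elevated and only after the endpoint has pulled the corrected identity, otherwise on-access scanning moves the files straight back.

```powershell
# Added example (not Sophos code): restore files quarantined by the Shh/Updater-B FP.
# ASSUMPTION: each relevant sav.txt line contains the detection name and exactly one
# absolute Windows path; adjust $PathPattern if your log is worded differently.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$LogPath    = 'C:\ProgramData\Sophos\Sophos Anti-Virus\logs\sav.txt',
    [string]$Quarantine = 'C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED',
    [string]$Detection  = 'Shh/Updater-B'
)

# Drive letter, backslash path (spaces allowed), short extension, then quote/space/end.
$PathPattern = '(?<path>[A-Za-z]:\\[^"<>|\r\n]+?\.[A-Za-z0-9]{1,4})(?=["\s]|$)'
$restored = 0
$skipped  = 0

Get-Content -LiteralPath $LogPath -ErrorAction Stop | ForEach-Object {
    if ($_ -notmatch [regex]::Escape($Detection)) { return }   # not this detection
    if ($_ -notmatch $PathPattern)                { return }   # no path on the line
    $original = $Matches['path']

    # Sophos stores the moved copy under its original file name plus a .000 suffix
    # (ASSUMPTION: no .001/.002 duplicates from the same name being moved twice).
    $quarantined = Join-Path $Quarantine ((Split-Path $original -Leaf) + '.000')

    if (-not (Test-Path -LiteralPath $quarantined)) {
        Write-Warning "No quarantined copy for $original (expected $quarantined)"
        $skipped++; return
    }
    if (Test-Path -LiteralPath $original) {
        # Updater may already have re-downloaded it; never overwrite a live file.
        Write-Verbose "Already present, leaving quarantine copy alone: $original"
        $skipped++; return
    }

    $dir = Split-Path $original -Parent
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    # -WhatIf / -Confirm are honoured via SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($original, "Restore from $quarantined")) {
        Move-Item -LiteralPath $quarantined -Destination $original
        $restored++
    }
}

Write-Host "Restored $restored file(s), skipped $skipped (see warnings/verbose output)."
```

Run with `-WhatIf` first to see which moves it would make; each restored path is logged so the result can be checked against the console's up-to-date status afterwards.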
  • Yes, I'm getting this too, what the hell is going on here? (will read all posts)


  • Nathan wrote:

    Many apologies to those on hold with support. As of about 5 minutes ago, the queue is 65 deep. Our engineers are working through the calls as quickly as possible. If you are on hold currently, please be patient and we will get to you as soon as possible. If you would like to use our call-back option, I would recommend doing so.


    Please let us know here when the phone support queue dies down, then I will call in to discuss my issue further.


  • henhowc wrote:

    I don't want to sound like Captain Obvious here but for those still having the Shh/Updater-B items listed locally in their user client Quarantine Manager, did you check the items and click Clear from list?

    I was confused at first as well as I thought that something like this would be under the Perform action drop-down where the Move or Delete options were located.


    Logging into 250+ PCs to manually clear the list from the quarantine is not exactly an acceptable solution. Yes, you are correct, this does work if you do it from the local client. We want a way to do this from the management console or via script in bulk.
