
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Now Sophos is detecting all updaters as viruses, including Google Chrome, Adobe and our internal apps. GREAT JOB SOPHOS!!!

  • I'm stuck - big time.

    On the server I've tried stopping the service, deleting the IDE file, and starting the service again.  No change.  I've tried disabling on-demand scanning.  No change.

    I have tried the same on the clients.  No change.

    A third of the computers are showing infected.  The other 2/3 are showing "awaiting policy transfer" and are not contacting the server - most likely because their update service is quarantined. 

    I need answers.  I cannot reach support.

    I have critical applications that will not start because Sophos has quarantined them.

  • Well for me it looks like it did a false detection on more than just Sophos related files.

    Virus/spyware 'Shh/Updater-B' has been detected in "C:\program files\Google\googletoolbar2.dll\FILE:0001". Cleanup unavailable.

    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Disks\Audio\RtlUpd.exe". Cleanup unavailable.

    Infected file "C:\Disks\Audio\RtlUpd.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\RtlUpd.exe.000".

    Virus/spyware 'Shh/Updater-B' has been detected in "C:\MCK\Common\JRE\1.5.0_12\bin\jucheck.exe". Cleanup unavailable.

    Infected file "C:\MCK\Common\JRE\1.5.0_12\bin\jucheck.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\jucheck.exe.000".

    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Meds\FDBIncrementalUpdate.exe". Cleanup unavailable.

    Infected file "C:\Meds\FDBIncrementalUpdate.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\FDBIncrementalUpdate.exe.000".

    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe". Cleanup unavailable.

    Infected file "C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\jucheck.exe.2.000".

    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Java\j2re1.4.2_13\bin\jucheck.exe". Cleanup unavailable.

    Infected file "C:\Program Files\Java\j2re1.4.2_13\bin\jucheck.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\jucheck.exe.3.000".

    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\AutoUpdate\inetconn.dll". Cleanup unavailable.

    Infected file "C:\Program Files\Sophos\AutoUpdate\inetconn.dll" has been moved to "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\inetconn.dll.000".

    Infected file "C:\WINDOWS\RtlUpd.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\RtlUpd.exe.2.000".

    Virus/spyware 'Shh/Updater-B' has been detected in "C:\oracle\product\10.2.0\client_1\jdk\jre\bin\jucheck.exe". Cleanup unavailable.

    Infected file "C:\oracle\product\10.2.0\client_1\jdk\jre\bin\jucheck.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\jucheck.exe.1.000".

    Virus/spyware 'Shh/Updater-B' has been detected in "C:\oracle\product\10.2.0\client_1\jdk\jre\bin\jucheck_g.exe". Cleanup unavailable.

    Infected file "C:\oracle\product\10.2.0\client_1\jdk\jre\bin\jucheck_g.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\jucheck_g.exe.000".

    Is Sophos really saying that we have to script and move these files into the original location? So meanwhile I have 2000+ hospital workstations that I would have to do this on. Assuming the script runs successfully. I am currently on hold with Sophos but it's been 32 mins!

  • Just opening the office here in Singapore and getting hit by thousands of quarantine alerts for this... help!

  • Nathan,

    My management server was set to delete if found items were not cleanable. So my management server is not currently updating. I have tried reinstalling over the top and have not been able to get the services going again. Do I at this point delete and reinstall the Enterprise Console to move forward and then reinstall the client side software?

  • I had 5 clients that were failing to update after the fix.  Reinstalling the client from the console resolved it.

  • This is bad, I got it on a machine and it kept spamming the logs about this. Not only that, I rebooted the machine to see if it would clear up and it appears to have broken Sophos Anti-Virus. Do we have any updates on what is causing this or a valid workaround? This forum thread is huge and I'm having trouble disseminating all the information on here.

    I can look at possibly reinstalling Sophos AV and RMS, etc. on here. But I want to know what happened. Let me know if there is any data that I can send to support to help with this. It's on a lab machine so I can send logs, DLLs, system profile or whatever.

    This smells like a bad virus definition. But what is horrible in my case is that it started reporting all the Sophos update files as this virus and quarantined them all. This is from my SAV.txt file:

    20120919 210952    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\almonres.dll". Cleanup unavailable.
    20120919 210952    On-access scanner has denied access to location "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\almonres.dll" for user pgp_win7_x64-vm\PGP
    20120919 210952    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\almonres.dll1". Cleanup unavailable.
    20120919 210952    On-access scanner has denied access to location "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\almonres.dll1" for user pgp_win7_x64-vm\PGP
    20120919 210953    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\ALMonres.dll2". Cleanup unavailable.
    20120919 210953    On-access scanner has denied access to location "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\ALMonres.dll2" for user pgp_win7_x64-vm\PGP
    20120919 210953    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\ALMonres.dll3". Cleanup unavailable.
    20120919 210953    On-access scanner has denied access to location "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\ALMonres.dll3" for user pgp_win7_x64-vm\PGP
    20120919 210953    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\ALsvc.exe". Cleanup unavailable.
    20120919 210953    On-access scanner has denied access to location "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\ALsvc.exe" for user pgp_win7_x64-vm\PGP
    20120919 210954    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\ALUpdate.exe". Cleanup unavailable.
    20120919 210954    On-access scanner has denied access to location "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\ALUpdate.exe" for user pgp_win7_x64-vm\PGP
    20120919 210955    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\AUAdapter.dll". Cleanup unavailable.
    20120919 210955    On-access scanner has denied access to location "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\AUAdapter.dll" for user pgp_win7_x64-vm\PGP
    20120919 210955    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Windows\Installer\$PatchCache$\Managed\BE814C515767eb242B3B829125AD10D4\2.7.1\cidsync.dll". Cleanup unavailable.

  • Using Enterprise Console v5. I cannot get updates to download to the SEC server. How do the instructions for SUM apply to the SEC?

  • We've been on hold for almost an hour now and the fixes on this forum are doing nothing for our SEC. We are still unable to update and the download status does not update. We have SEC version 4.0.0.2362 and our client is version 1.3.1.168, can someone provide help? Thank you.

  • Yea this is great. We have about 6000 computers and about 120 servers that are all f*@#ed up. I can't update the SUM because it's a mess. Now I'm getting calls that most of our apps are not working because files are getting deleted. This is a major disaster, not just a small mistake. This is worse than a virus, this is getting close to becoming a criminal act.

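Added example (not from any poster in this thread and not Sophos tooling): a read-only triage of the alert text and SAV.txt lines quoted in the posts above, separating files quarantined under the reported detection name from moves that cannot be tied to it and files that were only blocked in place. The sample log is constructed, and `triage` and its result keys are names chosen for this example.

```python
import re
from collections import OrderedDict

# Constructed sample in the two shapes quoted in the thread: console alert
# text, and SAV.txt lines carrying a "YYYYMMDD HHMMSS" prefix.
SAMPLE = r'''
Virus/spyware 'Shh/Updater-B' has been detected in "C:\Disks\Audio\RtlUpd.exe". Cleanup unavailable.
Infected file "C:\DISKS\Audio\RtlUpd.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\RtlUpd.exe.000".
20120919 210953    Virus/spyware 'Shh/Updater-B' has been detected in "C:\Windows\Installer\ALsvc.exe". Cleanup unavailable.
20120919 210953    On-access scanner has denied access to location "C:\Windows\Installer\ALsvc.exe" for user LAB\PGP
20120919 210954    Virus/spyware 'Other/Thing-A' has been detected in "C:\Temp\x.exe". Cleanup unavailable.
Infected file "C:\Temp\x.exe" has been moved to "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\x.exe.000".
'''

STAMP = r'(?:\d{8} \d{6}\s+)?'   # optional SAV.txt timestamp prefix
DETECT = re.compile(STAMP + r'''Virus/spyware '([^']+)' has been detected in "([^"]+)"''')
MOVED = re.compile(STAMP + r'Infected file "([^"]+)" has been moved to "([^"]+)"')

def triage(log_text, name="Shh/Updater-B"):
    """Build a review plan for one detection name; touches no files."""
    detected = OrderedDict()     # casefolded path -> path as first logged
    moves = []                   # (original, quarantined) in log order
    for line in log_text.splitlines():
        line = line.strip()
        m = DETECT.match(line)
        if m:
            if m.group(1) == name:
                detected.setdefault(m.group(2).casefold(), m.group(2))
            continue
        m = MOVED.match(line)
        if m:
            moves.append((m.group(1), m.group(2)))
    plan = {"restore": [], "review": [], "blocked_in_place": []}
    moved_keys = set()
    for original, quarantined in moves:
        key = original.casefold()    # Windows paths compare case-insensitively
        if key in detected:
            plan["restore"].append((quarantined, detected[key]))
            moved_keys.add(key)
        else:
            # Move lines carry no detection name: without a matching
            # detection under `name`, keep the file quarantined for review.
            plan["review"].append((quarantined, original))
    plan["blocked_in_place"] = [p for k, p in detected.items() if k not in moved_keys]
    return plan

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket, items)
```

Only the `restore` bucket lists files whose quarantine can be attributed to the named detection; anything in `review` was moved without a matching detection line for that name and should be examined before it is put back.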