
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • Nathan wrote:

    MPGTucker wrote:

    Create a batch file with these contents:

    ----------

    @Echo OFF
    :: Sophos Fix by Matt Tucker
    :: Stops on-access scanning, removes the IDE that carries the false-positive
    :: identity from whichever install path exists, then starts scanning again.

    Net Stop SAVService
    :: 64-bit Windows keeps SAV under "Program Files (x86)", 32-bit under "Program Files"
    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo File Deleted)
    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo File Deleted)
    Net Start SAVService

    ----------

    Run this on your server, then perform an update. Once the server has been properly updated, run this on every affected PC; pick your tool to do this. Thanks to Nathan for the heads up on the IDE file.


    Just be sure to remove this once you've deployed javab-jd.ide. The IDE agen-xuv.ide has other definition files and will automatically be put back on the next IDE update. Your script will continue to delete it and cause unnecessary restarts of savservice.


    After running this once on the server, then using PowerShell to remotely execute it on all my target computers, I'm back down to 0 alerts.


  • Nathan wrote:

    Lelia wrote:

    Nathan

    I removed the agen-xuv.ide and restarted services on my server. It still won't update. I think the update.exe was deleted.

    What do I need to do to get updates working again on the server?

    Thanks


    Do you have a backup of the server that you can restore the deleted files from? You can check the log on the Sophos Anti-Virus client to confirm what file was deleted and the location to restore it to. From the Home page in the Sophos Anti-Virus client, just click on "View anti-virus and HIPS log".


    We had ours set to "Deny Access & Move". I began by shutting down Sophos (net stop savservice) and deleting the file "agen-xuv.ide", as directed. Then I manually restored the files, as Nathan suggests above, by pulling the details from the HIPS/AV log. It was a long and tedious process. After that was done, I started SAVService back up and ran "Update Now". It took some time, but the IDEs did update on the server.

    With the server now working, I am shifting my focus to the clients. (Already turned off On-Access, now trying to get them to update.)

    Thank you Nathan for your diligent assistance through this difficult time. It is greatly appreciated!

  • Here's a quick VB script to restore files that were moved by quarantine to the "Infected" folder.

    Disclaimer: Works for me, but use at your own risk.

    Dim objFSO, infectedPath, progPath, restoreList, relPath, quarantined, original
    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' Quarantine folder used when the on-access policy is set to "move"
    infectedPath = "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\"

    ' AutoUpdate lives under Program Files (x86) on 64-bit Windows, Program Files on 32-bit
    If objFSO.FolderExists("C:\Program Files (x86)\Sophos\AutoUpdate\") Then
        progPath = "C:\Program Files (x86)\Sophos\AutoUpdate\"
    ElseIf objFSO.FolderExists("C:\Program Files\Sophos\AutoUpdate\") Then
        progPath = "C:\Program Files\Sophos\AutoUpdate\"
    Else
        WScript.Echo "Sophos AutoUpdate folder not found, nothing to restore."
        WScript.Quit 1
    End If

    ' Files the false positive moved out of the AutoUpdate folder. Quarantine keeps only the
    ' leaf name and appends ".000", so a file in a subfolder is listed as "sub\name.ext".
    restoreList = Array("ALsvc.exe", "ALUpdate.exe", "inetconn.dll", "AUAdapter.dll", _
                        "ChannelUpdater.dll", "cidsync.dll", "Logger.dll", "SingleGUIPlugin.dll")

    For Each relPath In restoreList
        quarantined = infectedPath & objFSO.GetFileName(relPath) & ".000"
        original = progPath & relPath
        ' Only move the file back when the original is really missing, never overwrite a good copy
        If objFSO.FileExists(quarantined) And Not objFSO.FileExists(original) Then
            objFSO.MoveFile quarantined, original
            WScript.Echo "Restored " & original
        End If
    Next

    ' Restart the AutoUpdate service so it picks up the restored binaries
    Dim strServiceName, objWMIService, colListOfServices, objService
    strServiceName = "Sophos AutoUpdate Service"
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name = '" & strServiceName & "'")
    For Each objService In colListOfServices
        objService.StopService()
    Next
    ' StopService returns before the service has actually stopped; give it time before starting again
    WScript.Sleep 5000
    For Each objService In colListOfServices
        objService.StartService()
    Next
    
  • GOT A REPLY FROM SOPHOS SUPPORT!

    FOLLOW TO THE T, ALL WORKS MINT!!!!!

    Please see the messaging below from SophosLabs regarding this issue:

    Detections of Shh/Updater-B made today are false positives and not an outbreak.

    If you have Live Protection enabled, you should stop seeing these detections as the files are now marked 'clean' in the cloud. If you do not have Live Protection enabled you will stop seeing the new detections once javab-jd.ide has been downloaded by your endpoints (released at Wed, 19 Sep 2012 18:48:35 +0000).

    There is no cleanup for this detection, and you will see it quarantined unless you have your on-access policy set to move or delete detections if cleanup is not possible. Please double check your SAV policy under cleanup; you want to ensure your secondary option (when cleanup is not available or does not work) is set to 'deny access' and not delete or move. Once the detections have stopped, you can acknowledge the alerts in the Console; this way you can see who is still reporting it and confirm it is trending down.

    An advisory has been published here:

    http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

    SUM unable to update

    If SUM is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.

    To workaround this issue and successfully download the IDE file that fixes this issue follow these steps:

    1.  Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\  [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]

    2.  Restart the 'Sophos Anti-Virus Service'

    3.  Update SUM via the Sophos Enterprise Console

    Endpoints unable to update

    If endpoints are unable to update due to the false positive issue the following steps can be taken to get the fixed IDE to them:

    1.  Centrally disable On-Access scanning via policy in SEC

    2.  Select Groups in SEC and select 'Update Now'

    3.  Once a group has updated re-enable On-Access scanning via policy in SEC

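  • The workaround above (and Matt Tucker's batch file earlier in the thread) in PowerShell, as an added example that is not part of any post here and not Sophos code. It adds the guard Nathan asked for, so it does nothing once javab-jd.ide is present and can be left in a deployment tool without causing repeated restarts, and it can be pushed to a list of endpoints over WinRM. Assumptions: SAV lives under Program Files or Program Files (x86) as on this page; the names 'SAVService' and 'Sophos AutoUpdate Service' are taken from the scripts posted above and are matched as either service name or display name; restarting the AutoUpdate service makes the endpoint attempt an update straight away. It covers the SAV side only; SUM is still updated from the Enterprise Console as the support message says.

    ```powershell
    # Fix-ShhUpdater.ps1 (added example, not Sophos code). Run from an elevated prompt.
    param(
        [string[]]$ComputerName = @('localhost'),   # remote names need WinRM enabled on the target
        [int]$TimeoutSeconds = 300                   # how long to wait for javab-jd.ide to arrive
    )

    $fix = {
        param([int]$TimeoutSeconds)

        $badIde  = 'agen-xuv.ide'   # IDE carrying the false-positive identity (support message above)
        $goodIde = 'javab-jd.ide'   # IDE that fixes it; once present the workaround is no longer needed

        # Assumption: these are the service names used in the thread's scripts; match display name too.
        function Get-SophosService([string]$Name) {
            Get-Service | Where-Object { $_.Name -eq $Name -or $_.DisplayName -eq $Name } |
                Select-Object -First 1
        }

        # 32-bit SAV lives under Program Files (x86) on 64-bit Windows, Program Files otherwise
        $root = @("$env:ProgramFiles\Sophos\Sophos Anti-Virus",
                  "${env:ProgramFiles(x86)}\Sophos\Sophos Anti-Virus") |
                Where-Object { $_ -notlike '\*' -and (Test-Path -LiteralPath $_) } |
                Select-Object -First 1
        if (-not $root) { return "$($env:COMPUTERNAME): Sophos Anti-Virus folder not found, skipping" }

        $bad  = Join-Path $root $badIde
        $good = Join-Path $root $goodIde

        # Guard from Nathan's reply: after the fixed IDE is down, deleting agen-xuv.ide again only
        # restarts SAVService for nothing, because the next IDE update puts it straight back.
        if (Test-Path -LiteralPath $good) {
            return "$($env:COMPUTERNAME): $goodIde already present, nothing to do"
        }

        $sav = Get-SophosService 'SAVService'
        $au  = Get-SophosService 'Sophos AutoUpdate Service'
        if (-not $sav -or -not $au) { return "$($env:COMPUTERNAME): Sophos services not found, skipping" }

        # Stop on-access scanning, drop the bad IDE, start scanning again
        Stop-Service -InputObject $sav -Force
        $sav.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        $removed = $false
        if (Test-Path -LiteralPath $bad) {
            Remove-Item -LiteralPath $bad -Force
            $removed = $true
        }
        Start-Service -InputObject $sav

        # Assumption: restarting AutoUpdate triggers an immediate update attempt on this endpoint
        Restart-Service -InputObject $au -Force

        # Wait for the fixed IDE so the result can be reported per machine
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline -and -not (Test-Path -LiteralPath $good)) {
            Start-Sleep -Seconds 10
        }
        $state = if (Test-Path -LiteralPath $good) { "updated, $goodIde present" }
                 else { "timed out waiting for $goodIde" }
        return "$($env:COMPUTERNAME): removed $badIde=$removed, $state"
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq 'localhost') {
            & $fix $TimeoutSeconds
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $fix -ArgumentList $TimeoutSeconds
        }
    }
    ```

    Run it on the server first (`.\Fix-ShhUpdater.ps1`), confirm the output says javab-jd.ide is present, then push it to the affected endpoints with `.\Fix-ShhUpdater.ps1 -ComputerName pc01,pc02`. Each machine returns one status line, so a second run after the fix is deployed reports "already present, nothing to do" instead of restarting services again.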
  • Finally hung up after being on hold for an hour and 20 minutes. Should have used the call-back feature!! I was just able to finally gain access to my Enterprise Console. The amount of traffic pretty much killed the box. I have been trying to get into it since around 5:30. Now I am trying to update it to see if it obtains the fix. It has been updating for about 5 minutes thus far.

  • Are the systems supposed to return the files in the INFECTED directory to their original dir automatically after updating?


  • ktremain wrote:

    Nathan wrote:

    Many apologies to those on hold with support. As of about 5 minutes ago, the queue is 65 deep. Our engineers are working through the calls as quickly as possible. If you are on hold currently, please be patient and we will get to you as soon as possible. If you would like to use our call-back option, I would recommend doing so.


    Please let us know here when the phone support queue dies down, then I will call in to discuss my issue further.


    I'll do my best!


  • KUSA wrote:

    Here's a quick VB script to restore files that were moved by quarantine to the "Infected" folder.

    Disclaimer: Works for me, but use at your own risk.

    <SNIP>


    This is a FANTASTIC SCRIPT to fix sites that were set to MOVE - EVERYONE should run it!

    Note that on XP/2003 you must change infectedPath to

    infectedPath = "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\"

    Also, I had to add the following before everything started working again:

    If objFSO.FileExists(infectedPath & "almonres.dll.000") And Not objFSO.FileExists(progPath & "en\almonres.dll") Then
        objFSO.MoveFile infectedPath & "almonres.dll.000" , progPath & "en\almonres.dll"
    End If

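  • A PowerShell version of the restore, as an added example that is not KUSA's script and not Sophos code, folding in both of ktremain's points: the quarantine folder is resolved through CommonApplicationData, which gives ProgramData on Vista/2008 and later and "All Users\Application Data" on XP/2003, so the path edit is not needed; and the file list is a map from the quarantined leaf name to its real location, so subfolder entries such as en\almonres.dll are handled. Assumptions: the map is built only from files named in this thread; quarantine appends ".000" and keeps only the leaf name, as the posted script shows; the AutoUpdate service name is as in the posted script. Anything still in INFECTED that the map does not know is reported, not guessed, so its location can be taken from the anti-virus and HIPS log as Nathan describes.

    ```powershell
    # Restore-SophosAutoUpdate.ps1 (added example, not from the thread). Run elevated; -WhatIf previews.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Quarantine folder: CommonApplicationData is ProgramData on Vista+/2008+, and
    # "C:\Documents and Settings\All Users\Application Data" on XP/2003.
    $infectedPath = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                              'Sophos\Sophos Anti-Virus\INFECTED'

    # AutoUpdate lives under Program Files (x86) on 64-bit Windows, Program Files otherwise
    $progPath = @("${env:ProgramFiles(x86)}\Sophos\AutoUpdate", "$env:ProgramFiles\Sophos\AutoUpdate") |
                Where-Object { $_ -notlike '\*' -and (Test-Path -LiteralPath $_) } |
                Select-Object -First 1
    if (-not $progPath) { throw 'Sophos AutoUpdate folder not found' }

    # Quarantine keeps only the leaf name and appends ".000", so the original location has to
    # be supplied. Built from the files named in this thread (assumption: nothing else moved).
    $restoreMap = @{
        'ALsvc.exe'           = 'ALsvc.exe'
        'ALUpdate.exe'        = 'ALUpdate.exe'
        'inetconn.dll'        = 'inetconn.dll'
        'AUAdapter.dll'       = 'AUAdapter.dll'
        'ChannelUpdater.dll'  = 'ChannelUpdater.dll'
        'cidsync.dll'         = 'cidsync.dll'
        'Logger.dll'          = 'Logger.dll'
        'SingleGUIPlugin.dll' = 'SingleGUIPlugin.dll'
        'almonres.dll'        = 'en\almonres.dll'   # ktremain's addition: lives in the "en" subfolder
    }

    function Restore-QuarantinedFile {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param([string]$LeafName, [string]$RelativePath)
        $quarantined = Join-Path $infectedPath ($LeafName + '.000')
        $original    = Join-Path $progPath $RelativePath
        if (-not (Test-Path -LiteralPath $quarantined)) { return 'not-in-quarantine' }
        if (Test-Path -LiteralPath $original) { return 'already-present' }   # never clobber a good copy
        if ($PSCmdlet.ShouldProcess($original, "restore from $quarantined")) {
            Move-Item -LiteralPath $quarantined -Destination $original
            return 'restored'
        }
        return 'skipped'
    }

    # Restore each mapped file and report what happened to it
    foreach ($leaf in $restoreMap.Keys) {
        New-Object PSObject -Property @{
            File   = $restoreMap[$leaf]
            Result = Restore-QuarantinedFile -LeafName $leaf -RelativePath $restoreMap[$leaf]
        }
    }

    # Anything left in quarantine that the map does not cover: report it rather than guess a path
    Get-ChildItem -LiteralPath $infectedPath -Filter '*.000' -ErrorAction SilentlyContinue |
        Where-Object { -not $restoreMap.ContainsKey($_.BaseName) } |
        ForEach-Object {
            Write-Warning "Unmapped quarantine entry $($_.Name); look it up in the anti-virus and HIPS log"
        }

    # Restart AutoUpdate so it runs with the restored binaries
    if ($PSCmdlet.ShouldProcess('Sophos AutoUpdate Service', 'restart')) {
        $au = Get-Service | Where-Object {
                  $_.Name -eq 'Sophos AutoUpdate Service' -or $_.DisplayName -eq 'Sophos AutoUpdate Service'
              } | Select-Object -First 1
        if ($au) { Restart-Service -InputObject $au -Force }
        else { Write-Warning 'Sophos AutoUpdate Service not found' }
    }
    ```

    Run `.\Restore-SophosAutoUpdate.ps1 -WhatIf` first to see which files would be moved back and which quarantine entries are unmapped, then run it without -WhatIf. A mapped file whose original is already in place is reported as already-present and left alone, so the script is safe to run on machines that were set to deny access rather than move.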
  • Not sure how you guys using the enterprise version and dozens/100s/1000s of clients would do it, but with only 4 servers and 5 PCs still running at midnight at my place it was easier to:

    1. force an update on the server
    2. disable on-access scanning on each PC affected
    3. force the client to update
    4. re-enable on-access scanning

    Hope that's of help to someone...

    My PFY is the only one in the office in the morning and I will be halfway across the country... Bet I'll still hear him scream when he sees his mailbox!


    Neil R
  • Apologies if I'm not understanding this but the instructions to delete agen-xuv.ide from the path:

    C:\Program Files\Sophos\Sophos Anti-Virus\  [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]

    do not apply to my SEC server as I do not have the directory or files. How do I get the update managers in SEC v5 able to download updates?
