
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • Nathan wrote:

    markho wrote:

    Is there a downside to just re-"Protecting" the computers whose Sophos Update files were sent to the INFECTED dir, rather than restoring those files to the original directory?  Besides this not resolving the same issue with 3rd party updaters.  Will this even work?


    The only downside is increased network traffic. However, if this is the easiest option for you, then that would outweigh the network impact.


    This doesn't appear to work.  "Code 00000000a Uninstall of Sophos AutoUpdate failed."


  • jkrous wrote:

    Not sure what you mean by "error that the endpoints get".

    Our clients seem unable to get the AutoUpdate service running again, even with moving the files back in place and rebooting.  AutoUpdate keeps trying to reinstall, but it is unsuccessful.  "Configure Updating" on the clients is not behaving either.  You cannot see the log or sometimes the entire updating options do not even appear in the client configuration screen.


    Ah, ok. When the entire updating section is missing, that is due to ALMon.exe not running. You can re-launch almon from the program files\sophos\autoupdate directory.

    In task manager, do you see the process alsvc.exe? If so, Autoupdate has started.

  • Although I am a little bit disappointed in Sophos,

    Nathan... you did a very good job!

    Thanks a lot for your help.


  • Vtl wrote:

    Nathan,

    Acknowledging in the Enterprise Console has not removed the messages from my clients' quarantine.  Is this a timing issue or do I need to go to each machine and clear the quarantine?

    Thanks


    Acknowledging the alerts through SEC doesn't appear to be removing them from the clients quarantine. I've observed the same behavior on my test machine. I don't know why yet, and haven't found a workaround yet either.

  • Thankfully, we are using Google Apps, which means email isn't a problem regarding protection, but it sure is a worrying development. We have had to dis-allow "on access scanning" which has us up and running at least for the moment. Looks like it may be a long night however.

    Daemon

  • I don't see how your mess of an environment is Sophos' fault. I turned off on-access scanning and checked the update manager to make sure the new update was there and completed, and then turned on-access back on and everything is working again.  It sounds like your configuration was wrong to begin with and you deleted things you weren't supposed to, and now you're fubarred and blaming Sophos for more than they deserve to be. Call support when this settles down and have them walk through your setup to ensure this doesn't happen again.

  • ---------- HAPPY DAYS -----------

    I just did this and it worked

    Downloaded the latest defs from http://downloads.sophos.com/downloads/ide/480_ides.zip

    copied them to a group folder on the network

    created this batch file and placed it on the group drive

    net stop savservice
    rem remove the bad IDE from both the 64-bit and 32-bit install locations
    del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" /f /q
    del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" /f /q
    rem copy the freshly downloaded IDE files in from the network share (UNC path)
    xcopy "\\update file location\*.*" "C:\Program Files\Sophos\Sophos Anti-Virus\*.*" /y
    xcopy "\\update file location\*.*" "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\*.*" /y
    net start savservice

    sent an email to all staff to run this batch file

    *********************************************************************************************************************************************

    It's down to helpful people like this that we all end up with a solution. There are lots more people on here who have done their utmost to get everyone back up and running as quickly as possible. It brings out the best in people and shows what a forum community can do when the crap hits the fan.

    I have to say, I too am bitterly disappointed there is no news flash (at last time of looking) on the Sophos web site. I spent the first half an hour working out if the forum or other sites were bogus, telling everyone it's a false alarm. A sort of negative false positive. I deleted a number of files on my workstation before deciding to check further due to the sheer number of files being found, but conversely with the apparent no ill effect of my system. Very unvirus like!

    I needed to spend this evening on an ongoing Exchange 2003 - 2010 transition problem, but ended up spending four hours on this!


  • markho wrote:

    Nathan wrote:

    markho wrote:

    Is there a downside to just re-"Protecting" the computers whose Sophos Update files were sent to the INFECTED dir, rather than restoring those files to the original directory?  Besides this not resolving the same issue with 3rd party updaters.  Will this even work?


    The only downside is increased network traffic. However, if this is the easiest option for you, then that would outweigh the network impact.


    This doesn't appear to work.  "Code 00000000a Uninstall of Sophos AutoUpdate failed."


    Hrm, didn't think of that. I'm guessing that a file that was deleted is necessary for the uninstall routines. I honestly haven't tested doing this just yet. The files needed _should_ be in the update location though, so even if deleted they could be obtained again. If you're good with VB, you could tweak the script for fixing moved files to fix deleted files in a similar method.

  • Updated VB Script:

    ' Script to move back files identified as infected using the SAV log files.
    ' It will parse all files called SAV* in the SAV log directory for move actions.
    ' By default it logs to "\Users\[User]\AppData\Local\Temp\MoveFilesBack.txt" or
    ' "\Documents and Settings\[User]\Local Settings\Temp\MoveFilesBack.txt" depending on OS.

    Const WOW_KEY         = "Wow6432Node"
    Const FOR_READING     = 1
    Const MESSAGE_STRING  = "has been moved to"
    Const SAV_LOG_PRE_FIX = "SAV"
    Const VIRUS_NAME      = "belongs to virus/spyware 'Shh/Updater-B'"

    Dim strWow6432Node, strLogPath, objFSO, objFile, strLogFileName
    Dim strSAVLogLocationDir, strRes, objLogFile, strRegPath
    Dim objFolder, SAVFile, strLineIn, arrOfLine, strOrigFilePath, strNewFilePath

    strLogFileName = "MoveFilesBack.txt" ' Lines of interest contain the text in MESSAGE_STRING

    ' Set up global objects
    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' Get the script log file location to write to
    strLogPath = GetLogLocation() & "\" & strLogFileName
    Set objLogFile = objFSO.CreateTextFile(strLogPath, True)

    WriteToLog 0, "Starting script to recover quarantined files where the log contains the line: '" & MESSAGE_STRING & "'"

    ' On 64-bit Windows the 32-bit SAV registry keys live under Wow6432Node
    If Is64(".") Then
        strWow6432Node = "\" & WOW_KEY & "\"
        WriteToLog 0, "64-bit machine."
    Else
        strWow6432Node = "\"
        WriteToLog 0, "32-bit machine."
    End If

    strRegPath = "HKEY_LOCAL_MACHINE\SOFTWARE" & strWow6432Node & "Sophos\SAVService\Application\LogDir"

    strRes = GetKey(strRegPath)
    If strRes = "" Then
        WriteToLog 1, "Failed to get SAV log location from registry."
        WriteToLog 1, "Exiting script."
        WScript.Quit 1
    Else
        WriteToLog 0, "Read the SAV log location from registry."
    End If

    strSAVLogLocationDir = strRes
    WriteToLog 0, "Location of log directory: " & strSAVLogLocationDir

    ' Process each file whose name starts with SAV_LOG_PRE_FIX
    WriteToLog 0, "For each file in the directory that starts '" & SAV_LOG_PRE_FIX & "'."
    Set objFolder = objFSO.GetFolder(strSAVLogLocationDir).Files

    For Each SAVFile In objFolder
        If InStr(SAVFile.Name, SAV_LOG_PRE_FIX) > 0 Then
            ' SAV logs are Unicode, hence the -1 format argument
            Set objFile = objFSO.OpenTextFile(strSAVLogLocationDir & "\" & SAVFile.Name, FOR_READING, False, -1)
            WriteToLog 0, "=================Processing: '" & SAVFile.Name & "'========================"

            Do While Not objFile.AtEndOfStream
                strLineIn = Trim(objFile.ReadLine)

                ' A detection line is followed by the line describing the action taken on the file.
                ' Only read ahead if there is a next line, otherwise ReadLine raises an error.
                If InStr(strLineIn, VIRUS_NAME) > 0 And Not objFile.AtEndOfStream Then
                    WriteToLog 0, "The next line will have info on " & VIRUS_NAME
                    strLineIn = Trim(objFile.ReadLine)
                    WriteToLog 0, strLineIn

                    If InStr(strLineIn, MESSAGE_STRING) > 0 Then
                        ' Split on the quote character: the original path is the first quoted
                        ' field (index 1) and the quarantine path the second (index 3)
                        arrOfLine = Split(strLineIn, """")
                        If UBound(arrOfLine) >= 3 Then
                            strOrigFilePath = Trim(arrOfLine(1))
                            strNewFilePath  = Trim(arrOfLine(3))
                            WriteToLog 0, strOrigFilePath & " -> " & strNewFilePath

                            If MoveFileBack(strNewFilePath, strOrigFilePath) Then
                                WriteToLog 0, "File restored."
                            Else
                                WriteToLog 0, "File restore failed."
                            End If
                        Else
                            WriteToLog 1, "Could not parse the file paths from line: " & strLineIn
                        End If
                    End If
                End If
            Loop
            objFile.Close
        End If
    Next
    '***********************************************************************************************************

    WriteToLog 0, "Script finished."

    Set objFolder  = Nothing
    Set objLogFile = Nothing
    Set objFSO     = Nothing


    '***********************************************************************************************************
    ' Functions
    '***********************************************************************************************************
    Function GetLogLocation()
        Dim objTempFolder
        On Error Resume Next
        Err.Clear

        Set objTempFolder = objFSO.GetSpecialFolder(2) ' 2 = TemporaryFolder

        If Err.Number <> 0 Then
            GetLogLocation = "C:\Windows\Temp" ' Fall back to the Windows temp dir if it can't be read
        Else
            GetLogLocation = objTempFolder.Path
        End If

        Set objTempFolder = Nothing
    End Function
    '***********************************************************************************************************

    '***********************************************************************************************************
    Function MoveFileBack(strCurrentLocation, strOrigLocation)
        WriteToLog 0, "-->MoveFileBack()"
        On Error Resume Next
        Err.Clear
        MoveFileBack = False

        If objFSO.FileExists(strCurrentLocation) Then
            WriteToLog 0, "File exists: " & strCurrentLocation & " attempt to move back to: " & strOrigLocation
            objFSO.MoveFile strCurrentLocation, strOrigLocation

            If Err.Number <> 0 Then
                WriteToLog 1, "Failed to move file: " & Err.Number & " : " & Err.Description
            Else
                MoveFileBack = True
            End If
        Else
            WriteToLog 1, "Moving file back failed as file " & strCurrentLocation & " doesn't exist."
        End If

        WriteToLog 0, "<--MoveFileBack()"
    End Function
    '***********************************************************************************************************

    '***********************************************************************************************************
    Function Is64(strMachineName)
        WriteToLog 0, "-->Is64(" & strMachineName & ")"
        On Error Resume Next
        Err.Clear

        Dim objWMIService, objColSettings, strDesc, objProcessor
        Is64 = False ' Anything other than a 64-bit address width is treated as 32-bit

        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strMachineName & "\root\cimv2")
        Set objColSettings = objWMIService.ExecQuery("SELECT AddressWidth FROM Win32_Processor")

        If Err.Number <> 0 Then
            WriteToLog 1, "Error Number: " & Err.Number & " Error Description: " & Err.Description
            WScript.Quit 1
        End If

        For Each objProcessor In objColSettings
            ' CStr so the comparison below is string to string; VBScript never treats 64 and "64" as equal
            strDesc = CStr(objProcessor.AddressWidth)
        Next

        If strDesc = "64" Then
            Is64 = True
        End If

        Set objWMIService = Nothing
        Set objColSettings = Nothing

        WriteToLog 0, "<--Is64()"
    End Function
    '***********************************************************************************************************

    '***********************************************************************************************************
    Function WriteToLog(strSev, strLogLine)
        Dim strToWrite

        Select Case strSev
            Case 0
                strToWrite = "INF: "
            Case 1
                strToWrite = "ERR: "
            Case Else
                strToWrite = "UNKNOWN: "
        End Select

        objLogFile.WriteLine Date() & " " & Time() & " " & strToWrite & strLogLine
    End Function
    '***********************************************************************************************************

    '***********************************************************************************************************
    Function GetKey(strPath)
        Dim strPathToLog, objReg
        On Error Resume Next

        Set objReg = WScript.CreateObject("WScript.Shell")

        Err.Clear
        strPathToLog = objReg.RegRead(strPath)

        If Err.Number = 0 Then
            GetKey = strPathToLog
        Else
            GetKey = "" ' Empty string signals failure (a numeric 0 would never compare equal to the string "0")
        End If

        Set objReg = Nothing
    End Function
    '***********************************************************************************************************

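    The log-parsing logic that script relies on, as an added Python re-implementation (not code from the thread or from Sophos) that can be dry-run against a copy of the SAV logs before anything is moved on an endpoint. The sample log lines are constructed, the two-line detection/action layout with the original path in the first quoted string and the quarantine path in the second is assumed from what the VBScript expects, and plan_restores is an added helper that separates files still in quarantine from files that were deleted and must be re-fetched from the update location, as discussed above.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

VIRUS_NAME = "belongs to virus/spyware 'Shh/Updater-B'"   # markers copied from the VBScript above
MESSAGE_STRING = "has been moved to"
# Constructed sample log: each detection line is followed by the action line for it, with the
# original path as the first quoted string and the quarantine path as the second (assumed layout).
SAMPLE_LOG = """\
20120919 212013 File "C:\\Program Files\\Sophos\\Sophos Anti-Virus\\Web Intelligence\\swi_update.exe" belongs to virus/spyware 'Shh/Updater-B'.
20120919 212013 File "C:\\Program Files\\Sophos\\Sophos Anti-Virus\\Web Intelligence\\swi_update.exe" has been moved to "C:\\ProgramData\\Sophos\\Sophos Anti-Virus\\INFECTED\\swi_update.exe".
20120919 212014 File "C:\\Program Files\\Vendor\\updater.exe" belongs to virus/spyware 'Shh/Updater-B'.
20120919 212014 File "C:\\Program Files\\Vendor\\updater.exe" has been deleted.
20120919 212015 File "C:\\temp\\x.exe" belongs to virus/spyware 'Shh/Updater-B'.
"""
@dataclass
class Detection:
    original: str
    quarantined: Optional[str]  # None when the action line was not a move (deleted, truncated log)

def _quoted(line: str) -> List[str]:
    """The "..." delimited fields, like the VBScript's Split on the quote character."""
    return re.findall(r'"([^"]*)"', line)

def parse_sav_log(lines: Iterable[str]) -> List[Detection]:
    """Pair each Shh/Updater-B detection line with the action line that follows it."""
    rows = [ln.strip() for ln in lines]
    found: List[Detection] = []
    for i, line in enumerate(rows):
        if VIRUS_NAME not in line or not _quoted(line):
            continue
        # A detection on the last line, or a non-move action line, gives no quarantine path
        # instead of failing the way ReadLine at EOF / arrOfLine(3) would in the VBScript.
        nxt = rows[i + 1] if i + 1 < len(rows) else ""
        fields = _quoted(nxt)
        if MESSAGE_STRING in nxt and len(fields) >= 2:
            found.append(Detection(fields[0], fields[1]))
        else:
            found.append(Detection(_quoted(line)[0], None))
    return found

def plan_restores(dets: List[Detection], exists: Callable[[str], bool]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split into (quarantine -> original) moves possible now and originals that must be re-fetched."""
    moves, refetch = [], []
    for d in dets:
        if d.quarantined is not None and exists(d.quarantined):
            moves.append((d.quarantined, d.original))
        else:
            refetch.append(d.original)   # deleted or missing: get it from the update location again
    return moves, refetch
```

Passing os.path.exists as the predicate turns the plan into the real restore list for a machine; the constructed sample yields one restorable file and two that have to come from the update share.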
  • almon.exe is not running.

    alsvc.exe is running.

    I try to relaunch almon.exe, it starts an install process, then dies.

    If I stop Sophos AutoUpdate Service and try to restart it, it takes a really long time and then says it cannot start.

    We are also getting this error (can't put a screenshot here) after a reboot and trying to run Sophos first time.

    https://commons.lbl.gov/display/cpp/error
