
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • The VB script that KUSA posted is a bit too focused. It will work if those are the only files that were moved, but if others were moved (for other applications for example) it wouldn't. The one I posted will find all files detected as SHH/Updater-B and move them back.

  • Footprint-IT wrote:

    Thankfully, we are using Google Apps, which means email isn't a problem regarding protection, but it sure is a worrying development. We have had to dis-allow "on access scanning" which has us up and running at least for the moment. Looks like it may be a long night however.

    Daemon


    Have your Update Manager perform an update to get the fixed IDE and get that rolled out to your endpoints, and you'll be able to re-enable On-Access scanning.

  • KUSA wrote:

    Here's a quick VB script to restore files that were moved by quarantine to "Infected" folder.

    Disclaimer: Works for me, but use at your own risk.


    I have slightly improved upon KUSA's original script and placed it on our server for all to download

    Repair.VBS

    I have added automatic detection of XP/2003, added the moving of an additional file for ALMon, and set it to automatically restart ALMon.exe after it is done.

    All credit for this goes to KUSA, I have just made minor changes.

    This script fixes a broken AutoUpdate system for sites that were set to MOVE infected files. It is NOT intended to fix any other situations. I sincerely hope it helps some people fix their issue!

    LEGAL DISCLAIMER: You are advised to read and understand the purpose of the script BEFORE running it on ANY system. I take NO responsibility for any issues this script may cause.

  • henhowc wrote:

    I don't want to sound like Captain Obvious here but for those still having the Shh/Updater-B items listed locally in their user client Quarantine Manager, did you check the items and click Clear from list?

    I was confused at first as well as I thought that something like this would be under the Perform action drop-down where the Move or Delete options were located.


    Captain,

    I did just that through the console, and it doesn't appear to change the local quarantine. Manually clearing out the quarantine on 700+ computers seems like an exercise in futility.

  • I was having the same issue. At 6:31 EST Enterprise Console is reporting that it has acknowledged the alerts on all my clients. I found this by viewing the details for a few before I figured it out.

    Now all I have to worry about is computers that are off right now. Hopefully tomorrow isn't insane.

  • jkrous wrote:

    almon.exe is not running.

    alsvc.exe is running.

    I try to relaunch almon.exe, it starts an install process, then dies.

    If I stop Sophos AutoUpdate Service and try to restart it, it takes a really long time and then says it cannot start.

    We are also getting this error (can't put a screenshot here) after a reboot and trying to run Sophos first time.

    https://commons.lbl.gov/display/cpp/error


    Hrm, hard to say what is broken at this point. I'm afraid waiting in line to speak with support is your best bet. Sorry!

  • So, what IS the latest version? Followed your instructions, Nathan. But really need to know what version we should have now.

  • Thanks, but after I deleted the file the shield is gone.

  • JWH wrote:

    So, what IS the latest version? Followed your instructions, Nathan. But really need to know what version we should have now.


    No version changes, just a new IDE. You need javab-jd.ide to correct the false positive.

  • digerman wrote:

    Thanks, but after I deleted the file the shield is gone.


    The shield is just tied to ALMon.exe. You can relaunch almon.exe from the Program Files\Sophos\AutoUpdate directory.
