
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

:29723


This thread was automatically locked due to age.

  • AZJim_K wrote:

    Nathan

    Unfortunately I am a new adopter and had the option set to move and delete quarantined files and now they are gone.  So I get the ALMon error loading external resources (0x80070005) on my server and all endpoints.  Also when this first came through I individually went to each of 8 workstations to scan and delete all found viruses.  Not good.

    Do I need to uninstall SAV on all workstations and have it sent down to them again by the server?

    I did this on the server as well.  Do I need to uninstall SAV and SCC from the server and reinstall?

    What a mess.  I wish that I had waited and had the setting setup differently.

    Thanks for your help.


    Uninstalling, as others have reported, will likely make the problem worse, or at least no better.

    I would recommend the following:
    1. Delete agen-xuv.ide and restart savservice
    2. Perform a repair on your SEC install and make sure that is successful
    3. Change your cleanup options in your AV policy to "Deny access only"

    From there the options come down to your skills with VB. If you're good at it, take the VB script I posted earlier and modify it to copy the necessary files from the CID locations. In the CID, you'll see that the individual components of the endpoint have a file structure that looks like the Program Files\Sophos\ structure. You should be able to locate all of the deleted Sophos program files from there. To fix other applications, you'll probably need to find the installation media for those applications to obtain the files, or restore them from backup.

    :30861
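Added example, not part of the original posts and not Sophos-supplied code: a PowerShell sketch of the file-restore idea in the reply above, to be run only after steps 1 to 3 so that restored files are not detected again. It assumes a CID component folder mirrors the installed folder layout, as the reply describes; both paths are parameters you supply, and the script only reports unless `-Restore` is given.

```powershell
# Added example: list files present in a reference tree (a CID component
# folder) but missing from the installed tree, and optionally copy them back.
# Both root paths are site-specific and must be supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $ReferenceRoot,  # component folder inside the CID
    [Parameter(Mandatory)] [string] $InstallRoot,    # matching folder under Program Files\Sophos
    [switch] $Restore                                # report-only unless this is set
)

$ErrorActionPreference = 'Stop'
$ReferenceRoot = (Resolve-Path -LiteralPath $ReferenceRoot).Path.TrimEnd('\')
$InstallRoot   = (Resolve-Path -LiteralPath $InstallRoot).Path.TrimEnd('\')

# Walk the reference tree and record every file with no counterpart installed.
$missing = foreach ($src in Get-ChildItem -LiteralPath $ReferenceRoot -Recurse -File) {
    $relative = $src.FullName.Substring($ReferenceRoot.Length).TrimStart('\')
    $dest     = Join-Path $InstallRoot $relative
    if (-not (Test-Path -LiteralPath $dest -PathType Leaf)) {
        [pscustomobject]@{
            RelativePath = $relative
            Source       = $src.FullName
            Destination  = $dest
            SHA256       = (Get-FileHash -LiteralPath $src.FullName -Algorithm SHA256).Hash
        }
    }
}

if (-not $missing) { Write-Output 'No files are missing from the installed tree.'; return }

# Review this list before restoring: a CID may also hold installer-only files.
$missing | Format-Table RelativePath, SHA256 -AutoSize

if ($Restore) {
    foreach ($m in $missing) {
        $dir = Split-Path -Parent $m.Destination
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir | Out-Null
        }
        Copy-Item -LiteralPath $m.Source -Destination $m.Destination
        # Confirm the copy survived (a still-active detection would remove or block it).
        $ok = (Test-Path -LiteralPath $m.Destination) -and
              ((Get-FileHash -LiteralPath $m.Destination -Algorithm SHA256).Hash -eq $m.SHA256)
        if (-not $ok) { Write-Warning "Restore failed or was blocked: $($m.RelativePath)" }
    }
}
```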

  • Nathan wrote:

    markho wrote:

    Yeah, I keep getting dropped too.  Maybe that's why the queue is going down.


    If you get into the system far enough to choose the option for a callback, I would suggest doing so.


    The only voicemail I can seem to get to is a Sophos office in Vancouver that says they're closed for the day and they'll return messages tomorrow.

    :30863

  • StAloysius wrote:

    I've been trying to deal with this all morning. Arrived to find a mess of emails.

    We are running Sophos Enterprise Console, and although I have tried following the instructions here, it has been unable to pull new updates.


       Update manager status

       Date/time               Code      Description
       20/09/2012 9:47:57 AM   80040404  Threat detection data update failed.
       20/09/2012 9:47:57 AM   80040406  Delivery failed for software subscription 'Recommended'. Access to the source update location is denied or the location is otherwise unavailable.
       20/09/2012 9:19:55 AM   80040401  Software update failed.
       20/09/2012 9:18:07 AM   80040404  Threat detection data update failed.
       20/09/2012 9:08:09 AM   80040404  Threat detection data update failed.

    Is there an alternative update location I can use to try and pull the files from? Currently we use a server our upstream organisation provides. Is there a Sophos server I can direct the update requests to as a secondary option?

    Also... our On Access Scan was set to delete ... any suggestions for repairing my endpoints, 30+ servers and about 1000 workstations/laptops?


    The false positive is preventing the Sophos Update Manager from updating itself. Please see

    http://www.sophos.com/en-us/support/knowledgebase/118311.aspx for further help.

    :30865

  • 1TruBob wrote:

    Nathan -- I've been dropped by your phone system 7 times now.


    I'm terribly sorry about that. Are you able to get to the call back option? If you can, please try that.

    :30867
  • I am not Sophos savvy so can you explain to me what SUM is and how to update it. I cleared all the items from my quarantine by selecting all and clearing list. Is this correct?

    :30869
  • Solution for our 25 licenses: uninstall Sophos from everything and install 30-day Vipre Business trial. Our Sophos license was expiring soon and there's no way we're renewing after this.

    BTW, apparently due to today's issue, I can't even properly uninstall SOPHOS from the clients. AutoUpdate and Antivirus both refuse to be removed saying other installations are in progress. I am having to run the Microsoft Fixit Uninstall Tool just to get rid of them. So it's taking me like 20 minutes at each workstation to uninstall Sophos.

    At least we don't have 250 or 2,500 licenses...phew!

    :30871
  • Nathan, I am sorry to say that I selected the callback option 3 hours ago. I heard that I would get a call back in 30 minutes. Nothing - just sayin' you know that is supposed to work but apparently it is not, you may want to re-evaluate that advice. 

    This thread was the most helpful with you being the star. Not only are you helpful but you do not try to blow smoke up our skirts; you tell the truth. Thank you. 

    :30873
  • Good night.

    Typing in for second time, when the forum dropped me :(

    Sophos Endpoint Sec and Con 10.0

    Deleted

    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

    C:\Program Files (x86)\Google\Update\1.3.21.123\goopdate.dll

    C:\Program Files (x86)\Sophos\AutoUpdate\SingleGUIPlugin.dll

    C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll

    Just access denied:

    C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe

    Moreover, the protocol says something like "on access scan shut down by system", then "Detectdataversion 4.81G (Detection Engine 3.35.1) is used" and "on access scan is on".

    My question: Am I done yet, are the lost ones important (no backup) and did it update properly?

    Thanks for help

    lost_guy

    :30875

  • markho wrote:

    Nathan wrote:

    markho wrote:

    Yeah, I keep getting dropped too.  Maybe that's why the queue is going down.


    If you get into the system far enough to choose the option for a callback, I would suggest doing so.


    The only voicemail I can seem to get to is a Sophos office in Vancouver that says they're closed for the day and they'll return messages tomorrow.


    Ah, the phone queues are switching over to AU, so this might explain the issues. Please keep trying!

    :30877
  • Nathan,

    I have an SEC console that refuses to update the update manager. Continual error message of  "Software Update Failed". Have restarted server and all services multiple times but am unable to connect to download updated IDEs.  Any thoughts?

    Thank you.

    :30879