
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.


  • kturner wrote:

    Nathan, is there an uninstall tool available from Sophos to remove the AutoUpdater software?  The normal uninstaller is not working due to files being deleted earlier (I had it set to delete files it couldn't clean), and I can't seem to reinstall with the existing install in the current state.  I'd like to get a clean slate free of Sophos on these machines so I can reinstall from scratch on them.  Thanks for any help or tools you can offer.


    Unfortunately no. If you know the files you deleted, they are present in the update location (e.g. \\server\sophosupdate\cids\s000\savscfxp\sau, etc.). Copy the missing files back and your uninstall will work (though it shouldn't be necessary at that point).

  • What can I do about my console not updating since 4:49PM (5 hours now)? It just says "Downloading binaries 1.3.2.176".

    I can tell the computers to download the IDE update from the network drive manually with a batch file, but I'm still left with an un-updated server.

    I tried uninstalling Sophos Endpoint Antivirus from the management server, but I can't uninstall Sophos AutoUpdate.

    SUM won't start on the server.

  • Nathan, as stated I have followed the instructions here and on your advisory. Not sure what more I can do?


  • Tinshield wrote:

    kturner wrote:

    Nathan, is there an uninstall tool available from Sophos to remove the AutoUpdater software?  The normal uninstaller is not working due to files being deleted earlier (I had it set to delete files it couldn't clean), and I can't seem to reinstall with the existing install in the current state.  I'd like to get a clean slate free of Sophos on these machines so I can reinstall from scratch on them.  Thanks for any help or tools you can offer.


    I had one machine that had that issue.  Use Revo http://download.cnet.com/Revo-Uninstaller/3000-2096_4-10687648.html?tag=mncol;1  You'll get an error thrown at you, don't cancel.  Continue through the process and delete all the registry files that Revo lists in BOLD and continue to the end.  Reboot and then reinstall the client from the console.  Good luck.


    Alternatively, the Microsoft FixIt tool can be used to basically rip out any installer information for a product. In theory, that would allow you to install over the top and replace the missing files. Rather clunky for a large number of machines though.


  • TheGhost wrote:

    How can I clean up the quarantined items that our 2000+ computers have decided to block? Even though I have done all the fixes etc. and acknowledged the blocks through SEC, they still seem to be stuck on the device side. Also, when I go to the Update Manager and click "Update now", I get "Threat detection data update failed."

    HELP!!!


    Unfortunately, right now the only way to clear the items from the QM on the client side is manually. I'll post back if I find another way.

  • Finally got my side fixed! Here is what I did:

    • Disabled on-access scanning from SEC
    • Updated SEC to the current update
    • Ran the batch file (provided earlier in the forum somewhere) via Dell Kace Scripting to all of my computers:

    rem Stop the on-access scanner so its files can be replaced
    net stop savservice
    rem Remove the identity file behind the Shh/Updater-B detections (32- and 64-bit install paths)
    del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" /f /q
    del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" /f /q
    rem Copy the current files from the updating share back over the install directory
    xcopy "\\Sophos Updating Share\*.*" "C:\Program Files\Sophos\Sophos Anti-Virus\*.*" /y
    xcopy "\\Sophos Updating Share\*.*" "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\*.*" /y
    rem Restart the service so it loads the refreshed data
    net start savservice

    • The script fixed the computer updating errors
    • Then went into SEC and Acknowledged all of the Shh/Updater-B alerts
    • Re-enabled on-access scanning in SEC

    Everything seems to be running smoothly now. I must also say that the update pushed out by Sophos did fix the initial major issue around 7:30pm EST; that is when I was able to get back into my SEC, which took over two hours to log into due to the network traffic. All of my call center reps were then able to use their apps. I just was unable to get all of the PCs to update, which the steps above corrected. Hope this helps some.


  • ktremain wrote:

    jkillebrew wrote:

    FixSAV.vbs

    I came up with my own script that parses the SAV.log file and copies ALL files back to their original locations. If you deleted them, you're sunk and would have to copy from another computer I guess.

    I also added some stuff from ktremain and KUSA's scripts to get the service restarted and almon running.

    Enjoy!

    BTW I didn't even fix the missing definition file, just ran this and then ran the updater, and it never re-quarantined my files.


    Nice script, I assume you intentionally left the copy line commented to force people to read and understand it? :)


    Oops, I had that and the first line commented out while testing the additions from your script. I corrected it, so the current copy is good to go. ;) BTW your script needed to wait between stopping and starting the service.

    FixSAV.vbs I think this is the best script so far but if anyone has improvements or a better one, please share!

    Also anyone using this should DISABLE ON ACCESS SCANNING from the console on all your workstations before running this or it may be undone again!

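The recovery procedure the posts above describe (stop the service, remove agen-xuv.ide, copy the removed files back from the update share, restart the service) and the log-parsing approach described for FixSAV.vbs, as one added PowerShell example. This is not code from the thread, from FixSAV.vbs or from Sophos. It assumes: the relevant log lines contain the detection name and the affected path in double quotes (the real log layout is not shown in the thread); a CID share laid out like the \\server\sophosupdate\cids\s000\savscfxp path quoted earlier; the service name SAVService from the batch file above; and that on-access scanning has already been disabled from SEC, otherwise the restored files are removed again.

```powershell
<#
  Added example, not code from the thread, FixSAV.vbs or Sophos.
  Restores files removed on the Shh/Updater-B false positive from the
  update share, then restarts the scanner service. Run elevated on the
  endpoint; use -WhatIf first to see what would be deleted and copied.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$LogPath,   # SAV log from the endpoint (format assumed, see regex below)
    [Parameter(Mandatory = $true)][string]$CidShare,  # e.g. \\server\sophosupdate\cids\s000\savscfxp (assumed layout)
    [string]$ServiceName = 'SAVService'               # from the "net stop savservice" batch file in the thread
)

$ErrorActionPreference = 'Stop'

$savDirs = @(
    "$env:ProgramFiles\Sophos\Sophos Anti-Virus",
    "${env:ProgramFiles(x86)}\Sophos\Sophos Anti-Virus"
) | Where-Object { Test-Path $_ }

# 1. Stop the service and actually wait for it; starting it again too early is
#    the problem noted for the earlier script.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
}

# 2. Remove the identity file that produced the detections from both install paths.
foreach ($dir in $savDirs) {
    $ide = Join-Path $dir 'agen-xuv.ide'
    if ((Test-Path $ide) -and $PSCmdlet.ShouldProcess($ide, 'Delete')) {
        Remove-Item -Path $ide -Force
    }
}

# 3. Collect every double-quoted full path from log lines naming the detection.
#    ASSUMPTION: the log text looks like that; adjust the regex for the real format.
$pathRegex = '"([A-Za-z]:\\[^"]+)"'
$affected = Get-Content -Path $LogPath |
    Where-Object { $_ -match 'Shh/Updater-B' } |
    ForEach-Object { [regex]::Matches($_, $pathRegex) | ForEach-Object { $_.Groups[1].Value } } |
    Sort-Object -Unique
$missing = $affected | Where-Object { -not (Test-Path $_) }

# 4. Restore each missing file from a same-named copy on the share. Executables
#    are only restored when their Authenticode signature is valid, so a tampered
#    share cannot be used to plant code under Program Files during the cleanup.
$report = foreach ($target in $missing) {
    $name   = Split-Path -Path $target -Leaf
    $source = Get-ChildItem -Path $CidShare -Recurse -File -Filter $name -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $source) {
        # Third-party files (Flash, Google Update, ...) are not on the Sophos share
        [pscustomobject]@{ Path = $target; Result = 'not on share; reinstall the vendor package' }
        continue
    }
    if ($source.Extension -in '.exe', '.dll', '.sys') {
        $sig = Get-AuthenticodeSignature -FilePath $source.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Path = $target; Result = "skipped: signature $($sig.Status)" }
            continue
        }
    }
    if ($PSCmdlet.ShouldProcess($target, "Copy from $($source.FullName)")) {
        New-Item -ItemType Directory -Path (Split-Path -Path $target -Parent) -Force | Out-Null
        Copy-Item -Path $source.FullName -Destination $target -Force
    }
    [pscustomobject]@{ Path = $target; Result = 'restored' }
}

# 5. Bring the service back and show what was done.
Start-Service -Name $ServiceName
$report | Format-Table -AutoSize
```

Files the scanner removed that did not come from Sophos (the Flash and Google Update binaries listed further down in the thread) are reported rather than restored, since they have no copy on the share; reinstall those from the vendor's own package. Re-enable on-access scanning in SEC only after the endpoint has updated with the corrected identity data.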
  • Nathan,

    Thank you for the link. I have checked this but the following path and service do not exist on my SEC server. Please advise.

    1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
    2. Restart the 'Sophos Anti-Virus Service'

  • StAloysius wrote:

    Nathan, as stated I have followed the instructions here and on your advisory. Not sure what more I can do?


    In that case, I'm afraid you'll have to wait until you can speak with support. Wish I had better news for you than that.

  • Good night.

    Typing this in for the second time, sorry for the spam, but it's 3:16 at night :(

    Sophos Endpoint Sec and Con 10.0

    Deleted

    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

    C:\Program Files (x86)\Google\Update\1.3.21.123\goopdate.dll

    C:\Program Files (x86)\Sophos\AutoUpdate\SingleGUIPlugin.dll

    C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll

    Only access denied:

    C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe

    Moreover, the log says something like "on-access scan shut down by system", then "Detection data version 4.81G (Detection Engine 3.35.1) is used" and "on-access scan is on".

    My question: am I done yet? Are the lost files important (no backup), and did it update properly?

    Thanks for help

    lost_guy
