Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Hi, for our clients, we did the following to get them to update successfully again.

    1) Clear the quarantine list (from the client or the server console)

    2) Use PSExec to stop the SAVService on the remote client (which disabled On Access Scanning)

    3) Rename the agen-xuv.ide file to agen-xuv.ide.old

    4) Use PSExec to start the SAVService on the remote client

    5) Update the definitions (from the client or the server console)

    Here is a batch file I used to perform steps 2, 3, and 4:

    REM Step 2: stop the Sophos AV service on the remote client (this disables on-access scanning)
    C:\Tools\psexec -accepteula -i -s \\<remotepc> net stop savservice
    REM Step 3: rename the offending IDE over the admin share.
    REM cmd's rename accepts only a bare file name as the new name, not a full path.
    REM On 64-bit clients the folder is under "Program Files (x86)" instead.
    rename "\\<remotepc>\c$\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" agen-xuv.ide.old
    REM Step 4: start the service again so the client is protected
    C:\Tools\psexec -accepteula -i -s \\<remotepc> net start savservice

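The same five-step procedure as a PowerShell script that works through a list of clients, added here as an example; it is not the script from the post above and not a Sophos tool. It assumes you have local administrator rights on each client, that the C$ admin share is reachable, and that it runs under Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7). Steps 1 and 5 (clearing quarantine and triggering the update) are still done from the console, as in the post. The script file name and the -ReportOnly switch are my own choices.

```powershell
# Added example (not from the thread): remote remediation of the Shh/Updater-B
# false positive, following the five steps in the post above.
# Assumes: admin rights on each target, reachable C$ share, Windows PowerShell 5.1.
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [switch] $ReportOnly   # hypothetical switch: show what would change, touch nothing
)

# Both install locations mentioned in the thread (32-bit and 64-bit clients).
$savSubPaths = @(
    'Program Files\Sophos\Sophos Anti-Virus',
    'Program Files (x86)\Sophos\Sophos Anti-Virus'
)

foreach ($pc in $ComputerName) {
    # Locate the Sophos Anti-Virus folder through the admin share.
    $savDir = $null
    foreach ($sub in $savSubPaths) {
        $candidate = "\\$pc\c`$\$sub"
        if (Test-Path -LiteralPath $candidate) { $savDir = $candidate; break }
    }
    if (-not $savDir) {
        Write-Warning "$pc : Sophos Anti-Virus folder not found via C`$ share, skipping"
        continue
    }

    $badIde = Join-Path $savDir 'agen-xuv.ide'
    if (-not (Test-Path -LiteralPath $badIde)) {
        Write-Host "$pc : agen-xuv.ide already absent, nothing to do"
        continue
    }
    if ($ReportOnly) { Write-Host "$pc : would rename $badIde"; continue }

    try {
        # Step 2: stop SAVService so on-access scanning does not interfere with the rename.
        $svc = Get-Service -ComputerName $pc -Name SAVService -ErrorAction Stop
        if ($svc.Status -ne 'Stopped') {
            $svc.Stop()
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        }

        # Step 3: rename the offending IDE instead of deleting it, so it can be inspected later.
        Rename-Item -LiteralPath $badIde -NewName 'agen-xuv.ide.old' -ErrorAction Stop
        Write-Host "$pc : renamed agen-xuv.ide to agen-xuv.ide.old"
    }
    catch {
        Write-Warning "$pc : $($_.Exception.Message)"
    }
    finally {
        # Step 4: start SAVService again even if the rename failed, so the client
        # is never left without on-access protection.
        try {
            $svc = Get-Service -ComputerName $pc -Name SAVService -ErrorAction Stop
            if ($svc.Status -ne 'Running') {
                $svc.Start()
                $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
            }
        }
        catch {
            Write-Warning "$pc : could not restart SAVService: $($_.Exception.Message)"
        }
    }
}
```

Run it as `.\Fix-ShhUpdater.ps1 -ComputerName pc1,pc2,pc3 -ReportOnly` first to see which clients still carry agen-xuv.ide, then without the switch to apply the rename. The service is restarted in the finally block on purpose: a failed rename is recoverable, a client left with SAVService stopped is not.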

  • fdtech wrote:

    Nathan,

    Thank you for the link. I have checked this but the following path and service do not exist on my SEC server. Please advise.

    1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
    2. Restart the 'Sophos Anti-Virus Service'

    If that service isn't present, then I wouldn't expect you to have this issue. Did you have a SHH/updater-b alert on this system?


  • lost_guy wrote:

    Good night.

    Typing in for the second time, sorry for spam but it's 3:16 at night :(

    Sophos Endpoint Sec and Con 10.0

    Deleted

    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

    C:\Program Files (x86)\Google\Update\1.3.21.123\goopdate.dll

    C:\Program Files (x86)\Sophos\AutoUpdate\SingleGUIPlugin.dll

    C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll

    Just access denied:

    C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe

    Moreover, the protocol says something like "on access scan shut down by system", then "Detectdataversion 4.81G (Detection Engine 3.35.1) is used" and "on access scan is on".

    My question: Am I done yet, are the lost ones important (no backup) and did it update properly?

    Thanks for help

    lost_guy


    You'll want to reinstall Flash and the Google app you were using. As for if you are up to date or not, you need to check c:\program files\Sophos\Sophos Anti-Virus\ for the file javab-jd.ide. If you have that, then you are up to date and you can sort the Flash and Google issues in the morning.

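The check in the reply above (javab-jd.ide present means the corrected definitions have arrived, agen-xuv.ide still present means the client has not been fixed) as a read-only audit across many clients, added here as an example that is not from the thread. It assumes admin rights on each client, a reachable C$ share and Windows PowerShell 5.1; the script name is my own. It changes nothing on the clients.

```powershell
# Added example (not from the thread): audit clients for the two file markers
# discussed above and the state of SAVService, emitting one object per client.
# Assumes: admin rights on each target, reachable C$ share, Windows PowerShell 5.1.
param([Parameter(Mandatory)] [string[]] $ComputerName)

# Both install locations mentioned in the thread (32-bit and 64-bit clients).
$savSubPaths = @(
    'Program Files\Sophos\Sophos Anti-Virus',
    'Program Files (x86)\Sophos\Sophos Anti-Virus'
)

foreach ($pc in $ComputerName) {
    # First existing Sophos Anti-Virus folder reachable over the admin share, if any.
    $savDir = $savSubPaths |
        ForEach-Object { "\\$pc\c`$\$_" } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1

    # Service state; 'Unknown' if the client cannot be queried.
    $state = 'Unknown'
    try {
        $state = (Get-Service -ComputerName $pc -Name SAVService -ErrorAction Stop).Status
    } catch { }

    $badIdeGone = $null   # $true when agen-xuv.ide is no longer in the folder
    $fixedIde   = $null   # $true when javab-jd.ide has been downloaded
    if ($savDir) {
        $badIdeGone = -not (Test-Path -LiteralPath (Join-Path $savDir 'agen-xuv.ide'))
        $fixedIde   = Test-Path -LiteralPath (Join-Path $savDir 'javab-jd.ide')
    }

    [pscustomobject]@{
        Computer   = $pc
        SavFolder  = $savDir
        BadIdeGone = $badIdeGone
        FixedIde   = $fixedIde
        SAVService = $state
    }
}
```

Pipe the output to `Format-Table` for a quick look or to `Export-Csv` to keep a record; filter with `Where-Object { -not $_.FixedIde -or -not $_.BadIdeGone }` to get the list of clients that still need attention.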
  • CHECK YOUR SCHEDULED SCANS TOO!

    Apparently ours were set for 9PM, and to DELETE (unlike the active scan).  Just 5,000 more emails about deleted files!  THANKS SOPHOS!!!

    Sure, I'll accept my share of blame for not knowing this in advance.

    Is there a way to HALT ALL SCHEDULED SCANS from the console immediately?

  • Hi Nathan.  Not picking on you, but it needs to be passed up the line that that's not acceptable.  I'm working on approximately 5000 detections & manually clearing each client locally isn't going to happen.

  • Thanks for help Nathan, you made a lot of people have a more comfortable day / night now :)

    Good night.


  • jkillebrew wrote:

    Oops, I had that commented out and the first line while testing the additions from your script. I corrected it, so the current copy is good to go. :smileywink: BTW, your script needed to wait between stopping and starting the service.

    FixSAV.vbs I think this is the best script so far but if anyone has improvements or a better one, please share!

    Also anyone using this should DISABLE ON ACCESS SCANNING from the console on all your workstations before running this or it may be undone again!


    This is the script to use. Nicely done. Mine was the lazy man's version... Quick and dirty. Yours is the deluxe model. I do see some of my code in there so Yay for teamwork. :)

  • I think I've done all I can for now, so I'll be signing off for the night. I hope I was able to ease the pain for some of you even if just a little. Again, many apologies for this mess. I wish you all the best of luck getting your environments back to a stable state.


  • markho wrote:

    CHECK YOUR SCHEDULED SCANS TOO!

    Apparently ours were set for 9PM, and to DELETE (unlike the active scan).  Just 5,000 more emails about deleted files!  THANKS SOPHOS!!!

    Sure, I'll accept my share of blame for not knowing this in advance.

    Is there a way to HALT ALL SCHEDULED SCANS from the console immediately?


    Once the scan has kicked off, no. PSEXEC to restart savservice is your best bet in that case.

  • We are seeing cases where channelupdater.dll and loger.dll are quarantined (from logs) but not actually located in the infected folder.  When we restore these missing DLLs (from another system), Sophos works.
