
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • JasonC wrote:

    Hi Nathan.  Not picking on you, but it needs to be passed up the line that that's not acceptable.  I'm working on approximately 5000 detections & manually clearing each client locally isn't going to happen.


    Understood on both counts, and what you suggest has already been done.

  • What the blank are SUM servers? I have been trying for 2 to 3 hours, like everyone else, to find a solution.  Can we cut out some of the jargon?  Yes, I am tech support, and for the second time in the last 4 weeks I have been dropped into a crisis. I just want info that can be acted on with clear-cut directions (that even an idiot can follow).

    Nathan,

    We have been told that an update has gone out. Per the Sophos Enterprise Console, I was last updated 9/18/2012 6:14:29 PM, and I am showing version 1.3.2.176 (which is the same version since the crisis started). I have tried pushing out the updates with no apparent success.  I have access to one workstation and have tried updating from there, but the updater says no files needed updating.

    Are there any solutions from Sophos as yet?  Thank you for any information you can relay.

  • I show computers in the SEC that show as up to date and have the javab-jd.ide file listed in "IDEs installed" but are still listed as having "Virus/spyware detected". Is this expected, or should it automatically be removed once these are no longer an issue?


  • KUSA wrote:

    jkillebrew wrote:

    Oops, I had that commented out and the first line while testing the additions from your script. I corrected it, so the current copy is good to go. :smileywink: BTW, your script needed to wait between stopping and starting the service.

    FixSAV.vbs I think this is the best script so far but if anyone has improvements or a better one, please share!

    Also anyone using this should DISABLE ON ACCESS SCANNING from the console on all your workstations before running this or it may be undone again!


    This is the script to use. Nicely done. Mine was the lazy man's version... Quick and dirty. Yours is the deluxe model. I do see some of my code in there so Yay for teamwork. :)


    Cool. I've run this on a handful of our workstations so far, and looking at the resulting log at c:\windows\temp\savfix.log I'm amazed at how many different files were moved to quarantine! Adobe and Google updaters, program installers downloaded from the internet for all kinds of various applications, and at least two dozen different Sophos-related files! This has been quite damaging for us.


  • techmoore wrote:

    What the blank are SUM servers? I have been trying for 2 to 3 hours, like everyone else, to find a solution.  Can we cut out some of the jargon?  Yes, I am tech support, and for the second time in the last 4 weeks I have been dropped into a crisis. I just want info that can be acted on with clear-cut directions (that even an idiot can follow).

    Nathan,

    We have been told that an update has gone out. Per the Sophos Enterprise Console, I was last updated 9/18/2012 6:14:29 PM, and I am showing version 1.3.2.176 (which is the same version since the crisis started). I have tried pushing out the updates with no apparent success.  I have access to one workstation and have tried updating from there, but the updater says no files needed updating.

    Are there any solutions from Sophos as yet?  Thank you for any information you can relay.


    Hi,

    Sorry for the techy jargon. SUM is the Sophos Update Manager, SEC is the Sophos Enterprise Console.

    The issue was an IDE, so the version of SUM is not changing, as that was not what was fixed. We fixed the false positive (FP) by releasing javab-jd.ide. If you check the savxp folder in your update location (typically something like \\server\sophosupdate\cids\s000\savscfxp\savxp, though s000 can be other numbers; check your update location on an endpoint or the bootstrap locations in SEC if you're unsure) you can see if you have that IDE. If so, the endpoints need to be updated to receive that as well. If not, follow the advice from the advisory to get your SUM to update.

    http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

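A quick way to run the check Nathan describes across a whole update location, as an added example (not a script from this thread or from Sophos): it lists every s### CID folder under the share, reports whether javab-jd.ide has arrived in each savxp folder, and then reports whether the local endpoint has it too. The share path, the CID layout and the service name SAVService for "Sophos Anti-Virus" are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the original thread. Assumed: CID root share,
# the savscfxp\savxp layout quoted in the post, and service name SAVService.
function Get-SophosIdeStatus {
    param(
        [string]$UpdateRoot     = '\\server\sophosupdate\cids',          # assumed CID root
        [string]$IdeName        = 'javab-jd.ide',                        # the FP fix IDE
        [string]$EndpointSavDir = "$env:ProgramFiles\Sophos\Sophos Anti-Virus"
    )
    $results = @()

    # s000 can be another number, so walk every s### folder under the root
    $cids = Get-ChildItem -Path $UpdateRoot -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^s\d{3}$' }
    foreach ($cid in $cids) {
        $savxp = Join-Path $cid.FullName 'savscfxp\savxp'
        $results += [pscustomobject]@{
            Where     = "CID $($cid.Name)"
            Path      = $savxp
            HasFixIde = Test-Path (Join-Path $savxp $IdeName)
        }
    }

    # The local endpoint: is the fix IDE in its installed set, and is SAV running?
    $svc = Get-Service -Name 'SAVService' -ErrorAction SilentlyContinue  # assumed name
    $results += [pscustomobject]@{
        Where     = "Endpoint $env:COMPUTERNAME (SAV service: $(if ($svc) { $svc.Status } else { 'not found' }))"
        Path      = $EndpointSavDir
        HasFixIde = Test-Path (Join-Path $EndpointSavDir $IdeName)
    }
    return $results
}

# Reading the table, per the post above: fix present in the CID but not on the
# endpoint means the endpoint still needs to update; absent from the CID means
# SUM itself has not updated yet, so follow the advisory (KB 118311).
Get-SophosIdeStatus | Format-Table -AutoSize
```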

  • lknada0d83k wrote:

    I show computers in the SEC that show as up to date and have the javab-jd.ide file listed in "IDEs installed" but are still listed as having "Virus/spyware detected". Is this expected, or should it automatically be removed once these are no longer an issue?


    Yes, that is expected. You'll need to acknowledge the alerts manually.

  • Ok, seriously, I'm going home now. Best of luck to you all!

  • Nathan,

    You wrote: Hi, please try deleting agen-xuv.ide from your SUM servers' program files\sophos\sophos anti-virus directory and restarting savservice. That should get your SUM to update again.

    I am in the Services. However, which of the 11 Sophos services is the "savservice" you are referring to? Sophos Anti-Virus?


  • Nathan wrote:

    lknada0d83k wrote:

    I show computers in the SEC that show as up to date and have the javab-jd.ide file listed in "IDEs installed" but are still listed as having "Virus/spyware detected". Is this expected, or should it automatically be removed once these are no longer an issue?


    Yes, that is expected. You'll need to acknowledge the alerts manually.


    Can you post your script on the KB rather than having to copy paste it from the forum and not knowing if it is your latest version?  We have 1000+ endpoints to address.

    Also, after setting exclusions for the Sophos program folders we still cannot update from the console.  Turning on-access scanning off is not an option, as our groups are large and computers are often not connected.

    Is there a mechanism for Platinum Support members to get priority calls back since the queue is still broken?  

  • I've found in our case that acknowledging cleared the alerts; however, machines that were still affected were not updating. We chose the route of re-installing them (only 40 or so endpoints were like this) and it appears that functionality is back to normal for those machines.

    We were very fortunate, as our settings for the scanner were set to deny and not delete.
