
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Just got my place in the queue and support assisted with my issue.  Thank you for the assistance.  For anyone who may be running SEC v5, without SUM, who cannot download to the update manager, the following worked for me:

    1. Stop the Sophos Update Manager service on the SEC server.

    2. Go to C:\Documents and Settings\All Users\Application Data\Sophos

    3. Locate the "Working" folder and open it.

    4. Delete the contents of the "Working" folder. (mine contained two folders).

    5. Next, go up one level and locate the Update Manager folder. Open this folder.

    6. Delete the Warehouse folder and all of its contents.

    7. Start the Sophos Update Manager service.

    8. In the SEC console, right-click the Update Manager and click the Update Now option.

    9. If all is successful, you should see that it is downloading binaries under the 'download status' column. It takes a long time to download but once it did, my other update manager shares and clients were downloading the correct IDEs.

    Unfortunately, we had the move/delete option selected for quarantine, so off to fix a billion other issues with deleted software. Hope this helps someone and best of luck to everyone.
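
    The nine steps above as a PowerShell script, an added example that is not the poster's or Sophos' own tooling. It assumes the service's display name starts with "Sophos Update Manager" and that the data root is the path given in the steps (on newer Windows versions it lives under C:\ProgramData\Sophos); run it with -WhatIf first to see what it would remove, and do steps 8 and 9 in the console afterwards.

```powershell
# Added example (not from the thread): automates the SUM cache reset steps
# posted above. Assumptions: the service display name begins with
# "Sophos Update Manager" and $DataRoot matches the poster's path.
param(
    [string]$DataRoot = 'C:\Documents and Settings\All Users\Application Data\Sophos',
    [switch]$WhatIf
)

$working   = Join-Path $DataRoot 'Working'
$warehouse = Join-Path $DataRoot 'Update Manager\Warehouse'
$timeout   = [TimeSpan]::FromMinutes(2)

$svc = Get-Service | Where-Object { $_.DisplayName -like 'Sophos Update Manager*' } | Select-Object -First 1
if (-not $svc) { throw 'Sophos Update Manager service not found on this host.' }

# Step 1: stop the service so the cache is not in use while it is deleted.
if ($svc.Status -ne 'Stopped') {
    Write-Host "Stopping $($svc.DisplayName)..."
    if (-not $WhatIf) { Stop-Service -Name $svc.Name; $svc.WaitForStatus('Stopped', $timeout) }
}

# Steps 2-4: empty the Working folder but keep the folder itself.
if (Test-Path $working) {
    Get-ChildItem -Path $working -Force | ForEach-Object {
        Write-Host "Removing $($_.FullName)"
        if (-not $WhatIf) { Remove-Item -LiteralPath $_.FullName -Recurse -Force }
    }
}

# Steps 5-6: delete the Warehouse folder entirely; SUM rebuilds it on the next update.
if (Test-Path $warehouse) {
    Write-Host "Removing $warehouse"
    if (-not $WhatIf) { Remove-Item -LiteralPath $warehouse -Recurse -Force }
}

# Step 7: start the service again. Steps 8-9 (Update Now, then watch the
# 'download status' column) are done in the SEC console.
Write-Host "Starting $($svc.DisplayName)..."
if (-not $WhatIf) { Start-Service -Name $svc.Name; $svc.WaitForStatus('Running', $timeout) }
```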

  • 1. Disable your on access scanning for your Sophos server and workstations via the policy.
    2. Run the update manager on the server and check for an update.
    3. Verify that the update completed. How???
    4. Once update completed, update computers/servers. How???
    5. Acknowledge the errors on the systems and they should not come back. Where??
    6. Re-enable the on access scanning for your Sophos server and workstations via the policy.
    7. Relax, the issue is now resolved!

    Sorry for the simpleton approach to this, but today and this crisis is the first time I have even used the Sophos Enterprise Console.

  • From my standpoint this is far from fixed; damage has been done to the workstations, files have been deleted, and I still have yet to see a valid way to clear the items from quarantine on the client end of things. Our policy is aggressive for clean up.

    Can anyone tell me where I find this?

    There is no cleanup for this detection, and you will see it quarantined unless you have your on-access policy set to move or delete detections if cleanup is not possible. Please double check your SAV policy under cleanup; you want to ensure your secondary option (when cleanup is not available or does not work) is set to "deny access" and not delete or move. Once the detections have stopped, you can acknowledge the alerts in the Console; this way you can see who is still reporting it, and confirm it is trending down.

    This little blip has deleted files for any program that has an updater built into it, Adobe, Sprint Smart View, Java, Quickbooks and many more I am sure we will find.

    Any help on where to get on the line I highlighted would be great
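
    One way to check the "trending down" point in the quoted reply, as an added example that is not from the thread or from Sophos: it assumes an alert export in CSV form with timestamp, computer, threat and path columns (a constructed sample is embedded below; map the columns to whatever your console's export really produces) and reports alerts and distinct hosts per hour plus the last time each host reported the detection.

```powershell
# Added example, not from the thread. Counts Shh/Updater-B alerts per hour
# and per host so you can see whether reports are trending down after the
# corrected IDE is out. The CSV layout is an assumption; the rows are
# constructed sample data, not real console output.
$sample = @'
timestamp,computer,threat,path
2012-09-19 16:05,WS-001,Shh/Updater-B,C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe
2012-09-19 16:07,WS-002,Shh/Updater-B,C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
2012-09-19 16:40,WS-003,Shh/Updater-B,C:\Program Files\ExampleVendor\updater.exe
2012-09-19 17:12,WS-001,Shh/Updater-B,C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe
2012-09-19 17:30,WS-004,Example/Other-A,C:\Temp\unrelated.exe
2012-09-19 18:03,WS-002,Shh/Updater-B,C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
'@

# Keep only the false-positive detection and tag each row with its hour bucket.
$alerts = $sample | ConvertFrom-Csv |
    Where-Object { $_.threat -eq 'Shh/Updater-B' } |
    Select-Object *, @{ n = 'hour'; e = { ([datetime]$_.timestamp).ToString('yyyy-MM-dd HH:00') } }

# Alerts and distinct reporting hosts per hour: both should fall once the fix has landed.
Write-Host 'Per hour:'
$alerts | Group-Object hour | Sort-Object Name | ForEach-Object {
    New-Object PSObject -Property @{
        Hour   = $_.Name
        Alerts = $_.Count
        Hosts  = @($_.Group | ForEach-Object { $_.computer } | Sort-Object -Unique).Count
    }
} | Format-Table Hour, Alerts, Hosts -AutoSize

# Hosts still reporting, newest first: these have not picked up the new IDE yet.
Write-Host 'Still reporting:'
$alerts | Group-Object computer | ForEach-Object {
    New-Object PSObject -Property @{
        Computer = $_.Name
        Alerts   = $_.Count
        LastSeen = ($_.Group | ForEach-Object { [datetime]$_.timestamp } | Sort-Object | Select-Object -Last 1)
    }
} | Sort-Object LastSeen -Descending | Format-Table Computer, Alerts, LastSeen -AutoSize
```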


  • mdm253 wrote:

    From my standpoint this is far from fixed; damage has been done to the workstations, files have been deleted, and I still have yet to see a valid way to clear the items from quarantine on the client end of things. Our policy is aggressive for clean up.

    Can anyone tell me where I find this?

    There is no cleanup for this detection, and you will see it quarantined unless you have your on-access policy set to move or delete detections if cleanup is not possible. Please double check your SAV policy under cleanup; you want to ensure your secondary option (when cleanup is not available or does not work) is set to "deny access" and not delete or move. Once the detections have stopped, you can acknowledge the alerts in the Console; this way you can see who is still reporting it, and confirm it is trending down.

    This little blip has deleted files for any program that has an updater built into it, Adobe, Sprint Smart View, Java, Quickbooks and many more I am sure we will find.

    Any help on where to get on the line I highlighted would be great


    From the Sophos Enterprise Console in the bottom left double-click your Anti-Virus and HIPS policy.

    Next to "On-Access Scanning" click "Configure" button

    Click Clean-up tab

    Change to "Deny"

  • My Sophos setup was to delete files instead of quarantine/deny access.

    Will replacing deleted Sophos update files on workstations and rebooting work? (for example \Sophos\autoupdate\ALsvc.exe) Clients are currently getting the ALmon error, and not updating due to that exe being deleted. The SUM updates just fine with the latest release, and I can manage workstations just fine (disable on-access scanning, etc.)

  • Will that matter if I have turned off the on access scanning then? Because now that is a greyed out option, which is what had me scratching my head. I did re-enable it for a second, changed that setting and then turned it back off again. We had so many virus/spyware type outbreaks that Sophos had actually advised us to put clean up in delete; now I guess we have died by the sword.

  • I have only been able to test on two machines, so far so good:

    • Disable your on access scanning for your Sophos server and workstations via the policy.
    • Run the update manager on the server and check for an update.
    • Verify that the update completed.
    • Once update completed, update computers/servers.
    • Acknowledge the errors on the systems and they should not come back.
    • Re-enable the on access scanning for your Sophos server and workstations via the policy.

    I acknowledge the errors on the Enterprise Console and then "clear from list" on one workstation.  So far so good.  On the other, I haven't cleared. I am waiting and watching.

  • I have performed the procedure of moving the nodes to a policy with on access scanning turned off. Updated their policy and then performed an update, verified the updated IDE was downloaded and then returned them to a policy with on access scanning on.

    I then "acknowledged" the alerts for the impacted files in the Console.

    However, on each individual workstation it still shows the impacted files in the quarantine.

    Can someone with SOPHOS please tell us the following:

    1. Does the fact that these items are still in the quarantine allow them to function? (i.e. GoogleUpdater is in quarantine... will it function?)

    2. How the heck (without going to each of our 1300 impacted machines) do we get these out of quarantine?

  • Nathan, thanks for your advice.

  • Can the people who have this resolved please post what version of binaries they're running? 1.3.2.176
