
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.


This thread was automatically locked due to age.
  • Where can I find those scripts?

  • I completely agree. There should have been better communication, more (and better) support available, and some remediation processes for the clients. This couldn't be more true with our large, global environment. We never were able to get in touch with our TSAM or Support. Thank goodness for these forums!

    We are just beginning to roll out Sophos into our environment (a few thousand clients in place, several thousand left to go) and this is not a good first impression for our users or management. Our security team spent many hours bringing our environment back to a stable state because of an error that never should have made it out of Sophos QA. Our rep and TSAM will hear from me in the morning. Everyone involved is just lucky that we were able to contain the problem to North and South America, with minimal impact in our EU or APAC sites.

  • script

    REM Stop the on-access scanner so the offending identity file is not in use
    Net Stop SAVService
    REM Remove agen-xuv.ide from both the 32-bit and 64-bit install paths, if present
    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo File Deleted)
    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo File Deleted)
    REM Bring the scanner back up
    Net Start SAVService

  • Hey guys,

    I don't have time to paste all the scripts at the moment but it may help some to do something like below which made our cleanup of 400+ machines fairly simple.

    Set up a text file with the name of each PC on a separate line.

    Set up a batch file with something like below to remove the offending IDE:

    for /f %%a in (pclist.txt) do del "\\%%a\c$\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" /f /q

    Grab the vbs script a few pages back to move the files out of quarantine and back to the correct location and add a line such as

    Install pstools on a server and run psexec as below

    for /f %%a in (pclist.txt) do copy script.vbs \\%%a\c$\script.vbs && psexec \\%%a -u DOMAIN\admin -p password cscript c:\script.vbs

    and reboot each machine.

    If this is useful to anyone let me know if you need more info and I will come back and post some more when I have made sure all the fires are finally out :)

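The mass-cleanup idea in the post above (a host list, delete the bad IDE on each admin share, then verify), written out as an added example that is not the poster's script and not anything Sophos ships. It assumes the two install paths and the file names agen-xuv.ide and javab-jd.ide exactly as named in this thread, defaults to a dry run so you can audit before deleting, and takes a host-to-root mapping so it can be tested against a local directory; stopping SAVService and restoring quarantined files are still the separate steps the thread describes.

```python
import os
from dataclasses import dataclass, field

# Values taken from the thread: the identity file behind the Shh/Updater-B
# false positive, and the corrected identity file that replaces it.
BAD_IDE = "agen-xuv.ide"
FIXED_IDE = "javab-jd.ide"
# Both install locations named in the thread, kept as path components so the
# same code runs on any OS (the root supplies the drive or admin share).
SAV_DIRS = (
    ("Program Files", "Sophos", "Sophos Anti-Virus"),
    ("Program Files (x86)", "Sophos", "Sophos Anti-Virus"),
)

def admin_share_root(host):
    """Default host -> root mapping: the C$ admin share, as in the batch one-liner."""
    return rf"\\{host}\c$"

@dataclass
class HostResult:
    host: str
    removed: list = field(default_factory=list)  # agen-xuv.ide paths found (deleted unless dry_run)
    fixed_ide_present: bool = False              # javab-jd.ide seen in at least one install dir
    error: str = ""                              # unreachable share, access denied, ...

def remediate_host(host, root_for=admin_share_root, dry_run=True):
    """Remove the bad IDE from one host and report whether the fix IDE is already there."""
    res = HostResult(host)
    try:
        for parts in SAV_DIRS:
            base = os.path.join(root_for(host), *parts)
            bad = os.path.join(base, BAD_IDE)
            if os.path.isfile(bad):
                if not dry_run:
                    os.remove(bad)
                res.removed.append(bad)
            if os.path.isfile(os.path.join(base, FIXED_IDE)):
                res.fixed_ide_present = True
    except OSError as exc:
        res.error = str(exc)
    return res

def remediate_all(hosts, root_for=admin_share_root, dry_run=True):
    """Run over every non-blank line of a pclist.txt-style host list; dry run by default."""
    return [remediate_host(h.strip(), root_for, dry_run) for h in hosts if h.strip()]

def still_needs_attention(results):
    """Hosts to revisit: the share errored, or the corrected IDE has not arrived yet."""
    return [r.host for r in results if r.error or not r.fixed_ide_present]
```

Feed it `open("pclist.txt")` and check `still_needs_attention()` before and after the live run; a host that lacks javab-jd.ide has not yet pulled the corrected identities and will keep flagging files.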
  • The instructions you have up are NOT ADEQUATE!!!!!

    1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
    2. Restart the 'Sophos Anti-Virus Service'
    3. Update SUM via the Sophos Enterprise Console

    Due to this process Sophos will have quarantined at least ALsvc.exe, cidsync.dll, ALUpdate.exe, and many other files that are required for AutoUpdate to work. So these instructions DO NOT WORK. You need some tool to also restore the auto update functionality of Sophos that Sophos quarantined.

  • Hello Sophos

    The big trouble is that the false positive malware detection has deleted the detected files where on-access scanning was configured to delete the file.

    In this case the Sophos Auto-Update has been damaged and is impossible to recover easily.

    I think that a Sophos utility designed to reinstall the Sophos Auto-Update and execute an upgrade immediately on the affected machines would help to solve this trouble.

    Maybe this utility would also work when executed manually, automatically from AD, or remotely with a tool such as psexec.

    The other action for the next days is to include options to deny access to all Sophos components, to block these failures or a malware attack.

    Regards

    Linck Tello Flores

    INNOVARE

    www.innovare.pe


  • akurk wrote:

    I have performed the procedure of moving the nodes to a policy with on-access scanning turned off. I updated their policy and then performed an update, verified the updated IDE was downloaded, and then returned them to a policy with on-access scanning on.

    I then "acknowledged" the alerts for the impacted files in the Console.

    However on each individual workstations it still shows the impacted files in the quarantine.

    Can someone with SOPHOS please tell us the following:

    1. Does the fact that these items are still in the quarantine allow them to function? (i.e. GoogleUpdater is in quarantine... will it function?)

    2. How the heck (without going to each of our 1300 impacted machines) do we get these out of quarantine ???!??!!??!?


    1. Provided the files are still in their original locations and the IDE javab-jd.ide has been applied to the endpoint, the fact that the item is listed in the QM will have no effect. The application will run. If you've moved files, deleted files, or don't have the updated IDE then the application will be blocked.

    2. As for clearing the items from the endpoint QM, there is no central method that I'm aware of yet. If another method is discovered, I will post asap.

    Sorry for going home everyone. I felt like most posts were largely items that had already been covered and that anything not solved through the steps discussed here would be too advanced to solve through the forum anyhow.

  • Well it's good to see Sophos personnel back on here; even if you can't provide the best solution, at least you're providing some kind of solution.. I'm still having issues with things taking forever to deploy policies.. Can I get an "ohhh crap" button? Cause I know I would have broken it by now..

  • @Nathan:

    That's wrong: all my devices have the javab-jd.ide, I deleted agen-xuv, and the files are still in Quarantine and the applications are still not working!

  • So if the policy was set to delete (alsvc) then I'm stuffed? - is that the official answer? I can manually copy alsvc back via script but would hope a solution that doesn't involve me doing anything would be found ;)
