Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

:29723


This thread was automatically locked due to age.
  • What a nightmare for Sophos.

    They are going to be on damage control for months after this.

    So many people will leave. I'd expect nothing less than a full refund regardless.

    No solutions for the guys that have their policies set to move/delete the files.

    Methinks it's time for people in a similar position to jump ship and get a full refund if they can't get a working, detailed and correct solution for us.

    :31085
  • How to update the client to server without the ALmon.exe?


    Usually I need to right click the icon tray and click "Update Now"

    Please assist me as soon as possible... Very urgent...

    I've been trying to solve this issue for quite a long time..

    Right now, my server is working fine... but all my clients aren't...

    Please help !~

    :31087
  • "How to update the client to server without the ALmon.exe?"

    Forgot to say that after applying the C:\Program Files\Sophos exclusion, I pushed the policy change to the client from the server, rather than attempting to pull the changed policy from the client.

    :31089
  • Some of our customers are running Sophos Control Centre on their servers. I went into the C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP\savxp folder and checked to make sure the server had been updated with the latest javab-jd.ide. Once I had confirmed it was there, I went back into the console and made sure the on-access scanning was turned off for endpoints in Configure Scanning and Configure Application Control. I then selected all endpoints and went to TOOLS and selected REPROTECT COMPUTERS. Seems to be working so far.

    :31091
  • Need your help..

    Can you list down the steps?

    What do you mean by after applying the C:\Program Files\Sophos exclusion?

    Where can I do that?

    The problem is I cannot update from client to server; even when I want to update from server to client there is also no response....

    What to do ??

    :31095
  • Hi,

    Although manual (can be automated by using a script as well), below are the steps which I followed for damage control:

    1. Go to c:\Program Files\Sophos\Sophos Anti-Virus. Search for a file name : agen-xuv.ide and delete if found
    2. Restart the Sophos AV service by going to services.msc from the run prompt
    3. Go to run, type c:\Program Files\Sophos\AutoUpdate\almon.exe. The Sophos agent should appear on the taskbar
    4. Right click on the Sophos shield icon from the task bar and click update
    5. Once update is done, open Sophos AV, select all items from the quarantine related to this alert and click on Clear from List
    :31097
  • If SUM is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.

    To work around this issue and successfully download the IDE file that fixes this issue follow these steps:


    1.  Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\
     [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]

    2.  Restart the 'Sophos Anti-Virus Service'

    3.  Update SUM via the Sophos Enterprise Console



    :31099
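The workaround given in the two posts above (delete agen-xuv.ide, restart the 'Sophos Anti-Virus Service', relaunch almon.exe), as an added PowerShell example that is not part of any post in this thread or a Sophos-supplied script. It assumes an elevated session on the affected machine and the default install paths quoted in the thread; the parameter names are hypothetical, and Tamper Protection may still block the deletion.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): scripted form of the manual steps above.
# Run with -WhatIf first to see what would be changed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$IdeName            = 'agen-xuv.ide',               # file named in the posts
    [string]$ServiceDisplayName = 'Sophos Anti-Virus Service'   # display name from the posts
)

# Sophos folders under "Program Files" and "Program Files (x86)", whichever exist.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique |
    ForEach-Object { Join-Path $_ 'Sophos' } |
    Where-Object { Test-Path -LiteralPath $_ }
if (-not $roots) { throw 'No Sophos installation folder found.' }

# Step 1: delete the IDE file from the Sophos Anti-Virus folder if it is present.
$removed = @()
foreach ($root in $roots) {
    $ide = Join-Path $root "Sophos Anti-Virus\$IdeName"
    if ((Test-Path -LiteralPath $ide) -and $PSCmdlet.ShouldProcess($ide, 'Delete')) {
        Remove-Item -LiteralPath $ide -Force -ErrorAction Stop
        $removed += $ide
    }
}

# Step 2: restart the anti-virus service and wait until it is running again.
$svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop
if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Restart service')) {
    Restart-Service -InputObject $svc -Force -ErrorAction Stop
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# Step 3: relaunch the AutoUpdate monitor. The shield icon only appears when this
# runs in the logged-on user's interactive session, not in a remote session.
$almon = $roots | ForEach-Object { Join-Path $_ 'AutoUpdate\almon.exe' } |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $almon) {
    Write-Warning 'almon.exe not found; AutoUpdate may need to be reinstalled.'
} elseif ($PSCmdlet.ShouldProcess($almon, 'Start')) {
    Start-Process -FilePath $almon
}

# Summary object for logging when the script is run across many machines.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    IdeRemoved    = $removed
    ServiceStatus = (Get-Service -Name $svc.Name).Status
    AlmonPath     = $almon
}
```

Triggering the update and clearing the quarantine list are left as manual actions, as in the posts.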
  • It seems we are missing the file "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe". We aren't able to use the protect feature from the Console. What method can we use to reinstall AutoUpdate on affected machines?

    :31101
  • After I deleted agen-xuv.ide and restarted the Sophos AV services..

    I cannot startup almon.exe

    Pop up error, "Error loading external resources (0x8007007e)"

    Please help ~

    :31103
  • "Need your help..

    Can you list down the steps?

    What do you mean by after applying the C:\Program Files\Sophos exclusion?

    Where can I do that?"

    This is to specifically address the "Error loading external resources (0x8007007e)" error when the PC starts and the Sophos Shield does not appear in the systray, therefore no update option from there...

    The first thing you could try, if a manageable number of machines are affected, is to add On-access scanning Exclusions (you may first need to Authenticate user)...

    1. Open the Sophos Endpoint Security and Control from the Start Menu
    2. Authenticate user, if need be (options may be greyed out if Tamper Protection is enabled and you don't authenticate).
    3. Configure -> Anti-Virus -> On-access scanning...
    4. Exclusions tab
    5. Add Item Type Folder for "C:\Program Files\Sophos\" or whatever is appropriate for your install
    6. Select Sophos items from the Quarantine list and then "Clear from list"

    Reboot and you should hopefully find the Sophos Shield in the systray again.

    From the Sophos Server I added the exclusion under:

    1. Policies
    2. Anti-Virus and HIPS
    3. Default (or whichever policy you use for the affected machines)
    4. On-access scanning Configure button
    5. Windows Exclusions
    6. Add C:\Program Files\Sophos\
    7. OK, OK
    :31105