Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

:29723


  • How is it possible to exclude swi_update.exe from the quarantine list with the help of Sophos Enterprise Console?

    I don't want to log on to every client, open up Sophos Endpoint Security and exclude it from there.

    :31107
  • Yes... thanks for your guidelines.

    But I still cannot turn on ALMon.exe.

    I am still getting "Error loading external resources (0x8007007e)".

    Is it because some of the files have been deleted?

    What should I do?

    :31111
  • If your policy was to move or delete, then you may be at the mercy of Sophos.

    We used deny access only.

    :31113
  • "How is it possible to exclude swi_update.exe from the quarantine list with the help of Sophos Enterprise Console?

    I don't want to log on to every client, open up Sophos Endpoint Security and exclude it from there."

    My colleagues first employed Nathan's guidelines, which thankfully seem to have worked well for us.

    We only seem to have suffered the "Error loading external resources (0x8007007e)" error on about 8 out of around 500 machines. So this has been manageable so far for us.

    :31115
  • What is the solution for the "Error loading external resources (0x8007007e)" error???

    :31119
  • "2. As for clearing the items from the endpoint QM, there is no central method that I'm aware of yet. If another method is discovered, I will post asap."

    Ah, so there is no way to remove them from the list centrally so far... but at least everything works again.

    :31121
  • For me it worked to turn off the real-time protection in the management console for the whole network. The files were not moved away from their original place; access was just denied by on-access scans. After disabling the on-access scans, Sophos was able to update. Then I turned on-access scans back on across the network. Now I'm waiting for a solution for how to remove the entries in the Quarantine Manager without manual intervention on each system...

    :31123
  • I have a slew of machines that I can't seem to get working. They show as "awaiting policy transfer". The only thing I can seem to do is remote in and disable On-Access scanning, then run a Protect from the console or reinstall the client manually. I have THOUSANDS of clients in this state.

    Is there a central way to handle this? Because the Sophos client has already blocked access to most of its own components, I can't transfer any policies to these workstations.

    :31125
  • For the external resources error, look back on screen about 50 through 55 for the FixSAV.vbs script and the Repair.vbs script.

    I used both of these, fixsav, then repair, and had success with over 90%.

    Also had a batch file that deleted the offending agen-xuv.ide file.

    Here is the text of that file

    rem fixide.bat: remove the identity file behind the false positive, with the scanner stopped
    rem Stop the Sophos Anti-Virus service so the IDE file is not in use when it is deleted
    net stop savservice
    rem 64-bit Windows: the 32-bit Sophos install lives under Program Files (x86)
    del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" /f /q
    rem 32-bit Windows path and an optional refresh of the install from the updating share (both commented out)
    rem del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" /f /q
    rem xcopy "\\Sophos Updating Share\*.*" "C:\Program Files\Sophos\Sophos Anti-Virus\*.*" /y
    rem xcopy "\\Sophos Updating Share\*.*" "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\*.*" /y
    rem Start the service again so on-access scanning and updating resume
    net start savservice

    I rem'd out the three lines as we only have Windows 7.

    Saved a lot of time.

    I would include the files, but do not know how to attach.

    So turn off on-access scanning at your console, then

    on the workstation:

    1.  Log in as an administrator equivalent (click OK to clear the external resources error if you see it).

    2.  Run the fixide.bat file to remove the problem child.

    3.  Run fixsav.vbs (count to 10 while it runs).

    4.  Run repair.vbs (answer OK to both).

    Go to the systray and choose Update Now.

    Fixes the error and in most cases fixes it, so Sophos runs and updates again.

    I didn't write any of these, I just used them and figured I would save you some trouble....

    :31127
  • This is what I did:

    Change all policies to only deny access on virus detection.

    Change all policies to disable OnAccess Scanning

    Then

    Method for Icon still in systray:

    1.  Ensure OnAccess Scanning is disabled, if not, disable manually.

    2.  Use the "Update Now" button - assuming you have downloaded the fixed defs to your update server.

    3. Open Sophos and verify that the virus IDE count is 281 or greater under the View Product Info after you expand the Software portion (why they don't list this on the home screen I don't know).

    Method for no Sophos Icon:

    Note you can try to reinstall AFTER disabling OnAccess Scanning. HOWEVER, half of mine got errors during the install, 25010 errors I think. So instead,

    1.  Ensure OnAccess Scanning is disabled, if not, disable manually.

    2. I copied 5 files from the CID\S00x\SAVFPXP\SAVSCFXP\SAU\Program files\Sophos\AutoUpdate\ directory that seemed to be getting deleted. They are ALsvc.exe, ALUpdate.exe, AUAdapter.dll, Cidsync.dll and inetconn.dll. I copied these files back to C:\Program Files\Sophos\AutoUpdate.

    3. I then restarted the Sophos AutoUpdate Service

    4. Next, I reinstalled Sophos. You might be able to just reboot, but I was dealing with the 80+ Windows servers that were affected and wanted to be sure I had the ALMon systray icon back before I rebooted.

    5. Then run the 'Update Now'

    I have not yet re-enabled OnAccess scanning since we were hit so close to 5pm. I'm going to wait until 9 or 10 am, until I'm sure that I have allowed all unaffected PCs to update to the fixed defs, before re-enabling.

    :31129
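The two manual recoveries posted above (the fixide.bat sequence: stop SAVService, delete agen-xuv.ide, start SAVService; and the "no Sophos icon" sequence: copy the five AutoUpdate binaries back from the CID and restart the AutoUpdate service) can be combined into one script that a technician runs elevated on each affected client, after on-access scanning has been disabled in the console as the posters describe. This is an added example, not code from the thread and not Sophos's own tooling. It assumes the service names 'SAVService' and 'Sophos AutoUpdate Service', the install paths shown in the thread, and that the -CidAutoUpdatePath argument points at the CID folder holding the AutoUpdate binaries (the "S00x" folder name in the thread is a placeholder for your subscription folder).

```powershell
<#
Added example (not from the thread, not Sophos tooling). Combines the fixide.bat step
and the "no Sophos icon" step from the posts above into one elevated, local recovery.
ASSUMPTIONS (not stated on the page): service names 'SAVService' and
'Sophos AutoUpdate Service'; install paths below; $CidAutoUpdatePath is the CID folder
that holds the AutoUpdate binaries (the thread's 'S00x' folder name is a placeholder).
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$CidAutoUpdatePath,   # assumed layout: \\server\SophosUpdate\CIDs\S00x\SAVSCFXP\SAU\Program files\Sophos\AutoUpdate
    [switch]$DryRun               # print each step without changing anything
)

$ErrorActionPreference = 'Stop'

# Sophos Anti-Virus sits under either Program Files root depending on OS bitness;
# keep only the roots that actually exist on this machine.
$savRoots = @("$env:ProgramFiles\Sophos\Sophos Anti-Virus",
              "${env:ProgramFiles(x86)}\Sophos\Sophos Anti-Virus") | Where-Object { Test-Path $_ }
$autoUpdateDir   = "$env:ProgramFiles\Sophos\AutoUpdate"
$badIde          = 'agen-xuv.ide'   # identity file named in the thread as the cause
$autoUpdateFiles = 'ALsvc.exe', 'ALUpdate.exe', 'AUAdapter.dll', 'Cidsync.dll', 'inetconn.dll'

function Invoke-Step([string]$What, [scriptblock]$Action) {
    Write-Host "* $What"
    if (-not $DryRun) { & $Action }
}

function Get-MissingAutoUpdateFiles {
    @($autoUpdateFiles | Where-Object { -not (Test-Path (Join-Path $autoUpdateDir $_)) })
}

# 1. Stop the scanner so it cannot hold, or re-block, the files about to be touched.
Invoke-Step 'Stopping SAVService' { Stop-Service -Name 'SAVService' -Force }

# 2. Delete the offending IDE from every install root found (fixide.bat equivalent).
foreach ($root in $savRoots) {
    $ide = Join-Path $root $badIde
    if (Test-Path $ide) {
        Invoke-Step "Deleting $ide" { Remove-Item -LiteralPath $ide -Force }
    }
}

# 3. Put back only the AutoUpdate binaries that are actually missing; fail loudly
#    if the CID copy is not there rather than leaving the client half-repaired.
foreach ($name in Get-MissingAutoUpdateFiles) {
    $src = Join-Path $CidAutoUpdatePath $name
    if (-not (Test-Path $src)) { throw "Cannot restore ${name}: not found in CID at $src" }
    Invoke-Step "Restoring $name from CID" { Copy-Item -LiteralPath $src -Destination $autoUpdateDir -Force }
}

# 4. Restart AutoUpdate so the next 'Update Now' pulls the fixed IDEs, then bring the scanner back.
Invoke-Step 'Restarting Sophos AutoUpdate Service' {
    Get-Service -DisplayName 'Sophos AutoUpdate Service' | Restart-Service -Force
}
Invoke-Step 'Starting SAVService' { Start-Service -Name 'SAVService' }

# 5. Report the final state so results from many machines can be collected and compared.
[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    MissingAutoUpdateFiles = Get-MissingAutoUpdateFiles
    BadIdeStillPresent     = [bool]($savRoots | Where-Object { Test-Path (Join-Path $_ $badIde) })
}
```

Run it once with -DryRun to see which roots and files it would touch before letting it change anything. A client that reports MissingAutoUpdateFiles as non-empty or BadIdeStillPresent as True after the run still needs the reinstall path described in the post above. For the "thousands of clients" case, the same script can be pushed with Invoke-Command where WinRM is reachable (an assumption; the console's own policy transfer is what the posters report as blocked).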