
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Anyone know how to clear the local quarantine of Sophos endpoint with SEC?

  • As per the Sophos KB for the supposed fix for this incident (http://www.sophos.com/en-us/support/knowledgebase/118311.aspx)...

    To suggest that customers effectively TURN OFF THE ANTIVIRUS on the end-points, roll out the update, and then turn it back on again is such a terrible solution!  - Yeah, why not give the real malware a chance to have some fun! We haven't got anything else to do!

    At least as an alternative Sophos should be writing a script for all Windows platforms to remove the offending IDE, restart the SAV services, and accompany it with a guide on deploying the script using PSEXEC. This would be far quicker and safer than disabling OnAccess scanning! Granted you need to enumerate a list of the target machines, but surely Sophos could write a script to pull this from SEC?

    It doesn't give customers much faith in Sophos as to how this major incident has been, and continues to be handled.

    1. Phone lines and amount of staff clearly unable to deal with the volume. - What happens when another major virus hits the wild? How will Sophos cope then!?

    2. Lack of communication from Sophos, apart from a few replies in some threads and a poorly advertised KB article. (See above)

    3. Poorly thought out solutions to a major incident.

    4. Lack of management control and ownership.

    I imagine as ever that there will be no official apology and explanation from Sophos. - The Marketing team and senior management would much prefer to bury their heads in the sand and continue to ignore everything.

    In the meantime if Sophos could come up with a script to clear the quarantine alerts for Shh/Updater-B from the End-Points it would be very much appreciated. - Users logging back onto the machine after leaving it locked overnight and calling us with False Positive malware alerts is very nice. Not! Especially when the machine has already been patched with the updated IDE etc!

    Lastly, can someone from Sophos stop this thread and do a better job to advertise the solution!

    Oh, and get a proper incident management team!

  • To clear the quarantine list, do the following:

    1) Stop Sophos - Including all Sophos services etc

    Replace the file Quarantine.xml located here:

    2008+

    C:\ProgramData\Application Data\Sophos\Sophos Anti-Virus\config\

    2003-

    C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\

    with the following file content:

      <?xml version="1.0" ?>
      <Threats prodver="102" version="1">
        <ViralThreats />
        <MCViralThreats />
        <PUAThreats />
        <AppControlThreats />
      </Threats>

    Restart Sophos.

    The quarantine list should now be clear.

    Please note that this is an improvised fix and will not be supported by Sophos. Frankly I'm shocked at the poor level of support they have provided.

    Good luck all.

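    A selective alternative to replacing the whole file, added here as an example that is not from this thread or from Sophos: it parses Quarantine.xml and drops only the entries that name Shh/Updater-B, leaving every other detection in the list. The per-entry layout (a `<Threat name="..." path="..."/>` element inside each category) and the sample file are assumptions, since the thread shows only the empty skeleton; run it with the Sophos services stopped, as in the steps above.

```python
import xml.etree.ElementTree as ET

# Constructed sample Quarantine.xml; the per-entry <Threat name path> layout is an assumption.
SAMPLE_QUARANTINE = """<?xml version="1.0" ?>
<Threats prodver="102" version="1">
  <ViralThreats>
    <Threat name="Shh/Updater-B" path="C:\\Program Files\\Sophos\\Sophos Anti-Virus\\Web Intelligence\\swi_update.exe" />
    <Threat name="Shh/Updater-B" path="C:\\Tools\\example_updater.exe" />
    <Threat name="EICAR-AV-Test" path="C:\\Users\\alice\\Downloads\\eicar.com" />
  </ViralThreats>
  <MCViralThreats />
  <PUAThreats>
    <Threat name="Generic PUA" path="C:\\Users\\alice\\Downloads\\toolbar.exe" />
  </PUAThreats>
  <AppControlThreats />
</Threats>
"""

def entry_mentions(entry, threat_name):
    """True if threat_name occurs in any attribute or text of the entry or its descendants."""
    for node in entry.iter():
        if any(threat_name in value for value in node.attrib.values()):
            return True
        if node.text and threat_name in node.text:
            return True
    return False

def filter_quarantine(xml_text, threat_name):
    """Drop only the entries that name threat_name; return (new_xml, removed, kept)."""
    root = ET.fromstring(xml_text)
    removed = kept = 0
    for category in list(root):  # ViralThreats, MCViralThreats, PUAThreats, AppControlThreats
        for entry in list(category):
            if entry_mentions(entry, threat_name):
                category.remove(entry)
                removed += 1
            else:
                kept += 1
    return '<?xml version="1.0" ?>\n' + ET.tostring(root, encoding="unicode"), removed, kept

def rewrite_quarantine_file(path, threat_name):
    """Back up Quarantine.xml to path + '.bak' and rewrite it in place (assumes UTF-8)."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    new_xml, removed, kept = filter_quarantine(original, threat_name)
    with open(path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_xml)
    return removed, kept
```

    Anything that is not the false positive stays in the Quarantine Manager for a human to review, which is the concern raised about wholesale replacement.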
  • The solution from DBLIND1 replacing the files and restarting the services works for me.

  • Wouldn't do that manually.
    You HAVE to check the Quarantine Manager yourself.
    If you replace the XML the REAL viruses you have on your endpoint also get 'acknowledged'.
    Would wait for Sophos support on what to do, their solution seems to work.
    The only VISUAL problem is that you still have your infections in the Quarantine Manager, the technical part is already working.
    Don't rush things by replacing files yourself, you'll only make things worse.

  • What a nightmare.

    We've managed to fix our Sophos installs - however our default policy was to move infected files to the default location - C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED - So now we need to copy all of the other non-Sophos files that have been copied there.

    We have our log files - does anyone know of a script that will parse the log file so we can copy the files back to their original locations?

  • kilgore wrote:

    We have our log files - does anyone know of a script that will parse the log file so we can copy the files back to their original locations?

    See page 57 of this thread.

  • Hi Everybody,

    Do we have an official fix from Sophos for this issue or these suggestions are just workarounds?

    Earlier this morning I wrote them an email but still no response...

    Regards,

    Aleksandar

  • 80% of the computers are updated after disabling anti-virus, HIPS and application control.

    On those not updated (anti-virus, HIPS and application control still not activated on them) there is an ALMon error. Will there be a fix for it, or do we manually uninstall Sophos on them and install it again?

    Thanks in advance for a response!

  • I presume by the lack of response from Sophos Support on their own forums they are just simply ignoring us valued customers?
