Is any one else seing this alert - Shh/Updater-B False positives

@Sandy....

"I must emphasize that we apologize for all of the disruption caused to our many customers and partners worldwide. We recognize the issue is very serious, and are doing everything we can to resolve it."

Thanks, now who do we see about reimbursement of costs...............

this isn't the first time we had this of late (never this bad) but at least 3 times in the past couple of months updates have come out that have caused issues with NAC, infact there was one earlier yesterday I all of a sudden had a load of machines showing  assessment faliure AGAIN!  I still have quite a few showing it now!

Simply....Incredible and Stupid

What is the current binary everyone is seeing deployed?  Currently I show 1.3.2.176 which is the version I had yesterday when this mess started! 

Someone said a 3 month licesne extension??? How about a frigging year!!

Luckily only 2 files from Autoupdate was removed to quarantine, so I can just copy the contents of a working machine and paste it in and then they are able to update... but that is over 350 machines and 30 servers... 

Man oh man.. 

Where do I send my bill?

Who wants a license extension to continue with this madness? How about paying for users to switch to something reliable. Ouch.

---

putty wrote:

What is the current binary everyone is seeing deployed?  Currently I show 1.3.2.176 which is the version I had yesterday when this mess started! 

---

Hi Putty,

The update is contained in an IDE, not a binary update. You are running the latest version of the Sophos Update Manager. Please be sure that you have downloaded and deployed javab-jd.ide to your endpoints. Please see the advisory for further assistance if you are having difficulty downloading the updated IDE.

---

Nik_Nak2 wrote:

If anyone hasn't tried the below already give it a try - thankfully I had a back up.

The Shh/Updater B deleted some files and then I couldn't get the update files working.

1) Remove agen-xuv.ide from "C:\Program Files\Sophos\Sophos Anti-Virus"

2) Disable on access scanning in Sophos control centre

3) Under Anti-Virus Hips in the "Endpoint Security" module add - the aforementioned exceptions:

C:\Documents and Settings\All Users\Application Data\Sophos\

C:\Program Files\Sophos\

C:\Program Files (x86)\Sophos\

C:\programdata\sophos\

4) run "services.msc" from server - Start>Run command

5) Find the following 2 services: Sophos AutoUpdate Service & Sophos Update Manager

6) Right click and select properties and each service and write down the path to the executable files. They should be something like Program files\sophos\auto update & Program files\sophos\scc\sum

7) Locate these folders - these are where there are likely to be files missing! If you have a back up then locate the archived folders - then compare.

I was missing ALUpdate.exe and ALsvc.exe from the suto update folder and SophosUpdateMgr.exe, SUMservice.exe and UpdateSUMConfig.exe from the SUM folder. Providing you have the backups - and have disabled on access scanning you should be able to copy in the missing files.

8) Once you have done this restart the above mentioned services

9) Choose update now from the Sophos Control Center

10) Hey presto that should have fixed it - you may then need to either update all workstations manually or centrally from the server

Good luck

CB

Make sure that your two folders SUM & Sophos Auto Update files have the same files in as before - my sophos deleted a few and I had to go into a backup to get them back!

---

There are many extra steps here that are not required. Please see our advisory for instructions to assist with recovery.

What is sad with your step is that they don't always work.

If you move/delete the quarantine file, your step are useless because they suppose that file like alsvc.exe, almon.exe and other are still there... those are just the sophos file, just don't get us started on other software like acrobat, java, google update that are screwed also...

ML