
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Do we need to acknowledge these alerts in console or will they clear up on their own once the issue is resolved on the machine? 

  • Nathan,

    How do I update my javab-jd.ide file? I've read over the advisory but it doesn't fix it. In my AV I have the one from 7:02 pm, but the one that is shared in the SUM site is from 5:20 pm yesterday. How do I get this to update? I've run SUM and it updates successfully...

    Thanks

    -greg

  • http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

    According to the instructions in the link above:

    To clear application from quarantine do I have to do the following on each client computer?

    Stop the Sophos Anti-Virus service (Start | Run | Type: services.msc | Press return).

    Delete the quarantine.xml file from:

    C:\Documents and Settings\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml.

    or

    C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml

    Start the Sophos Anti-Virus service.

    Will the applications not be released from quarantine after the corrected IDE is downloaded?

  • Hi folks,

    Thankfully our policy was set to deny access only already, but I've followed the latest Advisory up until

    4. Depending on the Cleanup configuration noted in point 1 follow the steps relevant to your configuration:

    Deny access only

    This seems to me to be saying to carry out these steps on each of the endpoints in the organisation. Am I reading it correctly? Why not simply open the EM quarantine and click Clear list? Is there any better way that doesn't involve having to log into each and every machine with the endpoint on it?

  • But clients cannot update...

  • I deleted the quarantine.xml files (see /search?q= 30335 ) with a batch file, combined with removing the IDE for those that were broken. We decided to do it manually but could have run down a list of computers with a for loop.

    Wish I'd found the knowledgebase article before I dug around looking for where it was stored mind!

    Steve

    http://www.dragon-it.co.uk/

    This was one of the other batch files I used ... looped through asking for computer names, stopped services, swapped file for a known good empty one in the same dir as the batch, restarted services.

    @echo off
    REM Script to clear Sophos quarantine
    REM Prompts for computer names one at a time. For each one it stops the Sophos
    REM services, swaps the endpoint's quarantine.xml for a known-good empty copy kept
    REM next to this batch file, then restarts the services. Needs admin rights on the
    REM C$ share and on the Service Control Manager of each target.
    :loop
     set name=
     set /p name=Enter name (blank to end):
     if "%name%"=="" exit /b
     call :fixpc %name%
    rem  pause
    goto loop

    exit /b

    :fixpc
    set fixpc=%~1

    REM Try the XP/2003 config path first, fall back to the Vista/7 ProgramData path.
    REM If neither exists (share unreachable), the copy below simply fails and the dir check shows it.
    set find=\\%fixpc%\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config
    if not exist "%find%\quarantine.xml" set find=\\%fixpc%\c$\ProgramData\Sophos\Sophos Anti-Virus\config

    sc \\%fixpc% stop "SAVService"
    sc \\%fixpc% stop "SAVAdminService"
    sc \\%fixpc% stop "Sophos Agent"

    REM sc stop returns before the services have actually stopped, so give them a few seconds
    echo Waiting....
    ping 127.0.0.1 -n 5 > Nul

    REM Keep the old list as quarantine.old (the rename fails if one is already there, the copy still wins)
    rename "%find%\Quarantine.xml" *.old
    copy /y "quarantine.xml" "%find%\quarantine.xml"

    sc \\%fixpc% start "Sophos Agent"
    sc \\%fixpc% start "SAVAdminService"
    sc \\%fixpc% start "SAVService"

    REM Print "<name>: " with no newline, then confirm the replacement file is in place
    set /p x=%fixpc%:  <NUL
    dir "%find%\quarantine.xml" | find /i "quarantine"

  • Hi,

    I have followed the Sophos fix on both my ECs; after doing this the number of alerts I'm receiving has greatly reduced. I can see the javab-jd.ide file on many of my client machines now.

    But some of my clients are still sending alerts, and when I check, none of them have the javab-jd.ide. Am I OK to copy and paste it over from another client? Not sure why some clients aren't updating; I've configured the HIPS policy as per the instruction.

    Thanks


  • pritchi83 wrote:

    Hi folks,

    Thankfully our policy was set to deny access only already, but I've followed the latest Advisory up until

    4. Depending on the Cleanup configuration noted in point 1 follow the steps relevant to your configuration:

    Deny access only

    This seems to me to be saying to carry out these steps on each of the endpoints in the organisation. Am I reading it correctly? Why not simply open the EM quarantine and click Clear list? IS there any better way that doesn't involve having to log into each and every machine with the endpoint on it?


    Unfortunately there is no mechanism to centrally clear all the items from the endpoint Quarantine Manager.

    The quarantine manager does not prevent the files from being executed. The scanning engine itself carries out that function, so if you've obtained javab-db.ide but HAVEN'T cleared the items from the QM and HAVEN'T moved or deleted anything, then the files detected and listed in the QM will be allowed to run.

    The actions to delete the quarantine.xml file can be carried out via a batch file pushed using a tool like PSEXEC. Check this thread for some example batch files and PSEXEC commands if you aren't familiar with these tools. I'm working on getting the advisory updated with some of this information.

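An added audit script to go with the answer above (it is not code from any poster or from Sophos): before pushing the quarantine.xml clean-up with PSEXEC, it reports, per endpoint and over the C$ admin share, whether the corrected javab-jd.ide has arrived and whether Quarantine.xml still mentions the falsely detected swi_update.exe. It assumes admin rights on C$, the default install paths quoted in this thread, and that Quarantine.xml records detected file paths in plain text (a labelled assumption, not something the thread confirms).

```powershell
# Added audit script for this thread (not a poster's code, not Sophos code).
# Assumptions: admin rights on C$ of each target; Sophos installed in the default
# paths quoted in the thread; Quarantine.xml stores detected paths as plain text.

$SavDirs = @(
    'Program Files\Sophos\Sophos Anti-Virus',          # 32-bit Windows
    'Program Files (x86)\Sophos\Sophos Anti-Virus'     # 64-bit Windows
)
$QuarantinePaths = @(
    'ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml',                                        # Vista/7/2008
    'Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml'   # XP/2003
)

function Get-SophosFixStatus {
    param([Parameter(Mandatory=$true)][string]$Computer)
    $root = "\\$Computer\c$"

    # First existing candidate wins; $null if none exists or the share is unreachable
    $ide  = $SavDirs | ForEach-Object { Join-Path $root "$_\javab-jd.ide" } |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    $qxml = $QuarantinePaths | ForEach-Object { Join-Path $root $_ } |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

    # Count lines of Quarantine.xml that still reference the false-positive file
    $hits = 0
    if ($qxml) {
        $hits = @(Select-String -Path $qxml -Pattern 'swi_update.exe' -SimpleMatch).Count
    }

    [pscustomobject]@{
        Computer            = $Computer
        Reachable           = Test-Path -LiteralPath $root
        CorrectedIdePresent = [bool]$ide
        QuarantineFile      = $qxml
        SwiUpdateEntries    = $hits
        # Still needs the stop-service / delete-Quarantine.xml / start-service fix,
        # or has not yet received the corrected IDE and should be checked for updating problems
        NeedsAttention      = (-not $ide) -or ($hits -gt 0)
    }
}

# Constructed placeholder names; replace with your own list, e.g. Get-Content computers.txt
$Computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')
$Computers | ForEach-Object { Get-SophosFixStatus -Computer $_ } | Format-Table -AutoSize
```

Machines reported as unreachable or without the corrected IDE are the ones to look at first, since they match the "clients cannot update" symptom described earlier in the thread.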
  • Nate,

    I have a few PCs that no matter what I can't get updated. I even tried reprotecting them again..won't go. And can't update from the server either..not even the policies. Like I said, maybe 10% of the PCs.

  • This is my script to fix the bad definition and fix the updater and force the updater to run again

    --- SNIP ---

    @echo off
    echo.
    echo --------------------------------------------------------------------
    ECHO Sophos Bad-Update Fixer Batch File -
    ECHO            removes bad definition and rebuilds the auto-updater
    ECHO  Written by Stewart Moss from Accumulo Consulting (Pty) Ltd.
    Echo  Version 1.0.1 - 20-Sept-2012 - Fixed for 32bit and 64bit detection
    echo --------------------------------------------------------------------
    echo.
    REM  This script is for Sophos, Sophos Agents and their customers only and is to be used at your own RISK.
    REM  Neither Accumulo Consulting (Pty) Ltd nor the Author will take any responsibility to
    REM  any damages done by this script
    REM
    REM Please change the paths which say "\\MyServer\Staging\AutoUpdate\" to point to a copy of the
    REM autoupdater which you have placed into a staging area.
    REM
    REM The autoupdater folder in the staging area is the entire folder copied from the CIDs
    REM "\\MyServer\SophosUpdate\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate"
    REM
    REM History: 1.0.1 Fixed the script because it thought all Windows 7 machines were 64 bit!
    REM
    REM  Copyright 2012 by Accumulo Consulting (Pty) Ltd. All rights reserved.
    REM  All copyright information needs to remain as it is.
    REM  http://www.accumulo.co.za/

    Echo Stopping Services

    NET STOP "Sophos Agent"
    NET STOP "Sophos Anti-Virus"
    NET STOP "Sophos Anti-Virus status reporter"
    NET STOP "Sophos AutoUpdate Service"
    NET STOP "Sophos Message Router"
    NET STOP "Sophos Web Control Service"
    NET STOP "Sophos Web Intelligence Service"

    REM Operating System Detection to copy to the right location

    REM Windows 5.1 is Windows XP
    ver | findstr /i "5\.1\." > nul
    IF %ERRORLEVEL% EQU 0 goto WindowsXp

    REM Server 2003 has the same paths as Windows XP

    REM Windows 5.2 is Windows 2003 server
    ver | findstr /i "5\.2\." > nul
    IF %ERRORLEVEL% EQU 0 goto WindowsXp

    REM Ok so only Windows Vista, Windows 7 and Server 2008 have made it to here
    REM Now we need to work out if we are 32 bit or 64 bit Windows. We use the registry and read the
    REM attributes of the first logical CPU. If it contains the characters "x86" it is 32 bit.

    REG.exe Query "HKLM\Hardware\Description\System\CentralProcessor\0" | Find /i "x86"  > nul
    If %ERRORLEVEL% == 0 Goto Windows732Bit
    goto Windows764bit

    :Windows732Bit
    :WindowsXp

    echo Processing for 32bit operating systems or Windows XP

    xcopy "\\MyServer\Staging\AutoUpdate\*.*" "C:\program files\sophos\AutoUpdate\" /S /E /Y /H /R /K /C

    echo Deleting offending definition
    REM /d also switches drive, in case this batch was launched from a mapped or network drive
    cd /d "C:\program files\Sophos\sophos anti-virus"
    del /f "agen-xuv.ide"

    Echo Starting 32bit Services

    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"

    Echo Starting ALMON.EXE to bring shield back
    Echo If the batch file hangs here, check the shield is loaded and you can close this batch file.
    echo Our work is done.
    echo.
    REM Launch with start (as the 64-bit branch does) so the batch does not block on the tray application
    start /d "C:\program files\sophos\AutoUpdate\" ALMON.EXE

    goto NowDoneStartServices

    :Windows764bit

    echo Processing for 64bit operating systems (Windows Vista, Windows 7 and Server 2008)

    xcopy "\\MyServer\Staging\AutoUpdate\*.*" "C:\program files (x86)\sophos\AutoUpdate\" /S /E /C /Y /H /R /K

    echo Deleting offending definition
    REM /d also switches drive, in case this batch was launched from a mapped or network drive
    cd /d "C:\program files (x86)\Sophos\sophos anti-virus"
    del /f "agen-xuv.ide"

    Echo Starting 64bit Services

    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"

    Echo Starting ALMON.EXE to bring shield back
    Echo If the batch file hangs here, check the shield is loaded and you can close this batch file.
    echo Our work is done.
    echo.
    start /d "C:\program files (x86)\sophos\AutoUpdate\" ALMON.EXE

    :NowDoneStartServices

