
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • nf wrote:

    Nate,

    I have a few PCs that, no matter what, I can't get updated. I even tried reprotecting them again... won't go. And I can't update from the server either... not even the policies. Like I said, maybe 10% of the PCs.


    Try the following:

    1. Copy everything from:
      • \\YourServerName\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate
    2. Paste the contents into:
      • C:\Program Files\Sophos\Autoupdate
    3. Replace all files

    Then run C:\Program Files\Sophos\Autoupdate\almon.exe on the client machine to bring the Sophos shield back. Right click on the shield and select 'update now'. You can use a script to do this on multiple machines. Adjust as needed for 64-bit systems, and the S000 folder may have a different name.


  • GM_In_Texas wrote:

    http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

    According to the instructions in the link above:

    To clear application from quarantine do I have to do the following on each client computer?

    Stop the Sophos Anti-Virus service (Start | Run | Type: services.msc | Press return).

    Delete the quarantine.xml file from:

    C:\Documents and Settings\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml.

    or

    C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml

    Start the Sophos Anti-Virus service.

    Will the applications not be released from quarantine after the corrected IDE is downloaded?


    The above link now contains no information.

    Not helpful.


  • hitechgreg wrote:

    Nathan,

    How do I update my javab-jd.ide file? I've read over the advisory but it doesn't fix it. In my AV I have the one from 7:02 pm, but the one that is shared in the SUM site is from 5:20 pm yesterday. How do I get this to update? I've run SUM and it updates successfully...

    Thanks

    -greg


    If you HAVE a file named javab-jd.ide, then you have the updated definition file. Are you still seeing files blocked, or are you only seeing the items in the Quarantine Manager? If the former, it would seem that the client doesn't have the javab-jd.ide file. If the latter, the QM needs to be cleared manually or by actioning the steps to delete quarantine.xml. These actions need to be carried out on each endpoint as there isn't a central method for clearing the QM.

  • Good Morning Nathan, nice to see you back. 

    Any idea if Sophos is working on a way to centrally clear the quarantine list on each endpoint? I know that is not how it is designed at the moment but many of us are looking at serious dollars in bringing in extra hands to do this. Let your engineers know:

    1) Each quarantine does need to be inspected prior to clearing the list in case anything else snuck in during this time period.

    2) When you are looking at hundreds or thousands of endpoints, you are facing days of workstations without on-access protection and they are now vulnerable.

    3) It is not feasible to ask users to clear the endpoints because of number 1), and they could well delete necessary files.

    They need to remember many sites have hundreds to thousands of endpoints so they need to start working proactively instead of expecting us to do their work for them.

    To the CEO of Sophos: it is really sad that we are relying on Nathan alone for information - he has been extremely helpful and deserves a bonus, a raise, time off and major kudos for his work.


  • Nathan wrote:

    <snip>

    Unfortunately there is no mechanism to centrally clear all the items from the endpoint Quarantine Manager.

    The quarantine manager does not prevent the files from being executed. The scanning engine itself carries out that function, so if you've obtained javab-db.ide but HAVEN'T cleared the items from the QM and HAVEN'T moved or deleted anything, then the files detected and listed in the QM will be allowed to run.

    The actions to delete the quarantine.xml file can be carried out via a batch file pushed using a tool like PSEXEC. Check this thread for some example batch files and PSEXEC commands if you aren't familiar with these tools. I'm working on getting the advisory updated with some of this information.


    Thanks for the update Nathan, I'll take a look at the thread, but I'll keep an eye on the advisory for the next recommended course of action.

  • I second ITGal's sentiments. I've got over 22,000 computers in my console and currently 579 are flagging this as a virus. If I can't centrally clear the quarantine list that means I've got to hunt down 579 computers at over 50 locations within 600 square miles.

    Nathan, any insight? This should be something that can be done from the console.

  • nate,

    Where can I find the CIDs folder?

  • I fully agree, RL!

    It took my whole morning to write a quick & dirty solution; fortunately in our case no files were deleted.

    Execute this in your domain controller as domain administrator:

    psexec -u DOMAIN\admin -s \\* "%LOGONSERVER%\NETLOGON\repair-sophos.bat"

    repair-sophos.bat:

    @echo off
    rem Stop every Sophos service so the files below are not locked or rewritten while we work
    net stop "Sophos Agent"
    net stop "SAVService"
    net stop "SAVAdminService"
    net stop "Sophos AutoUpdate Service"
    net stop "Sophos Message Router"
    net stop "Sophos Web Control Service"
    net stop "swi_service"
    net stop "swi_update_64"
    rem Remove the bad identity file (32-bit and 64-bit install paths) and the quarantine list (XP and Vista+ paths)
    del /f /q "%ProgramFiles%\Sophos\Sophos Anti-Virus\agen-xuv.ide"
    del /f /q "%ProgramFiles(x86)%\Sophos\Sophos Anti-Virus\agen-xuv.ide"
    del /f /q "%ALLUSERSPROFILE%\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    del /f /q "%ProgramData%\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    rem Bring the services back up in the same order
    net start "Sophos Agent"
    net start "SAVService"
    net start "SAVAdminService"
    net start "Sophos AutoUpdate Service"
    net start "Sophos Message Router"
    net start "Sophos Web Control Service"
    net start "swi_service"
    net start "swi_update_64"

    Lucas.

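The following PowerShell script is an added example, not Lucas's script and not anything Sophos supplied. It does the same job as the batch file above (the quarantine.xml deletion Nathan describes, pushed with PsExec), but with two extra checks that the thread asks for: it refuses to touch the quarantine on an endpoint that does not yet have javab-jd.ide, and it keeps a dated copy of each Quarantine.xml on a share so the list can still be inspected for anything other than Shh/Updater-B (ITGal's point 1). It assumes the file locations used in the batch file, that the identity file sits in the Sophos Anti-Virus program folder, that the service names are SAVService and SAVAdminService, and the share name \\YourServerName\QuarantineBackups is a placeholder.

```powershell
# clear-quarantine.ps1 -- added example, not from the thread or from Sophos.
# Run on each endpoint (for example via psexec -s) with local admin rights.
param(
    # Share that will receive a copy of each Quarantine.xml (assumed/placeholder path).
    [string]$BackupRoot = "\\YourServerName\QuarantineBackups",
    # The corrected identity file the advisory says the endpoint must have.
    [string]$FixedIde = "javab-jd.ide"
)

$ErrorActionPreference = "Stop"

# Return only the candidate paths that actually exist; skips roots that are
# undefined on this OS (no ProgramFiles(x86) on 32-bit, no ProgramData on XP).
function Get-ExistingPaths([string[]]$Roots, [string]$Relative) {
    foreach ($root in $Roots) {
        if ($root) {
            $p = Join-Path $root $Relative
            if (Test-Path $p) { $p }
        }
    }
}

# Program folders on 32-bit and 64-bit Windows (assumed to hold the .ide files).
$savDirs = @(Get-ExistingPaths @($env:ProgramFiles, ${env:ProgramFiles(x86)}) "Sophos\Sophos Anti-Virus")

# Quarantine list on XP-style and Vista+-style profiles.
$quarantineFiles = @(Get-ExistingPaths @($env:ALLUSERSPROFILE) "Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml") +
                   @(Get-ExistingPaths @($env:ProgramData) "Sophos\Sophos Anti-Virus\Config\Quarantine.xml")

# 1. Only proceed once the corrected identity file is present; an endpoint
#    without it has not received the fix and is still blocking files.
$haveFix = $savDirs | Where-Object { Test-Path (Join-Path $_ $FixedIde) }
if (-not $haveFix) {
    Write-Output "$env:COMPUTERNAME: $FixedIde not found, leaving quarantine alone"
    exit 2
}
if (-not $quarantineFiles) {
    Write-Output "$env:COMPUTERNAME: no Quarantine.xml present, nothing to do"
    exit 0
}

# 2. Stop the scanner services so Quarantine.xml is not rewritten underneath us.
$services = "SAVService", "SAVAdminService"
foreach ($s in $services) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq "Running") { Stop-Service -Name $s -Force }
}

# 3. Copy each quarantine list to the share (one folder per computer) before
#    deleting it, so it can be reviewed later for anything other than the FP.
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$dest = Join-Path $BackupRoot $env:COMPUTERNAME
if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
$i = 0
foreach ($q in $quarantineFiles) {
    $i++
    Copy-Item -Path $q -Destination (Join-Path $dest "Quarantine-$stamp-$i.xml")
    Remove-Item -Path $q -Force
}

# 4. Start the services again in the same order they were stopped.
foreach ($s in $services) {
    Start-Service -Name $s -ErrorAction SilentlyContinue
}
Write-Output "$env:COMPUTERNAME: cleared $($quarantineFiles.Count) quarantine file(s), copies in $dest"
exit 0
```

Deploy it the same way as the batch file, with a list of hosts instead of \\* if you want to work through the 579 flagged machines rather than the whole domain: psexec @hosts.txt -s powershell.exe -ExecutionPolicy Bypass -File \\YourServerName\NETLOGON\clear-quarantine.ps1 (server name is a placeholder). Because psexec -s runs the script as SYSTEM, the backup share must grant write access to the computer accounts (Domain Computers), not just to your admin account, or step 3 fails and the script stops before deleting anything.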
  • StewartMoss, thanks for the script! Is there a way you could post it somewhere where we could download it in the correct formatting? I'm trying to sift through the unicode but I think when it was posted in the forums it lost some formatting....

    My SUM states:

    last updated : 9/19/4.21

    download status

    last checked at : 9/19/4.21

    config

    matches

    version

    1.3.2.176

    but all of my endpoints are awaiting policy transfer

    Can't we delete the CIDs folder and redownload???
