Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.


  • Nathan wrote:

    hitechgreg wrote:

    Nathan,

    How do I update my javab-jd.ide file?  I've read over the advisory but it doesn't fix it.  In my AV I have the one from 7:02 pm, but the one that is shared on the SUM site is from 5:20 pm yesterday.  How do I get this to update?  I've run SUM and it updates successfully...

    Thanks

    -greg


    If you HAVE a file named javab-jd.ide, then you have the updated definition file. Are you still seeing files blocked, or are you only seeing the items in the Quarantine Manager? If the former, it would seem that the client doesn't have the javab-jd.ide file. If the latter, the QM needs to be cleared manually or by actioning the steps to delete quarantine.xml. These actions need to be carried out on each endpoint, as there isn't a central method for clearing the QM.


    I do not have the javab-jd.ide file. Where can I get it from?

  • My comrades.  Here is what a kind person at Dell Kace helped me put together:

    @ECHO OFF
    REM Sophos.BAT
    REM Restores the Sophos AutoUpdate files that were quarantined by the Shh/Updater-B false positive.
    REM Other files present: ALsvc.exe, ALUpdate.exe, AUAdapter.dll, Cidsync.dll and inetconn.dll.
    REM On 64-bit Windows the 32-bit Sophos client lives under "Program Files (x86)".
    SET ARCH=
    IF EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus" SET ARCH= (x86)

    net stop "Sophos AutoUpdate Service"
    net stop SAVService

    REM Delete the agen-xuv.ide identity file.
    del "C:\Program Files%ARCH%\Sophos\Sophos Anti-Virus\agen-xuv.ide" /f /q
    REM copy "\\Sophos Updating Share\*.*" "C:\Program Files\Sophos\Sophos Anti-Virus\*.*" /y

    REM Files moved to the INFECTED folder carry a .000 suffix; copy each one back if it is missing.
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Autoupdate\ALsvc.exe"            copy "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\ALsvc.exe.000"            "C:\Program Files%ARCH%\Sophos\Autoupdate\ALsvc.exe" /Y
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Autoupdate\ALUpdate.exe"         copy "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\ALUpdate.exe.000"         "C:\Program Files%ARCH%\Sophos\Autoupdate\ALUpdate.exe" /Y
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Autoupdate\AUAdapter.dll"        copy "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\AUAdapter.dll.000"        "C:\Program Files%ARCH%\Sophos\Autoupdate\AUAdapter.dll" /Y
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Autoupdate\Cidsync.dll"          copy "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\Cidsync.dll.000"          "C:\Program Files%ARCH%\Sophos\Autoupdate\Cidsync.dll" /Y
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Autoupdate\inetconn.dll"         copy "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\inetconn.dll.000"         "C:\Program Files%ARCH%\Sophos\Autoupdate\inetconn.dll" /Y
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Autoupdate\ChannelUpdater.dll"   copy "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\ChannelUpdater.dll.000"   "C:\Program Files%ARCH%\Sophos\Autoupdate\ChannelUpdater.dll" /Y
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Autoupdate\config.dll"           copy "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\config.dll.000"           "C:\Program Files%ARCH%\Sophos\Autoupdate\config.dll" /Y
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Autoupdate\Logger.dll"           copy "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\Logger.dll.000"           "C:\Program Files%ARCH%\Sophos\Autoupdate\Logger.dll" /Y
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Autoupdate\SingleGUIPlugin.dll"  copy "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\SingleGUIPlugin.dll.000"  "C:\Program Files%ARCH%\Sophos\Autoupdate\SingleGUIPlugin.dll" /Y
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Autoupdate\swlocale.dll"         copy "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\swlocale.dll.000"         "C:\Program Files%ARCH%\Sophos\Autoupdate\swlocale.dll" /Y

    REM Install the corrected identity file from the mapped P: drive if the client does not have it yet.
    IF NOT EXIST "C:\Program Files%ARCH%\Sophos\Sophos Anti-Virus\javab-jd.ide"  copy "p:\javab-jd.ide"  "C:\Program Files%ARCH%\Sophos\Sophos Anti-Virus\javab-jd.ide" /Y

    net start "Sophos AutoUpdate Service"
    net start SAVService

    It works for 32- and 64-bit Windows.  I've found it requires a reboot to get the shield back.  Good luck.  This has been nuts.

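Before running a repair like the one above on thousands of endpoints, an administrator would want to know which machines actually need it. The following PowerShell inventory is an added example, not the poster's script or Sophos's own tooling: it assumes the same file locations as the batch file, that the running account can read each host's C$ admin share, and uses constructed host names.

```powershell
# Added example: report which endpoints still show signs of the Shh/Updater-B
# false positive (quarantined AutoUpdate files, missing javab-jd.ide).
# Assumes the paths used in the batch script above and read access to each host's C$ share.
$Hosts = @('WS-LAB-01', 'WS-LAB-02')   # constructed sample host names

# The AutoUpdate files the batch script copies back from the INFECTED folder
$AutoUpdateFiles = 'ALsvc.exe', 'ALUpdate.exe', 'AUAdapter.dll', 'Cidsync.dll',
                   'inetconn.dll', 'ChannelUpdater.dll', 'config.dll', 'Logger.dll',
                   'SingleGUIPlugin.dll', 'swlocale.dll'

function Get-SophosFpStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    $root = "\\$ComputerName\C$"
    # On 64-bit Windows the 32-bit Sophos client is installed under Program Files (x86)
    $sophos = if (Test-Path "$root\Program Files (x86)\Sophos\Sophos Anti-Virus") {
        "$root\Program Files (x86)\Sophos"
    } else {
        "$root\Program Files\Sophos"
    }
    $infected = "$root\ProgramData\Sophos\Sophos Anti-Virus\INFECTED"

    # Files moved to INFECTED carry a .000 suffix (as in the batch script's copy lines)
    $quarantined = @(Get-ChildItem -Path $infected -Filter '*.000' -ErrorAction SilentlyContinue)
    # AutoUpdate components that are no longer in place
    $missing = @($AutoUpdateFiles | Where-Object { -not (Test-Path "$sophos\Autoupdate\$_") })

    [pscustomobject]@{
        ComputerName      = $ComputerName
        HasFixedIde       = Test-Path "$sophos\Sophos Anti-Virus\javab-jd.ide"
        HasAgenXuvIde     = Test-Path "$sophos\Sophos Anti-Virus\agen-xuv.ide"
        QuarantinedCount  = $quarantined.Count
        MissingAutoUpdate = ($missing -join ', ')
        NeedsRepair       = ($quarantined.Count -gt 0) -or ($missing.Count -gt 0)
    }
}

$Hosts | ForEach-Object { Get-SophosFpStatus -ComputerName $_ } | Format-Table -AutoSize
```

Hosts with NeedsRepair set to True are the ones worth targeting with the restore script; a host that already has javab-jd.ide and no .000 files only needs its Quarantine Manager cleared.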
  • To StewartMoss: your script works!  Except the 64-bit part... I wonder if you could take a look and possibly advise?

  • I deleted the quarantine.xml files; however, the "Sophos AutoUpdate service cannot be found on local computer, error 2: the system cannot find file specified" message comes up.

  • We have found a temporary resolution.  We were able to uninstall Sophos and install another AV.  I know this is not a permanent fix especially when you have thousands of endpoints, but if you have critical endpoints you need to get running again this does resolve the issue.


  • nf wrote:

    nate,

    where can I find the folder cids?


    This should be present on your update server in a share named Sophos Update. That is the default share name, but any share name could have been chosen for non-default update locations. If you aren't sure of the path to your update server, you can open the Sophos Anti-Virus endpoint client and click "Configure Updating". Everything will be greyed out, but you'll be able to see the path to the update server in the Address field on the Primary Server tab.

  • I know this doesn't help most - but it may help a few....  I had 1 workstation that was missing some files and would not update - I copied the AutoUpdate folder from a working workstation and pasted it on the non-working WS (renamed the existing folder AutoUpdateOLD) and this worked.

  • @ITGal1967

    Regarding Nathan - "he has been extremely helpful and deserves a bonus, a raise, time off and major kudos for his work."

    I agree!

    I haven't posted much, been playing the waiting game to see if a better fix will appear, but I've watched Nathan respectfully answer posts and offer as much help as he can.  Hats off to Nathan!


  • Zatol wrote:

    I second ITGal's sentiments. I've got over 22,000 computers in my console and currently 579 are flagging this as a virus. If I can't centrally clear the quarantine list that means I've got to hunt down 579 computers at over 50 locations within 600 square miles.

    Nathan, any insight? This should be something that can be done from the console.


    For now, scripting the deletion of quarantine.xml is the only option to accomplish this without touching every system. That said, we are looking for alternatives.

    One note, if an item is in the QM that is not related to this FP and the QM is cleared, the next time that other file is run a new entry in the QM will be generated.

  • I am the Technology Director of an entire School District.  We have 3500 computers running Sophos with 1 technician to service them.  Up until the last few months we have had standalone installs on every computer.  We currently only have 400 machines moved into console.  There better be a solution coming that doesn't involve going around and touching every machine or we will be looking for a new antivirus company.  Please feel free to contact me at the email address attached to my account as soon as possible to discuss fixes for this.
