
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • We were also set to deny and were very, very fortunate that it was set up this way.

    Fortunately many of our endpoints updated themselves and fixed themselves; for the ones that did not, we simply pushed Sophos out to the system again and the issue was resolved.

  • Is anyone else seeing this behavior?

    From console... Resolve alerts for computers, then their "Primary server" becomes blank, effectively preventing me from triggering a manual "update now".


  • jedunn wrote:

    My SUM states:

    last updated: 9/19/4.21
    download status
    last checked at: 9/19/4.21
    config
    matches
    version
    1.3.2.176

    But all of my endpoints are awaiting policy transfer.

    Can't we delete the CIDs folder and redownload???


    Unfortunately, deleting the CIDs folder won't resolve the issue with endpoints showing "awaiting policy transfer". That is an issue with the Remote Management System. It would help if I knew your current situation better, but it will be difficult for me to do that via the forums. I would suggest scanning the last 5 pages of this thread to see if any of the solutions/workarounds mentioned can help in your situation, or wait to get through to Support. Wish I had more for you.


  • newguy wrote:

    Nathan wrote:

    hitechgreg wrote:

    Nathan,

    How do I update my javab-jd.ide file? I've read over the advisory but it doesn't fix it. In my AV I have the one from 7:02 pm, but the one that is shared on the SUM site is from 5:20 pm yesterday. How do I get this to update? I've run SUM and it updates successfully...

    Thanks

    -greg


    If you HAVE a file named javab-jd.ide, then you have the updated definition file. Are you still seeing files blocked, or are you only seeing the items in the Quarantine Manager? If the former, it would seem that the client doesn't have the javab-jd.ide file. If the latter, the QM needs to be cleared manually or by actioning the steps to delete quarantine.xml. These actions need to be carried out on each endpoint as there isn't a central method for clearing the QM.


    I do not have the javab-jd.ide file. Where can I get it from?


    The file is available on our warehouse and databanks. You'll need to either download it using your Sophos Update Manager or the Sophos Autoupdate client (in the case of standalone systems). Please see the advisory for more details on how to obtain the updated IDE.

  • @StewartMoss

    Nice script!

    One suggestion.

    Instead of querying the registry to find the architecture.

    Check for the environment variable %ProgramFiles(x86)%


    Only 64-bit systems will have this variable, and you avoid having to query the registry.

    You could do something like this:

    IF EXIST "%ProgramFiles(x86)%" (
        SET arch=64
    ) ELSE (
        SET arch=32
    )

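    As an added example (not from the thread and not StewartMoss's script), the same %ProgramFiles(x86)% check used to pick the Sophos Anti-Virus folder and report whether the javab-jd.ide identity that fixes the Shh/Updater-B false positive has reached an endpoint. It assumes the client sits in the 32-bit Program Files tree and keeps its .ide files in its install folder; adjust SAVDIR if your installation differs.

```batch
@echo off
REM Added example, not code from the thread. Assumes the Sophos Anti-Virus client
REM lives in the 32-bit Program Files tree and keeps its .ide files in its install
REM folder; change SAVDIR below if your installation differs.
SETLOCAL ENABLEEXTENSIONS

REM Detect the architecture with the %ProgramFiles(x86)% check: only 64-bit Windows sets it.
IF EXIST "%ProgramFiles(x86)%" (
    SET "ARCH=64"
    SET "SAVDIR=%ProgramFiles(x86)%\Sophos\Sophos Anti-Virus"
) ELSE (
    SET "ARCH=32"
    SET "SAVDIR=%ProgramFiles%\Sophos\Sophos Anti-Virus"
)
ECHO Architecture: %ARCH%-bit
ECHO Sophos Anti-Virus folder: "%SAVDIR%"

REM Trailing backslash makes IF EXIST test for a directory rather than a file.
IF NOT EXIST "%SAVDIR%\" (
    ECHO Sophos Anti-Virus folder not found; the client may need to be pushed out again.
    EXIT /B 2
)

REM The corrected identity for the Shh/Updater-B false positive ships as javab-jd.ide.
IF EXIST "%SAVDIR%\javab-jd.ide" (
    ECHO javab-jd.ide is present; this endpoint has the corrected identity.
    EXIT /B 0
) ELSE (
    ECHO javab-jd.ide is missing; run "Update now" or check the SUM share for the IDE.
    EXIT /B 1
)
```

    The exit code (0 present, 1 missing, 2 no install folder) lets the script be run from a logon script or a deployment tool and the results collected without reading the console output.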

  • lucas wrote:

    Is anyone else seeing this behavior?

    From console... Resolve alerts for computers, then their "Primary server" becomes blank, effectively preventing me from triggering a manual "update now".


    This is the first report of this behavior I've heard. Does the primary server information show on the policy when viewed in SEC, or is it gone from there as well? If the policy is intact on SEC, try performing a comply with > group updating policy to see if that sorts the endpoint. (don't push all policies as that will just unnecessarily increase network load) If that doesn't work, please phone in to support.

  • Since turning on Live Protection my list has dropped from 760 to 31. However, I still have over 700 that aren't updating correctly. For those, a fresh push from the console seems to be curing quite a few. So we are getting there. I'm still expecting a few hundred will require manual intervention though, as Sophos AV acts differently from PC to PC despite them all being a standard image.


  • lucas wrote:

    Is anyone else seeing this behavior?

    From console... Resolve alerts for computers, then their "Primary server" becomes blank, effectively preventing me from triggering a manual "update now".



    lucas,

    Yes I had the same problem in that both my Primary and Secondary locations were blank in the update tab in the EC.

    Through trial and error I have found that restarting the Sophos Agent service on the affected PC puts the info back in the Enterprise Console after about 10 seconds or so.

    Hope this helps

    Richard

  • We can't even manually uninstall Sophos in Add or Remove/Programs and Features in Control Panel.

    When trying to uninstall Sophos AutoUpdate:

    Warning 25010. An error occurred while running the custom action 'NoUpdateInPreogress'. Contact your support personnel.

  • So, although there is a TON of great information in here... I still can't get my server to update!

    I don't have that ide on the server side and now a lot of my endpoints are disappearing from the console because sophos is effectively killing itself. 

    We're running EC 10 and I don't have those paths that were mentioned:

    c:\programfiles\sophos\sophos anti-virus

    My other thought was to disable our local share and let our endpoints use the 2nd update location, but of course Sophos ate itself and it won't do that now... I'm feeling a lot of re-installs in my future.

    I just need to get the EC to update... any ideas?

    Oh - and I'll take a pot of coffee and some aspirin from Sophos please!
