
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



This thread was automatically locked due to age.
  • What troubles me is all the people including myself that had their AV set to Move or Delete.  Everyone in here is talking about how to fix the issue with Sophos.  The problem I am dealing with is everything else that shh/updater-b has deleted.

    Here is our list to date of applications with binaries deleted:

    Adobe Rights Management

    Adobe Reader

    Adobe Flash Player

    Oracle Sun Java

    Fujitsu Updater

    Dell Autoupdater

    Allscripts Pro/PM Updater

    The worst one was the last one.  This detection deleted a necessary DLL for the application to run that checks for updates when you execute it.  We are a medical facility and this is our core application we use to register, schedule and bill patients at our clinic.

    Nothing like getting DOSed by your AV vendor in the middle of the day.

    In 16 years of working in IT I've never worked at a company, or known anyone, that dealt with a virus/trojan/spyware/malware that crippled their systems like this did to us.

    If there is a class-action suit, let me know.  We are losing revenue and productivity because of this.  I have many angry employees and the 400 patients a day that visit this clinic to contend with.


  • ITAssist wrote:

    lucas wrote:

    Is anyone else seeing this behavior?

    From console... Resolve alerts for computers, then their "Primary server" becomes blank, effectively preventing me from triggering a manual "update now".



    lucas,

    Yes I had the same problem in that both my Primary and Secondary locations were blank in the update tab in the EC.

    Through trial and error I have found that restarting the Sophos Agent service on the affected PC puts the info back in the Enterprise Console after about 10 seconds or so.

    Hope this helps

    Richard


    I've been having the local technicians reboot the machines. 

    To answer Nathan's question, the updater disappears in SEC, not on the client. It's as if clearing the alert blanks out that field in the database or something. On a hunch, I tried the "clean envelopes folder" trick, to no avail.

  • Hi Nathan,

    I've just tried this on one of my clients; the shield came back after I ran Almon.exe, but when I click on Update Now, nothing happens. Nothing happens if I try Update Now from the EC either.

    Checked, and nothing showing in the quarantine.

    It said that it was last auto-updated last night, the problem update I think. Can I copy the javab-jd.ide into the folder on the client?

    Thanks

  • Lucky I read Twitter before I went to bed last night, so I knew to get into work early to fix it. Managed to get in at 8 and got it fixed by 8:30, before most of our laptops and desktops were turned on. Pretty annoying; glad I had the policy set to deny only and managed to salvage our clients.


  • turnitoff wrote:

    Hi Nathan,

    I've just tried this on one of my clients; the shield came back after I ran Almon.exe, but when I click on Update Now, nothing happens. Nothing happens if I try Update Now from the EC either.

    Checked, and nothing showing in the quarantine.

    It said that it was last auto-updated last night, the problem update I think. Can I copy the javab-jd.ide into the folder on the client?

    Thanks


    Sounds like the Autoupdate service isn't running. Try starting that and try again.

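    The two remedies given above (Richard's: restart the Sophos Agent service so the blank Primary/Secondary update-server fields come back in Enterprise Console; ITAssist's: start the AutoUpdate service when Update Now does nothing) can be applied to a list of endpoints from an admin workstation rather than one machine at a time. The script below is an added example, not a script posted in this thread or supplied by Sophos. It assumes the service display names "Sophos Agent" and "Sophos AutoUpdate Service" (confirm them with Get-Service on one affected machine first), WinRM enabled on the endpoints, local admin rights there, and the placeholder host names shown; it reports the service state before and after so anything still stopped stands out.

```powershell
# Added example, not from the thread: check and restart the Sophos Agent and
# Sophos AutoUpdate services on a list of endpoints and report the result.
# Assumptions: display names below are correct for the installed version
# (verify with Get-Service on one endpoint), WinRM is enabled on the targets,
# and the caller has admin rights. Host names are placeholders.

$endpoints = @('WS-CLINIC-01', 'WS-CLINIC-02')          # placeholder names
$services  = @('Sophos Agent', 'Sophos AutoUpdate Service')  # assumed display names

function Repair-SophosServices {
    param(
        [string[]]$ComputerName,
        [string[]]$ServiceDisplayName
    )

    foreach ($computer in $ComputerName) {
        foreach ($svc in $ServiceDisplayName) {
            # Query the remote SCM directly (Windows PowerShell Get-Service -ComputerName).
            try {
                $before = Get-Service -ComputerName $computer -DisplayName $svc -ErrorAction Stop
            } catch {
                Write-Warning "$computer : '$svc' not found or host unreachable ($($_.Exception.Message))"
                continue
            }

            # Restart-Service also starts a stopped service, so one call covers both
            # the "AutoUpdate isn't running" case and the "restart the Agent to
            # repopulate SEC" case. Run it on the endpoint over WinRM.
            try {
                Invoke-Command -ComputerName $computer -ArgumentList $svc -ScriptBlock {
                    param($name)
                    Restart-Service -DisplayName $name -ErrorAction Stop
                }
            } catch {
                Write-Warning "$computer : restart of '$svc' failed ($($_.Exception.Message))"
            }

            # Re-check after the restart; anything still not Running needs hands-on work.
            $after = Get-Service -ComputerName $computer -DisplayName $svc

            [pscustomobject]@{
                Computer = $computer
                Service  = $svc
                Before   = $before.Status
                After    = $after.Status
            }
        }
    }
}

Repair-SophosServices -ComputerName $endpoints -ServiceDisplayName $services |
    Format-Table -AutoSize
```

    Run it from an elevated Windows PowerShell prompt; once the Agent has been restarted, give SEC the ten seconds or so Richard mentions before checking the update tab, and only then try Update Now again.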
  • I posted some .txt files to my Dropbox account.

    We have tested this on x64 Windows 2008 Server and Windows 7 PC

    The file x64 is for servers ONLY.

    The file FixSophos is for Vista/7

    After running x64, restart the server and push Sophos from the Console.

    After running FixSophos the PC will auto-reboot (shutdown -r command at the end of the script); if you remove that, restart and Sophos should begin working again.

    https://www.dropbox.com/sh/zz8b9tyw5qmlacq/iFNXW0jGSB

    Good luck!


  • lucas wrote:

    ITAssist wrote:

    lucas wrote:

    Is anyone else seeing this behavior?

    From console... Resolve alerts for computers, then their "Primary server" becomes blank, effectively preventing me from triggering a manual "update now".



    lucas,

    Yes I had the same problem in that both my Primary and Secondary locations were blank in the update tab in the EC.

    Through trial and error I have found that restarting the Sophos Agent service on the affected PC puts the info back in the Enterprise Console after about 10 seconds or so.

    Hope this helps

    Richard


    I've been having the local technicians reboot the machines. 

    To answer Nathan's question, the updater disappears in SEC, not on the client. It's as if clearing the alert blanks out that field in the database or something. On a hunch, I tried the "clean envelopes folder" trick, to no avail.


    That is very strange. Is rebooting the endpoints solving this problem for you?

  • Change the .txt to a .bat

    Sorry... haha

  • Sophos also takes out the FedEx Flat File Manager and Cisco Desktop Agents.
