This discussion has been locked.

Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



This thread was automatically locked due to age.
  • Well, after a day at it I think we are clear. Fingers crossed. Not happy at having on-access scanning off for so long on clients' PCs, but there you go.

    Still have clients awaiting policy update though?

    Sophos have been really disappointing me lately with worsening levels of customer service, and today hasn't helped.

    On the bright side, all my Sophos licences are up for renewal in March 2013. Hmmmm.


  • MJewell wrote:

    So, although there is a TON of great information in here, I still can't get my server to update!

    I don't have that IDE on the server side, and now a lot of my endpoints are disappearing from the console because Sophos is effectively killing itself.

    We're running EC 10 and I don't have those paths that were mentioned:

    C:\Program Files\Sophos\Sophos Anti-Virus

    My other thought was to disable our local share and let our endpoints use the second update location, but of course Sophos ate itself and it won't do that now. I'm feeling a lot of re-installs in my future.

    I just need to get the EC to update... any ideas?

    Oh - and I'll take a pot of coffee and some aspirin from Sophos please!


    Is it possible you have 64-bit systems and need to use the Program Files (x86) folder instead?

  • Does anyone have all their clients awaiting policy?

    And when does your SUM show as last updated?

    And which version?

  • @KristinaStevens

    A valid piece of work and much appreciated I'm sure, but I can't see many people downloading unknown files whilst trying to fix a flaw in their AV. Post up the script like others have.

    Vista/7 (32-bit Windows; on 64-bit Windows Sophos installs under Program Files (x86), so use the Server 2008 block below)

    REM Quarantine keeps the original file name and appends .000, so restoring is a move plus stripping the suffix.
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\ALsvc.exe.000" "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\inetconn.dll.000" "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\AUAdapter.dll.000" "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\"
    REM swi_update.exe belongs to Sophos Anti-Virus\Web Intelligence, not AutoUpdate (that is the path in the alert at the top of this thread).
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\swi_update.exe.000" "C:\PROGRAM FILES\SOPHOS\SOPHOS ANTI-VIRUS\WEB INTELLIGENCE\"

    RENAME "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\ALsvc.exe.000" "ALsvc.exe"
    RENAME "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\inetconn.dll.000" "inetconn.dll"
    RENAME "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\AUAdapter.dll.000" "AUAdapter.dll"
    RENAME "C:\PROGRAM FILES\SOPHOS\SOPHOS ANTI-VIRUS\WEB INTELLIGENCE\swi_update.exe.000" "swi_update.exe"

    shutdown -r

    Windows Server 2008 (64-bit layout: the same paths apply to any 64-bit Windows)

    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\ALsvc.exe.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\inetconn.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\AUAdapter.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    REM On 64-bit Windows the quarantined Web Intelligence updater is swi_update_64.exe; restore it under its own name.
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\swi_update_64.exe.000" "C:\PROGRAM FILES (x86)\SOPHOS\SOPHOS ANTI-VIRUS\WEB INTELLIGENCE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\sharedres.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\swlocale.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\Logger.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\ispsheet.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\SAUConfigDLL.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\ischdres.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\ilogres.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\iconfres.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\EMLibUpdateAgentNT.exe.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\config.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\cidsync.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\ChannelUpdater.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\ALMonres.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"
    MOVE "C:\USERS\ALL USERS\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\SingleGUIPlugin.dll.000" "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\"

    PAUSE

    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\ALsvc.exe.000" "ALsvc.exe"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\inetconn.dll.000" "inetconn.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\AUAdapter.dll.000" "AUAdapter.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\SOPHOS ANTI-VIRUS\WEB INTELLIGENCE\swi_update_64.exe.000" "swi_update_64.exe"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\ALMonres.dll.000" "ALMonres.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\ChannelUpdater.dll.000" "ChannelUpdater.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\cidsync.dll.000" "cidsync.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\config.dll.000" "config.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\EMLibUpdateAgentNT.exe.000" "EMLibUpdateAgentNT.exe"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\iconfres.dll.000" "iconfres.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\ilogres.dll.000" "ilogres.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\ischdres.dll.000" "ischdres.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\SAUConfigDLL.dll.000" "SAUConfigDLL.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\ispsheet.dll.000" "ispsheet.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\Logger.dll.000" "Logger.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\sharedres.dll.000" "sharedres.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\swlocale.dll.000" "swlocale.dll"
    RENAME "C:\PROGRAM FILES (x86)\SOPHOS\AUTOUPDATE\SingleGUIPlugin.dll.000" "SingleGUIPlugin.dll"

    PAUSE

    Windows XP (untested)

    MOVE "C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\ALsvc.exe.000" "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\"
    MOVE "C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\inetconn.dll.000" "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\"
    MOVE "C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\AUAdapter.dll.000" "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\"
    MOVE "C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SOPHOS\SOPHOS ANTI-VIRUS\INFECTED\swi_update.exe.000" "C:\PROGRAM FILES\SOPHOS\SOPHOS ANTI-VIRUS\WEB INTELLIGENCE\"

    RENAME "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\ALsvc.exe.000" "ALsvc.exe"
    RENAME "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\inetconn.dll.000" "inetconn.dll"
    RENAME "C:\PROGRAM FILES\SOPHOS\AUTOUPDATE\AUAdapter.dll.000" "AUAdapter.dll"
    RENAME "C:\PROGRAM FILES\SOPHOS\SOPHOS ANTI-VIRUS\WEB INTELLIGENCE\swi_update.exe.000" "swi_update.exe"

    shutdown -r

  • I'm in this exact situation; right now I have an entire district full of computers with online scanning disabled. The steps recommended are helping, but this is still a huge issue.

  • Nathan - we've removed the Sophos anti-virus from our Exchange server because it would not autoupdate. As a result we appear to have lost network connectivity. The network cards are there and appear correctly in Control Panel; however, we can't access the server from within the network and we can't see our SAN to load the LUNs. We are seeing this behaviour on client machines as well. I have not seen this symptom reported by anyone else - is it known, and is there a solution?


  • jedunn wrote:

    Does anyone have all their clients awaiting policy?

    And when does your SUM show as last updated?

    And which version?


    The version of SUM is not changed with the fix for this false positive. The fix is in an IDE named javab-jd.ide. It should have updated in the last 12 hours. If the clients are awaiting policy, that is a different issue that hasn't been tied directly to this false positive.

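Editor's note: the batch script posted above and the point just made (restoring is pointless until javab-jd.ide is on the box) suggest a slightly safer version of the same procedure. The script below is an added example, not Sophos tooling and not anyone's post in this thread. It checks for the fix IDE first, only restores the components the posted script names (AutoUpdate files to the AutoUpdate folder, swi_update*.exe to Sophos Anti-Virus\Web Intelligence, the path in the original alert), and verifies each file's Authenticode signature before putting it back, so a stray executable in the quarantine folder is never "restored" into a Sophos directory. Assumptions, marked in the code: IDE files sit directly in the Sophos Anti-Virus install folder, and Sophos binaries are signed with a certificate whose subject contains "Sophos". Run from an elevated prompt; use -WhatIf to see the plan without moving anything.

```powershell
<#
  Added example (not Sophos' own tooling): restore Sophos components quarantined
  by the Shh/Updater-B false positive, with a fix-IDE check and signature check.
  Usage:  .\Restore-SophosQuarantine.ps1 -WhatIf     (dry run)
          .\Restore-SophosQuarantine.ps1 -Reboot     (restore, then restart)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Reboot)

$ErrorActionPreference = 'Stop'

# Sophos Anti-Virus installs under Program Files (x86) on 64-bit Windows (the
# "Windows Server 2008" paths in the posted script); that variable only exists there.
$pf = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$sav      = Join-Path $pf 'Sophos\Sophos Anti-Virus'
$autoUpd  = Join-Path $pf 'Sophos\AutoUpdate'
$webIntel = Join-Path $sav 'Web Intelligence'
# CommonApplicationData is C:\ProgramData on Vista+ and
# C:\Documents and Settings\All Users\Application Data on XP, covering all three posted blocks.
$quarantine = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Sophos\Sophos Anti-Virus\INFECTED'
$staging    = Join-Path $env:TEMP 'sophos-restore'

# 1. Refuse to restore anything until the corrected identity file is present;
#    otherwise on-access scanning quarantines the files again as soon as they are back.
#    ASSUMPTION: IDE files live directly in the Sophos Anti-Virus folder.
$ide = Join-Path $sav 'javab-jd.ide'
if (-not (Test-Path $ide)) {
    throw "Fix IDE not found at $ide - let the endpoint update (or drop the IDE in) first, then re-run."
}
Write-Host "Fix IDE present: $ide (written $((Get-Item $ide).LastWriteTime))"

# 2. Where each known component belongs. Everything except swi_update* is an
#    AutoUpdate component, as in the posted script; the alert at the top of the
#    thread places swi_update.exe in Sophos Anti-Virus\Web Intelligence.
$destinations = @{}
'ALsvc.exe','inetconn.dll','AUAdapter.dll','sharedres.dll','swlocale.dll','Logger.dll',
'ispsheet.dll','SAUConfigDLL.dll','ischdres.dll','ilogres.dll','iconfres.dll',
'EMLibUpdateAgentNT.exe','config.dll','cidsync.dll','ChannelUpdater.dll',
'ALMonres.dll','SingleGUIPlugin.dll' | ForEach-Object { $destinations[$_] = $autoUpd }
'swi_update.exe','swi_update_64.exe'  | ForEach-Object { $destinations[$_] = $webIntel }

New-Item -ItemType Directory -Path $staging -Force | Out-Null
$restored = 0

# Quarantine keeps the original name and appends .000 (PS 2.0-compatible listing).
foreach ($q in (Get-ChildItem -Path $quarantine -Filter '*.000' | Where-Object { -not $_.PSIsContainer })) {
    $name = $q.Name -replace '\.000$', ''
    if (-not $destinations.ContainsKey($name)) {
        Write-Warning "Skipping $($q.Name): not a component this script knows a home for."
        continue
    }

    # 3. Stage under the original name and verify the Authenticode signature there,
    #    so only a genuinely Sophos-signed binary is ever moved into a Sophos folder.
    #    ASSUMPTION: Sophos signs with a certificate whose subject contains "Sophos".
    $staged = Join-Path $staging $name
    Copy-Item -Path $q.FullName -Destination $staged -Force
    $sig = Get-AuthenticodeSignature -FilePath $staged
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Sophos*') {
        Write-Warning "Refusing to restore ${name}: status $($sig.Status), signer '$($sig.SignerCertificate.Subject)'"
        Remove-Item -Path $staged -Force
        continue
    }

    $target = Join-Path $destinations[$name] $name
    if ($PSCmdlet.ShouldProcess($target, "Restore from $($q.FullName)")) {
        Move-Item -Path $staged -Destination $target -Force
        Remove-Item -Path $q.FullName -Force
        Write-Host "Restored $target (signed by $($sig.SignerCertificate.Subject))"
        $restored++
    }
}

Write-Host "$restored file(s) restored."
if ($Reboot -and $restored -gt 0 -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart')) {
    Restart-Computer -Force
}
```

Anything in the quarantine folder that is not in the list is reported and left alone rather than guessed at; if your install has other components in there, add them to the table with the folder they came from (the detection event in the console records the original path) instead of moving everything into AutoUpdate.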
  • How much trouble am I in when our clients were set to move the infected files? At one of the smaller offices QuickBooks is out of operation.

  • How is the call queue? I just need to get in and get them to tell me what to do. There is a lot of information here that could get a layman in a heap of trouble.
