
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • fghjgf wrote:

    Nathan - we've removed the Sophos anti-virus from our Exchange server because it would not autoupdate.  As a result we appear to have lost network connectivity.  The network cards are there and appear correctly in control panel however we can't access the server from within the network and we can't see our SAN to load the LUNS.  We are seeing this behaviour on client machines as well.  I have not seen this symptom reported by anyone else - is it known and is there a solution?


    This is the first I've heard of this as well. It may be due to the LSP used for the Web Protection component. If rebooting didn't fix it (the LSP stays in the stack until after a reboot when you uninstall, to avoid interruptions in connectivity), you can try a "netsh winsock reset". Be warned that it will remove any other LSPs you may use, and I can't guarantee it will work. I've had much success restoring corrupt network stacks with it in the past though, so I would definitely give it a go.

    You can confirm if this is likely the problem by running netsh winsock show catalog | findstr dll. If you see swi_ifslsp.dll in the list, then a winsock reset is your only recourse afaik.

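    The check above (netsh winsock show catalog | findstr dll) tells you whether the DLL is still listed. As an added example that is not from this thread, from Nathan or from Sophos, here is a small Python script that parses saved netsh winsock show catalog output and reports which catalog entries point at a given DLL and which base providers those entries are layered over, so you can see what a winsock reset would be removing before you run it. The sample output inside it is constructed in netsh's layout; its descriptions, provider GUIDs and entry numbers are made up, and the DLL's folder is assumed to be the Web Intelligence directory named earlier in the thread.

```python
"""Check captured `netsh winsock show catalog` output for a leftover LSP.

Added example, not code from the thread or from Sophos. netsh prints one
"Winsock Catalog Provider Entry" block per provider; this script parses
those blocks and reports every entry whose Provider Path is the DLL you
name, plus the base providers that a Layered Chain Entry wraps.
"""

ENTRY_HEADER = "Winsock Catalog Provider Entry"

# Constructed sample in the layout netsh uses. Descriptions, Provider IDs
# and entry numbers are made up; the DLL folder is an assumption.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {11111111-1111-1111-1111-111111111111}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example web filtering LSP
Provider ID:                        {22222222-2222-2222-2222-222222222222}
Provider Path:                      C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_ifslsp.dll
Catalog Entry ID:                   1008
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example web filtering LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {33333333-3333-3333-3333-333333333333}
Provider Path:                      C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_ifslsp.dll
Catalog Entry ID:                   1009
Protocol Chain Length:              2
Protocol Chain:                     1008 : 1001
"""


def parse_catalog(text):
    """Split netsh output into one {field: value} dict per catalog entry."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == ENTRY_HEADER:
            current = {}
            entries.append(current)
        elif current is not None and line and not line.startswith("-"):
            # Split on the first colon only: paths and chains contain colons too.
            key, sep, value = line.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return entries


def dll_basename(path):
    """File name component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def entries_referencing(text, dll_name):
    """Catalog entries whose Provider Path is the named DLL (case-insensitive)."""
    wanted = dll_name.lower()
    return [e for e in parse_catalog(text)
            if dll_basename(e.get("Provider Path", "")) == wanted]


def chain_ids(entry):
    """Catalog Entry IDs listed in a Protocol Chain, as ints (empty if none)."""
    return [int(p) for p in entry.get("Protocol Chain", "").split(":") if p.strip()]


def lsp_report(text, dll_name):
    """Summarise whether dll_name is still registered and what it is layered over."""
    hits = entries_referencing(text, dll_name)
    own_ids = {int(e["Catalog Entry ID"]) for e in hits}
    # Base providers the LSP's chain entries wrap (its own entries excluded).
    wrapped = {cid for e in hits for cid in chain_ids(e) if cid not in own_ids}
    return {
        "present": bool(hits),
        "entry_ids": sorted(own_ids),
        "entry_types": sorted({e["Entry Type"] for e in hits}),
        "chained_over": sorted(wrapped),
    }


if __name__ == "__main__":
    import sys
    # Pass a file saved with `netsh winsock show catalog > catalog.txt` on the
    # affected machine, or run with no argument to use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CATALOG
    print(lsp_report(text, "swi_ifslsp.dll"))
```

    Save the netsh output on the affected box and run the script against that file; "present": True with a non-empty "chained_over" list means the LSP is still wired into the base TCP/IP provider, which is the situation the winsock reset is meant to clear.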

  • Chadster wrote:

    How much trouble am I in when our clients were set to move the infected files? At one of the smaller offices QuickBooks is out of operation.


    There have been a few scripts posted that will assist you if you've moved files. We're working on getting the scripts into the KB articles, but if you can't wait, scan back through this thread for some examples that were posted.

  • @KristinaStevens


    Many thanks for that, it's a massive help.  I'm merging a few other people's scripts together to create one bespoke for us.

  • My clients weren't updating at first, but we discovered that the Sophos AutoUpdate Service wasn't running. After starting that and then forcing an update, every client finally got the new update. No more false positives so far.


  • SteveSimons wrote:

    How's the call queue? I just need to get in and get them to tell me what to do. There is a lot of information here that could get a layman in a heap of trouble.


    As you might expect, call volume is very high right now. Last I checked the queue was ~60 callers deep. We have pulled in everyone we have available to take calls and are working through the workload as quickly as possible.

  • We are down to 49 from 189. The only problem now is getting all the items quarantined from the user. Once we got the new java-jd.ide file in the bootstrap, the clients were updating and the numbers started going down as they were getting the updates. Our last update says 9:58 CST.

  • Looks like a lot of folks aren't reading the entire thread, so I'll repeat this.

    If you had Cleanup set to MOVE viruses to quarantine, you will probably need more than BAT scripts that only do part of the repair job! Many other programs were broken by this such as Adobe Reader, Flash, Google, and Sprint related stuff.

    FixSAV.vbs

    I came up with my own script that parses the SAV.log file and copies ALL files back to their original locations. If you deleted them, you're sunk and would have to copy from another computer I guess.

    I also added some stuff from ktremain and KUSA's scripts to get the service restarted and almon (tray icon) running.

    Make sure you put those sophos folder exclusions in first and deploy the new policy or else this could be undone again.

    Good luck!

  • So where might I find java-jd.ide file to download, and should I be replacing the agen-xuv.ide in my library, too?  Any help would be great! 

  • After setting exclusions and getting the clients to grab the new policy the updater works again.

    Now, how do I clean up the quarantine on the clients? Is deleting the quarantine xml file the only way? Shouldn't there be a way to check and clean the quarantine from the server console?

  • StewartMoss's script is working well for us on all machines: XP and 7 (both 32-bit and 64-bit). Thanks Stewart!

    I'm using PSEXEC to run the script with: psexec \\machinename -u {domainadmin} -p {password} -c C:\temp\stewartscript.bat

    Win 7 machines will not require a reboot. XP machines will. SHIELDV2 is the name of our staging server, so remember to change that to the name of yours.

    After running the script, update them from the console and you should be good. I'm having to run this command on all machines, but you could use psexec to go down a list of machines automated if you had to.

    @echo off
    echo.
    echo ---------------------------------------------------------------------
    ECHO Sophos Bad-Update Fixer Batch File -
    ECHO            removes bad definition and rebuilds the auto-updater
    ECHO  Written by Stewart Moss from Accumulo Consulting (Pty) Ltd.
    Echo  Version 1.0.1 - 20-Sept-2012 - Fixed for 32bit and 64bit detection
    echo ---------------------------------------------------------------------
    echo.
    REM  This script is for Sophos, Sophos Agents and their customers only and is to be used at your own RISK.
    REM  Neither Accumulo Consulting (Pty) Ltd nor the Author will take any responsibility to
    REM  any damages done by this script
    REM
    REM Please change the paths which say "\\MyServer\Staging\AutoUpdate\" to point to a copy of the
    REM autoupdater which you have placed into a staging area.
    REM
    REM The autoupdater folder in the staging area is the entire folder copied from the CIDs
    REM "\\MyServer\SophosUpdate\CIDs\S000\SAVSCFXP\s?au\program files\Sophos\AutoUpdate"
    REM
    REM History: 1.0.1 Fixed the script because it thought all Windows 7 machines were 64 bit!
    REM
    REM  Copyright 2012 by Accumulo Consulting (Pty) Ltd. All rights reserved.
    REM  All copyright information needs to remain as it is.
    REM  http://www.accumulo.co.za/
    
    Echo Stopping Services
    
    NET STOP "Sophos Agent"
    NET STOP "Sophos Anti-Virus"
    NET STOP "Sophos Anti-Virus status reporter"
    NET STOP "Sophos AutoUpdate Service"
    NET STOP "Sophos Message Router"
    NET STOP "Sophos Web Control Service"
    NET STOP "Sophos Web Intelligence Service"
    
    REM Operating System Detection to copy to the right location
    
    REM Windows 5.1 is Windows XP
    ver | findstr /i "5\.1\." > nul
    IF %ERRORLEVEL% EQU 0 goto WindowsXp
    
    REM Server 2003 has the same paths as Windows XP
    
    REM Windows 5.2 is Windows 2003 server
    ver | findstr /i "5\.2\." > nul
    IF %ERRORLEVEL% EQU 0 goto WindowsXp
    
    REM Ok so only Windows Vista, Windows 7 and Server 2008 have made it to here
    REM Now we need to work out if we are 32 bit or 64 bit Windows. We use the registry and read the
    REM attributes of the first logical CPU. If it contains the characters "x86" it is 32 bit.
    
    REG.exe Query "HKLM\Hardware\Description\System\CentralProcessor\0" | Find /i "x86"  > nul
    If %ERRORLEVEL% == 0 Goto Windows732Bit
    goto Windows764bit
    
    :Windows732Bit
    :WindowsXp
    
    echo Processing for 32bit operating systems or Windows XP
    
    xcopy "\\shieldv2\SophosUpdate\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate\*.*" "C:\program files\sophos\AutoUpdate\" /S /E /Y /H /R /K /C
    
    echo Deleting offending definition
    REM Delete by full path so that a failed "cd" cannot leave the bad IDE file in place
    del /f "C:\program files\Sophos\Sophos Anti-Virus\agen-xuv.ide"
    
    Echo Starting 32bit Services
    
    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"
    
    Echo Starting ALMON.EXE to bring shield back
    REM "start" launches the tray icon detached so the batch file does not wait on it
    echo Our work is done.
    echo.
    start "" /d "C:\program files\sophos\AutoUpdate\" ALMON.EXE
    
    goto DoneStartServices
    
    :Windows764bit
    
    echo Processing for 64bit operating systems (Windows Vista, Windows 7 and Server 2008)
    
    xcopy "\\shieldv2\SophosUpdate\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate\*.*" "C:\program files (x86)\sophos\AutoUpdate\" /S /E /C /Y /H /R /K
    
    echo Deleting offending definition
    REM Delete by full path so that a failed "cd" cannot leave the bad IDE file in place
    del /f "C:\program files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"
    
    Echo Starting 64bit Services
    
    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"
    
    Echo Starting ALMON.EXE to bring shield back
    REM "start" launches the tray icon detached so the batch file does not wait on it
    echo Our work is done.
    echo.
    start "" /d "C:\program files (x86)\sophos\AutoUpdate\" ALMON.EXE
    
    REM Both branches end here; the 32-bit branch jumps to this label
    :DoneStartServices
    exit