Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

This thread was automatically locked due to age.
  • Nathan said: 

    For now, scripting the deletion of quarantine.xml is the only option to accomplish this without touching every system. That said, we are looking for alternatives.

    I am pleased to hear they are looking for alternatives to the script.

    I have decided on a manual approach. I am sure the script is good but with everything that has happened, I would prefer boots on the ground since I want the quarantine viewed to make sure nothing else has snuck in. I am the IT Director at a hospital research facility so I am being extra cautious here. 

    Again, thank you Nathan for your excellent communication - I have no doubt you would not have a problem finding a job elsewhere because I know I would hire you in heartbeat if I could. 

  • What do some of your SUMs show as last updated? Mine is 4.21 yesterday.

  • It looks like this script must be run on each client. That isn't good but if that's what it takes then so be it. Will the script work with Win7 x64 systems?

  • Yes it works with Win 7 x64 machines. The only caveat is that you must update the machine from the console after the script is run. And... yes you have to run it on each machine, but you can use a tool like PSEXEC by Sysinternals to run it in an automated batch process so you don't have to touch each machine.

  • I had the same problem with that 'noupdateinprogress' error when trying to manually uninstall the AutoUpdate client.  This Microsoft FixIt cleanup tool actually fixed it for me and then I was able to push out a new client install via my Enterprise Console to the client.

    http://support.microsoft.com/mats/Program_Install_and_Uninstall/

  • Sigh.  Having followed the advisories (which I note have now silently changed their advice three times now) I am no closer to a solution.

    After repairing the SUM install, Sophos Control Center on win 2003 now crashes on attempting an update with the following.

        .\MainFrm.cpp(2483) : Assertion failed FALSE && "Unexpected updateResultInfo enumeration value encountered."
        ----- [outer exception] -----
           -- error: 0x80004005 (Unspecified error)
           -- facility: Generic (System)
           at 2
           at 1
           at void __thiscall CMainFrame::OnTimer(unsigned int,void (__stdcall *)(struct HWND__ *,unsigned int,__w64 unsigned int,unsigned long))
           at int __cdecl Run(int,enum bl::ConsoleType::Type)
           at int __stdcall wWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)

    At present I can't update the Control Center repository – the last definition it got was allegedly at 21:20 last night and I can't pull down the javab-jd.ide file.

    Because the server won't update, the clients won't either.

    I tried disabling the server share so the clients would go direct to Sophos, but I just get an error about being unable to connect to local server and the update stops.

    It looks like I have to get the server to update before I can go any further.

    Anyone seen a workaround for the above? I saw someone else had the same problem back on page 22, but no one seems to have posted a fix.

  • SGHarrington wrote:

    So where might I find java-jd.ide file to download, and should I be replacing the agen-xuv.ide in my library, too?  Any help would be great! 


    It's on our databanks and warehouses, so once you've followed the directions in the advisory, you should be able to obtain it through your Update Manager or Sophos Autoupdate. Agen-xuv.ide has additional IDEs that are helpful and should be in your library along with javab-jd.ide. If you only have agen-xuv.ide and DON'T have javab-jd.ide AND don't use Live Protection, then you will see the alerts for this False Positive.

  • Click on the path and download the java-jb.ide, extract the zip file, and copy it into the sophos\Sophos Anti-Virus folder where the EC is located. http://www.sophos.com/downloads/ide/

    Once you have the EC updated then you can push it to all the others through the EC.

    Hope this helps!

  • bstgeorge wrote:

    Click on the path and download the java-jb.ide, extract the zip file, and copy it into the sophos\Sophos Anti-Virus folder where the EC is located. http://www.sophos.com/downloads/ide/

    Once you have the EC updated then you can push it to all the others through the EC.

    Hope this helps!


    Please note that is technically not a supported method for updating an IDE. In this case it works, just be mindful of the engine version downloaded as they are not cross compatible. E.g., you may see an issue if you are running VDL4.87 and download IDEs for VDL4.86, etc.

    I would suggest following the processes outlined in the advisory to restore updating though, as there is less risk involved in the methods outlined there.

  • That worked - thanks much!
