
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Chadster, I do not work for Sophos. The script came from Steward Moss, who works for a consulting firm. You can see the actions of the script if you look at it. Nothing malicious is being done. It's just a script that automates some of the tasks required in the fix. I'm using it now successfully, so I figured I would share. Take it or leave it, the choice is yours.


  • Help_Please wrote:

    Nathan below is our latest SUM log.

    http://pastebin.com/QExp17Y9


    This looks like an authentication issue. Temporary fix: obtain a set of trial credentials and use those in your Sophos Update Manager configuration. If that works, once everything dies down you can work with support to figure out why your normal credentials aren't working. Give the trial credentials a bit of time to propagate to the various warehouses.

  • Hello, my name is Benjamin. I'm new here and not a native English speaker,

    so I hope you can understand what I write.

    We had an interesting day, but we built a solution for ourselves.

    Warning: this has only been tested in our IT department so far!

    The QuarReastore_de.vbs is from Sophos support and is also only for testing!

    The script starts below the row of hash marks.

    ######################

    REM stop the Sophos services; everything (errors included) is logged to C:\BF.txt

    net stop "Sophos Agent" > C:\BF.txt 2>&1
    net stop "SAVService" >> C:\BF.txt 2>&1
    net stop "SAVAdminService" >> C:\BF.txt 2>&1
    net stop "Sophos AutoUpdate Service" >> C:\BF.txt 2>&1
    net stop "Sophos Message Router" >> C:\BF.txt 2>&1
    net stop "Sophos Web Control Service" >> C:\BF.txt 2>&1
    net stop "swi_service" >> C:\BF.txt 2>&1
    net stop "swi_update_64" >> C:\BF.txt 2>&1
    net stop "Sophos Anti-Virus" >> C:\BF.txt 2>&1

    REM run the quarantine-restore script from Sophos support
    REM ({DIP} is the placeholder for the share it is kept on; cscript.exe lives in System32)

    %WINDIR%\System32\cscript.exe //nologo "{DIP}\Apl\Sophos\UpdateBugfix\QuarReastore_de.vbs" >> C:\BF.txt 2>&1

    REM delete the stale quarantine list (German XP, English XP and Vista/7 locations)
    REM and the faulty IDE file, where they exist

    if exist "%ALLUSERSPROFILE%\Anwendungsdaten\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" del /f /q "%ALLUSERSPROFILE%\Anwendungsdaten\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" >> C:\BF.txt 2>&1
    if exist "%ALLUSERSPROFILE%\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" del /f /q "%ALLUSERSPROFILE%\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" >> C:\BF.txt 2>&1
    if exist "%ProgramFiles%\Sophos\Sophos Anti-Virus\agen-xuv.ide" del /f /q "%ProgramFiles%\Sophos\Sophos Anti-Virus\agen-xuv.ide" >> C:\BF.txt 2>&1
    if exist "%ALLUSERSPROFILE%\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" del /f /q "%ALLUSERSPROFILE%\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" >> C:\BF.txt 2>&1

    REM start the services again

    net start "Sophos Anti-Virus" >> C:\BF.txt 2>&1
    net start "Sophos Agent" >> C:\BF.txt 2>&1
    net start "SAVService" >> C:\BF.txt 2>&1
    net start "SAVAdminService" >> C:\BF.txt 2>&1
    net start "Sophos AutoUpdate Service" >> C:\BF.txt 2>&1
    net start "Sophos Message Router" >> C:\BF.txt 2>&1
    net start "Sophos Web Control Service" >> C:\BF.txt 2>&1
    net start "swi_service" >> C:\BF.txt 2>&1
    net start "swi_update_64" >> C:\BF.txt 2>&1

    ##############

    The script ends above the row of hash marks.

    It should also work if you only stop and start the "Sophos Anti-Virus" services.

    But we did it this way.

    I hope this will help you.

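A PowerShell version of the stop / restore / delete / restart procedure in Benjamin's post, added here as an example; it is neither Benjamin's script nor anything supplied by Sophos. It uses the service names and file paths from the batch script above and adds the checks a practitioner would want: each service is confirmed stopped and started again, each deletion is confirmed, the corrected javab-jd.ide (the IDE mentioned later in this thread) is looked for afterwards, and Program Files (x86) is searched as well, because Sophos Anti-Virus installs there on 64-bit Windows. The $QuarRestoreVbs path is an assumption; point it at wherever QuarReastore_de.vbs was saved, and if the file is absent that step is skipped.

```powershell
# Added example (not Benjamin's script and not from Sophos): the same
# stop / restore / delete / restart procedure with every step verified.
# Run from an elevated PowerShell prompt. Stops on the first unexpected error.
$ErrorActionPreference = 'Stop'

# Assumption: where QuarReastore_de.vbs (from Sophos support) was saved.
# The restore step is skipped if the file is not there.
$QuarRestoreVbs = 'C:\Temp\QuarReastore_de.vbs'

# Service names or display names, in the stop order of the batch script.
$stopOrder = @('Sophos Agent', 'SAVService', 'SAVAdminService',
               'Sophos AutoUpdate Service', 'Sophos Message Router',
               'Sophos Web Control Service', 'swi_service', 'swi_update_64',
               'Sophos Anti-Virus')
# The batch script starts "Sophos Anti-Virus" first, then the rest.
$startOrder = @('Sophos Anti-Virus') + $stopOrder

# Sophos Anti-Virus lives under Program Files (x86) on 64-bit Windows.
$savDirs = @("$env:ProgramFiles\Sophos\Sophos Anti-Virus")
if (${env:ProgramFiles(x86)}) { $savDirs += "${env:ProgramFiles(x86)}\Sophos\Sophos Anti-Virus" }

function Resolve-SophosService([string]$NameOrDisplayName) {
    # Accepts either form because "Sophos Anti-Virus" is a display name
    # while "SAVService" is a service name; returns $null if not installed.
    Get-Service |
        Where-Object { $_.Name -eq $NameOrDisplayName -or $_.DisplayName -eq $NameOrDisplayName } |
        Select-Object -First 1
}

function Set-SophosServiceState([string]$NameOrDisplayName, [string]$Target) {
    $svc = Resolve-SophosService $NameOrDisplayName
    if (-not $svc) { Write-Warning "'$NameOrDisplayName' is not installed here"; return }
    if ($svc.Status -eq $Target) { return }
    if ($Target -eq 'Stopped') { Stop-Service -Name $svc.Name -Force } else { Start-Service -Name $svc.Name }
    $svc.WaitForStatus($Target, [TimeSpan]::FromSeconds(60))   # throws on timeout
    Write-Host ('{0,-8} {1}' -f $Target.ToLower(), $svc.Name)
}

# 1. Stop
foreach ($n in $stopOrder) { Set-SophosServiceState $n 'Stopped' }

# 2. Restore quarantined items with the support script, if we have it.
if (Test-Path -LiteralPath $QuarRestoreVbs) {
    $proc = Start-Process -FilePath "$env:WINDIR\System32\cscript.exe" `
                -ArgumentList "//nologo `"$QuarRestoreVbs`"" -Wait -PassThru
    if ($proc.ExitCode -ne 0) { Write-Warning "QuarReastore_de.vbs exited with code $($proc.ExitCode)" }
} else {
    Write-Warning "$QuarRestoreVbs not found; skipping the quarantine restore step"
}

# 3. Delete the stale quarantine list (English XP, German XP and Vista/7
#    layouts) and the faulty IDE, confirming each deletion.
$targets = @(
    "$env:ALLUSERSPROFILE\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml",
    "$env:ALLUSERSPROFILE\Anwendungsdaten\Sophos\Sophos Anti-Virus\Config\Quarantine.xml",
    "$env:ALLUSERSPROFILE\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
) + ($savDirs | ForEach-Object { Join-Path $_ 'agen-xuv.ide' })
foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t)) { continue }
    Remove-Item -LiteralPath $t -Force
    if (Test-Path -LiteralPath $t) { throw "could not delete $t" }
    Write-Host "deleted  $t"
}

# 4. Start again, then check that the corrected IDE has actually arrived.
foreach ($n in $startOrder) { Set-SophosServiceState $n 'Running' }

$fixIde = $savDirs | ForEach-Object { Join-Path $_ 'javab-jd.ide' } |
          Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if ($fixIde) { Write-Host "corrected IDE present: $fixIde" }
else { Write-Warning 'javab-jd.ide not found; this endpoint has not picked up the corrected IDE yet' }
```

Resolving by display name as well as service name is what lets the list keep both "SAVService" and "Sophos Anti-Virus": they resolve to the same service, so the second entry is a no-op rather than an error. The final check matters because deleting agen-xuv.ide only removes the faulty detection; until javab-jd.ide is on the endpoint the update problem itself is not fixed.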
  • Good evening all.

    Nathan, you are doing amazing work here. But don't forget to include information for students in your advisory (not sure if you have done that; if yes, I apologize).

    I got the java(...).ide, but the upgrade options on the bottom of the endpoint window were gone. Luckily I was able to remove the program (a total of 2) and reinstall Sophos through the university homepage. Now the upgrade options are back again.

    Good luck those businessman and -women, fighting the "prudent" Sophos.

    Greetings


    lost_guy

  • Nathan I appreciate your help but do you have any other possible fixes? I would rather not do a temporary fix and don't understand why we could authenticate yesterday to receive the false positive update but we can no longer authenticate now to get the fix. Is there something manual that we could download on our server to get past our current issue?


  • lost_guy wrote:

    Good evening all.

    Nathan, you are doing amazing work here. But don't forget to include information for students in your advisory (not sure if you have done that; if yes, I apologize).

    I got the java(...).ide, but the upgrade options on the bottom of the endpoint window were gone. Luckily I was able to remove the program (a total of 2) and reinstall Sophos through the university homepage. Now the upgrade options are back again.

    Good luck those businessman and -women, fighting the "prudent" Sophos.

    Greetings


    lost_guy


    Sounds like you experienced the problem with ALMon.exe not running. In that case, the Updating section will be missing when you open the Sophos Anti-Virus GUI. You can relaunch ALMon.exe from the Program Files\Sophos\AutoUpdate directory.

  • Hi Benjamin,

    can you please attach the QuarReastore_de.vbs?

    Cheers

  • The file - javab-jd.ide is nowhere on the server running SEC.

    The update manager says it was successful. 1.3.2.176

  • I am also experiencing these issues. I am able to update the SUM and SEC on the server side, and some of my machines have removed the items from quarantine. In a rush to stem off an infection, or what I thought was an infection, I deleted files that Sophos flagged yesterday before I knew that this was an error on Sophos's part. I cannot get the update manager on those endpoints to start. I tried running the VB script included in here, to no avail. I've done just about everything I can and the shield still doesn't show up. I try to start the Sophos AutoUpdate Server and I get this message:

    Windows could not start the Sophos AutoUpdate Service service on Local Computer

    Error 2: The system cannot find the file specified.

    I went to the KB article and tried the option where files were deleted. I replaced the files and I still can't get this to start.

    I also tried running the ALMon.exe and I get this error:

    Error loading external resources (0x8007007e).

    And I tried to run the ALUpdater.exe and it said another program is being installed and I need to wait for it to complete. Funny thing is that there are no other programs being installed.

    I am on Win7 64-bit with other client machines on Win7 32-bit

    Help please!!!!

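An added diagnostic for the two symptoms in the post above; it is not from any poster and not a Sophos tool. "Error 2: The system cannot find the file specified" from a service start means the executable named in that service's ImagePath registry value no longer exists, which is exactly what happens when flagged Sophos files were deleted instead of quarantined. 0x8007007e is the HRESULT form of Win32 error 126, "The specified module could not be found", i.e. ALMon.exe was found and started but a DLL it loads is gone. The script resolves every Sophos service's ImagePath, reports which binaries are missing, and checks whether ALMon.exe exists and is running (Nathan's reply above notes that the Updating section disappears when it is not). It only reports; the missing files themselves have to come back from the KB article's file set or a reinstall, as lost_guy did. The service-name pattern used to pick out Sophos services is an assumption based on the names used elsewhere in this thread.

```powershell
# Added example (not from the thread and not a Sophos tool): work out why a
# Sophos service fails with "Error 2" and whether ALMon.exe is in place.
# Read-only; run from an elevated PowerShell prompt on the affected endpoint.

function Get-ServiceBinaryPath([string]$ImagePath) {
    # ImagePath is either  "quoted path" args  or  unquoted path args.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    # Unquoted path that may contain spaces: grow the candidate one token at a
    # time until it names an existing file.
    $parts = $p -split ' '
    for ($i = 1; $i -le $parts.Length; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]   # nothing on disk matched; report the first token as the missing file
}

# 1. Every Sophos service: does the executable the SCM would launch still exist?
#    (Assumption: Sophos services are the ones whose name starts with Sophos,
#    SAV or swi_, or whose display name starts with Sophos.)
$sophosServices = Get-Service | Where-Object {
    $_.Name -match '^(Sophos|SAV|swi_)' -or $_.DisplayName -like 'Sophos*'
}
$missing = @()
foreach ($svc in $sophosServices) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $image = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $image) { Write-Warning "$($svc.Name): no ImagePath value"; continue }
    $exe = Get-ServiceBinaryPath $image
    if (Test-Path -LiteralPath $exe -PathType Leaf) { $state = 'ok     ' }
    else { $state = 'MISSING'; $missing += $svc.Name }
    '{0} {1,-30} {2,-8} {3}' -f $state, $svc.Name, $svc.Status, $exe
}

# 2. ALMon.exe: present, and running? Look in both Program Files trees, since
#    Sophos AutoUpdate is a 32-bit program on 64-bit Windows.
$roots = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }
$almon = $roots | ForEach-Object { Join-Path $_ 'Sophos\AutoUpdate\ALMon.exe' } |
         Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } | Select-Object -First 1

if (-not $almon) {
    Write-Warning 'ALMon.exe not found under Program Files\Sophos\AutoUpdate'
} elseif (Get-Process -Name ALMon -ErrorAction SilentlyContinue) {
    "ok      ALMon.exe running from $almon"
} else {
    Write-Warning "ALMon.exe exists but is not running, so the Updating section will be missing from the SAV GUI. Try: Start-Process '$almon'"
}

if ($missing.Count -gt 0) {
    Write-Warning ('Services whose binaries are gone: ' + ($missing -join ', ') +
                   ". 'net start' on these will fail with Error 2 until the files are restored.")
}
```

The ImagePath is read from the registry rather than from Get-Service because ServiceController does not expose the binary path in PowerShell 2.0, which is what Windows 7 shipped with. If ALMon.exe is present but starting it still fails with 0x8007007e, the missing piece is a DLL next to it, not the executable itself, so replacing ALMon.exe alone will not help.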