
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • That1TechDude wrote:

    I am also experiencing these issues. I am able to update the SUM and SEC on the server side and some of my machines have removed the items from quarantine. In a rush to stem off an infection, or what I thought was an infection, I deleted files that Sophos flagged yesterday before I knew that this was an error on Sophos's part. I cannot get the update manager on those endpoints to start. I tried running the VB script included in here to no avail. I've done just about everything I can and the shield still doesn't show up. I try to start the Sophos AutoUpdate Service and I get this message:

    Windows could not start the Sophos AutoUpdate Service service on Local Computer

    Error 2: The system cannot find the file specified.

    I went to the KB article and tried the option where files were deleted. I replaced the files and I still can't get this to start.

    I also tried running the ALMon.exe and I get this error:

    Error loading external resources (0x8007007e).

    And I tried to run the ALUpdater.exe and it said another program is being installed and I need to wait for it to complete. Funny thing is that there are no other programs being installed.

    I am on Win7 64-bit with other client machines on Win7 32-bit

    Help please!!!!


    The behavior you are seeing is consistent with the files still missing. Can I please have you go through the steps again and make sure something wasn't skipped? Also, if you haven't taken steps to prevent redetection of the false positive, the files may be getting deleted again as soon as you copy them over.

  • Nathan,

    When might we see an official script for restoring files for those of us who had "Deny and move" set?

    Thanks!


  • Jeff1527 wrote:

    Let's see if I can type this a little clearer for the 3rd time...

    After following the advisory, my SUM will not update the new files.  It does nothing.  It would at least give me a fail error prior to following the advisory.  I have tried all parts of the advisory.  I have tried repairing my updater, installing it from scratch and it will not update.


    Is anything new being written to the SUMTrace logs found in %allusersprofile%\sophos\update manager\logs? If so, can you post it here for me to see?


  • Petaris wrote:

    Nathan,

    When might we see an official script for restoring files for those of us who had "Deny and move" set?

    Thanks!


    Checking on that for you right now. Meanwhile, the script I have right now is posted below:

    ' Script to copy back files identified as infected using the SAV log files.
    ' It will parse all files called SAV* in the SAV log directory for copy actions.
    ' By default it logs to "\Users\[User]\AppData\Local\Temp\CopyFilesBack.txt" or
    ' "\Documents and Settings\[User]\Local Settings\Temp\CopyFilesBack.txt" depending on OS.
    const WOW_KEY         = "Wow6432Node"
    const FOR_READING     = 1
    const MESSAGE_STRING  = "has been moved to"
    const SAV_LOG_PRE_FIX = "SAV"
    const VIRUS_NAME      = "Virus/spyware 'Shh/"
    
    dim strWow6432Node, strLogPath, objFSO, objFile, strLogFileName
    dim strSAVLogLocation, strSAVLogLocationDir, strRes, objLogFile, strRegPath
    strLogFileName  = "CopyFilesBack.txt" 'Lines contain the text in the constant "MESSAGE_STRING"
    
    'Setup global objects
    set objFSO  = CreateObject("Scripting.FileSystemObject")
    'Get script log file location to write to
    strLogPath  = GetLogLocation() & "\" & strLogFileName
    set objLogFile = objFSO.CreateTextFile(strLogPath, true)
    WriteToLog 0, "Starting script to recover quarantined files where: log contains the line: '" & MESSAGE_STRING
    strWow6432Node   = "\"
    if Is64(".") then
        strWow6432Node = "\" & WOW_KEY & "\"
     WriteToLog 0, "64-bit machine."
    else
        strWow6432Node = "\"
     WriteToLog 0, "32-bit machine."
    end if
    strRegPath = "HKEY_LOCAL_MACHINE\SOFTWARE" & strWow6432Node & "Sophos\SAVService\Application\LogDir"
    strRes = GetKey(strRegPath)
    if strRes = "0" then
     WriteToLog 1, "Failed to get SAV log location from registry."
        WriteToLog 1, "Exiting script."
     wscript.quit (1)
    else
     WriteToLog 0, "Read the SAV log location from registry."
    end if
    strSAVLogLocationDir = strRes
    WriteToLog 0, "Location of log directory: " & strSAVLogLocationDir
    'For each file starts with 'SAV_LOG_PRE_FIX'
    WriteToLog 0, "For each file in the directory that starts '" & SAV_LOG_PRE_FIX & "'."
    set objFolder = objFSO.GetFolder(strSAVLogLocationDir).files
    intFound = 0
    for each SAVFile in objFolder
     if instr(SAVFile.name, SAV_LOG_PRE_FIX) > 0 then
      
      set objFile = objFSO.OpenTextFile (strSAVLogLocationDir & "\" & SAVFile.name, FOR_READING, false, -1)
      WriteToLog 0, "=================Processing: '" & SAVFile.name & "'========================"
      
      do While objFile.AtEndOfStream <> true  
       strLineIn = trim(objFile.ReadLine)
       
       if instr(strLineIn, VIRUS_NAME) > 0 then
        intFound=1
        WriteToLog 0, "The next line will have info on " & VIRUS_NAME
       End if
       
       if intFound = 1 then
        strLineIn = trim(objFile.ReadLine)
        WriteToLog 0, strLineIn
        intFound=0
        if (instr (strLineIn, MESSAGE_STRING) > 0)  then
           'Interested in the lines as it matches our requirements.
         arrOfLine = split(strLineIn, """")
        
         strOrigFilePath = trim (arrOfLine(1))
         strNewFilePath  = trim (arrOfLine(3))
          
         WriteToLog 0, strOrigFilePath & " -> " & strNewFilePath
         if CopyFileBack (strNewFilePath, strOrigFilePath) then
          WriteToLog 0, "File restored."
         else
          WriteToLog 0, "File restore failed."
         end if
        end if  
       end if
       
      loop
     end if
    next
    '***********************************************************************************************************
    WriteToLog 0, "Script finished."
    set objFolder  = nothing
    set objLogFile = nothing
    set objFSO     = nothing
    
    '***********************************************************************************************************
    'Functions
    '***********************************************************************************************************
    Function GetLogLocation()
     
     on error resume next
     Set objTempFolder = objFSO.GetSpecialFolder(2)
     if objTempFolder = "" then
      GetLogLocation = "C:\windows\temp\" 'Set to Windows temp if can't get the dir.
     else
      GetLogLocation = objTempFolder
     end if
     
     Set objTempFolder = nothing
     
    End function
    '***********************************************************************************************************
    '***********************************************************************************************************
    Function CopyFileBack (strCurrentLocation, srcOrigLocation)
     
     WriteToLog 0, "-->CopyFileBack()"
     
     on error resume next
     err.clear
     
     If objFSO.FileExists(strCurrentLocation) Then
      WriteToLog 0, "File exists: " & strCurrentLocation & " attempt to copy back to: " & srcOrigLocation
      objFSO.moveFile strCurrentLocation, srcOrigLocation
      
      if err.number <> 0 then
       WriteToLog 1, "Failed to copy file: " & err.number & " : " & err.description
       CopyFileBack = false
      else
       CopyFileBack = true
      end if
     
     else
      WriteToLog 1, "Copying file back failed as file " & strCurrentLocation & " doesn't exist."
      CopyFileBack = false
     End If
     
     WriteToLog 0, "<--CopyFileBack()"  
     
    End Function
    '***********************************************************************************************************
    
    '***********************************************************************************************************
    Function Is64(strMachineName)
        WriteToLog 0, "-->Is64(" & strMachineName & ")"
        on error resume next
     
     err.clear
       
     dim objWMIService, objColSettings, strDesc, objProcessor
     
     Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strMachineName & "\root\cimv2")
     Set objColSettings = objWMIService.ExecQuery ("SELECT AddressWidth FROM Win32_Processor")
     
        if err.number <> 0 then
          'WriteToLog takes exactly two arguments; an extra argument here is a runtime error that On Error Resume Next would silently swallow.
          WriteToLog 1, "Error Number: " & err.number & " Error Description: " & err.description
           wscript.quit(1)
        end if
       
     For Each objProcessor In objColSettings
      strDesc = objProcessor.AddressWidth
     Next
     
        if strDesc = "32" then
            Is64 = false
        end if
        if strDesc = "64" then
            Is64 = true
        end if
     
        Set objWMIService = nothing
     set objColSettings = nothing
     
        WriteToLog 0, "<--Is64()"
       
    End Function
    '***********************************************************************************************************
    
    '*********************************************************************************************************** 
    Function WriteToLog (strSev, strLogLine)
        dim strToWrite
        strToWrite = ""
       
        select case strSev
            case 0
             strToWrite = "INF: "
            case 1
             strToWrite = "ERR: "
            case else
             strToWrite = "UNKNOWN: "
        end select
       
        objLogFile.WriteLine Date() & " " & Time() & " " & strToWrite & " " & strLogLine
       
    End Function
    '***********************************************************************************************************
    '***********************************************************************************************************
    Function GetKey(strPath)
        on error resume next
        dim strPathToLog
     dim objReg
     
     set objReg = wscript.createobject("wscript.shell")
     
        err.clear
        strPathToLog = objReg.RegRead (strPath)
        if err.number = 0 then
            GetKey = strPathToLog
        else
            'Return the string "0": the caller tests strRes = "0", and in VBScript the number 0 does not compare equal to the string "0".
            GetKey = "0"
        end if
         
     set objReg = nothing
     
    End Function
  • I THINK I may be OK here...

    Following the advisory, my SUM is updated, containing javab-jd.ide.

    My policy was set to Update Only, so I deleted my Quarantine.xml from the Update Server.

    Previously, I had turned off desktop notifications, so the end users were not informing us of the problem.

    All false positive alerts were acknowledged.

    MOST endpoints are showing that they have updated and are no longer generating the false positives.

    However, there are a couple that seem to be not updating.  On those, when the users have some downtime, I will attempt to delete the Quarantine.xml file.

    My questions:

    1.  Does the Quarantine.xml file need to be deleted on all Endpoints, even if they have updated, and appear to be all OK?

    2.  If so, how critical is it to perform this action?  If the dust is settled, and everything appears to be OK, can I wait for the weekend?

    My assumption is that I will have to delete Quarantine.xml from all endpoints, since this problem has quarantined a number of non-Sophos processes, and deleting Quarantine.xml will effectively un-quarantine these items.

    So...

    3.  If deleting Quarantine.xml un-quarantines items falsely quarantined, won't it also release any items that were appropriately quarantined?  It seems that we are essentially releasing all the prisoners, because there may be a few innocent people sent to jail.

    Forgive me if these have been previously addressed.  And, I certainly would like to hear if my assumptions here are incorrect.

    Thanks!

  • Here you go..

    2012-09-20 11:17:52 : Cmd-ALL << [I1018][DispatcherSupplements-2012-09-20T16-17-52-2][1] Started dispatcher with ID 'DispatcherSupplements-2012-09-20T16-17-52-2'. It will run 1 events.
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionSyncSupplements][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionSyncSupplements' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : Sync failure: Couldn't create catalogue sdds.local.xml
    2012-09-20 11:17:52 : Cmd-ALL << [E401F][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][Couldn't create catalogue sdds.local.xml][RECOMMENDED][SOPHOS] Supplement synchronisation operation failed when synchronising payload 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Couldn't create catalogue sdds.local.xml
    2012-09-20 11:17:52 : Cmd-ALL << [E403C][7D48A012-0C64-4F21-BA27-A9CEDF442749][Not attempted.][0.0.0][SOPHOS] Supplements for payload '7D48A012-0C64-4F21-BA27-A9CEDF442749' could not be synchronised because the synchronise operation failed due to an earlier error.
    2012-09-20 11:17:52 : Cmd-ALL << [E403C][2DE69C24-D975-47b2-8D2F-6BEA861A9C75][Not attempted.][RECOMMENDED][SOPHOS] Supplements for payload '2DE69C24-D975-47b2-8D2F-6BEA861A9C75' could not be synchronised because the synchronise operation failed due to an earlier error.
    2012-09-20 11:17:52 : Cmd-ALL << [E403C][A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1][Not attempted.][RECOMMENDED][SOPHOS] Supplements for payload 'A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1' could not be synchronised because the synchronise operation failed due to an earlier error.
    2012-09-20 11:17:52 : Cmd-ALL << [E400D][ActionSyncSupplements][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionSyncSupplements' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' failed!
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionGatherCurrencyData-Sub0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : GatherCurrencyData: Considering payload Payload-Sub0...
    2012-09-20 11:17:52 : GatherCurrencyData: Sync marked as failed, sending the abort.
    2012-09-20 11:17:52 : Cmd-ALL << [E402D][DispatcherSupplements-2012-09-20T16-17-52-2][F26F7EC0-1302-4DA7-8B6B-A5383051D41A] Gather Currency Data operation invoked by dispatcherId 'DispatcherSupplements-2012-09-20T16-17-52-2' on product with rigid name 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A' has been aborted because the data has not been synchronised correctly.
    2012-09-20 11:17:52 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionGatherCurrencyData-Sub0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' succeeded!
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionDecodeEverything-Sub0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionDecodeEverything-Sub0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : Cmd-ALL << [E402A][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][RECOMMENDED] The decode of payload F26F7EC0-1302-4DA7-8B6B-A5383051D41A and requested version RECOMMENDED was aborted because the synchronise is marked as failed.
    2012-09-20 11:17:52 : Cmd-ALL << [E400D][ActionDecodeEverything-Sub0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionDecodeEverything-Sub0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' failed!
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionGenerateCid-Sub0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionGenerateCid-Sub0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : Cmd-ALL << [I1017][ActionGenerateCid-Sub0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionGenerateCid-Sub0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' could not execute.
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionDeployCids-Sub0-0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionDeployCids-Sub0-0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : Cmd-ALL << [I1017][ActionDeployCids-Sub0-0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionDeployCids-Sub0-0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' could not execute.
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub1][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionGatherCurrencyData-Sub1' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : GatherCurrencyData: Considering payload Payload-Sub1...
    2012-09-20 11:17:52 : GatherCurrencyData: Sync marked as failed, sending the abort.
    2012-09-20 11:17:52 : Cmd-ALL << [E402D][DispatcherSupplements-2012-09-20T16-17-52-2][7D48A012-0C64-4F21-BA27-A9CEDF442749] Gather Currency Data operation invoked by dispatcherId 'DispatcherSupplements-2012-09-20T16-17-52-2' on product with rigid name '7D48A012-0C64-4F21-BA27-A9CEDF442749' has been aborted because the data has not been synchronised correctly.
    2012-09-20 11:17:52 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub1][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionGatherCurrencyData-Sub1' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' succeeded!
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionDeploySDF-Sub1-0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionDeploySDF-Sub1-0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : Cmd-ALL << [E402A][7D48A012-0C64-4F21-BA27-A9CEDF442749][0.0.0] The decode of payload 7D48A012-0C64-4F21-BA27-A9CEDF442749 and requested version 0.0.0 was aborted because the synchronise is marked as failed.
    2012-09-20 11:17:52 : Cmd-ALL << [E400D][ActionDeploySDF-Sub1-0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionDeploySDF-Sub1-0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' failed!
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub2][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionGatherCurrencyData-Sub2' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : GatherCurrencyData: Considering payload Payload-Sub2...
    2012-09-20 11:17:52 : GatherCurrencyData: Sync marked as failed, sending the abort.
    2012-09-20 11:17:52 : Cmd-ALL << [E402D][DispatcherSupplements-2012-09-20T16-17-52-2][2DE69C24-D975-47b2-8D2F-6BEA861A9C75] Gather Currency Data operation invoked by dispatcherId 'DispatcherSupplements-2012-09-20T16-17-52-2' on product with rigid name '2DE69C24-D975-47b2-8D2F-6BEA861A9C75' has been aborted because the data has not been synchronised correctly.
    2012-09-20 11:17:52 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub2][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionGatherCurrencyData-Sub2' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' succeeded!
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionDeploySDF-Sub2-0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionDeploySDF-Sub2-0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : Cmd-ALL << [E402A][2DE69C24-D975-47b2-8D2F-6BEA861A9C75][RECOMMENDED] The decode of payload 2DE69C24-D975-47b2-8D2F-6BEA861A9C75 and requested version RECOMMENDED was aborted because the synchronise is marked as failed.
    2012-09-20 11:17:52 : Cmd-ALL << [E400D][ActionDeploySDF-Sub2-0][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionDeploySDF-Sub2-0' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' failed!
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionGatherCurrencyData-SDDM][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionGatherCurrencyData-SDDM' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : GatherCurrencyData: Considering payload Payload-SDDM...
    2012-09-20 11:17:52 : GatherCurrencyData: Sync marked as failed, sending the abort.
    2012-09-20 11:17:52 : Cmd-ALL << [E402D][DispatcherSupplements-2012-09-20T16-17-52-2][A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1] Gather Currency Data operation invoked by dispatcherId 'DispatcherSupplements-2012-09-20T16-17-52-2' on product with rigid name 'A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1' has been aborted because the data has not been synchronised correctly.
    2012-09-20 11:17:52 : Cmd-ALL << [I0009][ActionGatherCurrencyData-SDDM][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionGatherCurrencyData-SDDM' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' succeeded!
    2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionDecodeEverything-SDDM][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionDecodeEverything-SDDM' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
    2012-09-20 11:17:52 : Cmd-ALL << [E402A][A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1][RECOMMENDED] The decode of payload A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1 and requested version RECOMMENDED was aborted because the synchronise is marked as failed.
    2012-09-20 11:17:52 : Cmd-ALL << [E400D][ActionDecodeEverything-SDDM][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionDecodeEverything-SDDM' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' failed!
    2012-09-20 11:17:52 : Cmd-ALL << [E400E][DispatcherSupplements-2012-09-20T16-17-52-2] Event with dispatcher ID 'DispatcherSupplements-2012-09-20T16-17-52-2' failed to execute.
    2012-09-20 11:17:52 : Cmd-ALL << [I1020][DispatcherSupplements-2012-09-20T16-17-52-2] All events with dispatcher ID 'DispatcherSupplements-2012-09-20T16-17-52-2' complete.
    2012-09-20 11:18:52 : Thu Sep 20 11:18:52 2012 - No action
    2012-09-20 11:18:52 : Thu Sep 20 11:18:52 2012 - No action
    2012-09-20 11:18:52 : Thu Sep 20 11:18:52 2012 - No action
    2012-09-20 11:18:52 : Thu Sep 20 11:18:52 2012 - No action
    2012-09-20 11:19:52 : Thu Sep 20 11:19:52 2012 - No action
    2012-09-20 11:19:52 : Thu Sep 20 11:19:52 2012 - No action
    2012-09-20 11:19:52 : Thu Sep 20 11:19:52 2012 - No action
    2012-09-20 11:19:52 : Thu Sep 20 11:19:52 2012 - No action
    2012-09-20 11:20:52 : Thu Sep 20 11:20:52 2012 - No action
    2012-09-20 11:20:52 : Thu Sep 20 11:20:52 2012 - No action
    2012-09-20 11:20:52 : Thu Sep 20 11:20:52 2012 - No action
    2012-09-20 11:20:52 : Thu Sep 20 11:20:52 2012 - No action
    2012-09-20 11:21:52 : Thu Sep 20 11:21:52 2012 - No action
    2012-09-20 11:21:52 : Thu Sep 20 11:21:52 2012 - No action
    2012-09-20 11:21:52 : Thu Sep 20 11:21:52 2012 - No action
    2012-09-20 11:21:52 : Thu Sep 20 11:21:52 2012 - No action
    2012-09-20 11:22:52 : Thu Sep 20 11:22:52 2012 - No action
    2012-09-20 11:22:52 : Thu Sep 20 11:22:52 2012 - No action
    2012-09-20 11:22:52 : Thu Sep 20 11:22:52 2012 - No action
    2012-09-20 11:22:52 : Thu Sep 20 11:22:52 2012 - No action
    2012-09-20 11:23:41 : Cmd-Terminal >> Shutdown
    2012-09-20 11:23:41 : Cmd-Terminal << Shutdown command received...

    2012-09-20 11:23:41 : Cmd-ALL << [X????] System shutdown started!

    2012-09-20 11:23:41 : UpdateLogViewerDictionaryOperation - Cancel called, but will do nothing.
    2012-09-20 11:23:41 : WarehouseStatusOperation - Cancel called, but will do nothing.
    2012-09-20 11:23:41 : SocksSocketAcceptor called Accept.  Parameters: socket = 1440 sockaddr = 0x0151FD94 addr_length = 0x0151FCA4 Return code: ffffffff
    2012-09-20 11:23:41 : UpdateLogViewerDictionaryOperation - Cancel called, but will do nothing.
    2012-09-20 11:23:41 : WarehouseStatusOperation - Cancel called, but will do nothing.
    2012-09-20 11:23:41 :
    SUM Core is shutting down...

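A triage helper for the SUMTrace excerpt above, added here as an example and not Sophos code: it parses the `timestamp : Cmd-ALL << [CODE][context...] message` layout, takes the first error that is not merely reporting an earlier failure as the root cause (here E401F, "Couldn't create catalogue sdds.local.xml"), and lists the E403C/E402D/E402A/E400E lines as the cascade it produced. The line layout, the cascade phrases and the sample excerpt are assumptions taken from the posted log.

```python
"""Triage a Sophos Update Manager (SUM) SUMTrace excerpt.

Added example for this thread, not Sophos code. The line layout is inferred from
the SUMTrace lines posted in the thread; SAMPLE_LOG is a constructed, trimmed excerpt.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed excerpt of the SUMTrace lines quoted in the thread.
SAMPLE_LOG = """\
2012-09-20 11:17:52 : Cmd-ALL << [I1018][DispatcherSupplements-2012-09-20T16-17-52-2][1] Started dispatcher with ID 'DispatcherSupplements-2012-09-20T16-17-52-2'. It will run 1 events.
2012-09-20 11:17:52 : Cmd-ALL << [I1021][ActionSyncSupplements][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionSyncSupplements' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' started...
2012-09-20 11:17:52 : Sync failure: Couldn't create catalogue sdds.local.xml
2012-09-20 11:17:52 : Cmd-ALL << [E401F][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][Couldn't create catalogue sdds.local.xml][RECOMMENDED][SOPHOS] Supplement synchronisation operation failed when synchronising payload 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Couldn't create catalogue sdds.local.xml
2012-09-20 11:17:52 : Cmd-ALL << [E403C][7D48A012-0C64-4F21-BA27-A9CEDF442749][Not attempted.][0.0.0][SOPHOS] Supplements for payload '7D48A012-0C64-4F21-BA27-A9CEDF442749' could not be synchronised because the synchronise operation failed due to an earlier error.
2012-09-20 11:17:52 : Cmd-ALL << [E400D][ActionSyncSupplements][DispatcherSupplements-2012-09-20T16-17-52-2] Action 'ActionSyncSupplements' with caller 'DispatcherSupplements-2012-09-20T16-17-52-2' failed!
2012-09-20 11:17:52 : Cmd-ALL << [E402D][DispatcherSupplements-2012-09-20T16-17-52-2][F26F7EC0-1302-4DA7-8B6B-A5383051D41A] Gather Currency Data operation invoked by dispatcherId 'DispatcherSupplements-2012-09-20T16-17-52-2' on product with rigid name 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A' has been aborted because the data has not been synchronised correctly.
2012-09-20 11:17:52 : Cmd-ALL << [E402A][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][RECOMMENDED] The decode of payload F26F7EC0-1302-4DA7-8B6B-A5383051D41A and requested version RECOMMENDED was aborted because the synchronise is marked as failed.
2012-09-20 11:17:52 : Cmd-ALL << [E400E][DispatcherSupplements-2012-09-20T16-17-52-2] Event with dispatcher ID 'DispatcherSupplements-2012-09-20T16-17-52-2' failed to execute.
2012-09-20 11:17:52 : Cmd-ALL << [I1020][DispatcherSupplements-2012-09-20T16-17-52-2] All events with dispatcher ID 'DispatcherSupplements-2012-09-20T16-17-52-2' complete.
2012-09-20 11:18:52 : Thu Sep 20 11:18:52 2012 - No action
"""

# "<timestamp> : <body>" (assumed layout, as seen in the posted log)
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : (?P<body>.*)$")
# "Cmd-ALL << [CODE][ctx]...[ctx] message"; codes look like I1018, E401F, X????
CMD_RE = re.compile(r"^Cmd-ALL << \[(?P<code>[A-Z][0-9A-F?]{4})\](?P<ctx>(?:\[[^\]]*\])*)\s*(?P<msg>.*)$")
GUID_RE = re.compile(r"^[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}$", re.IGNORECASE)
# Phrases SUM uses when an error only says that something earlier already failed (assumed from the log).
CASCADE_HINTS = ("earlier error", "marked as failed", "not been synchronised correctly",
                 "could not execute", "failed to execute")


@dataclass
class Event:
    ts: str
    code: str        # e.g. "E401F"; "" for free-text lines that carry no [code]
    contexts: list   # the bracketed fields that follow the code, in order
    message: str

    @property
    def is_error(self):
        return self.code.startswith("E")

    @property
    def looks_like_cascade(self):
        return any(hint in self.message for hint in CASCADE_HINTS)

    @property
    def payloads(self):
        # Payload "rigid names" are GUIDs carried in the bracketed context fields.
        return {c for c in self.contexts if GUID_RE.match(c)}


def parse_sumtrace(text):
    """Turn SUMTrace text into Event objects; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        c = CMD_RE.match(body)
        if c:
            contexts = re.findall(r"\[([^\]]*)\]", c.group("ctx"))
            events.append(Event(m.group("ts"), c.group("code"), contexts, c.group("msg").strip()))
        else:
            events.append(Event(m.group("ts"), "", [], body))
    return events


def triage(events):
    """Split the E-coded events into (root_cause, cascade).

    The root cause is the first error whose message does not merely say that something
    earlier already failed; every other error is follow-on noise repeated per payload.
    """
    root, cascade = None, []
    for ev in events:
        if not ev.is_error:
            continue
        if root is None and not ev.looks_like_cascade:
            root = ev
        else:
            cascade.append(ev)
    return root, cascade


def affected_payloads(events):
    """Union of the payload GUIDs named in the context fields of the given events."""
    found = set()
    for ev in events:
        found |= ev.payloads
    return found


def summarize(text):
    """One-shot summary: root error, its detail, the cascade codes and the payloads touched."""
    events = parse_sumtrace(text)
    root, cascade = triage(events)
    touched = affected_payloads(cascade) | (root.payloads if root else set())
    return {
        "events": len(events),
        "root_code": root.code if root else None,
        "root_detail": root.message if root else None,
        "cascade_codes": [e.code for e in cascade],
        "payloads": sorted(touched),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at a real SUMTrace file with `summarize(open(path, encoding="utf-8", errors="replace").read())`; the one line worth acting on is the root, not the dozen cascade lines that follow it.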
  • Hi Nathan,

    The advisory has worked for 8 out of my 10 clients.

    However I have 2 clients where either the SEC or Control Centre will no longer download updates.

    Basically my SEC last updated at 2114 last night. (BST)

    Since then I have been getting the "Threat Detection data update failed" (80040404) ,  "Software Update failed" (80040401) & "Delivery failed for software subscription......" (80040406)

    I have spent most of the day troubleshooting and investigating these errors just in case they had nothing to do with this issue.

    However I have had no joy. It was only when my colleague mentioned that they were getting the same issue on another server that I realised it MUST be related to this issue.

    I followed the advisory to the letter, and as mentioned above it has worked on the majority of my clients, however I'm still stuck with 2 clients who cannot get their AV updated.

    Regards,

    dreec

  • This is the last time I will post this script...... It works trust me. I have around half of my machines fixed so far.

    1. Make sure your staging server is updated first with the correct IDEs (AutoUpdate folder on your server)

    2. Temporarily roll out a policy that has On-Access disabled, or modify your policy by adding these exceptions within On-Access scanning:

    C:\Documents and Settings\All Users\Application Data\Sophos\

    C:\Program Files\Sophos\

    C:\Program Files (x86)\Sophos\

    C:\programdata\sophos\

    3. Replace the UNC path in the script to match the hostname of your staging server. (My server hostname is SHIELDV2 for reference).

    4. Use PSEXEC to run this script remotely with the correct privileges on as many computers as you need using the command below (replace with your own credentials. machinelist.txt should be a list of hostnames. The script should be made into a BAT and placed in the same directory):

    psexec @C:\temp\machinelist.txt -d -u domainadmin -p password -c C:\temp\script.bat

    @echo off
    echo.
    echo ---------------------------------------------------------------------
    ECHO Sophos Bad-Update Fixer Batch File -
    ECHO            removes bad definition and rebuilds the auto-updater
    ECHO  Written by Stewart Moss from Accumulo Consulting (Pty) Ltd.
    Echo  Version 1.0.1 - 20-Sept-2012 - Fixed for 32bit and 64bit detection
    echo ---------------------------------------------------------------------
    echo.
    REM  This script is for Sophos, Sophos Agents and their customers only and is to be used at your own RISK.
    REM  Neither Accumulo Consulting (Pty) Ltd nor the Author will take any responsibility to
    REM  any damages done by this script
    REM
    REM Please change the paths which say "\\MyServer\Staging\AutoUpdate\" to point to a copy of the
    REM autoupdater which you have placed into a staging area.
    REM
    REM The autoupdater folder in the staging area is the entire folder copied from the CIDs
    REM "\\MyServer\SophosUpdate\CIDs\S000\SAVSCFXP\s?au\program files\Sophos\AutoUpdate"
    REM
    REM History: 1.0.1 Fixed the script because it thought all Windows 7 machines were 64 bit!
    REM
    REM  Copyright 2012 by Accumulo Consulting (Pty) Ltd. All rights reserved.
    REM  All copyright information needs to remain as it is.
    REM  http://www.accumulo.co.za/
    
    Echo Stopping Services
    
    NET STOP "Sophos Agent"
    NET STOP "Sophos Anti-Virus"
    NET STOP "Sophos Anti-Virus status reporter"
    NET STOP "Sophos AutoUpdate Service"
    NET STOP "Sophos Message Router"
    NET STOP "Sophos Web Control Service"
    NET STOP "Sophos Web Intelligence Service"
    
    REM Operating System Detection to copy to the right location
    
    REM Windows 5.1 is Windows XP
    ver | findstr /i "5\.1\." > nul
    IF %ERRORLEVEL% EQU 0 goto WindowsXp
    
    REM Server 2003 has the same paths as Windows XP
    
    REM Windows 5.2 is Windows 2003 server
    ver | findstr /i "5\.2\." > nul
    IF %ERRORLEVEL% EQU 0 goto WindowsXp
    
    REM Ok so only Windows Vista, Windows 7 and Server 2008 have made it to here
    REM Now we need to work out if we are 32 bit or 64 bit Windows. We use the registry and read the
    REM attributes of the first logical CPU. If it contains the characters "x86" it is 32 bit.
    
    REG.exe Query "HKLM\Hardware\Description\System\CentralProcessor\0" | Find /i "x86"  > nul
    If %ERRORLEVEL% == 0 Goto Windows732Bit
    goto Windows764bit
    
    :Windows732Bit
    :WindowsXp
    
    echo Processing for 32bit operating systems or Windows XP
    
    xcopy "\\shieldv2\SophosUpdate\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate\*.*" "C:\program files\sophos\AutoUpdate\" /S /E /Y /H /R /K /C
    
    echo Deleting offending definition
    REM Absolute path with /d so this works whatever drive and directory PsExec started us in
    cd /d "C:\Program Files\Sophos\Sophos Anti-Virus"
    del /f "agen-xuv.ide"
    
    Echo Starting 32bit Services
    
    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"
    
    Echo Starting ALMON.EXE to bring shield back
    Echo If the batch file hangs here, check the shield is loaded and you can close this batch file.
    echo Our work is done.
    echo.
    "C:\program files\sophos\AutoUpdate\ALMON.EXE"
    
    REM Skip the 64-bit section; :exit is the label defined at the end of this file
    goto exit
    
    :Windows764bit
    
    echo Processing for 64bit operating systems (Windows Vista, Windows 7 and Server 2008)
    
    xcopy "\\MyServer\Staging\AutoUpdate\*.*" "C:\program files (x86)\sophos\AutoUpdate\" /S /E /C /Y /H /R /K
    
    echo Deleting offending definition
    REM Absolute path with /d so this works whatever drive and directory PsExec started us in
    cd /d "C:\Program Files (x86)\Sophos\Sophos Anti-Virus"
    del /f "agen-xuv.ide"
    
    Echo Starting 64bit Services
    
    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"
    
    Echo Starting ALMON.EXE to bring shield back
    Echo If the batch file hangs here, check the shield is loaded and you can close this batch file.
    echo Our work is done.
    echo.
    start /d "C:\program files (x86)\sophos\AutoUpdate\" ALMON.EXE
    :exit
  • My script for what it's worth.....we had Sophos set to delete files.

    IF EXIST "c:\SophosFix\AUFiles\ALMon.exe" GOTO END

    Net Stop "SAVService"
    net stop "Sophos AutoUpdate Service"
    net stop "Sophos Agent"
    net stop "SAVAdminService"
    net stop "Sophos Device Control Service"
    net stop "Sophos Message Router"
    net stop "Sophos Web Control Service"

    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo File Deleted)

    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo File Deleted)


    xcopy "\\server\SophosUpdate\CIDs\S000\SAVSCFXP\SAU\program files\Sophos\AutoUpdate\*.*" "c:\SophosFix\AUFiles\" /y


    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\savmain.exe" (Copy "c:\SophosFix\AUFiles\*.*" "C:\Program Files (x86)\Sophos\AutoUpdate"&Echo Files Copied)

    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\savmain.exe" (Copy "c:\SophosFix\AUFiles\*.*" "C:\Program Files\Sophos\AutoUpdate"&Echo Files Copied)

    REM Vista/7/2008 keep the config under C:\ProgramData\Sophos; XP/2003 under All Users\Application Data
    Del "C:\ProgramData\Sophos\Sophos Anti-Virus\config\Quarantine.xml"
    Del "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml"

    net start "Sophos AutoUpdate Service"
    Net Start SAVService
    net start "Sophos Agent"
    net start "SAVAdminService"
    net start "Sophos Device Control Service"
    net start "Sophos Message Router"
    net start "Sophos Web Control Service"

    :END


  • WASkydiver wrote:

    I THINK I may be OK here...

    Following the advisory, my SUM is updated, containing javab-jd.ide.

    My policy was set to Update Only, so I deleted my Quarantine.xml from the Update Server.

    Previously, I had turned off desktop notifications, so the end users were not informing us of the problem.

    All false positive alerts were acknowledged.

    MOST endpoints are showing that they have updated and are no longer generating the false positives.

    However, there are a couple that seem to be not updating.  On those, when the users have some downtime, I will attempt to delete the Quarantine.xml file.

    My questions:

    1.  Does the Quarantine.xml file need to be deleted on all Endpoints, even if they have updated, and appear to be all OK?

    2.  If so, how critical is it to perform this action?  If the dust is settled, and everything appears to be OK, can I wait for the weekend?

    My assumption is that I will have to delete Quarantine.xml from all endpoints, since this problem has quarantined a number of non-Sophos processes, and deleting Quarantine.xml will effectively un-quarantine these items.

    So...

    3.  If deleting Quarantine.xml un-quarantines items falsely quarantined, won't it also release any items that were appropriately quarantined?  It seems that we are essentially releasing all the prisoners, because there may be a few innocent people sent to jail.

    Forgive me if these have been previously addressed.  And, I certainly would like to hear if my assumptions here are incorrect.

    Thanks!


    Following the steps to delete quarantine.xml is only necessary to clear the endpoint quarantine manager. If legitimate items are cleared, they will still be blocked by the Anti-Virus engine, and a new entry in the QM will be generated. If your users don't commonly open their AV client to see that the QM has items listed, then clearing the endpoint QM is not necessary.
