
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.




  • dreec wrote:

    Hi Nathan,

    The advisory has worked for 8 out of my 10 clients.

    However I have 2 clients where either the SEC or Control Centre will no longer download updates.

    Basically my SEC last updated at 2114 last night. (BST)

    Since then I have been getting the "Threat Detection data update failed" (80040404) ,  "Software Update failed" (80040401) & "Delivery failed for software subscription......" (80040406)

    I have spent most of the day troubleshooting and investigating these errors just in case they had nothing to do with this issue.

    However I have had no joy.   It was only when my colleague mentioned that they were getting the same issue on another server that I realised it MUST be related to this issue.   

    I followed the advisory to the letter, and as mentioned above it has worked on the majority of my clients,  however I'm still stuck with 2 clients who cannot get their AV updated.

    Regards,

    dreec


    Hi Dreec,

    It sounds like you are still having problems with the Sophos Anti-Virus scanner blocking necessary files due to the false positive. Can you confirm if the program files\sophos\sophos anti-virus\ directory contains agen-xuv.ide and NOT javab-jd.ide? If so, do the following:
    1. net stop savservice
    2. delete agen-xuv.ide
    3. net start savservice

    Try updating SUM after doing the above. Let me know if it still fails!


  • Jeff1527 wrote:

    Here you go..

    2012-09-20 11:17:52 : Cmd-ALL << [I1018][DispatcherSupplements-2012-09-20T16-17-52-2][1] Started dispatcher with ...snip


    Hi Jeff,

    Have you tried to do a repair of the Sophos Update Manager? The error message in your log has been seen before and can be fixed by doing the repair. If you have already done the repair, I would try rebooting the system next. Let me know if both of those steps have been done and if it still doesn't work with the "Couldn't create catalogue sdds.local.xml" message in the SUMTrace.

  • If sophos is set to deny access to infected files, how do we restore the files?  Is there any way to do this via command line or script?

  • Hi Nathan,

    I have done as per your instructions.

    The agen-xuv.ide file is not present (I think I deleted that at about 0930 this morning), but I did check!

    I can get clients to update FROM the SEC i.e. I can push down policies to disable on-access scanning & to re-enable again. 

    From clients I can update TO the SEC i.e. I can click "update now" and the clients happily go off and have no updates to bring down. Because .........

    I cannot update from SOPHOS to update my SEC in order for the clients to be updated with the javab-jd.ide file.

  • I have tried repairing.  It tells me that it cannot find a bunch of EXE files when its repairing.

    The download status has not changed since before I tried using the advisory.

    Might I add 51 minutes on HOLD.. Yippee!

    EDIT:  and at 1 hr I was cut off!


  • jcetas wrote:

    If sophos is set to deny access to infected files, how do we restore the files?  Is there any way to do this via command line or script?


    If you've denied access, you only need to obtain and deploy the fixed ide javab-jd.ide. This will stop the detection of the file, though there will still be entries in the QM regarding it. Clearing those is not critical to restore functionality of the system though.


  • Jeff1527 wrote:

    I have tried repairing.  It tells me that it cannot find a bunch of EXE files when its repairing.

    The download status has not changed since before I tried using the advisory.

    Might I add 51 minutes on HOLD.. Yippee!


    Is the AV scanner still flagging the false positive when you are doing the repair?


  • dreec wrote:

    Hi Nathan,

    I have done as per your instructions.

    The agen-xuv.ide file is not present (I think I deleted that at about 0930 this morning), but I did check!

    I can get clients to update FROM the SEC i.e. I can push down policies to disable on-access scanning & to re-enable again. 

    From clients I can update TO the SEC i.e. I can click "update now" and the clients happily go off and have no updates to bring down. Because .........

    I cannot update from SOPHOS to update my SEC in order for the clients to be updated with the javab-jd.ide file.


    I hope I'm not being a pain here, but did you delete agen-xuv.ide and restart savservice on the SEC/SUM server prior to having SUM perform an update? Can you confirm if \\server\sophos update\cids\s000\savscfxp\savxp contains the javab-jd.ide file? (Note that your S000 may be different; check the endpoint updating policy to confirm.) It sounds like SUM hasn't pulled the new file down. Are you still getting software delivery failed messages on your SUM?

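The two checks Nathan describes (whether the local IDE directory holds agen-xuv.ide but not javab-jd.ide, and whether the SUM's CID subscription folders have received javab-jd.ide), together with the stop / delete / start workaround, as an added PowerShell example. This is not code from the thread or from Sophos; the directory, file names and service name come from the posts, the share path is a placeholder you must replace, and the function names are this example's own.

```powershell
# Added example (not from this thread or from Sophos). Reports the IDE state on one
# machine, applies the stop / delete / start workaround only when agen-xuv.ide is
# present and javab-jd.ide is not, and lists which CID subscription folders on the
# SUM share already carry javab-jd.ide. Run in an elevated session.

$IdeDir  = Join-Path $env:ProgramFiles 'Sophos\Sophos Anti-Virus'   # directory named in the reply
$BadIde  = 'agen-xuv.ide'   # identity file behind the Shh/Updater-B false positive
$GoodIde = 'javab-jd.ide'   # corrected identity file from the advisory
# Assumption: replace with your own SUM share; the reply's example was \\server\sophos update\cids
$CidRoot = '\\SERVER_PLACEHOLDER\Sophos Update\CIDs'

function Get-IdeState {
    param([string]$Dir = $IdeDir)
    [pscustomobject]@{
        Directory  = $Dir
        HasBadIde  = Test-Path -LiteralPath (Join-Path $Dir $BadIde)
        HasGoodIde = Test-Path -LiteralPath (Join-Path $Dir $GoodIde)
    }
}

function Repair-IdeFalsePositive {
    param([string]$Dir = $IdeDir, [switch]$WhatIf)
    $state = Get-IdeState -Dir $Dir
    if ($state.HasGoodIde) {
        Write-Output "$GoodIde already present in $Dir; no action needed."
        return
    }
    if (-not $state.HasBadIde) {
        Write-Output "$BadIde not present in $Dir; run an update rather than deleting anything."
        return
    }
    $target = Join-Path $Dir $BadIde
    if ($WhatIf) {
        Write-Output "Would stop savservice, delete $target, then start savservice."
        return
    }
    # Same sequence as 'net stop savservice' / delete / 'net start savservice' in the reply.
    Stop-Service -Name 'savservice' -ErrorAction Stop
    try {
        Remove-Item -LiteralPath $target -Force -ErrorAction Stop
        Write-Output "Deleted $target"
    }
    finally {
        Start-Service -Name 'savservice'   # always bring the scanner back, even if the delete failed
    }
}

function Test-CidHasGoodIde {
    param([string]$Root = $CidRoot)
    # One row per S### subscription folder (yours may not be S000, as the reply notes).
    Get-ChildItem -LiteralPath $Root |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^S\d{3}$' } |
        ForEach-Object {
            $ide = Join-Path $_.FullName "savscfxp\savxp\$GoodIde"
            [pscustomobject]@{ Subscription = $_.Name; HasGoodIde = (Test-Path -LiteralPath $ide) }
        }
}

Get-IdeState
Repair-IdeFalsePositive -WhatIf   # drop -WhatIf to actually perform the swap
Test-CidHasGoodIde
```

Run it first with `-WhatIf` on the SEC/SUM server and then on one endpoint; the `finally` block restarts savservice even when the delete fails, so the scanner is never left stopped. `Test-CidHasGoodIde` returning `HasGoodIde = False` for every subscription folder is the "SUM hasn't pulled the new file down" condition the reply asks about.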
  • Following the instructions in the KB article 118311 I managed to get both the servers and all affected workstations updated correctly (verified presence of javab-jd.ide and definitions), however the false positives remain in quarantine on the workstations.  I ran the following on several test machines which clears the local quarantine list. 

    rem Stop the scanner so the quarantine list is not in use while it is deleted
    net stop "sophos anti-virus"
    rem Location used on XP / Server 2003
    del /f /q "%allusersprofile%\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    rem Location used on Vista / 7 / Server 2008
    del /f /q "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    net start "sophos anti-virus"

    I then modified and updated the policy so the following directories would once again be scanned by on-access scanning.

    C:\Documents and Settings\All Users\Application Data\Sophos\
    C:\Program Files\Sophos\
    C:\Program Files (x86)\Sophos\
    C:\ProgramData\Sophos\

    Scans of the previously falsely detected files returned clean.  I then scanned non-sophos update agents which were quarantined, Flash Player and Google updater in this case.  They returned clean.  I verified that the update functions of these applications worked.

    However, before I push this batch file to 2,000 computers I want to understand how the quarantine works.  By deleting the XML file are the files truly being un-quarantined, unlocked and returned to their original locations?  Just browsing through all the detections I'm seeing dozens of different applications on the quarantine lists.  I do not want to cause an even bigger problem, and I do not have the resources to manually remove items from quarantine on each PC.      Anybody have a clue on this?  

    Thanks!

  • Quarantine is clean on the SUM server
