
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • @Pec

    I think you may have to make a customized script to move those files back to their locations. I'm not 100% positive because I'm not sure if Sophos somehow retains the return path of the previous file location somewhere or not.


  • Nathan wrote:

    That1TechDude wrote:

    I am also experiencing these issues. I am able to update the SUM and SEC on the server side and some of my machines have removed the items from quarantine. In a rush to stem off an infection, or what I thought was an infection, I deleted files that Sophos flagged yesterday before I knew that this was an error on Sophos's part. I cannot get the update manager on those endpoints to start. I tried running the VB script included in here to no avail. I've done just about everything I can and the shield still doesn't show up. I try to start the Sophos AutoUpdate Server and I get this message:

    Windows could not start the Sophos AutoUpdate Service service on Local Computer

    Error 2: The system cannot find the file specified.

    I went to the KB article and tried the option where files were deleted. I replaced the files and I still can't get this to start.

    I also tried running the ALMon.exe and I get this error:

    Error loading external resources (0x8007007e).

    And I tried to run the ALUpdater.exe and it said another program is being installed and I need to wait for it to complete. Funny thing is that there are no other programs being installed.

    I am on Win7 64-bit with other client machines on Win7 32-bit

    Help please!!!!


    The behavior you are seeing is consistent with the files still missing. Can I please have you go through the steps again and make sure something wasn't skipped? Also, if you haven't taken steps to prevent redetection of the false positive, the files may be getting deleted again as soon as you copy them over.


    I saw your post a little too late. I tried to do a clean install on my machine and see if I could get everything up and running again and I can't uninstall Sophos. The AutoUpdater will not uninstall and I'm at a standstill. I haven't gotten a chance to look at the other machines here because I'd like to fix my own and know that it works before I go and mess with other machines.

  • Hey,

    I have been reading through the forums this morning and trying a few different things to try and get things up and running.

    Couple of observations:

    • On the SEC, some of the clients who have quarantined items have the option "Update Computers Now" greyed out. There doesn't seem to be any rhyme or reason to it. The reason I say this is that some clients that have quarantined the Sophos files do not have this option greyed out, while others do.
    • On the clients that had the option greyed out I manually tried some of the fixes in this thread and none returned the option. I ended up having to push just the Sophos agent out to these machines in order to get it working again.
      I wasn't able to fully confirm that the Sophos Update service was actually running. I saw a post saying that some people had discovered that the service wasn't actually running. After reading that I only had one more client who had the "Update Computers Now" greyed out and on this client in particular they had all the necessary services running.
    • Deleting the Quarantine.xml does not clear the machine from the SEC. Do we still need to do a manual acknowledgement from the SEC of the quarantined items?

    I have been able to confirm that our SUM has updated to the correct version (confirmed using the MD5). I have also been able to confirm that our clients have updated from the SUM correctly (confirmed again using the MD5). Is it enough to remove the Quarantine.xml and then do the manual acknowledgement?

    Cheers

  • 2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/TAO_Valuetype.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/TAO_Security.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/TAO_SSLIOP.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/TAO_PortableServer.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/TAO_ObjRefTemplate.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/TAO_IORInterceptor.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/TAO_DynamicAny.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/TAO.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/ScfVerify.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/RtrEvent.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/RouterNT.exe IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/ManagementAgentNT.exe IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/MSClientLib.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/EmErr.dll IsCancelled? 0
    2012-09-20 12:09:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/EMTrace.dll IsCancelled? 0
    2012-09-20 12:09:56 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/EMLibUpdateAgentNT.exe IsCancelled? 0
    2012-09-20 12:09:56 : EventLog: 3758112772 1 Inserts:> "C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "SAVSCFXP" "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "RECOMMENDED" "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe"
    2012-09-20 12:09:56 : Cmd-ALL << [E4004][C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A][SAVSCFXP][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][RECOMMENDED][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe] Decode operation failed when decoding payload 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe
    2012-09-20 12:09:56 : Cmd-ALL << [E400D][ActionDecodeEverything-Sub0][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionDecodeEverything-Sub0' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' failed!
    2012-09-20 12:09:56 : Cmd-ALL << [I1021][__MAINTENANCE_ACTION__][__MAINTENANCE_DISPATCHER__-2012-09-20T17-09-53-1] Action '__MAINTENANCE_ACTION__' with caller '__MAINTENANCE_DISPATCHER__-2012-09-20T17-09-53-1' started...
    2012-09-20 12:09:56 : PurgeDecodeFolders determined folder in use: C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\Decoded-SDDM\A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1
    2012-09-20 12:09:56 : PurgeDecodeFolders determined folder in use: C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A
    2012-09-20 12:09:56 : PurgeDecodeFolders determined folder in use: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosMA\7D48A012-0C64-4F21-BA27-A9CEDF442749
    2012-09-20 12:09:56 : PurgeDecodeFolders determined folder in use: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosPA\2DE69C24-D975-47b2-8D2F-6BEA861A9C75
    2012-09-20 12:09:56 : PurgeDecodeFolders: Working path appears to be: C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\
    2012-09-20 12:09:56 : Cmd-ALL << [I0019] Successfully carried out maintenance operation.
    2012-09-20 12:09:56 : Cmd-ALL << [I0009][__MAINTENANCE_ACTION__][__MAINTENANCE_DISPATCHER__-2012-09-20T17-09-53-1] Action '__MAINTENANCE_ACTION__' with caller '__MAINTENANCE_DISPATCHER__-2012-09-20T17-09-53-1' succeeded!
    2012-09-20 12:09:56 : Cmd-ALL << [S000A][__MAINTENANCE_DISPATCHER__-2012-09-20T17-09-53-1] Event with dispatcher ID '__MAINTENANCE_DISPATCHER__-2012-09-20T17-09-53-1' completed successfully.
    2012-09-20 12:09:56 : Cmd-ALL << [I1020][__MAINTENANCE_DISPATCHER__-2012-09-20T17-09-53-1] All events with dispatcher ID '__MAINTENANCE_DISPATCHER__-2012-09-20T17-09-53-1' complete.
    2012-09-20 12:09:56 : Cmd-ALL << [I1021][ActionGenerateCid-Sub0][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionGenerateCid-Sub0' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' started...
    2012-09-20 12:09:56 : Cmd-ALL << [I1017][ActionGenerateCid-Sub0][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionGenerateCid-Sub0' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' could not execute.
    2012-09-20 12:09:56 : Cmd-ALL << [I1021][ActionDeployCids-Sub0-0][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionDeployCids-Sub0-0' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' started...
    2012-09-20 12:09:56 : Cmd-ALL << [I1017][ActionDeployCids-Sub0-0][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionDeployCids-Sub0-0' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' could not execute.
    2012-09-20 12:09:56 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub1][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionGatherCurrencyData-Sub1' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' started...
    2012-09-20 12:09:56 : GatherCurrencyData: Considering payload Payload-Sub1...
    2012-09-20 12:09:56 : GatherCurrencyData: Payload version information has changed, proceeding.
    2012-09-20 12:09:56 : GatherCurrencyData: Obtaining currency data...
    2012-09-20 12:09:56 : GatherCurrencyData: ReleaseHasRole(EPS) threw an exception, returning false.  Details: Attribute not found.
    2012-09-20 12:09:56 : GatherCurrencyData: No relevant attributes found for this payload.
    2012-09-20 12:09:56 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub1][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionGatherCurrencyData-Sub1' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' succeeded!
    2012-09-20 12:09:56 : Cmd-ALL << [I1021][ActionDeploySDF-Sub1-0][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionDeploySDF-Sub1-0' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' started...
    2012-09-20 12:09:57 : Cmd-ALL << [S0015][C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosMA][sec][7D48A012-0C64-4F21-BA27-A9CEDF442749][0.0.0] The SDF deployment operation was successful, and no new data files were decoded.
    2012-09-20 12:09:57 : Cmd-ALL << [S0013][C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosMA] The decode operation was successful, and no new data files were decoded.
    2012-09-20 12:09:57 : Cmd-ALL << [I0009][ActionDeploySDF-Sub1-0][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionDeploySDF-Sub1-0' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' succeeded!
    2012-09-20 12:09:57 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub2][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionGatherCurrencyData-Sub2' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' started...
    2012-09-20 12:09:57 : GatherCurrencyData: Considering payload Payload-Sub2...
    2012-09-20 12:09:57 : GatherCurrencyData: Payload version information has changed, proceeding.
    2012-09-20 12:09:57 : GatherCurrencyData: Obtaining currency data...
    2012-09-20 12:09:57 : GatherCurrencyData: ReleaseHasRole(EPS) threw an exception, returning false.  Details: Attribute not found.
    2012-09-20 12:09:57 : GatherCurrencyData: No relevant attributes found for this payload.
    2012-09-20 12:09:57 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub2][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionGatherCurrencyData-Sub2' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' succeeded!
    2012-09-20 12:09:57 : Cmd-ALL << [I1021][ActionDeploySDF-Sub2-0][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionDeploySDF-Sub2-0' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' started...
    2012-09-20 12:09:57 : Creating file package source...
    2012-09-20 12:09:57 : Decoding the product...
    2012-09-20 12:09:58 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Sophos Endpoint Management/4.5/Updates/Secure/SDFs/SophosPA/PSRVR/sophos.plk IsCancelled? 0
    2012-09-20 12:09:58 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Sophos Endpoint Management/4.5/Updates/Secure/SDFs/SophosPA/PSRVR/manifest.dat IsCancelled? 0
    2012-09-20 12:09:58 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Sophos Endpoint Management/4.5/Updates/Secure/SDFs/SophosPA/PSRVR/cabarc.exe IsCancelled? 0
    2012-09-20 12:09:58 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Sophos Endpoint Management/4.5/Updates/Secure/SDFs/SophosPA/PSRVR/PatchImport64.exe IsCancelled? 0
    2012-09-20 12:09:58 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Sophos Endpoint Management/4.5/Updates/Secure/SDFs/SophosPA/PSRVR/PatchImport32.exe IsCancelled? 0
    2012-09-20 12:09:58 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Sophos Endpoint Management/4.5/Updates/Secure/SDFs/SophosPA/PSRVR/PatchConfig.xml IsCancelled? 0
    2012-09-20 12:09:58 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Sophos Endpoint Management/4.5/Updates/Secure/SDFs/SophosPA/PSRVR/MCEScan.exe IsCancelled? 0
    2012-09-20 12:09:59 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Sophos Endpoint Management/4.5/Updates/Secure/SDFs/SophosPA/PSRVR/x64/envprep.exe IsCancelled? 0
    2012-09-20 12:09:59 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Sophos Endpoint Management/4.5/Updates/Secure/SDFs/SophosPA/PSRVR/PDATA/VendorAllowList.xml IsCancelled? 0
    2012-09-20 12:09:59 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Sophos Endpoint Management/4.5/Updates/Secure/SDFs/SophosPA/PSRVR/PDATA/PatchFeed.xml IsCancelled? 0
    2012-09-20 12:09:59 : Decoding complete.
    2012-09-20 12:09:59 : Cmd-ALL << [S0014][C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosPA][PSRVR][2DE69C24-D975-47b2-8D2F-6BEA861A9C75][RECOMMENDED] The SDF deployment operation was successful.
    2012-09-20 12:09:59 : Cmd-ALL << [S0004][C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosPA] The decode operation was successful.
    2012-09-20 12:09:59 : Cmd-ALL << [I0009][ActionDeploySDF-Sub2-0][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionDeploySDF-Sub2-0' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' succeeded!
    2012-09-20 12:09:59 : Cmd-ALL << [I1021][ActionGatherCurrencyData-SDDM][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionGatherCurrencyData-SDDM' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' started...
    2012-09-20 12:09:59 : GatherCurrencyData: Considering payload Payload-SDDM...
    2012-09-20 12:09:59 : GatherCurrencyData: Payload version information has changed, proceeding.
    2012-09-20 12:09:59 : GatherCurrencyData: Obtaining currency data...
    2012-09-20 12:09:59 : GatherCurrencyData: ReleaseHasRole(EPS) threw an exception, returning false.  Details: Attribute not found.
    2012-09-20 12:09:59 : GatherCurrencyData: No relevant attributes found for this payload.
    2012-09-20 12:09:59 : Cmd-ALL << [I0009][ActionGatherCurrencyData-SDDM][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionGatherCurrencyData-SDDM' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' succeeded!
    2012-09-20 12:09:59 : Cmd-ALL << [I1021][ActionDecodeEverything-SDDM][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionDecodeEverything-SDDM' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' started...
    2012-09-20 12:10:00 : Cmd-ALL << [S001A][C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-SDDM\A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1][sum][A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1][RECOMMENDED] The decode operation was successful (and NULL).
    2012-09-20 12:10:00 : Cmd-ALL << [S0013][C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-SDDM] The decode operation was successful, and no new data files were decoded.
    2012-09-20 12:10:00 : Cmd-ALL << [I0009][ActionDecodeEverything-SDDM][DispatcherSupplements-2012-09-20T17-09-10-1] Action 'ActionDecodeEverything-SDDM' with caller 'DispatcherSupplements-2012-09-20T17-09-10-1' succeeded!
    2012-09-20 12:10:00 : Cmd-ALL << [E400E][DispatcherSupplements-2012-09-20T17-09-10-1] Event with dispatcher ID 'DispatcherSupplements-2012-09-20T17-09-10-1' failed to execute.
    2012-09-20 12:10:00 : Cmd-ALL << [I1020][DispatcherSupplements-2012-09-20T17-09-10-1] All events with dispatcher ID 'DispatcherSupplements-2012-09-20T17-09-10-1' complete.


  • Pec wrote:

    Following the instructions in the KB article 118311 I managed to get both the servers and all affected workstations updated correctly (verified presence of javab-jd.ide and definitions), however the false positives remain in quarantine on the workstations.  I ran the following on several test machines which clears the local quarantine list. 

    net stop "sophos anti-virus"
    del /f /q "%allusersprofile%\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    del /f /q "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    net start "sophos anti-virus"

    I then modified and updated the policy so the following directories would once again be scanned by on-access scanning.

    C:\Documents and Settings\All Users\Application Data\Sophos\
    C:\Program Files\Sophos\
    C:\Program Files (x86)\Sophos\
    C:\ProgramData\Sophos\

    Scans of the previously falsely detected files returned clean. I then scanned non-Sophos update agents which were quarantined, Flash Player and Google updater in this case. They returned clean. I verified that the update functions of these applications worked.

    However, before I push this batch file to 2,000 computers I want to understand how the quarantine works. By deleting the XML file are the files truly being un-quarantined, unlocked and returned to their original locations? Just browsing through all the detections I'm seeing dozens of different applications on the quarantine lists. I do not want to cause an even bigger problem, and I do not have the resources to manually remove items from quarantine on each PC. Anybody have a clue on this?

    Thanks!


    The QM is just a list of items that the engine detected on. Clearing the QM doesn't take any action on the files, so if for example the files were moved to the INFECTED folder and you cleared the QM, the files would still be in the INFECTED folder.

    If legitimately infected files are cleared from the QM, the engine will detect them again the next time they are accessed and add a fresh entry to the QM for them.


  • That1TechDude wrote:

    Nathan wrote:

    That1TechDude wrote:

    I am also experiencing these issues. I am able to update the SUM and SEC on the server side and some of my machines have removed the items from quarantine. In a rush to stem off an infection, or what I thought was an infection, I deleted files that Sophos flagged yesterday before I knew that this was an error on Sophos's part. I cannot get the update manager on those endpoints to start. I tried running the VB script included in here to no avail. I've done just about everything I can and the shield still doesn't show up. I try to start the Sophos AutoUpdate Server and I get this message:

    Windows could not start the Sophos AutoUpdate Service service on Local Computer

    Error 2: The system cannot find the file specified.

    I went to the KB article and tried the option where files were deleted. I replaced the files and I still can't get this to start.

    I also tried running the ALMon.exe and I get this error:

    Error loading external resources (0x8007007e).

    And I tried to run the ALUpdater.exe and it said another program is being installed and I need to wait for it to complete. Funny thing is that there are no other programs being installed.

    I am on Win7 64-bit with other client machines on Win7 32-bit

    Help please!!!!


    The behavior you are seeing is consistent with the files still missing. Can I please have you go through the steps again and make sure something wasn't skipped? Also, if you haven't taken steps to prevent redetection of the false positive, the files may be getting deleted again as soon as you copy them over.


    I saw your post a little too late. I tried to do a clean install on my machine and see if I could get everything up and running again and I can't uninstall Sophos. The AutoUpdater will not uninstall and I'm at a standstill. I haven't gotten a chance to look at the other machines here because I'd like to fix my own and know that it works before I go and mess with other machines.


    You can try the Microsoft FixIt tool to remove the Windows Installer information for Sophos AutoUpdate and try again. Or copy the contents of \\server\sophos update\cids\s000\savscfxp\sau\program files\sophos\autoupdate to the c:\program files\sophos\autoupdate directory and try again.


  • Jeff1527 wrote:

    *SNIP*
    2012-09-20 12:09:56 : EventLog: 3758112772 1 Inserts:> "C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "SAVSCFXP" "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "RECOMMENDED" "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe"
    ID 'DispatcherSupplements-2012-09-20T17-09-10-1' complete.


    Looks like a checksum issue now, probably due to the earlier detection on the file. If you run Update Now again from SUM it _should_ fix the file. If not, search the update location for EMLibUpdateAgentNT.exe, delete all references you find that are in the update location, then try an update again.

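The SUM trace log quoted in this thread ends with an E4004 checksum error on EMLibUpdateAgentNT.exe followed by E400D and E400E failures, and the reply above points at the checksum as the thing to chase. What follows is an added example, not Sophos code and not posted by anyone in this thread: a small Python triage script that pulls the error-level events, the dispatcher that failed, and the file name plus expected hash out of a SUM log, and then checks a candidate file against that hash. Assumptions, also marked in the code: the event-code severity mapping (E = error, I = info, S = success) is inferred from the posted log rather than from Sophos documentation, the 32-hex checksum is treated as an MD5 (which matches its length and the MD5 checks people in the thread are already doing), and the sample lines are trimmed copies of the posted log.

```python
"""Triage a Sophos Update Manager (SUM) trace log for failed decodes.

Added example for this thread, not Sophos code. Works offline on the
constructed sample lines below, or on a real log via triage(open(p)).
"""
import hashlib
import re
from dataclasses import dataclass

# One "Cmd-ALL" event: timestamp, 5-character event code in the first
# bracket group, and the remainder of the line.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : Cmd-ALL << "
    r"\[(?P<code>[A-Z][0-9A-F]{4})\](?P<rest>.*)$"
)
# "Checksum error: <32 hex>x000 -> <file>" as it appears in the posted log.
# The trailing "x000" token is not explained anywhere in the thread, so it
# is captured but not interpreted.
CHECKSUM_RE = re.compile(
    r"Checksum error: (?P<md5>[0-9a-fA-F]{32})(?P<suffix>x\d+)? -> (?P<file>[^\s\]]+)"
)
DISPATCHER_FAIL_RE = re.compile(
    r"Event with dispatcher ID '(?P<id>[^']+)' failed to execute"
)
# Assumption inferred from the posted log: first letter of the code is the
# severity (E = error, I = info, S = success).
SEVERITY = {"E": "error", "I": "info", "S": "success"}


@dataclass(frozen=True)
class Event:
    ts: str
    code: str
    rest: str

    @property
    def severity(self) -> str:
        return SEVERITY.get(self.code[0], "unknown")


def parse_events(lines):
    """Return the Cmd-ALL events in order; non-event lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["code"], m["rest"]))
    return events


def checksum_failures(lines):
    """Return (file, expected_md5) pairs, first occurrence per file, in order."""
    seen = {}
    for line in lines:
        m = CHECKSUM_RE.search(line)
        if m:
            seen.setdefault(m["file"], m["md5"].lower())
    return list(seen.items())


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_md5(data: bytes, expected_md5: str) -> bool:
    """True when the data hashes to the value the log expected."""
    return md5_hex(data) == expected_md5.lower()


def verify_file(path: str, expected_md5: str) -> bool:
    with open(path, "rb") as fh:
        return verify_md5(fh.read(), expected_md5)


def triage(lines):
    """Summarise what went wrong: errors, stalled actions, failed dispatchers, bad files."""
    lines = list(lines)
    events = parse_events(lines)
    failed = []
    for e in events:
        m = DISPATCHER_FAIL_RE.search(e.rest)
        if m:
            failed.append(m["id"])
    return {
        "errors": [(e.ts, e.code, e.rest.strip()) for e in events if e.severity == "error"],
        "could_not_execute": [e.code for e in events if "could not execute" in e.rest],
        "failed_dispatchers": failed,
        "checksum_failures": checksum_failures(lines),
    }


# Constructed sample: trimmed copies of the lines posted in this thread.
GUID = "F26F7EC0-1302-4DA7-8B6B-A5383051D41A"
WORK = r"C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A"
DISP = "DispatcherSupplements-2012-09-20T17-09-10-1"
SAMPLE_LOG_LINES = [
    "2012-09-20 12:09:56 : Starting to decode .../Remote Management System/EMLibUpdateAgentNT.exe IsCancelled? 0",
    f"2012-09-20 12:09:56 : Cmd-ALL << [E4004][{WORK}][SAVSCFXP][{GUID}][RECOMMENDED][{GUID}][Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe] Decode operation failed when decoding payload '{GUID}'. Details: Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe",
    f"2012-09-20 12:09:56 : Cmd-ALL << [E400D][ActionDecodeEverything-Sub0][{DISP}] Action 'ActionDecodeEverything-Sub0' with caller '{DISP}' failed!",
    "2012-09-20 12:09:56 : Cmd-ALL << [I0019] Successfully carried out maintenance operation.",
    f"2012-09-20 12:09:56 : Cmd-ALL << [I1017][ActionGenerateCid-Sub0][{DISP}] Action 'ActionGenerateCid-Sub0' with caller '{DISP}' could not execute.",
    r"2012-09-20 12:09:59 : Cmd-ALL << [S0004][C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosPA] The decode operation was successful.",
    f"2012-09-20 12:10:00 : Cmd-ALL << [E400E][{DISP}] Event with dispatcher ID '{DISP}' failed to execute.",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG_LINES)
    for ts, code, rest in summary["errors"]:
        print(f"{ts} {code} {rest[:90]}")
    for name, expected in summary["checksum_failures"]:
        print(f"re-fetch {name}: expected MD5 {expected}")
    print("failed dispatchers:", summary["failed_dispatchers"])
```

On a real SUM log, the `checksum_failures` entry tells you which file to look for in the update location before running Update Now again, and `verify_file` on the copy you find gives a yes/no answer instead of a guess: a copy whose hash no longer matches the logged value is the symptom the reply describes (the earlier detection altered or removed the file), and the fix is to let the update replace it rather than to trust what is on disk.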

  • Azurus wrote:

    Chadster, you have to temporarily turn off On-Access scanning for the script to work... OR

    You can keep it on if you choose, but you must add these exclusions:

    C:\Documents and Settings\All Users\Application Data\Sophos\

    C:\Program Files\Sophos\

    C:\Program Files (x86)\Sophos\

    C:\ProgramData\sophos\



    Keep in mind that this false positive breaks things outside of those exceptions, so if you turn On-Access scanning on with these exceptions, the false positive will still break Adobe Flash and Acrobat updaters, Google Apps related updaters, Sprint and various others. Our scripts will try to move the files back, but the false positive will probably just quarantine those files again, so weigh your options.

  • @jkillbrew

    You are correct, but after the script has been run and the issue corrected, it will not detect those 3rd party updaters as malicious any longer. The exceptions are added so you can run the script without re-quarantining the updater upon running the script.

    Once the issues are solved across the board, you can re-enable On-Access or remove the exceptions.


  • Nathan wrote:

    Pec wrote:

    Following the instructions in the KB article 118311 I managed to get both the servers and all affected workstations updated correctly (verified presence of javab-jd.ide and definitions), however the false positives remain in quarantine on the workstations.  I ran the following on several test machines which clears the local quarantine list. 

    net stop "sophos anti-virus"
    del /f /q "%allusersprofile%\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    del /f /q "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
    net start "sophos anti-virus"

    I then modified and updated the policy so the following directories would once again be scanned by on-access scanning.

    C:\Documents and Settings\All Users\Application Data\Sophos\
    C:\Program Files\Sophos\
    C:\Program Files (x86)\Sophos\
    C:\ProgramData\Sophos\

    Scans of the previously falsely detected files returned clean. I then scanned non-Sophos update agents which were quarantined, Flash Player and Google updater in this case. They returned clean. I verified that the update functions of these applications worked.

    However, before I push this batch file to 2,000 computers I want to understand how the quarantine works. By deleting the XML file are the files truly being un-quarantined, unlocked and returned to their original locations? Just browsing through all the detections I'm seeing dozens of different applications on the quarantine lists. I do not want to cause an even bigger problem, and I do not have the resources to manually remove items from quarantine on each PC. Anybody have a clue on this?

    Thanks!


    The QM is just a list of items that the engine detected on. Clearing the QM doesn't take any action on the files, so if for example the files were moved to the INFECTED folder and you cleared the QM, the files would still be in the INFECTED folder.

    If legitimately infected files are cleared from the QM, the engine will detect them again the next time they are accessed and add a fresh entry to the QM for them.


    Nathan, assuming the "infected" files were not moved but were disabled in place, what then is proper procedure to remove them from quarantine and allow the software updates to run again?
