Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • A KBA with a VB Script to help in cases where files have been moved is being published to our web servers as I write this. Should be up shortly, KBA 118315. I'll update with the hotlink shortly. The advisory KBA will also be updated with the link.

  • Since the action taken against Shh/Updater-B on all machines is either "None" or "Blocked", then none of these files should have been moved from their original locations?

    So there should be no problems with deleting the quarantine file on all machines and acknowledging the alerts to clear them?

  • @Andrew8359
     
    You will need to manually rename them by removing the .000 from their file name and then moving them to their original correct locations. This can be custom scripted, but I'm not sure what Sophos has planned in their script.
  • Anyone know if it's possible to extract the PCs showing in the out-of-date computers list in the SEC?


  • Andrew8359 wrote:

    The QM is just a list of items that the engine detected on. Clearing the QM doesn't take any action on the files, so if for example the files were moved to the INFECTED folder and you cleared the QM, the files would still be in the INFECTED folder.

    If legitimately infected files are cleared from the QM, the engine will detect them again the next time they are accessed and add a fresh entry to the QM for them.


    Nathan, assuming the "infected" files were not moved but were disabled in place, what then is proper procedure to remove them from quarantine and allow the software updates to run again?



    To restore usability of the files, you just need to get the systems updated with javab-jd.ide. The items will still show in the QM after getting the fixed IDE on the system, but the files will no longer be blocked by the scanner. Clearing the QM entries isn't necessary at all really, except from a cosmetic pov.


  • Pec wrote:

    Since the action taken against Shh/Updater-B on all machines is either "None" or "Blocked", then none of these files should have been moved from their original locations?

    So there should be no problems with deleting the quarantine file on all machines and acknowledging the alerts to clear them?


    Correct.


  • Azurus wrote:

    @jkillbrew

    You are correct, but after the script has been run and the issue corrected, it will not detect those 3rd party updaters as malicious any longer. The exceptions are added so you can run the script without re-quarantining the updater upon running the script.

    Once the issues are solved across the board, you can re-enable On-Access or remove the exceptions.


    True, but the only way this will work is if you remove the bad definition as part of the script. Some scripts do remove the definition and restart the SAV service, and those will work just fine, but they do not restore Adobe and other updaters. Scripts that do restore those files do not fix the definition. Maybe I or someone should combine the various scripts together...

    What I mean is, shouldn't SAV catch the updater file during the script's process of copying the file back to its original location, outside of an exception folder, such as an Adobe updater file?


  • Pec wrote:

    Since the action taken against Shh/Updater-B on all machines is either "None" or "Blocked", then none of these files should have been moved from their original locations?

    So there should be no problems with deleting the quarantine file on all machines and acknowledging the alerts to clear them?


    Correct. If your cleanup policy was None or Block, then you should clear the file and you should be fine. Unfortunately, we had ours set to Block and Move.....


  • jkillebrew wrote:

    Azurus wrote:

    @jkillbrew

    You are correct, but after the script has been run and the issue corrected, it will not detect those 3rd party updaters as malicious any longer. The exceptions are added so you can run the script without re-quarantining the updater upon running the script.

    Once the issues are solved across the board, you can re-enable On-Access or remove the exceptions.


    True, but the only way this will work is if you remove the bad definition as part of the script. Some scripts do remove the definition and restart the SAV service, and those will work just fine, but they do not restore Adobe and other updaters. Scripts that do restore those files do not fix the definition. Maybe I or someone should combine the various scripts together...

    What I mean is, shouldn't SAV catch the updater file during the script's process of copying the file back to its original location, outside of an exception folder, such as an Adobe updater file?


    The script I have removes the offending IDE, therefore the next access, whether it be from a script or other method, will proceed as normal. The script to move files back to their original locations should run after the commands to remove the offending IDE and after getting Sophos back on track.
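The restore step discussed in this post and in the earlier "remove the .000 and move them back" post, written out as an added example (not Sophos's KBA script and not any script posted in this thread): it puts back files that a Block-and-Move cleanup renamed with a .000 suffix and moved into the INFECTED folder, refuses to overwrite anything already present, and is meant to run only after the fixed IDE is on the machine, as the posts describe. The INFECTED path, the CSV columns and the sample mapping for swi_update.exe are assumptions constructed for the example.

```powershell
# Added example: restore quarantined files from a name -> original-path map.
# Run with -WhatIf first; nothing is moved until you drop the switch.
function Restore-QuarantinedFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$QuarantineDir,   # the INFECTED folder (path is assumed)
        [Parameter(Mandatory)][object[]]$Map            # rows with QuarantinedName, OriginalPath
    )
    foreach ($row in $Map) {
        $src = Join-Path $QuarantineDir $row.QuarantinedName
        if (-not (Test-Path -LiteralPath $src)) {
            Write-Warning "Not found in quarantine, skipping: $src"
            continue
        }
        # Quarantine name is the original file name with '.000' appended; strip it
        # and make sure it matches the leaf of the recorded original path.
        $restored = $row.QuarantinedName -replace '\.000$', ''
        if ($restored -ne (Split-Path -Leaf $row.OriginalPath)) {
            Write-Warning "Name mismatch for $src (expected $restored), skipping"
            continue
        }
        if (Test-Path -LiteralPath $row.OriginalPath) {
            Write-Warning "Already present, not overwriting: $($row.OriginalPath)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($row.OriginalPath, "Restore from $src")) {
            $dir = Split-Path -Parent $row.OriginalPath
            New-Item -ItemType Directory -Force -Path $dir | Out-Null
            Move-Item -LiteralPath $src -Destination $row.OriginalPath
        }
    }
}

# Constructed sample map (assumption): one row per quarantined file.
$sampleMap = @'
QuarantinedName,OriginalPath
swi_update.exe.000,C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe
'@ | ConvertFrom-Csv

# Assumed INFECTED location; replace with the folder your cleanup policy moved files to.
$infected = 'C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED'

# Dry run: prints "What if:" lines and moves nothing.
Restore-QuarantinedFile -QuarantineDir $infected -Map $sampleMap -WhatIf
```

Export the real mapping from the Quarantine Manager (or your own records) into the same two columns before running it without -WhatIf.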

  • Longun wrote:

    Anyone know if it's possible to extract the PCs showing in the out-of-date computers list in the SEC?


    For connected computers:

    exec dbo.ComputerListOutOfDateGet '2011-08-30 10:30:00:000',1

    For disconnected computers:

    exec dbo.ComputerListOutOfDateGet '2011-08-30 10:30:00:000',0

    You'll need to adjust the date/time as needed. I _believe_ the time is GMT. Execute against the SOPHOS50 db if you are on SEC 5.0, SOPHOS51 db if on SEC 5.1. I haven't checked to see if the stored procedure is present on older versions of SEC, but SOPHOS47 and SOPHOS45 would be the older dbs if you wanted to try it.

    Edit: I think this just gives the computer ID. You could pass that list to a select statement to find the Name. Or if you're on SEC5+, set your filter to Out Of Date Computers, highlight the listed computers, CTRL+C, paste into notepad.
