Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Deleted all instances of EMLIB, started services, ran update, nothing...


  • Jeff1527 wrote:

    Deleted all instances of EMLIB, started services, ran update, nothing...


    Can you post a fresh SUMTrace log please?


  • Azurus wrote:

    jkillebrew wrote:

    Azurus wrote:

    @jkillebrew

    You are correct, but after the script has been run and the issue corrected, it will not detect those 3rd party updaters as malicious any longer. The exceptions are added so you can run the script without re-quarantining the updater upon running the script.

    Once the issues are solved across the board, you can re-enable On-Access or remove the exceptions.


    True, but the only way this will work is if you remove the bad definition as part of the script. Some scripts do remove the definition and restart the SAV service, and those will work just fine, but those do not restore Adobe and other updaters. Scripts that do restore those files do not fix the definition. Maybe I or someone should combine the various scripts together...

    What I mean is, shouldn't SAV catch the updater file during the script's process of copying the file back to its original location, outside of an exception folder, such as an Adobe updater file?


    The script I have removes the offending IDE, therefore the next access, whether it be from a script or other method, will proceed as normal. The script to move files back to their original locations should run after the commands to remove the offending IDE and after getting Sophos back on track.

    Right, so in your case the exceptions mean nothing in the immediate situation. Regardless of whether you put them in, you'd fix the problem.

    There are a few ways to fix this, clearly. We need direction from Sophos, something official. We on this forum had at least 4 scripts posted within a few hours after this hit us. I guess we're awesome. High fives all around!

  • @Nathan, thanks for the info.

  • I got everything to sync up around 9:30; now my SUM is stuck on downloading binaries...

    Any suggestions?

  • Sophos, the VB Script in KBA 118315 is still an insufficient fix. Even though our policy is set to only move, there are many files flagged by Sophos in the "AutoUpdate" folder that do not exist in the "INFECTED" folder to copy back into place. We are having to copy files from the CID back to the "AutoUpdate" folder. Can you please update your script for this functionality?

  • Same checksum error

    2012-09-20 12:49:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/EMLibUpdateAgentNT.exe IsCancelled? 0
    2012-09-20 12:49:55 : EventLog: 3758112772 1 Inserts:> "C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "SAVSCFXP" "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "RECOMMENDED" "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe"
    2012-09-20 12:49:55 : Cmd-ALL << [E4004][C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A][SAVSCFXP][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][RECOMMENDED][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe] Decode operation failed when decoding payload 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe
    2012-09-20 12:49:55 : Cmd-ALL << [E400D][ActionDecodeEverything-Sub0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionDecodeEverything-Sub0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' failed!
    2012-09-20 12:49:55 : Cmd-ALL << [I1021][ActionGenerateCid-Sub0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionGenerateCid-Sub0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' started...
    2012-09-20 12:49:55 : Cmd-ALL << [I1017][ActionGenerateCid-Sub0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionGenerateCid-Sub0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' could not execute.
    2012-09-20 12:49:55 : Cmd-ALL << [I1021][ActionDeployCids-Sub0-0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionDeployCids-Sub0-0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' started...
    2012-09-20 12:49:55 : Cmd-ALL << [I1017][ActionDeployCids-Sub0-0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionDeployCids-Sub0-0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' could not execute.
    2012-09-20 12:49:55 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub1][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionGatherCurrencyData-Sub1' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' started...
    2012-09-20 12:49:55 : GatherCurrencyData: Considering payload Payload-Sub1...
    2012-09-20 12:49:55 : GatherCurrencyData: Payload version information has changed, proceeding.
    2012-09-20 12:49:55 : GatherCurrencyData: Obtaining currency data...
    2012-09-20 12:49:55 : GatherCurrencyData: ReleaseHasRole(EPS) threw an exception, returning false.  Details: Attribute not found.
    2012-09-20 12:49:55 : GatherCurrencyData: No relevant attributes found for this payload.
    2012-09-20 12:49:55 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub1][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionGatherCurrencyData-Sub1' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' succeeded!
    2012-09-20 12:49:55 : Cmd-ALL << [I1021][ActionDeploySDF-Sub1-0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionDeploySDF-Sub1-0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' started...
    2012-09-20 12:49:56 : Cmd-ALL << [S0015][C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosMA][sec][7D48A012-0C64-4F21-BA27-A9CEDF442749][0.0.0] The SDF deployment operation was successful, and no new data files were decoded.
    2012-09-20 12:49:56 : Cmd-ALL << [S0013][C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosMA] The decode operation was successful, and no new data files were decoded.
    2012-09-20 12:49:56 : Cmd-ALL << [I0009][ActionDeploySDF-Sub1-0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionDeploySDF-Sub1-0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' succeeded!
    2012-09-20 12:49:56 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub2][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionGatherCurrencyData-Sub2' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' started...
    2012-09-20 12:49:56 : GatherCurrencyData: Considering payload Payload-Sub2...
    2012-09-20 12:49:56 : GatherCurrencyData: Payload version information has changed, proceeding.
    2012-09-20 12:49:56 : GatherCurrencyData: Obtaining currency data...
    2012-09-20 12:49:56 : GatherCurrencyData: ReleaseHasRole(EPS) threw an exception, returning false.  Details: Attribute not found.
    2012-09-20 12:49:56 : GatherCurrencyData: No relevant attributes found for this payload.
    2012-09-20 12:49:56 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub2][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionGatherCurrencyData-Sub2' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' succeeded!
    2012-09-20 12:49:56 : Cmd-ALL << [I1021][ActionDeploySDF-Sub2-0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionDeploySDF-Sub2-0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' started...
    2012-09-20 12:49:56 : Cmd-ALL << [S0015][C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosPA][PSRVR][2DE69C24-D975-47b2-8D2F-6BEA861A9C75][RECOMMENDED] The SDF deployment operation was successful, and no new data files were decoded.
    2012-09-20 12:49:56 : Cmd-ALL << [S0013][C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Endpoint Management\4.5\Updates\Secure\SDFs\SophosPA] The decode operation was successful, and no new data files were decoded.
    2012-09-20 12:49:56 : Cmd-ALL << [I0009][ActionDeploySDF-Sub2-0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionDeploySDF-Sub2-0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' succeeded!
    2012-09-20 12:49:56 : Cmd-ALL << [I1021][ActionGatherCurrencyData-SDDM][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionGatherCurrencyData-SDDM' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' started...
    2012-09-20 12:49:56 : GatherCurrencyData: Considering payload Payload-SDDM...
    2012-09-20 12:49:56 : GatherCurrencyData: Payload version information has changed, proceeding.
    2012-09-20 12:49:56 : GatherCurrencyData: Obtaining currency data...
    2012-09-20 12:49:57 : GatherCurrencyData: ReleaseHasRole(EPS) threw an exception, returning false.  Details: Attribute not found.
    2012-09-20 12:49:57 : GatherCurrencyData: No relevant attributes found for this payload.
    2012-09-20 12:49:57 : Cmd-ALL << [I0009][ActionGatherCurrencyData-SDDM][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionGatherCurrencyData-SDDM' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' succeeded!
    2012-09-20 12:49:57 : Cmd-ALL << [I1021][ActionDecodeEverything-SDDM][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionDecodeEverything-SDDM' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' started...
    2012-09-20 12:49:57 : Cmd-ALL << [S001A][C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-SDDM\A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1][sum][A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1][RECOMMENDED] The decode operation was successful (and NULL).
    2012-09-20 12:49:57 : Cmd-ALL << [S0013][C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-SDDM] The decode operation was successful, and no new data files were decoded.
    2012-09-20 12:49:57 : Cmd-ALL << [I0009][ActionDecodeEverything-SDDM][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionDecodeEverything-SDDM' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' succeeded!
    2012-09-20 12:49:57 : Cmd-ALL << [E400E][DispatcherSupplements-2012-09-20T17-49-50-1] Event with dispatcher ID 'DispatcherSupplements-2012-09-20T17-49-50-1' failed to execute.
    2012-09-20 12:49:57 : Cmd-ALL << [I1020][DispatcherSupplements-2012-09-20T17-49-50-1] All events with dispatcher ID 'DispatcherSupplements-2012-09-20T17-49-50-1' complete.

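A small triage helper for SUMTrace output like the excerpt above, added here as an example and not code from the thread or from Sophos: it parses the bracketed "Cmd-ALL <<" records, pulls out the checksum mismatch (which payload and file failed to decode) and lists the actions that failed as a result. Reading the code prefix E/I/S as error/info/success is inferred from the excerpt, and the directory prefixes in the constructed sample are shortened.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the SUMTrace excerpt in the thread (directory prefixes shortened).
SAMPLE_LOG = r"""
2012-09-20 12:49:55 : Cmd-ALL << [E4004][C:\SUM\Working\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A][SAVSCFXP][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][RECOMMENDED][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe] Decode operation failed when decoding payload 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe
2012-09-20 12:49:55 : Cmd-ALL << [E400D][ActionDecodeEverything-Sub0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionDecodeEverything-Sub0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' failed!
2012-09-20 12:49:55 : Cmd-ALL << [I1017][ActionGenerateCid-Sub0][DispatcherSupplements-2012-09-20T17-49-50-1] Action 'ActionGenerateCid-Sub0' with caller 'DispatcherSupplements-2012-09-20T17-49-50-1' could not execute.
2012-09-20 12:49:55 : GatherCurrencyData: Considering payload Payload-Sub1...
2012-09-20 12:49:56 : Cmd-ALL << [S0015][C:\SUM\SDFs\SophosMA][sec][7D48A012-0C64-4F21-BA27-A9CEDF442749][0.0.0] The SDF deployment operation was successful, and no new data files were decoded.
2012-09-20 12:49:57 : Cmd-ALL << [E400E][DispatcherSupplements-2012-09-20T17-49-50-1] Event with dispatcher ID 'DispatcherSupplements-2012-09-20T17-49-50-1' failed to execute.
"""
# Structured lines look like: "<timestamp> : Cmd-ALL << [CODE][field]...[field] free text"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) : Cmd-ALL << (?P<fields>(?:\[[^\]]*\])+) ?(?P<msg>.*)$")
FIELD_RE = re.compile(r"\[([^\]]*)\]")
CHECKSUM_RE = re.compile(r"Checksum error: (?P<expected>\S+) -> (?P<file>\S+)")
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

@dataclass
class Event:
    ts: str
    code: str          # e.g. E4004; leading letter read as severity (E/I/S), an assumption from the excerpt
    fields: List[str]  # remaining bracketed fields: paths, action names, dispatcher ids, payload GUIDs
    msg: str

def parse_sumtrace(text: str) -> List[Event]:
    """Parse the 'Cmd-ALL <<' lines; unstructured progress lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields = FIELD_RE.findall(m.group("fields"))
            events.append(Event(m.group("ts"), fields[0], fields[1:], m.group("msg")))
    return events

def checksum_failures(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(payload GUID, expected checksum, file) for each error event caused by a checksum mismatch."""
    out = []
    for ev in events:
        m = CHECKSUM_RE.search(ev.msg) if ev.code.startswith("E") else None
        if m:
            payload = next((f for f in ev.fields if GUID_RE.fullmatch(f)), "?")
            out.append((payload, m.group("expected"), m.group("file")))
    return out

def failed_actions(events: List[Event]) -> List[str]:
    # SUM actions reported as failed: an E-code whose first field is the action name
    return [ev.fields[0] for ev in events if ev.code.startswith("E") and ev.fields and ev.fields[0].startswith("Action")]
```

Run it over a full SUMTrace.log instead of SAMPLE_LOG to see at a glance which payload's checksum is wrong and which downstream actions (CID generation, deployment) were skipped because of it.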
  • Nathan

    I managed to copy files back in place that were deleted on my server and I have the SEC on the server updated and the ALMON.exe works on the SEC on the Server.

    Also in SCC the Update option finally works.  I told it to populate down to the endpoints.  The only problem is the endpoints still have the ALMON.exe error and it doesn't load, so they are not updating.

    I have tried rereading through the 87 pages of this board.  On the workstations, what is my next best step?

    Thanks for your reply last night.  At least you got me started.

    Jim K in AZ


  • jkrous wrote:

    Sophos, the VB Script in KBA 118315 is still an insufficient fix. Even though our policy is set to only move, there are many files flagged by Sophos in the "AutoUpdate" folder that do not exist in the "INFECTED" folder to copy back into place. We are having to copy files from the CID back to the "AutoUpdate" folder. Can you please update your script for this functionality?


    Hi,

    I'll notify the writer of the script though and see what we can do.


  • AZJim_K wrote:

    Nathan

    I managed to copy files back in place that were deleted on my server and I have the SEC on the server updated and the ALMON.exe works on the SEC on the Server.

    Also in SCC the Update option finally works.  I told it to populate down to the endpoints.  The only problem is the endpoints still have the ALMON.exe error and it doesn't load, so they are not updating.

    I have tried rereading through the 87 pages of this board.  On the workstations, what is my next best step?

    Thanks for your reply last night.  At least you got me started.

    Jim K in AZ


    Someone posted in the last 5 or 6 pages a batch file that copies the Autoupdate files from the update location to the endpoint. I think something like that is your best bet. Post back if you weren't able to find the batch file I'm referring to.
