
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



This thread was automatically locked due to age.
  • Has anyone tried to deploy any of these batch files via GPO? I've tried the popular one from Stewart Moss which executes fine when manually run, but it hangs when applied via GPO. Thanks.


  • Jeff1527 wrote:

    Same checksum error

    2012-09-20 12:49:55 : Starting to decode C:/Documents and Settings/All Users/Application Data/Sophos/Update Manager/Working/Decoded-Sub0/F26F7EC0-1302-4DA7-8B6B-A5383051D41A/rms/program files/Sophos/Remote Management System/EMLibUpdateAgentNT.exe IsCancelled? 0
    2012-09-20 12:49:55 : EventLog: 3758112772 1 Inserts:> "C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "SAVSCFXP" "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "RECOMMENDED" "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe"


    Hi Jeff,

    Sorry for the continued difficulty. Could I have you try renaming the %allusersprofile%\Sophos\Update Manager\Update Manager\Warehouse directory and try to update again? It's a bit of a heavy-handed "fix" that I typically don't resort to, but it may be quicker than trying to get to the bottom of whatever is going on here.


  • N8Dawg wrote:

    Has anyone tried to deploy any of these batch files via GPO? I've tried the popular one from Stewart Moss which executes fine when manually run, but it hangs when applied via GPO. Thanks.


    The only issue I can think of off the top of my head is that if the script is run as a user startup script, and the user doesn't have sufficient rights to the folders in question, then there may be a problem. A machine startup script would elevate the permissions of the batch file and would get around that issue. Not sure if that is what is causing the problem for you though.

  • Hey,

    If we delete the Quarantine.xml file manually, when the client communicates back to the SEC should the alerts be cleared?

    Or do we need to manually acknowledge the alerts?

  • It does not do anything. It does not recreate the Warehouse folder.

    2012-09-20 13:09:50 : Cmd-ALL << [I1018][DispatcherSupplements-2012-09-20T18-09-50-3][1] Started dispatcher with ID 'DispatcherSupplements-2012-09-20T18-09-50-3'. It will run 1 events.
    2012-09-20 13:09:50 : Cmd-ALL << [I1021][ActionSyncSupplements][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionSyncSupplements' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:50 : Sync failure: Couldn't create catalogue sdds.local.xml
    2012-09-20 13:09:50 : Cmd-ALL << [E401F][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][Couldn't create catalogue sdds.local.xml][RECOMMENDED][SOPHOS] Supplement synchronisation operation failed when synchronising payload 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Couldn't create catalogue sdds.local.xml
    2012-09-20 13:09:50 : Cmd-ALL << [E403C][7D48A012-0C64-4F21-BA27-A9CEDF442749][Not attempted.][0.0.0][SOPHOS] Supplements for payload '7D48A012-0C64-4F21-BA27-A9CEDF442749' could not be synchronised because the synchronise operation failed due to an earlier error.
    2012-09-20 13:09:50 : Cmd-ALL << [E403C][2DE69C24-D975-47b2-8D2F-6BEA861A9C75][Not attempted.][RECOMMENDED][SOPHOS] Supplements for payload '2DE69C24-D975-47b2-8D2F-6BEA861A9C75' could not be synchronised because the synchronise operation failed due to an earlier error.
    2012-09-20 13:09:50 : Cmd-ALL << [E403C][A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1][Not attempted.][RECOMMENDED][SOPHOS] Supplements for payload 'A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1' could not be synchronised because the synchronise operation failed due to an earlier error.
    2012-09-20 13:09:50 : Cmd-ALL << [E400D][ActionSyncSupplements][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionSyncSupplements' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' failed!
    2012-09-20 13:09:50 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGatherCurrencyData-Sub0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:50 : GatherCurrencyData: Considering payload Payload-Sub0...
    2012-09-20 13:09:50 : GatherCurrencyData: Sync marked as failed, sending the abort.
    2012-09-20 13:09:50 : Cmd-ALL << [E402D][DispatcherSupplements-2012-09-20T18-09-50-3][F26F7EC0-1302-4DA7-8B6B-A5383051D41A] Gather Currency Data operation invoked by dispatcherId 'DispatcherSupplements-2012-09-20T18-09-50-3' on product with rigid name 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A' has been aborted because the data has not been synchronised correctly.
    2012-09-20 13:09:50 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGatherCurrencyData-Sub0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' succeeded!
    2012-09-20 13:09:50 : Cmd-ALL << [I1021][ActionDecodeEverything-Sub0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionDecodeEverything-Sub0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:50 : Cmd-ALL << [E402A][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][RECOMMENDED] The decode of payload F26F7EC0-1302-4DA7-8B6B-A5383051D41A and requested version RECOMMENDED was aborted because the synchronise is marked as failed.
    2012-09-20 13:09:50 : Cmd-ALL << [E400D][ActionDecodeEverything-Sub0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionDecodeEverything-Sub0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' failed!
    2012-09-20 13:09:50 : Cmd-ALL << [I1021][ActionGenerateCid-Sub0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGenerateCid-Sub0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:50 : Cmd-ALL << [I1017][ActionGenerateCid-Sub0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGenerateCid-Sub0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' could not execute.
    2012-09-20 13:09:50 : Cmd-ALL << [I1021][ActionDeployCids-Sub0-0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionDeployCids-Sub0-0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:50 : Cmd-ALL << [I1017][ActionDeployCids-Sub0-0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionDeployCids-Sub0-0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' could not execute.
    2012-09-20 13:09:50 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub1][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGatherCurrencyData-Sub1' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:50 : GatherCurrencyData: Considering payload Payload-Sub1...
    2012-09-20 13:09:50 : GatherCurrencyData: Sync marked as failed, sending the abort.
    2012-09-20 13:09:50 : Cmd-ALL << [E402D][DispatcherSupplements-2012-09-20T18-09-50-3][7D48A012-0C64-4F21-BA27-A9CEDF442749] Gather Currency Data operation invoked by dispatcherId 'DispatcherSupplements-2012-09-20T18-09-50-3' on product with rigid name '7D48A012-0C64-4F21-BA27-A9CEDF442749' has been aborted because the data has not been synchronised correctly.
    2012-09-20 13:09:50 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub1][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGatherCurrencyData-Sub1' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' succeeded!
    2012-09-20 13:09:50 : Cmd-ALL << [I1021][ActionDeploySDF-Sub1-0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionDeploySDF-Sub1-0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:50 : Cmd-ALL << [E402A][7D48A012-0C64-4F21-BA27-A9CEDF442749][0.0.0] The decode of payload 7D48A012-0C64-4F21-BA27-A9CEDF442749 and requested version 0.0.0 was aborted because the synchronise is marked as failed.
    2012-09-20 13:09:50 : Cmd-ALL << [E400D][ActionDeploySDF-Sub1-0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionDeploySDF-Sub1-0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' failed!
    2012-09-20 13:09:50 : Cmd-ALL << [I1021][ActionGatherCurrencyData-Sub2][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGatherCurrencyData-Sub2' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:50 : GatherCurrencyData: Considering payload Payload-Sub2...
    2012-09-20 13:09:50 : GatherCurrencyData: Sync marked as failed, sending the abort.
    2012-09-20 13:09:50 : Cmd-ALL << [E402D][DispatcherSupplements-2012-09-20T18-09-50-3][2DE69C24-D975-47b2-8D2F-6BEA861A9C75] Gather Currency Data operation invoked by dispatcherId 'DispatcherSupplements-2012-09-20T18-09-50-3' on product with rigid name '2DE69C24-D975-47b2-8D2F-6BEA861A9C75' has been aborted because the data has not been synchronised correctly.
    2012-09-20 13:09:50 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub2][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGatherCurrencyData-Sub2' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' succeeded!
    2012-09-20 13:09:50 : Cmd-ALL << [I1021][ActionDeploySDF-Sub2-0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionDeploySDF-Sub2-0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:50 : Cmd-ALL << [E402A][2DE69C24-D975-47b2-8D2F-6BEA861A9C75][RECOMMENDED] The decode of payload 2DE69C24-D975-47b2-8D2F-6BEA861A9C75 and requested version RECOMMENDED was aborted because the synchronise is marked as failed.
    2012-09-20 13:09:50 : Cmd-ALL << [E400D][ActionDeploySDF-Sub2-0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionDeploySDF-Sub2-0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' failed!
    2012-09-20 13:09:50 : Cmd-ALL << [I1021][ActionGatherCurrencyData-SDDM][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGatherCurrencyData-SDDM' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:50 : GatherCurrencyData: Considering payload Payload-SDDM...
    2012-09-20 13:09:50 : GatherCurrencyData: Sync marked as failed, sending the abort.
    2012-09-20 13:09:50 : Cmd-ALL << [E402D][DispatcherSupplements-2012-09-20T18-09-50-3][A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1] Gather Currency Data operation invoked by dispatcherId 'DispatcherSupplements-2012-09-20T18-09-50-3' on product with rigid name 'A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1' has been aborted because the data has not been synchronised correctly.
    2012-09-20 13:09:50 : Cmd-ALL << [I0009][ActionGatherCurrencyData-SDDM][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGatherCurrencyData-SDDM' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' succeeded!
    2012-09-20 13:09:51 : Cmd-ALL << [I1021][ActionDecodeEverything-SDDM][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionDecodeEverything-SDDM' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' started...
    2012-09-20 13:09:51 : Cmd-ALL << [E402A][A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1][RECOMMENDED] The decode of payload A845A8B5-6532-4EF1-B19E-1DB2B3CB73D1 and requested version RECOMMENDED was aborted because the synchronise is marked as failed.
    2012-09-20 13:09:51 : Cmd-ALL << [E400D][ActionDecodeEverything-SDDM][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionDecodeEverything-SDDM' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' failed!
    2012-09-20 13:09:51 : Cmd-ALL << [E400E][DispatcherSupplements-2012-09-20T18-09-50-3] Event with dispatcher ID 'DispatcherSupplements-2012-09-20T18-09-50-3' failed to execute.
    2012-09-20 13:09:51 : Cmd-ALL << [I1020][DispatcherSupplements-2012-09-20T18-09-50-3] All events with dispatcher ID 'DispatcherSupplements-2012-09-20T18-09-50-3' complete.
    2012-09-20 13:10:50 : Thu Sep 20 13:10:50 2012 - No action
    2012-09-20 13:10:50 : Thu Sep 20 13:10:50 2012 - No action
    2012-09-20 13:10:50 : Thu Sep 20 13:10:50 2012 - No action
    2012-09-20 13:10:50 : Thu Sep 20 13:10:50 2012 - No action
    2012-09-20 13:11:50 : Thu Sep 20 13:11:50 2012 - No action
    2012-09-20 13:11:50 : Thu Sep 20 13:11:50 2012 - No action
    2012-09-20 13:11:50 : Thu Sep 20 13:11:50 2012 - No action
    2012-09-20 13:11:50 : Thu Sep 20 13:11:50 2012 - No action

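The two log excerpts above (the "Checksum error" event from the earlier post and the Cmd-ALL error cascade here) are hard to read by eye because one real failure produces a dozen knock-on lines. The following is an added example, not Sophos code and not something any poster in this thread supplied: a small Python triage script that parses those Update Manager log line shapes, records the first error code per payload rigid name, and separates the root failure from the "due to an earlier error" cascade. The embedded sample log is constructed from the excerpts posted in this thread, trimmed to a few representative lines; the set of "cascade" codes is inferred from the wording of those lines, not taken from any Sophos code table.

```python
"""Triage helper for Sophos Update Manager (SUM) log excerpts.

Added example, not Sophos code. It pulls the symptoms visible in the logs
posted in this thread out of the noise ("Checksum error" events, "Sync
failure" lines and Cmd-ALL error codes) and maps them to the payload rigid
name they affect, so the root failure is separated from its knock-on cascade.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied in shape from the excerpts posted above,
# trimmed to a few representative entries. Not a live capture.
SAMPLE_LOG = r"""2012-09-20 12:49:55 : EventLog: 3758112772 1 Inserts:> "C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Working\.\Decoded-Sub0\F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "SAVSCFXP" "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "RECOMMENDED" "F26F7EC0-1302-4DA7-8B6B-A5383051D41A" "Checksum error: 1f34572837d9904ed93222719dae2762x000 -> EMLibUpdateAgentNT.exe"
2012-09-20 13:09:50 : Sync failure: Couldn't create catalogue sdds.local.xml
2012-09-20 13:09:50 : Cmd-ALL << [E401F][F26F7EC0-1302-4DA7-8B6B-A5383051D41A][Couldn't create catalogue sdds.local.xml][RECOMMENDED][SOPHOS] Supplement synchronisation operation failed when synchronising payload 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A'. Details: Couldn't create catalogue sdds.local.xml
2012-09-20 13:09:50 : Cmd-ALL << [E403C][7D48A012-0C64-4F21-BA27-A9CEDF442749][Not attempted.][0.0.0][SOPHOS] Supplements for payload '7D48A012-0C64-4F21-BA27-A9CEDF442749' could not be synchronised because the synchronise operation failed due to an earlier error.
2012-09-20 13:09:50 : Cmd-ALL << [E402D][DispatcherSupplements-2012-09-20T18-09-50-3][F26F7EC0-1302-4DA7-8B6B-A5383051D41A] Gather Currency Data operation invoked by dispatcherId 'DispatcherSupplements-2012-09-20T18-09-50-3' on product with rigid name 'F26F7EC0-1302-4DA7-8B6B-A5383051D41A' has been aborted because the data has not been synchronised correctly.
2012-09-20 13:09:50 : Cmd-ALL << [I0009][ActionGatherCurrencyData-Sub0][DispatcherSupplements-2012-09-20T18-09-50-3] Action 'ActionGatherCurrencyData-Sub0' with caller 'DispatcherSupplements-2012-09-20T18-09-50-3' succeeded!
2012-09-20 13:09:51 : Cmd-ALL << [E400E][DispatcherSupplements-2012-09-20T18-09-50-3] Event with dispatcher ID 'DispatcherSupplements-2012-09-20T18-09-50-3' failed to execute.
2012-09-20 13:10:50 : Thu Sep 20 13:10:50 2012 - No action
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) : "
CHECKSUM_RE = re.compile(TS + r'EventLog:.*"Checksum error: (?P<digest>\S+) -> (?P<file>[^"]+)"')
SYNC_RE = re.compile(TS + r"Sync failure: (?P<msg>.*)")
CMD_RE = re.compile(TS + r"Cmd-ALL << \[(?P<code>[EIW]\w{4})\]\[(?P<subject>[^\]]+)\]")
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}")

# Codes whose message text in the posted log says they are consequences of an
# earlier failure ("due to an earlier error", "synchronise is marked as failed").
# Assumption drawn from that wording, not a documented Sophos code table.
CASCADE_CODES = {"E403C", "E402D", "E402A", "E400D", "E400E"}


@dataclass
class UpdateDiagnosis:
    checksum_errors: List[Tuple[str, str]] = field(default_factory=list)  # (digest, file)
    sync_failures: List[str] = field(default_factory=list)
    failed_payloads: Dict[str, str] = field(default_factory=dict)  # rigid name -> first E-code
    first_error: Optional[str] = None  # earliest Cmd-ALL E-code line; usually the root cause


def diagnose(log_text: str) -> UpdateDiagnosis:
    d = UpdateDiagnosis()
    for line in log_text.splitlines():
        m = CHECKSUM_RE.match(line)
        if m:
            d.checksum_errors.append((m["digest"], m["file"]))
            continue
        m = SYNC_RE.match(line)
        if m:
            d.sync_failures.append(m["msg"])
            continue
        m = CMD_RE.match(line)
        if not m or not m["code"].startswith("E"):
            continue  # informational (I...) lines are not failures
        if d.first_error is None:
            d.first_error = f"{m['ts']} [{m['code']}] {m['subject']}"
        # Keep the first error seen per payload; later cascade codes must not
        # overwrite the code that actually explains why it failed.
        for rigid in GUID_RE.findall(line):
            d.failed_payloads.setdefault(rigid, m["code"])
    return d


def root_payloads(d: UpdateDiagnosis) -> List[str]:
    """Payloads whose first error is not a knock-on code; start the fix there."""
    return [r for r, code in d.failed_payloads.items() if code not in CASCADE_CODES]


def is_healthy(d: UpdateDiagnosis) -> bool:
    return not (d.checksum_errors or d.sync_failures or d.failed_payloads)


def report(d: UpdateDiagnosis) -> str:
    if is_healthy(d):
        return "no checksum, sync or Cmd-ALL errors found"
    roots = root_payloads(d)
    lines = [f"checksum mismatch: {f} (recorded digest {h})" for h, f in d.checksum_errors]
    lines += [f"sync failure: {msg}" for msg in d.sync_failures]
    lines += [f"root failing payload: {r} [{d.failed_payloads[r]}]" for r in roots]
    cascade = [r for r in d.failed_payloads if r not in roots]
    if cascade:
        lines.append(f"{len(cascade)} payload(s) skipped as a consequence: {', '.join(cascade)}")
    if d.checksum_errors or d.sync_failures:
        # The Sophos reply earlier in this thread suggests renaming the Update
        # Manager Warehouse directory so the next update re-fetches from scratch.
        lines.append("suggested next step: rename the Warehouse directory and update again")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(diagnose(SAMPLE_LOG)))
```

Run it against a real SUM log by reading the file and passing its text to `diagnose()`; the `first_error` field and `root_payloads()` give you the line and payload to look at first, rather than the last E-code the log happened to end on.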
  • Yep, running as a machine startup script and it hangs... please post if you have gotten this to work. 5,000 machines to fix. Thanks.


    N8Dawg wrote:

    Has anyone tried to deploy any of these batch files via GPO? I've tried the popular one from Stewart Moss which executes fine when manually run, but it hangs when applied via GPO. Thanks.


    The only issue I can think of off the top of my head is that if the script is run as a user startup script, and the user doesn't have sufficient rights to the folders in question, then there may be a problem. A machine startup script would elevate the permissions of the batch file and would get around that issue. Not sure if that is what is causing the problem for you though.

  • I just started working at this company and never used Sophos before. The veteran IT staff are out and I am the only one here today!

    How on earth do I get my Sophos to stop eating itself and update with the new IDE?


  • toddh wrote:

    Hey,

    If we delete the Quarantine.xml file manually, when the client communicates back to the SEC should the alerts be cleared?

    Or do we need to manually acknowledge the alerts?


    I just tested this on my test rig. If the alerts are cleared from the endpoint QM, the next time the client reports to SEC the alert in SEC is automatically cleared.


  • UABMaddog wrote:

    I just started working at this company and never used Sophos before. The veteran IT staff are out and I am the only one here today!

    How on earth do I get my Sophos to stop eating itself and update with the new IDE?


    Please start with the advisory in KBA 118311. Post back if you hit any snags and I'll do my best to assist.

    http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

  • So yesterday, I was able to follow instructions and put affected computers under a policy with on-access scanning turned off, then go to Update Computers and it would run the update. Now, after applying the new policy, Update Computers is greyed out. WTF??
