
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Same here - just won't get updates since yesterday, since all this started.

  • Nathan,

      I checked the Sophos Update Manager under services.msc and that's running. I don't see anything that says "Sophos Autoupdate" with clients that have 10.0. I do see some clients who have 9.5 and the update for that is working fine. 

  • I agree, 

    The tutorial is pretty hard to follow, can we get some pictures and have the directions broken down better?

    QUOTE:

    ------------------------------------------------------------------------------------------------------------------------------------------------------

    Since this is the first time I have even looked at Sophos, where can I find a quick tutorial on using the Sophos Enterprise Console and saving the entire network from destroying itself....Google doesn't seem to have a link to it.....

    Seriously, I have looked at the 118311 article, but don't know how to even begin......for example, I don't even know how to: Check the Anti-virus & Hips policy assigned to the Sophos Update Manager server.......

    Is there a tutorial on the setup and configuration of Sophos Enterprise that I might be able to get through quickly...

    Sorry for the newbie questions, but it sucks being a newbie and the only one here to answer the phone (the freakin' LED burned out on my first line...LOL)

    ------------------------------------------------------------------------------------------------------------------------------------------------------


  • lucas wrote:

    I have a couple of questions about the Advisory 118311

    2. Windows Exclusions
    C:\Documents and Settings\All Users\Application Data\Sophos\
    C:\Program Files\Sophos\
    C:\Program Files (x86)\Sophos\
    C:\ProgramData\Sophos\
    Exclude Remote Files

    Why should we exclude remote files? Isn't a "remote file" any file on a UNC path? Would that block scanning of anything that's not a drive letter - such as DFS shares accessed through the UNC??

    3. Enable Live Protection within the 'Sophos Live Protection' option

    Why? I haven't had this enabled before, why do I need to do it now?


    Live Protection allows you to leverage our cloud feature where we've already flagged the detected files clean. This means that even if you don't have the fixed IDE, if the client does a cloud lookup of the detection (all SHH detections do cloud lookups) then the detection will be bypassed and no alert generated.

    IMO, excluding remote files shouldn't be necessary if the other steps are taken. I suspect it was included just to be thorough.


  • UABMaddog wrote:

    Since this is the first time I have even looked at Sophos, where can I find a quick tutorial on using the Sophos Enterprise Console and saving the entire network from destroying itself....Google doesn't seem to have a link to it.....

    Seriously, I have looked at the 118311 article, but don't know how to even begin......for example, I don't even know how to: Check the Anti-virus & Hips policy assigned to the Sophos Update Manager server.......

    Is there a tutorial on the setup and configuration of Sophos Enterprise that I might be able to get through quickly...

    Sorry for the newbie questions, but it sucks being a newbie and the only one here to answer the phone (the freakin' LED burned out on my first line...LOL)


    Documentation can be found on sophos.com as well as in the Enterprise Console's help file.


  • Procopius wrote:

    Sorry if this has been posted before:

    I have written a batch file that:

    1.  Stops the Sophos Anti-Virus service

    2.  Deletes quarantine.xml

    3.  Starts the Sophos Anti-Virus service

    The problem I am having is that my Sophos Enterprise Console does not update to reflect that a particular host no longer has Virus/Spyware detected.  It does update when I manually open Sophos Endpoint Security and Control and clear the file from Quarantine manager.

    Thanks in advance.


    If you add a restart of the Sophos Agent service to your batch file, that should update the SEC console too.

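A PowerShell version of the batch file described above, with the Sophos Agent restart from the reply folded in. This is an added example, not Procopius's script or anything shipped by Sophos: the two service names are the ones used in the thread, while the location of quarantine.xml is not given anywhere in the thread, so the script takes it as a parameter with an obvious placeholder default that has to be replaced before use. It moves the file aside rather than deleting it, so the record of what was flagged is kept for review.

```powershell
# Added example (not from the thread). Clears a stale quarantine record on one
# endpoint the way the thread describes, then restarts the Sophos Agent so the
# endpoint reports its new status to Enterprise Console.
param(
    # Assumption: the thread never states where quarantine.xml lives. Replace this
    # placeholder with the path used by your installation.
    [string]$QuarantineXml = 'C:\PLACEHOLDER\path\to\quarantine.xml',
    # Assumption: any writable folder for keeping the old quarantine record.
    [string]$BackupDir = 'C:\SophosQuarantineBackup'
)

$ErrorActionPreference = 'Stop'

function Wait-ServiceStatus {
    # Block until the named service reaches the requested state, or fail loudly.
    param([string]$Name, [string]$Status, [int]$TimeoutSec = 60)
    $svc = Get-Service -Name $Name
    $svc.WaitForStatus($Status, [TimeSpan]::FromSeconds($TimeoutSec))
}

# 1. Stop the Sophos Anti-Virus service (service name as used in the thread).
Stop-Service -Name 'Sophos Anti-Virus'
Wait-ServiceStatus -Name 'Sophos Anti-Virus' -Status 'Stopped'

# 2. Move quarantine.xml aside instead of deleting it, keeping a timestamped
#    copy of the detection record; do nothing if the file is already gone.
if (Test-Path -LiteralPath $QuarantineXml) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Move-Item -LiteralPath $QuarantineXml -Destination (Join-Path $BackupDir "quarantine-$stamp.xml")
    Write-Host "Moved $QuarantineXml to $BackupDir"
} else {
    Write-Host "No quarantine.xml at $QuarantineXml; nothing to clear"
}

# 3. Start Sophos Anti-Virus again and confirm it came back.
Start-Service -Name 'Sophos Anti-Virus'
Wait-ServiceStatus -Name 'Sophos Anti-Virus' -Status 'Running'

# 4. Restart the Sophos Agent, as the reply suggests, so the console is told the
#    host is clean (later posts in the thread report this did not always work).
Restart-Service -Name 'Sophos Agent'
Wait-ServiceStatus -Name 'Sophos Agent' -Status 'Running'

Get-Service -Name 'Sophos Anti-Virus', 'Sophos Agent' | Format-Table Name, Status
```

Run it elevated on the endpoint; if the console still shows the host as infected afterwards, the thread's fallback of manually acknowledging the alert in SEC still applies.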
  • @dspigelman

    After looking again, it looks like you may have forgotten to add the other line inside the script for your UNC path. There are two places where you have to enter the address of your staging directory. The second one is for Windows 7 machines and 64-bit machines.

    Take a look at the script and make sure.


  • Procopius wrote:

    Sorry if this has been posted before:

    I have written a batch file that:

    1.  Stops the Sophos Anti-Virus service

    2.  Deletes quarantine.xml

    3.  Starts the Sophos Anti-Virus service

    The problem I am having is that my Sophos Enterprise Console does not update to reflect that a particular host no longer has Virus/Spyware detected.  It does update when I manually open Sophos Endpoint Security and Control and clear the file from Quarantine manager.

    Thanks in advance.


    I did the same thing.

    I just finished running it against 75 computers in my environment and not a single one has cleared from the SEC.

    I am going to wait a little bit to see if the server just needs some time to process it.

    If it doesn't clear, a manual acknowledgement may be necessary.


  • Nathan wrote:

    Procopius wrote:

    Sorry if this has been posted before:

    I have written a batch file that:

    1.  Stops the Sophos Anti-Virus service

    2.  Deletes quarantine.xml

    3.  Starts the Sophos Anti-Virus service

    The problem I am having is that my Sophos Enterprise Console does not update to reflect that a particular host no longer has Virus/Spyware detected.  It does update when I manually open Sophos Endpoint Security and Control and clear the file from Quarantine manager.

    Thanks in advance.


    If you add a restart of the Sophos Agent service to your batch file, that should update the SEC console too.
    I have added the Sophos Agent part to my batch file but the console does not seem to update the virus status of the clients.

  • Hi Nathan,

    I added a net stop and net start for "Sophos Agent" to my batch file.  I am afraid I am in the same boat with toodh and AndreLtbg.  The SEC has still not updated for those machines.  I am okay with manually acknowledging the errors in SEC, but I would prefer not to if another method can be found.

    Just to reiterate, the SEC does update within 5 seconds when you manually clear the files from quarantine manager.

    Thanks,
