Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Nathan, 

    I performed the following:

    1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
    2. Restart the 'Sophos Anti-Virus Service'
    3. Update SUM via the Sophos Enterprise Console

    Checked this location: \\server\SophosUpdate\CIDs\S000\SAVSCFXP\savxp and I do have the javab-jd.ide file; however, SEC is still not updating.

    Please help with any ideas

  • But the virus alert does go away if you manually open up Endpoint Security and Control and clear the files from Quarantine Manager.  I think I am going to resign myself to manually acknowledging the alerts in SEC. 


  • dspigelman wrote:

    @Azurus

    Still getting the error loading external resources (0x9007007e) message. You were right about the UNC path - you said that the name of your server was SHIELDV2, so I searched on that the first time, but it was only in the script once. This time I searched for \\ and found them both. However, the first version had already been run, which may have caused the problem. In the meantime, I can't run or uninstall the AutoUpdater because of this error. I'm running Revo Uninstaller to clear it all out. Seems to be the only thing that works.


    Sorry about that, you are right I didn't include my own UNC path in the second field, I left it default since I was using that particular one for a bunch of XP 32-bit machines.

  • What I'm finding is that if you don't delete the quarantine file and restart all of the services, they won't update like they're supposed to. We were fortunate enough that we had our files set to be denied access instead of delete/move if infected. Once we delete the quarantine XML file and restart all of their services, they seem to be working correctly.

    Don't know if that helps anyone, but thought I'd post it nonetheless.

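The clean-up that emsar lists above (delete the bad .ide from both install paths, restart the AV service, check the CID for the replacement .ide) and the quarantine.xml removal described in the post just above are the same kind of endpoint housekeeping, so one script covers both. The PowerShell below is an added example and is not code from this thread or from Sophos. It assumes two things that are not on the page: the service display name is taken literally from the thread ('Sophos Anti-Virus Service') and may differ on a real build, and the quarantine.xml location is a placeholder you must set yourself. It backs files up before removing them so the record of what was quarantined survives, and it supports -WhatIf so you can see what it would do first.

```powershell
# Added example (not from this thread or from Sophos). Removes a suspect IDE file,
# optionally backs up and removes quarantine.xml, restarts the AV service, then
# checks that the replacement IDE has reached the update share.
# ASSUMPTIONS: $ServiceName is the display name as written in the thread and
# $QuarantineXml is a placeholder; confirm both on one endpoint before wider use.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BadIde        = 'agen-xuv.ide',                                   # named in the thread
    [string]$FixedIde      = 'javab-jd.ide',                                   # named in the thread
    [string]$CidPath       = '\\server\SophosUpdate\CIDs\S000\SAVSCFXP\savxp',  # share quoted in the thread
    [string]$QuarantineXml = 'C:\PLACEHOLDER\quarantine.xml',                  # ASSUMPTION: set your real path
    [string]$ServiceName   = 'Sophos Anti-Virus Service',                      # ASSUMPTION: display name from the thread
    [string]$BackupDir     = (Join-Path $env:ProgramData 'sophos-fp-backup'),
    [switch]$ClearQuarantine                                                   # also remove quarantine.xml
)

# Both install locations listed in emsar's step 1 (32-bit and 64-bit hosts).
$installDirs = @(
    'C:\Program Files\Sophos\Sophos Anti-Virus',
    'C:\Program Files (x86)\Sophos\Sophos Anti-Virus'
)

# Copy a file into the backup directory with a timestamp, then remove the original.
# Returns $true if the file existed, so the caller can report what it found.
function Backup-AndRemove {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupDir ('{0}.{1}' -f (Split-Path $Path -Leaf), $stamp)
    if ($PSCmdlet.ShouldProcess($Path, "back up to $dest and remove")) {
        Copy-Item -LiteralPath $Path -Destination $dest -Force
        Remove-Item -LiteralPath $Path -Force
        Write-Host "Removed $Path (copy kept at $dest)"
    }
    return $true
}

# Step 1: remove the bad IDE wherever it is installed.
$removedAny = $false
foreach ($dir in $installDirs) {
    if (Backup-AndRemove -Path (Join-Path $dir $BadIde)) { $removedAny = $true }
}
if (-not $removedAny) { Write-Host "$BadIde not present in either install directory" }

# Optional: clear the quarantine file, as described in the post above.
if ($ClearQuarantine) {
    if (-not (Backup-AndRemove -Path $QuarantineXml)) {
        Write-Warning "quarantine.xml not found at $QuarantineXml (check the placeholder path)"
    }
}

# Step 2: restart the AV service and wait for it to come back.
$svc = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue | Select-Object -First 1
if ($null -eq $svc) {
    Write-Warning "No service with display name '$ServiceName'; check the name on this build"
} elseif ($PSCmdlet.ShouldProcess($svc.Name, 'restart service')) {
    Restart-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(1))
    Write-Host "Service $($svc.Name) is $((Get-Service -Name $svc.Name).Status)"
}

# Step 3 check: has the replacement IDE reached the CID, and is the bad one gone?
$fixedOnShare = Test-Path -LiteralPath (Join-Path $CidPath $FixedIde)
$badOnShare   = Test-Path -LiteralPath (Join-Path $CidPath $BadIde)
Write-Host ("CID {0}: {1} present={2}, {3} present={4}" -f $CidPath, $FixedIde, $fixedOnShare, $BadIde, $badOnShare)
if (-not $fixedOnShare) { Write-Warning "Update SUM from the Enterprise Console before endpoints will pick up $FixedIde" }
```

Run it once with -WhatIf to see which files and service it would touch, then with -ClearQuarantine only if you have set $QuarantineXml to the real path. Updating SUM and acknowledging the alerts in SEC remain console actions; as the thread notes, an endpoint whose quarantine.xml was removed by hand does not send the clearing status message, so the alerts still have to be acknowledged in SEC.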

  • AndreLtbg wrote:

    I checked the computer details and the clients did check in with the console. I ran the batch file against a few different machines and forced a reboot afterwards, so far the console is still showing the virus alerts even after the clients checked in after the reboot.


    My apologies. I forgot a key bit. The QM has a routine that sends a status message to SEC to clear the alert on the SEC side after the endpoint QM has been cleared. This doesn't happen when quarantine.xml is deleted manually. Therefore, acknowledging the alerts on the SEC side is also required. My apologies for the earlier misinformation!

    You should be able to select a group of clients, then right click and select Resolve Alerts and Errors. All clients will be displayed. Click Select All then Acknowledge and they should all clear from SEC.


  • emsar wrote:

    Nathan, 

    I performed the following:

    1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
    2. Restart the 'Sophos Anti-Virus Service'
    3. Update SUM via the Sophos Enterprise Console

    Checked this location: \\server\SophosUpdate\CIDs\S000\SAVSCFXP\savxp and I do have the javab-jd.ide file; however, SEC is still not updating.

    Please help with any ideas


    Can you please explain what you mean by "SEC is still not updating"? Everyone has a different meaning behind that statement so I want to make sure we're on the same page.

  • Sophos Enterprise Console -- essentially our update manager

  • What is the average wait time for a call back? Getting frustrated at this point.

  • Maybe I missed something, but has Sophos or anyone posted a script to delete the quarantine xml file?


  • emsar wrote:

    Sophos Enterprise Console


    Sorry, I was with you on the SEC abbreviation, just wasn't sure what you meant by "not updating". Do you mean the virus alerts are still present? The Last Updated value for SUM doesn't change? The endpoints say Not Since?
