
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Might be onto something.  I mistakenly installed the SUM software on this computer when I was trying to get sophos reinstalled before getting onto this forum.  I did uninstall it a while ago, and after your tip here, I removed it from the Update Managers list.  Unfortunately, I am getting the same results when trying to run the setup.exe program or when I try to push it from the console.

If you had your AV policy set to delete, we have had success using the batch file submitted earlier in this thread with a few mods as follows:

    REM Stop every Sophos service so the updater files and the quarantine store can be replaced
    Net Stop "Sophos Anti-Virus"
    net stop "Sophos AutoUpdate Service"
    net stop "Sophos Agent"
    net stop "Sophos Anti-Virus status reporter"
    net stop "Sophos Device Control Service"
    net stop "Sophos Message Router"
    net stop "Sophos Web Control Service"

    REM Remove the IDE file behind the false positive (64-bit and 32-bit install paths)
    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo File Deleted)
    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo File Deleted)

    REM Pull a clean copy of the AutoUpdate files from the CID share (replace "Your Server Name")
    xcopy "\\Your Server Name\SophosUpdate\CIDs\S000\SAVSCFXP\SAU\program files\Sophos\AutoUpdate\*.*" "c:\SophosFix\AUFiles\"

    REM Put the AutoUpdate files the delete policy removed back into whichever install path exists
    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\savmain.exe" (Copy "c:\SophosFix\AUFiles\*.*" "C:\Program Files (x86)\Sophos\AutoUpdate"&Echo Files Copied)
    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\savmain.exe" (Copy "c:\SophosFix\AUFiles\*.*" "C:\Program Files\Sophos\AutoUpdate"&Echo Files Copied)

    REM Clear the local quarantine store (Vista-and-later location, then the XP location)
    Del "C:\ProgramData\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml"
    Del "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml"

    net start "Sophos AutoUpdate Service"
    Net Start "Sophos Anti-Virus"
    net start "Sophos Agent"
    net start "Sophos Anti-Virus status reporter"
    net start "Sophos Device Control Service"
    net start "Sophos Message Router"
    net start "Sophos Web Control Service"
    shutdown -r -t 001

    This will cause the workstation to reboot immediately.

    We have 2800 machines and half of them did not update.  We will be working through the night to get back to normal. 

  • Nathan

    Thanks for all of your help on here.  It took a while but I finally got all of my endpoints to update and the crisis is over.  You should get an Olympic Gold Medal in Sophos Support after the last couple of days.

    Thanks again for all of your posts!

    Jim K in AZ

  • Hi,

    Maybe this post will inspire others.

    /search?q= 31959

    The script in there only clears the QM but the script could be extended, it's more the deployment method that might be appealing.

    Regards

    Jak

  • Folks,

    I've been following this thread on-and-off since the "fun" started (there were only 9 pages in the thread when I first found it... seems like a lifetime ago!) and since I'm a Kaseya admin as well as the manager of an MSP-model Sophos deployment, it's been quite valuable along the way as I figure out the best way to deal with this "situation."

    With the updated files I'm not seeing new infections, and I've cleaned the infection status flags via EC, but getting rid of the local Quarantine status indicators on end-user machines has proved trickier. If you want to test a machine to see if it "caught" the false-positive (thus populating Quarantine.XML) and then wipe out that XML to clear out the Quarantine... here's a Kaseya 6.x script to do that. It's a one-time job; running it repeatedly may not actually hurt but it won't help, either. Kaseya gurus may want to add some kind of way to flag this on a given system so it doesn't get re-run by accident.

    (Note that I'm not checking the XML directly: I found the hard way that some XML files aren't listing the Updater-B items, even though the items show up in the client GUI! Frustrating.)

    This script relies on 'grep.exe', which is part of the UnxUtils package.

    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.kaseya.com/vsa/2008/12/Scripting">
      <Procedure name="Sophos Updater-B Cleanup - kk" treePres="3" id="2015816798" folderId="42742512225121243118194173">
        <Body description="After Sophos released their broken update that found all &quot;updater&quot; processes to be &quot;viruses&quot;, now we have to clean up each and every Quarantine file on each affected endpoint.&#xA;&#xA;If we can.">
          <If description="">
            <Condition name="TestFile">
              <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\grep.exe" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="NotExists" />
              <Parameter xsi:type="StringParameter" name="Value" value="" />
            </Condition>
            <Then>
              <Statement description="Write the selected file to the machine at the path specified - full path required." name="WriteFile" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\grep.exe" />
                <Parameter xsi:type="StringParameter" name="ManagedFile" value="VSASharedFiles\UnxUtils\grep.exe" />
                <Parameter xsi:type="BooleanParameter" name="DeleteAfter" value="False" />
              </Statement>
            </Then>
          </If>
          <If description="">
            <Condition name="TestFile">
              <Parameter xsi:type="StringParameter" name="Path" value="C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />
              <Parameter xsi:type="StringParameter" name="Value" value="" />
            </Condition>
            <Then>
              <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                <Parameter xsi:type="StringParameter" name="Comment" value="Sophos quarantine file exists in ProgramData" />
              </Statement>
              <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                <Parameter xsi:type="StringParameter" name="Command" value="type &quot;C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt&quot; | #vAgentConfiguration.agentTempDir#\grep.exe -i &quot;updater-b&quot; &gt;&gt; #vAgentConfiguration.agentTempDir#\SAVUpdaterB.txt" />
                <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
              </Statement>
              <If description="">
                <Condition name="TestFile">
                  <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\SAVUpdaterB.txt" />
                  <Parameter xsi:type="EnumParameter" name="Condition" value="Contains" />
                  <Parameter xsi:type="StringParameter" name="Value" value="Updater-B" />
                </Condition>
                <Then>
                  <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Comment" value="Sophos: Updater-B false-positive detected in AV logs" />
                  </Statement>
                  <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Command" value="net stop SAVService /y" />
                    <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                    <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
                  </Statement>
                  <Statement description="Delete the specified file - full path to the filename required." name="DeleteFile" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Path" value="C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" />
                  </Statement>
                  <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Command" value="net start savservice" />
                    <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                    <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
                  </Statement>
                  <Statement description="Issues a Stop command to a Windows Service" name="Stop Windows Service" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Parameter1" value="Sophos Agent" />
                  </Statement>
                  <Statement description="Issues a start command to a Windows service" name="Start Windows Service" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Parameter1" value="Sophos Agent" />
                    <Parameter xsi:type="StringParameter" name="Parameter2" value="false" />
                  </Statement>
                </Then>
              </If>
            </Then>
          </If>
          <If description="">
            <Condition name="TestFile">
              <Parameter xsi:type="StringParameter" name="Path" value="C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />
              <Parameter xsi:type="StringParameter" name="Value" value="" />
            </Condition>
            <Then>
              <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                <Parameter xsi:type="StringParameter" name="Comment" value="Sophos quarantine file exists in D&amp;S\All Users" />
              </Statement>
              <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                <Parameter xsi:type="StringParameter" name="Command" value="type &quot;C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt&quot; | #vAgentConfiguration.agentTempDir#\grep.exe -i &quot;updater-b&quot; &gt;&gt; #vAgentConfiguration.agentTempDir#\SAVUpdaterB.txt" />
                <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
              </Statement>
              <If description="">
                <Condition name="TestFile">
                  <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\SAVUpdaterB.txt" />
                  <Parameter xsi:type="EnumParameter" name="Condition" value="Contains" />
                  <Parameter xsi:type="StringParameter" name="Value" value="Updater-B" />
                </Condition>
                <Then>
                  <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Comment" value="Sophos: Updater-B false-positive detected in AV logs" />
                  </Statement>
                  <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Command" value="net stop SAVService /y" />
                    <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                    <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
                  </Statement>
                  <Statement description="Delete the specified file - full path to the filename required." name="DeleteFile" continueOnFail="false" osType="None">
                    <Parameter xsi:type="StringParameter" name="Path" value="C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml" />
                  </Statement>
                  <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Command" value="net start savservice" />
                    <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
                    <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
                  </Statement>
                  <Statement description="Issues a Stop command to a Windows Service" name="Stop Windows Service" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Parameter1" value="Sophos Agent" />
                  </Statement>
                  <Statement description="Issues a start command to a Windows service" name="Start Windows Service" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="Parameter1" value="Sophos Agent" />
                    <Parameter xsi:type="StringParameter" name="Parameter2" value="false" />
                  </Statement>
                </Then>
              </If>
            </Then>
          </If>
        </Body>
      </Procedure>
    </ScriptExport>

    Make of this what you will. Share and enjoy.

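The batch file and the Kaseya procedure above both do the same two things by hand: look for "updater-b" in SAV.txt, then clear Quarantine.xml and restore AutoUpdate from the CID. As an added example (my own code, not from this thread, Sophos or Kaseya), this Python script runs that triage over a constructed sample of log lines: it keeps only Shh/Updater-B hits on Sophos's own updater paths as the false positive, lists which of those files the delete policy actually removed, maps them to their copy in the CID, and leaves every other detection for normal review. The record layout, the timestamps, the sample paths and the CID folder argument are all assumptions.

```python
import re

# Record shape follows the alert text quoted at the top of this thread; the timestamp
# prefix and trailing action sentence are assumptions, not a documented SAV.txt layout.
DETECTION_RE = re.compile(
    r"Virus/spyware '(?P<threat>[^']+)' has been detected in "
    r'"(?P<path>[^"]+)"\.\s*(?P<action>[^.]*)'
)

# Only Sophos's own updater locations (the ones named in this thread) are auto-classified
# as the false positive; a Shh/Updater-B hit anywhere else is left for a human to review.
SOPHOS_UPDATER_DIRS = (
    "\\sophos\\autoupdate\\",
    "\\sophos\\sophos anti-virus\\web intelligence\\",
)

# Constructed sample SAV.txt lines for the demo, not a real capture.
SAMPLE_SAV_LOG = [
    "20120919 183201 Virus/spyware 'Shh/Updater-B' has been detected in "
    "\"C:\\Program Files\\Sophos\\Sophos Anti-Virus\\Web Intelligence\\swi_update.exe\". Cleanup unavailable.",
    "20120919 183204 Virus/spyware 'Shh/Updater-B' has been detected in "
    "\"C:\\Program Files\\Sophos\\AutoUpdate\\ALUpdate.exe\". File deleted.",
    "20120919 183210 Virus/spyware 'Shh/Updater-B' has been detected in "
    "\"C:\\Program Files\\Adobe\\Reader\\AdobeARM.exe\". Cleanup unavailable.",
    "20120919 190000 Virus/spyware 'EICAR-AV-Test' has been detected in "
    "\"C:\\Users\\bob\\Downloads\\eicar.com\". File deleted.",
    "20120919 190001 Update succeeded (no detection on this line)",
]

def parse_sav_log(lines):
    """Yield (threat, path, action) for each detection record; skip other lines."""
    for line in lines:
        m = DETECTION_RE.search(line)
        if m:
            yield m.group("threat"), m.group("path"), m.group("action").strip()

def is_sophos_updater_false_positive(threat, path):
    """True only for Shh/Updater-B on a file inside a Sophos updater directory."""
    lowered = path.lower()
    return threat.lower() == "shh/updater-b" and any(d in lowered for d in SOPHOS_UPDATER_DIRS)

def triage(lines):
    """Bucket detections: false_positives (clear their quarantine entries, as the scripts
    above do), restore (the delete policy removed them; copy back from the CID share),
    review (anything else; treat as a real detection)."""
    result = {"false_positives": [], "restore": [], "review": []}
    for threat, path, action in parse_sav_log(lines):
        if is_sophos_updater_false_positive(threat, path):
            result["false_positives"].append(path)
            if "deleted" in action.lower():
                result["restore"].append(path)
        else:
            result["review"].append((threat, path))
    return result

def cid_source_for(local_path, cid_autoupdate_dir):
    r"""Map a deleted AutoUpdate file to its copy under the CID share's
    ...\SAU\program files\Sophos\AutoUpdate folder (where the batch file above
    copies from). Returns None for a file that is not an AutoUpdate component."""
    marker = "\\sophos\\autoupdate\\"
    idx = local_path.lower().find(marker)
    if idx < 0:
        return None
    return cid_autoupdate_dir.rstrip("\\") + "\\" + local_path[idx + len(marker):]
```

Call triage(SAMPLE_SAV_LOG) to see the three buckets; on a real endpoint, feed it the lines of SAV.txt and check the regex against your own log first.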

  • bssd wrote:

    If you had your AV policy set to delete, we have had success using the batch file submitted earlier in this thread with a few mods as follows:

    Net Stop "Sophos Anti-Virus"
    net stop "Sophos AutoUpdate Service"
    net stop "Sophos Agent"
    net stop "Sophos Anti-Virus status reporter"
    net stop "Sophos Device Control Service"
    net stop "Sophos Message Router"
    net stop "Sophos Web Control Service"

    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo File Deleted)
    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo File Deleted)

    xcopy "\\Your Server Name\SophosUpdate\CIDs\S000\SAVSCFXP\SAU\program files\Sophos\AutoUpdate\*.*" "c:\SophosFix\AUFiles\"

    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\savmain.exe" (Copy "c:\SophosFix\AUFiles\*.*" "C:\Program Files (x86)\Sophos\AutoUpdate"&Echo Files Copied)
    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\savmain.exe" (Copy "c:\SophosFix\AUFiles\*.*" "C:\Program Files\Sophos\AutoUpdate"&Echo Files Copied)

    Del "C:\ProgramData\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml"
    Del "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml"

    net start "Sophos AutoUpdate Service"
    Net Start "Sophos Anti-Virus"
    net start "Sophos Agent"
    net start "Sophos Anti-Virus status reporter"
    net start "Sophos Device Control Service"
    net start "Sophos Message Router"
    net start "Sophos Web Control Service"
    shutdown -r -t 001

    This will cause the workstation to reboot immediately.

    We have 2800 machines and half of them did not update.  We will be working through the night to get back to normal. 


    No need to start the services prior to restarting the system. They are all set to start automatically. Might speed your process up a touch for you.


  • MJewell wrote:

    Nate - 

    I wish that was the case.. 

    Since this message, I was able to get my core to update, but now the endpoints are all telling me that the uninstall of the AutoUpdate failed so they won't do anything. I'm trying some of the other solutions that people have posted. 

    thanks, truly... 

    I honestly think that you are the ONLY one that is really trying to reach out to customers and help. I'd be all for putting in a GREAT word for you with the suits. 


    Sounds like you might have had the cleanup action set to delete. I think in your case you should try copying the contents of the \\server\sophos update\cids\s000\savscfxp\sau\program files\sophos\autoupdate folder to c:\program files\Sophos\autoupdate. That will replace the missing files and allow reprotecting to work again, or simply allow Autoupdate to work again and avoid the need to re-protect. Some others have posted some examples of how to do this.

  • After following all steps ... SUM server update BUT I got: Event Decode Unavailable (Event number: "-1604845556" Message Code: "SAVXP.2690121740" Inserts: "0", "", "", "", ""). Advise! 95 pages and counting? jejeje... kind of ridiculous!
  • Well, I guess since I can't get Sophos to work without reinstalling all my freakin' servers I am going to switch virus software! This is ridiculous!!!!!!!

    Absolutely no help from Sophos whatsoever!

    Hello AVG/Norton/any-**bleep**-body-that-responds!

  • Nathan.. Besides being my hero last night, since you've been the only one on vital support (I wonder if you are only one person..), I AM still disappointed after my shift, which went disastrously, taking already more than 24 hrs of my life away, leaving me with a shade of grey on my skull and my amazingly brand new 5 o'clock shadow: I now look like a cheap copy of Billy Joel..

    Last night for a long time there was no usable update from Sophos; I tried your hints, called several hotlines in Europe and America; eventually got some native Irish or Welsh speaker in the UK at Sophos, who was hard to understand. All he proceeded to do was take in my name, email addy and ph#; later on last evening we got the f** facsimile which you guys might have sent out to purposely calm the hitten. :-/

    Between the time of being threatened by Sophos' false positive and your helpful posts last night (and our doubts that one could really advise shutting down the real time scanner) we had quickly killed our SBE server after a decontamination of almost all vital endpoints.. We cannot use the workaround at all since we have tried to replace Sophos with other products (cannot even recall them all anymore, just to make sure our alarm systems will not be attacked). I already tried to reconcile everything but SBE cannot be erased completely at all. I have tons of errors and I'm looking for a straight start-over installation of SBE.

    Please provide me with a clean uninstall and reinstall procedure. I guess many of the sysops from last night would appreciate a workaround like this, now that we have punched our console servers down..

    Cheers

    Peter

    Please do not speak in abbreviations. I already have to fight with loads of them in specific terms; so I would be grateful if you simply gave me a short overview on how to either repair the server, or even better reinstall it, to get a catch on all clients. Today I already figured out that your engine becomes unspecific if the server has more than one Ethernet card... whew...

    Looking forward to reading your post. And: thanks for your kind support last night.. Hope your wifey didn't kick you out after you were late home.. ;-)
