
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Nathan,

    The one system I checked by hand did have Sophos AutoUpdate Service running. I did a reboot, and that cleared up the "Updating Policy", as it now reads "Same as policy" instead of blank. I have now issued reboots across all the systems suffering this symptom, and they are all cleared up now.

    Thanks a million!

    I am running through some quarantine restores now; that should be the last piece of this mess to clean up.

    Thanks to all who have helped throughout the past couple of days. Especially Nathan and the other Sophos support members that have helped out on the Forums and got the advisories and fixes out to us.


  • gb1994 wrote:

    Nathan.. Besides being my hero last night since you've been the only one on vital support (I wonder if you are only one person..) I AM still disappointed after my shift, which has gone disastrously occupied, taking already more than 24hrs of my life away, leaving me ahead with a shade of grey on my skull and my amazingly brand new 5 o'clock shadow: I now look like a cheap copy of Billy Joel..

    Last night for a long time there was no usable update from Sophos; I tried your hints, called several hotlines in Europe and America; eventually got some native Irish or Welsh speaker in the UK at Sophos, who was hard to understand. All he proceeded to do was take my name, email address and phone number; later on last evening we got the f** facsimile which you guys might have sent out to purposely calm those hit. :-/

    Between the time of being threatened by Sophos' false positive and your helpful posts last night (and our doubts that one could really advise shutting down the real time scanner) we had quickly killed our SBE server after a decontamination of almost all vital endpoints.. We cannot use the workaround at all since we have tried to replace Sophos with other products (cannot even recall them all anymore, just to make sure our alarm systems will not be attacked). I already tried to reconcile everything but SBE cannot be erased completely at all. I have tons of errors and I'm looking for a straight start-over installation of SBE.

    Please provide me with a clean uninstall and reinstall procedure. I guess many of the sysops from last night would appreciate a workaround like this, now where we have punched our console servers down..

    Cheers

    Peter

    Please do not speak in abbreviations. I already have to fight with loads of them in specific terms; so I would be grateful if you simply give me a short overview on how to either repair the server, or even better to reinstall it, to get a catch on all clients. Today I already figured out that your engine becomes unspecific if the server has more than one Ethernet card... whew...

    Looking forward to reading your post. And: Thanks for your kind support last night.. Hope your wifey didn't kick you out after you've been late home.. ;-)


    Hi,

    I'm sorry we weren't able to help you more. Without knowing the exact condition of your systems, it would be hard to put a set of directions together for you that I would be sure wouldn't cause you more headache. I would recommend pursuing help through Support again. Sorry I can't help more than that.


  • UABMaddog wrote:

    Well, guess since I can't get sophos to work without reinstalling all my freakin' servers I am going to switch Virus software! This is ridiculous!!!!!!!

    Absolutely no help from Sophos whatsoever!

    Hello AVG/Norton/any-**bleep**-body-that-responds!


    I'm really sorry for your frustration. We are currently updating the advisory with another script to help, which may make your life a little easier. Please keep an eye on the advisory KB in the next 15-20 minutes or so.

  • ...Look at the last post..

    Even though it's not YOUR fault I am considering exactly the same.

    I was fine with Sophos for years; now that Sophos has cluttered us sysops with almost unresolvable problems, in conditions of either swallowing their failure or requesting a clean resolve,.. you ask us to calm down and work for you for free to solve your issues?!?

    Nathan: It's up to you guys from Sophos to either provide us with clean and quick resolutions.., or we simply have to switch to the next nice lookin' one.. For sure you are always going to be a hero for me, but this is your gold, not your company's.. You were tremendously miraculous last night, while you were left alone with all of us scared admins from Sophos' side..

    We do not request who is responsible for the certificate fault; we request quick, clean and proper support for the mess Sophos has done to us.

    We 24/7 ones are so dependent on a quick workaround; customers and family are requesting it in a manner that leaves us no other choice.

    Eat this.

    You (and the other Nathans) have the guts to talk to us; where is the rest of those who made us feel comfortable, now letting us down as your important customers by convincing clients?

    After no sleep for more than 40 hours I might be incorrect in the way I am requesting 100 percent of support; if you think this is some issue to pass on to others then feel free to do so. Else: Monday is my next shopping day; I am sure your competitors will love to take over big endpoint plants..

    No appropriate rescue Monday means no Sophos on my client's systems anymore. I can't help it, I have to make sure my client is satisfied. My clients might only pay two guys at Sophos for a month, but I guess we are not the only ones who feel lost, and will gladly ride the next horse on Monday if it makes us inconvenient as sysops.

    I mean it.

  • The advisory updates are nearly done replicating across the web servers. The advisory has an additional script that can help fix Sophos AutoUpdate in the event that your cleanup option was set to Delete. It can also be used in cases where you are struggling to get the fixed IDE deployed to your endpoints.

    http://www.sophos.com/en-us/support/knowledgebase/118323.aspx is the KB article for the new script.

    http://www.sophos.com/en-us/support/knowledgebase/118311.aspx is the original advisory article.

  • Hi Nathan,

    Referring to the KB:

    http://www.sophos.com/en-us/support/knowledgebase/118323.aspx

    How do I use it in an AD environment via GPO? Can we trigger the vbs file without the commands? E.g. change the value in the vbs file to "fixIssues:true", "updateNow:true" and maybe cid to the Sophos server CIDs?

    Thanks!

  • Nathan,

    I've had a look at the script posted in the KB above. We can deploy the script using our management software but all the machines are at remote sites and the update location provided to all the clients is an HTTP link.

    If we put this HTTP update location (eg http://sophos.company.com/sophos) in the UNC path will the script pick up the required files from this location?

    Our PC policy had a 'delete' action while the server had 'deny access'. It's strange because not all PCs deleted the Sophos FP.

    Cheers,

    Gregor

  • Hi Gregor,

    Unfortunately changing the location to the HTTP path won't work.

    The possibility of having this option is being looked into further as we understand a lot of our customers are updating via this method.

    Regards

  • Hello Sophos

    Is it possible to list the affected machines with a sqlcmd command?

    For example, list all machines which are not up to date or have the false positive malware detected.

    regards

    Linck Tello Flores

    www.innovare.pe

  • MMs,

    Thanks for letting me know. Sites which have a local SUM will be able to update using a UNC path and for the rest we might need to use psexec or the like.

    Cheers,

    Gregor
