
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Sophos knows their code and software better than me.

    However after looking at the script it doesn't look like it would address one problem.

    For us the ALMon.exe or (system tray shield) process was hung or non-responsive, often multiple times in memory and keeping file handles open on both the folder 

    C:\Program Files(x86)\Sophos\Autoupdate

    and files within that folder.

    We had to make sure to "kill" ALMon.exe in memory using the Windows Task Manager, or we could not regain control to replace the directory for AutoUpdate.

    The script appears more targeted and "might" better address the problem by specifically replacing missing pieces, or even enable the current in memory process ALMon.exe to start working.

    But we were concerned the files might not match up version-wise, and chose to replace the entire directory and restart the process from the services.msc MMC control panel, and then manually restart the "ALMon.exe" shield process to get something we knew to be consistent.

    The UNC path only works with windows network shares, as far as I know.

    We also use an http:// repository because we are spread out between a local campus LAN and a wider WAN backed by the Internet.

    So multiple file copies could appear brittle in that scripting has issues with being a general purpose http:// transport.

    Two suggestions there:

    1. Update the script to use the Windows Bitsadmin process to download the pieces as a job. If you can't build a script that uses the Windows API, then download the Win2003 bitsadmin.exe from the Windows resource kit -- I'm pretty sure the oldest version from Win2003 will work on Vista, 7, Windows 2008, R2 -- and use that to perform the downloads and notify you when done.

    2. 7zip is a scriptable Zip compression and extraction tool. Windows has a Zip subsystem API, but does not appear to have a corresponding Unzip API. Mixing and matching wouldn't be a great idea, so just use 7zip.

    Lastly, for less than 100 machines, use some form of remote VPN tunnel system, to enable the UNC path to work.

    But the only universal approach will probably be to use Bitsadmin.

  • Here is an updated version of my cleanup script.

    This has improved 64bit detection thanks to an earlier posting.

    This script stops all the services (using their long names) and deletes the bad definition. It then recreates the autoupdater by copying the files from a clean staging area and then restarts the services and re-fires the Sophos shield icon.

    http://pastebin.com/V3dyaNn5

    @ECHO off
    ECHO.
    ECHO ---------------------------------------------------------------------
    ECHO Sophos Bad-Update Fixer Batch File -
    ECHO            removes bad definition and rebuilds the auto-updater
    ECHO  Written by Stewart Moss from Accumulo Consulting (Pty) Ltd.
    ECHO  Version 1.0.2 - 20-Sept-2012 - Improved 32bit and 64bit detection
    ECHO ---------------------------------------------------------------------
    REM  This script is for Sophos, Sophos Agents and their customers and is intended to simplify
    REM  cleaning up from a bad update definition. This script is to be used at your own RISK.
    REM  Neither Accumulo Consulting (Pty) Ltd nor the Author will take any responsibility for
    REM  any damage done by this script
    REM
    REM NOTE: Please change the paths which say "\\MyServer\Staging\AutoUpdate\" to point to a
    REM copy of the autoupdater which you have placed into a staging area.
    REM
    REM The autoupdater folder in the staging area is the entire folder copied from the CIDs
    REM "\\MyServer\SophosUpdate\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate"
    REM
    REM History: 1.0.2 Script detects between 32bit and 64bit o/s only. Not interested
    REM in which operating system version.
    REM
    REM Known issues... A hung ALMON.EXE keeps file handles open on the AutoUpdate folder and
    REM  the shield does not show, so the process is killed with taskkill before the copy.
    REM  If the copy still fails, kill ALMON.EXE with taskmgr.exe and re-fire this script.
    REM
    ECHO Copyright 2012 by Accumulo Consulting (Pty) Ltd. All rights reserved.
    REM  All copyright information needs to remain as it is.
    ECHO Visit us at: http://www.accumulo.co.za/
    ECHO.
    
    ECHO Stopping Services
    
    NET STOP "Sophos Agent"
    NET STOP "Sophos Anti-Virus"
    NET STOP "Sophos Anti-Virus status reporter"
    NET STOP "Sophos AutoUpdate Service"
    NET STOP "Sophos Message Router"
    NET STOP "Sophos Web Control Service"
    NET STOP "Sophos Web Intelligence Service"
    
    REM The shield process (ALMON.EXE) is often hung and holds handles in the AutoUpdate
    REM folder; kill it so the copy below can replace the files (no error if not running).
    taskkill /F /IM ALMON.EXE >nul 2>&1
    
    REM 32 bit or 64 bit Operating System Detection to copy to the right location
    
    IF EXIST "%ProgramFiles(x86)%" Goto Windows64bit
    
    :Windows32Bit
    ECHO Processing for 32bit operating systems.
    SET "SOPHOSDIR=C:\program files\sophos"
    goto Rebuild
    
    :Windows64bit
    ECHO Processing for 64bit operating systems.
    SET "SOPHOSDIR=C:\program files (x86)\sophos"
    
    :Rebuild
    ECHO Copying AutoUpdate
    xcopy "\\MyServer\Staging\AutoUpdate\*.*" "%SOPHOSDIR%\AutoUpdate\" /S /E /Y /H /R /K /C
    
    ECHO Deleting offending definition
    del /f "%SOPHOSDIR%\sophos anti-virus\agen-xuv.ide"
    
    ECHO Starting Services
    
    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"
    
    ECHO Starting ALMON.EXE to bring shield back
    ECHO Check that the Sophos shield is loaded, then you can close this window.
    ECHO Our work is done.
    ECHO.
    REM start (with an empty title) so the batch file does not block on ALMON.EXE
    start "" /d "%SOPHOSDIR%\AutoUpdate" ALMON.EXE

  • LINCK wrote:

    Hello Sophos

    Is it possible to list the affected machines with a sqlcmd command?

    For example, list all machines which are not up-to-date or have the false positive malware detected.

    regards

    Linck Tello Flores

    www.innovare.pe


    I'm with Sr. Flores here. I cannot find a native way in the Console to export a list of machines based on criteria. If I could generate a text file of all machines which have not updated since 19-Sep MST-Denver, I could carry on with using psexec to run the Sophos supplied scripts for fixing the Sophos update and restoring the mal-quarantined files on our systems. 

    There are some fancy summary reports available via the SEC, but how to generate a lowly text list of machines meeting a criterion?

    Gracias / Besten Dank / Gratzi / Merci / Thanks

    Patrick

  • Good morning;

    Hi Nathan further to your previous post;

    I hope I'm not being a pain here,      Not at all I just want the issue resolved!!

    but did you delete agen-xuv.ide and restart savservice on the SEC/SUM server prior to having SUM perform an update? Yes

    Can you confirm if \\server\sophos update\cids\s000\savscfxp\savxp contains the javab-jd.ide file?  No it doesn't contain the javab-jd.ide file

    It sounds like SUM hasn't pulled the new file down.  - I know, THAT'S the issue I've been trying to explain

    Are you still getting software delivery failed messages on your SUM?  - Yes

    Apologies Nathan I'm not having a pop at you, but when I get an email from Support this morning telling me to "revisit the KB article as it has been updated on information on how to fix the SUM and other information regarding the issue"  and Section 1, point 1 is "Check within the update manager view that there are no download errors and Sophos Update Manager has performed a successful update recently."  When that is the issue I'm having, sort of gets you in a good mood for the day!!


  • PatW wrote:

    LINCK wrote:

    Hello Sophos

    Is it possible to list the affected machines with a sqlcmd command?

    For example, list all machines which are not up-to-date or have the false positive malware detected.

    regards

    Linck Tello Flores

    www.innovare.pe

    Sr Flores - I found this link helpful...

    http://www.sophos.com/en-us/support/knowledgebase/34657.aspx#onaccessisoff

    Especially the part I didn't know about selecting machines in the console and using Ctrl-C to copy the list...

    You can select an entire list, bring it into Spreadsheet and sort.

    Off and running.

    Hoping you find a weekend to enjoy!

  • sqlcmd -E -S .\sophos -d sophos51 -Q "SELECT distinct (c.Name) FROM [SOPHOS51].[dbo].[ThreatInstancesAll] as t inner join [SOPHOS51].[dbo].[ComputersAndDeletedComputers] as c on c.ID = t.ComputerID where t.ThreatName like 'Shh/%'" > computers.txt

    You can post-process it in Excel.

    Note: This is for SEC 5.1, change the database names as per: http://www.sophos.com/en-us/support/knowledgebase/17323.aspx

    If a computer doesn't have javab-jd.ide, this should list it:

    SELECT distinct (c.ComputerName)
    FROM [SOPHOS51].[dbo].[ThreatInstancesAll] as t
    inner join [SOPHOS51].[dbo].[ComputerListData2] as c
    inner join [SOPHOS51].[dbo].[IDELists] as i on i.ID = c.IDEListID
    on c.ComputerID = t.ComputerID
    where i.idelist not like '%javab-jd.ide%'

    So:

    sqlcmd -E -S .\sophos -d sophos51 -Q "SELECT distinct (c.ComputerName) FROM [SOPHOS51].[dbo].[ThreatInstancesAll] as t inner join [SOPHOS51].[dbo].[ComputerListData2] as c inner join [SOPHOS51].[dbo].[IDELists] as i on i.ID = c.IDEListID on c.ComputerID = t.ComputerID  where i.idelist not like '%javab-jd.ide%'" > noidejavab-jd.txt

    Regards,

    Jak

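    Patrick's request above (a plain text list of machines meeting a criterion) and Jak's sqlcmd answer come down to the same triage. As an added example, not code from this thread or from Sophos, here is a Python script over a constructed tab-separated export of the kind the console's Ctrl-C copy produces (column names are assumed): it lists machines that still carry agen-xuv.ide, lack javab-jd.ide, or have not updated since 19 September, and it separates Shh/Updater-B detections on files inside the Sophos install tree (the known false positive) from detections elsewhere, which still deserve a look.

```python
import csv
import io
from datetime import datetime

# Constructed sample (not real data): rows of the kind you get by selecting
# machines in the SEC console, pressing Ctrl-C and pasting into a spreadsheet.
# Column names are assumed; adjust them to whatever your export produces.
SAMPLE_EXPORT = """\
Computer\tLastUpdate\tIDEs\tThreat\tPath
PC01\t2012-09-19 08:15\tagen-xuv.ide;abcd-ef.ide\tShh/Updater-B\tC:\\Program Files\\Sophos\\Sophos Anti-Virus\\Web Intelligence\\swi_update.exe
PC02\t2012-09-20 10:00\tjavab-jd.ide;abcd-ef.ide\t\t
PC03\t2012-09-18 23:59\tagen-xuv.ide\tShh/Updater-B\tC:\\Program Files\\Sophos\\AutoUpdate\\ALMon.exe
PC04\t2012-09-20 11:30\tjavab-jd.ide\tShh/Updater-B\tC:\\Users\\bob\\Downloads\\setup.exe
"""

BAD_IDE = "agen-xuv.ide"        # definition that produced the false positives
FIX_IDE = "javab-jd.ide"        # corrected definition the thread is waiting for
CUTOFF = datetime(2012, 9, 19)  # "not updated since 19-Sep"


def parse_export(text):
    """Read the tab-separated export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def needs_fix(row):
    """True if the machine still has the bad IDE, lacks the fix, or has not updated since the cutoff."""
    ides = {i.strip().lower() for i in row["IDEs"].split(";") if i.strip()}
    last_update = datetime.strptime(row["LastUpdate"], "%Y-%m-%d %H:%M")
    return BAD_IDE in ides or FIX_IDE not in ides or last_update < CUTOFF


def is_self_detection(row):
    """Shh/Updater-B reported on a file inside the Sophos install tree is the known false positive."""
    return row["Threat"].startswith("Shh/") and "\\sophos\\" in row["Path"].lower()


def triage(text):
    """Split the export into: machines to push the fix to, false positives, and detections to review."""
    rows = parse_export(text)
    shh = [r for r in rows if r["Threat"].startswith("Shh/")]
    return {
        "needs_fix": sorted(r["Computer"] for r in rows if needs_fix(r)),
        "false_positive": sorted(r["Computer"] for r in shh if is_self_detection(r)),
        "review": sorted(r["Computer"] for r in shh if not is_self_detection(r)),
    }


if __name__ == "__main__":
    for bucket, machines in triage(SAMPLE_EXPORT).items():
        print(f"{bucket}: {', '.join(machines) or '-'}")
```

    The "needs_fix" list is the one to feed to psexec; the "review" list is Shh/ detections on files outside the Sophos tree, which the bad IDE does not explain on its own.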
  • Morning Dreec, do you still have the unpack files from the original SEC installation? It would most likely be in "C:\sec_51" where the number equates to your SEC version. Please run a repair from the SUM.msi in "C:\sec_51\ServerInstaller". This action should resolve your issue; apologies for the delays in answering this issue, but please let me know if this resolves it. Thank you.

  • So what should you do when you get the following after right clicking SUM.msi and choose repair:

    'This action is only valid for products that are installed'

    Yes, it is installed and was working perfectly until the other day.  Also double clicking the msi, all options are greyed out but defaults to 'Repair Sophos Update Manager' clicking next the application just hangs and does nothing.  I have tried both SUM.msi files located in C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Install and C:\sec_51\ServerInstaller.

    At the moment it does not appear update manager is working correctly, the status in the console has been stuck at downloading binaries since the 19th September and states that software delivery has failed. 

    Any help would be much appreciated as the support article on the site has not provided a working solution yet and trying to get through to Platinum Support is impossible as I just get a dead tone every time I try to call.

  • After forcing an update, endpoint computers stay with the Up to date status "Unknown".

    On computers their update time is ok.

    Any suggestions?

    Thanks in advance!

  • Hello mpowna,

    I suggest you stop the Update Manager service. Also make sure there's no install/repair in progress. Remove the offending IDE if you have not yet already done so. Empty the Warehouse and Working folders (see for example here to locate them) and start the service.

    Christian
