Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.


  • Hi Christian,

    Thanks for your reply, but the steps you have suggested have already been done.  Any other ideas?

  • Hi

    Dreec summed up our issues perfectly (and I expect many more of your customers)

    We have deleted agen-xuv.ide and restarted savservice on the SEC/SUM, and then performed an update on both client and server; this errors with "Threat Detection data update failed".

    We do not have the javab-jd.ide file, but we do have the 90e873330239722f58efabf8c27e7138.dat file.

    It sounds like SUM hasn't pulled the new file down. Maybe?

    Are you still getting "software delivery failed" messages on your SUM? - Yes, loads; in fact it hasn't worked since your increasingly infamous update.

    Please run a repair from the SUM.msi - when I do, it errors stating that the SUMadapter.dll file is locked.

    I have also tried many other solutions last night to try and resolve these issues, and feel that I'm now an expert in a system that was rarely touched (apart from dealing with the odd file here and there).

    I understand that your teams are working hard to fix this, but it does seem that the advisories you have published are good for some installations and not for others. I would expect to have seen some scripts from you by now that fix this for us, deleting the corrupt install files and rectifying the install. It also seems that most of the people on here are not used to managing the interface.

    I haven't tried to contact support as I would expect it to be a lost cause. I have a lot of respect for your support team who are replying on the forum; Nathan in particular continued into the early hours, diligently and clearly supporting the customers that raised issues on here.

  • I'm also having a hard time with our servers & clients.

    The one thing that's weird is that quarantines are all shown EMPTY on all machines, although there were some Sophos files moved to the INFECTED folder.

    Why is it that I can't simply see the items and have them restored?

    Thanks.

    PJ

  • Endpoints are showing an Up to Date status of Unknown in the EC. I ran the script on the EC server to move back any files related to the EC. What can I do to rectify the status problem?

  • Hello Pjgfi,

    the Quarantine only shows unhandled detections. A move to the INFECTED folder is considered a successful remedy, and thus the item isn't on the list. Please have a look at "Restoring Files Moved by Sophos Anti-Virus Due To A False Positive".

    Christian 

  • Hello mpowna,

    the steps you have suggested have already been done

    Hm, that means whenever you start the SUM service it changes to Downloading binaries (which doesn't seem to finish) and Last updated remains the 19th? And it does populate the warehouse? The Logviewer should tell you how far it gets; to find out where it's stuck (if it is), a look at the SUMTrace log might be necessary. To get a clean report you should empty the Warehouse once more.

    Christian

  • Endpoints are showing an Up to Date status of Unknown in the EC. I ran the script on the EC server to move back any files related to the EC. What can I do to rectify the status problem?


    The same here. I've noticed this only happens after the procedure is done on computers which were updated yesterday at 16:09.

    On computers last updated yesterday at 1:04, Up to date is shown as Yes. Please let me know if you find a solution.

    Thanks!

  • Hello NikolaFBA,

    look at the Anti-Virus details in SEC's endpoint view. Check the column IDEs (right now the number is 291) as well as Detection data (which should be 4.81). When SEC downloads updates it makes a note of the resulting "package", the time it was built and its contents. When the clients report their status, SEC looks up the number to find a matching package (this is where it gets the "Not since ..." information from). If it doesn't find a matching package description, the status is Unknown.

    Do the Unknown clients report more or less IDEs than the Yes ones? I assume the former due to an "orphaned" IDE. Usually this corrects itself in one of the next updates (i.e. when actually new IDEs are downloaded).

    Christian

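The status derivation Christian describes above, as an added worked model (this is not Sophos code, and the package history, endpoint reports and exact matching rule are assumptions constructed for illustration): the console keeps a record of each package it has downloaded, an endpoint's reported IDE count and detection-data version are looked up against that record, and the result is "Yes" for the newest package, "Not since <build time>" for an older one, or "Unknown" when nothing matches. It also implements the check suggested for diagnosing Unknown endpoints: whether they report more IDEs than any known package, which is what an orphaned IDE would look like.

```python
"""Model of how a management console derives an endpoint's Up-to-date status.

Added example, not Sophos code.  The package records, endpoint reports and the
matching rule (a package is identified by its IDE count plus detection-data
version) are assumptions constructed to illustrate the forum explanation.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Package:
    built: datetime        # when the update package was assembled
    ide_count: int         # number of IDE files it contains
    detection_data: str    # detection-data version it carries


@dataclass(frozen=True)
class EndpointReport:
    name: str
    ide_count: int         # IDEs the endpoint says it has
    detection_data: str    # detection-data version the endpoint reports


# Constructed package history, oldest to newest (values are illustrative).
PACKAGES: List[Package] = [
    Package(datetime(2012, 1, 1, 1, 4), 289, "4.81"),
    Package(datetime(2012, 1, 1, 16, 9), 290, "4.81"),
    Package(datetime(2012, 1, 2, 8, 0), 291, "4.81"),
]


def find_package(report: EndpointReport, packages: List[Package]) -> Optional[Package]:
    """Return the newest package whose contents match what the endpoint reports."""
    matches = [
        p for p in packages
        if p.ide_count == report.ide_count and p.detection_data == report.detection_data
    ]
    return max(matches, key=lambda p: p.built) if matches else None


def up_to_date_status(report: EndpointReport, packages: List[Package]) -> str:
    """Yes / Not since <time> / Unknown, following the lookup described in the post."""
    latest = max(packages, key=lambda p: p.built)
    matched = find_package(report, packages)
    if matched is None:
        # No recorded package describes this combination: the console cannot
        # say how far behind (or ahead) the endpoint is.
        return "Unknown"
    if matched == latest:
        return "Yes"
    return f"Not since {matched.built:%Y-%m-%d %H:%M}"


def looks_orphaned(report: EndpointReport, packages: List[Package]) -> bool:
    """True if the endpoint reports more IDEs than any package the console knows,
    i.e. it appears to hold an IDE that no package description accounts for."""
    return report.ide_count > max(p.ide_count for p in packages)


def status_table(reports: List[EndpointReport], packages: List[Package]) -> Dict[str, str]:
    """Status per endpoint, as the endpoint view would list it."""
    return {r.name: up_to_date_status(r, packages) for r in reports}


if __name__ == "__main__":
    # Constructed endpoint reports: in sync, one package behind, and holding an extra IDE.
    reports = [
        EndpointReport("pc-current", 291, "4.81"),
        EndpointReport("pc-behind", 290, "4.81"),
        EndpointReport("pc-extra-ide", 292, "4.81"),
    ]
    for name, status in status_table(reports, PACKAGES).items():
        print(f"{name:14} {status}")
    for r in reports:
        if up_to_date_status(r, PACKAGES) == "Unknown":
            print(f"{r.name}: orphaned IDE suspected = {looks_orphaned(r, PACKAGES)}")
```

Once a later package is recorded whose contents match what the Unknown endpoint reports, the lookup succeeds again, which is the self-correcting behaviour the post mentions; until then the only console-side signal is the IDE count being higher than any known package.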
  • So if I understand this correctly, acknowledging an alert in the console does nothing on the client side (items will still remain in their local quarantine)?  Seems like a long overdue "feature" for something this basic, but whatever...

    I do know we still have the "cleanup" option. So why not create a cleanup definition for Shh/Updater-B that automatically fixes this mess (moves files back to their original location, clears the quarantine, fixes the autoupdater, basically everything those scripts you are providing do, but in one simple click in the console)? Probably a moot point by now, but just an idea to save hours and hours of work for admins.

  • Thanks Christian for your quick answer about Quarantine.

    That's kind of a weird behaviour, especially for false positives. Anyway... I'll try the script.
