Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • You are right. These updated show 290, and Unknown show 289. You wrote it must be 290.

    Download status for Update Manager is Downloading binaries. You assume it will update all endpoint computers after the update is done? I'm forcing it.

    Thanks for reply!
  • How come the console downloads updates fine since yesterday but file "javab-jd.ide" is missing from local and shared folders?

    May I copy it from a client to these locations?
  • Just now (although Update Manager says "Software update failed.") the "Unknown" computers are now "Yes".

    Number of IDEs is 291 on them. Another question: Please can you write me how I can see which computers have the shield shown in the Taskbar menu (without calling employees :) ) because I have some computers whose status is Yes or Unknown but the shield is not shown? There is no way to see that from the console?

    Thanks once more!
  • Hello Pjgfi,

    there is no such thing as false positives as far as QM is concerned. You might argue it should have a list of detections where cleanup was not available and move or delete has been specified. But then you've told it explicitly to perform an action in this case - remember, the recommended setting is Deny access only. Move can break things but is useful if you want to collect samples or avoid repeated alerts. Delete should really only be used on machines which you can restore easily, in a scheduled job or in case of an outbreak.

    Christian

  • Hello Pjgfi,

    guess you have deleted the "bad" version yesterday. I'm surprised though that SEC shouldn't put the correct javab-jd.ide into the CID(s). It's always possible to delete a CID's contents and have it rebuilt by SUM (clients might complain for the short time it takes and if there's a new IDE its deployment might be delayed for a few minutes - but otherwise there's no harm).

    Copying something into the CID is not recommended - you might try it on one or two clients to see if then their status is known, but if the IDE is missing from the CID you should have it rebuilt by SUM.

    Christian

  • Hello

    Could you give us an example for the psexec syntax to be fully functional with your FixUpdate.vbs Script please?

    Because I have error code 1 or incorrect parameter errors.

    For example:

    C:\Users\chaminade-d\Desktop\sophos>psexec \\machinename -u domain\adminaccount -p password -i cscript //nologo \\server\share\scripts\FixUpdate.vbs /fixIssues:true /cid:\\srv-sophos\sophosupdate\cids\s003\savscfxp /updateNow:true

    I get an "incorrect parameter error"

    Thanks

  • Hello NicolaFBA,

    Yes says the clients are up to date with the currently provided CID. It does depend on SUM's last download/update being successful.

    Whether the shield is shown (meaning Almon.exe is running) can't be seen from the console. Guess you won't get an error if Almon is missing on the client.

    Christian

  • Hello Nicklzk99,

    acknowledging an alert in the console does nothing on the client side.

    of course one can question the current behaviour. Changing it the way you suggest would be a significant modification. Right now there's Cleanup (which you know has an effect on the client) and Acknowledge (which just clears an alert from display). Now successful action either from the console or on the client will clear the alert anyway. Apart from the risk that Acknowledge would clear information from QM which is still needed on the client (of course it can be found or recreated but ...) adding a "routine" feature for exceptional situations is not best practice. Just my opinion though.

    So why not create a cleanup definition for Shh/Updater-B that automatically fixes this mess

    Guess this would require changes to the engine and couldn't be rolled out in an IDE unless the required underlying operations were already implemented.

    Christian


  • HealthAdmin wrote:

    Hello

    Could you give us an example for the psexec syntax to be fully functional with your FixUpdate.vbs Script please?

    Because I have error code 1 or incorrect parameter errors.

    For example:

    C:\Users\chaminade-d\Desktop\sophos>psexec \\machinename -u domain\adminaccount -p password -i cscript //nologo \\server\share\scripts\FixUpdate.vbs /fixIssues:true /cid:\\srv-sophos\sophosupdate\cids\s003\savscfxp /updateNow:true

    I get an "incorrect parameter error"

    Thanks


    Hey,

    Not sure about your syntax. If I had to guess PSEXEC is getting confused with the forward and back slashes after your -i switch.

    What you might want to try is calling your VBScript from within a batch script. Then use PSEXEC to push out the batch script.

    psexec @filelist -u domain\adminaccount path-to-your-batch-script.bat

    You can leave the -p switch out and when you hit enter, it will prompt for the password. This way you don't have to make your password visible on the cmd.

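    A wrapper batch script of the kind suggested above, as an added example (not a script from the thread or from Sophos). It takes the FixUpdate.vbs path, the CID path and the switches from the psexec command quoted in the thread; the log share \\server\share\logs and the host list hosts.txt are hypothetical names, and the script writes each client's cscript exit code to a per-computer log so failures can be found without visiting the machines.

```batch
@echo off
REM fixupdate-wrapper.bat - added example, not part of the original thread.
REM Runs FixUpdate.vbs locally through cscript, so psexec only has to pass one
REM plain .bat path and never sees the // and \\ mix that confused it above.
REM Script and CID paths are the ones quoted in the thread; the log share is
REM a hypothetical placeholder, change it to a share the clients can write to.
setlocal
set SCRIPT=\\server\share\scripts\FixUpdate.vbs
set CID=\\srv-sophos\sophosupdate\cids\s003\savscfxp
set LOG=\\server\share\logs\fixupdate-%COMPUTERNAME%.log

echo %DATE% %TIME% FixUpdate start on %COMPUTERNAME% >> "%LOG%"

REM Capture both stdout and stderr of the VBScript so "incorrect parameter"
REM style errors from cscript itself end up in the log, not lost on the client.
cscript //nologo "%SCRIPT%" /fixIssues:true /cid:%CID% /updateNow:true >> "%LOG%" 2>&1
set RC=%ERRORLEVEL%

echo %DATE% %TIME% cscript exit code %RC% on %COMPUTERNAME% >> "%LOG%"

REM Hand the VBScript's exit code back to psexec so its per-host summary
REM reflects the real outcome (0 = ok, anything else needs a look).
endlocal & exit /b %RC%

REM Deploy (run from the admin workstation; hosts.txt = one computer name per line,
REM constructed for this example). Leaving -p off makes psexec prompt for the
REM password instead of exposing it on the command line:
REM   psexec @hosts.txt -u domain\adminaccount \\server\share\scripts\fixupdate-wrapper.bat
REM Add -c before the path if the targets cannot read the share themselves;
REM psexec then copies the .bat to each target before running it.
```

    Afterwards, a quick `findstr /m "exit code [1-9]" \\server\share\logs\*.log` lists the computers whose run did not return 0.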
  • Is there any way to export a list of computer names that have the virus from the console? It's appearing like I'm going to need to reinstall Sophos on a large number of computers via SCCM or KACE, as touching each computer that's been affected by this would be an asinine amount of time, something that our department currently does not have with the start of the school year, and the very large number of computers in our district that have been rendered useless to the Sophos console.

    If there's any tool or way that could export computer names from the virus database, that'd be incredibly helpful for creating a collection to push an updated version of Sophos to.

    Thanks for any help.
