
Shh/Updater-B: selectively acknowledging FP's and errors via script?

Hey folks, hope y'all's week has been going well! 

We've been going about cleaning up our endpoints from last week's glitch;  the fix vbscript is working very well, and we're marking down the hostnames of the computers that have been fixed.  

I saw the script that will acknowledge ALL the shh/updater-b alerts in Enterprise Console (4.5 in our case), but what if I don't want to acknowledge all of them?

Is there a way I can feed it a list of hostnames to acknowledge the SHH/Updater-B on?  I'd like to later run a new list of ones to work on.  

Or am I thinking about this all wrong? If I acknowledge them all, will the still-broken ones repopulate again? I had thought they would be ignored, since I acknowledged it.

Any advice or help would be appreciated.  



  • Hi,

    Well you could use SEC, if you wish to clear the alerts from specific groups, you can right click on the groups and choose: "Resolve Alerts and Error".

    From there you can clear just the 'Shh/' ones by sorting on the "Name" column.  

    Note: in SEC 5.x you can hold down shift to select multiple entries :)

    From the database, can you identify those computers that are fixed to get a list of computer ids?

    Does "fixed" mean that they have the "fix" ide file (i.e. javab-jd) for example?

    If you can "id" the computers from a SQL query this could be used in a SQL query that calls the queries as in the batch file (http://sophserv.sophos.com/repo_kb/118328/file/fpack.txt), to ack the alerts i.e.

    UPDATE dbo.Threats SET Outstanding=0 WHERE ThreatName LIKE N'Shh/%'; 
    UPDATE dbo.ComputersAndDeletedComputers SET LastThreatInstanceID = dbo.ComputerLastOutstandingThreatInstanceID( ID );

    So based on the computers have the fixed ID, the SQL queries to clear alerts would be:

    UPDATE dbo.Threats SET Outstanding=0 WHERE ThreatName LIKE N'Shh/%' and ComputerID in (
        SELECT ID FROM dbo.Computers WHERE IDEList LIKE N'%javab-jd%'
    )
    GO

    UPDATE dbo.ComputersAndDeletedComputers SET LastThreatInstanceID = dbo.ComputerLastOutstandingThreatInstanceID( ID ) where ID in (
        SELECT ID FROM dbo.Computers WHERE IDEList LIKE N'%javab-jd%'
    )
    GO

    Regards,

    Jak

  • Talking of SQL queries, you might like this little HTA to create you some reports:

    /search?q= 32679

    As noted, the forum messed with the ':' after the javascript, so you'll have to edit that if you use it.

    Regards,

    Jak

  • Thanks, Jak. By 'fixed' I mean bad ide deleted, new ide in place, SAU repaired, and where applicable, other 'updater' applications repaired (google, itunes, etc). They're ready to be acknowledged in Sophos, but I don't want to acknowledge all, since not all are repaired. I'm just a lowly helpdesk manager, not a ton of SQL experience, so I'll look through and see what I can find/learn. The list we have is the computers' hostnames that have been repaired, so the "computer name" field in SEC.

  • Hi MattAustin, sorry it has taken a while to get back to you. I believe there is a way of doing what you require mentioned here:

    http://www.sophos.com/en-us/support/knowledgebase/118328.aspx

    Specifically: 

    Discover affected endpoints

    If you already know the list of affected computers, go the next section titled 'Edit the policies applied to affected endpoint computers'.

    Find out which endpoints require attention within Enterprise Console.

    1. On your Sophos Management server download batch file fpc.bat and save it to a directory of your choosing.
    2. Execute the batch file from a command prompt by first changing directory to where the file was saved to, then run the following: fpc.bat > FpWithoutFix.txt
    3. Once the command completes, open FpWithoutFix.txt to see the computers which have 'agen-xuv.ide' but don't have 'javab-jd.ide'.

    Bit further down there is a mention of:

    Deleted files from third party applications may require re-installation. To generate a list of deleted files use the tool fpdf.bat as described in 118324.

    HTH, if there is anything else you need please let us know

  • There are a few ways to integrate a text file into a SQL command.  Import into a temp table and join on that, probably best option if you have thousands of clients.

    If you have a shorter list or happy to run multiple queries, you could put the names into a comma separated list within the SQL, e.g.

    UPDATE dbo.Threats SET Outstanding=0 WHERE ThreatName LIKE N'Shh/%' and ComputerID in (
        SELECT ID FROM dbo.Computers WHERE Managed=1 and IDEList LIKE N'%javab-jd%' and IDEList LIKE N'%bank-fqg%' and Name in ( 'computer1', 'computer2' )
    )
    GO

    UPDATE dbo.ComputersAndDeletedComputers SET LastThreatInstanceID = dbo.ComputerLastOutstandingThreatInstanceID( ID ) where ID in (
        SELECT ID FROM dbo.Computers WHERE Managed=1 and IDEList LIKE N'%javab-jd%' and IDEList LIKE N'%bank-fqg%' and Name in ( 'computer1', 'computer2' )
    )
    GO

     So in the above examples, the alerts will be cleared for computers in SEC that show up with the names computer1 and computer2, that have the fixed IDE and have had Shh/* alerts. You might assume if they have the fixed IDE that updating is working (but as the resolve script dropped that, it might not be a good test). Maybe also bring in an .ide name from the last 24 hours as well (a quick look suggests bank-fqg.ide could be used as above).

    So if you can convert your machine list into a comma separated list with the entries in single quotes you should be able to use that.

    Note, if you have multiple domains and therefore potentially multiple computers with the same name, you may need to bring the domain name into the query, but I would suggest this is unlikely.

    Regards,

    Jak

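As an added example (not from the thread or from Sophos), here is a small Python script that turns the helpdesk's "repaired hostnames" text file into the two UPDATE statements Jak posted above, so the comma separated, single quoted list never has to be assembled by hand. It validates each hostname against a strict pattern and doubles any single quote, so a stray line in the file cannot change what the batch does, de-duplicates names, and splits very long lists into chunks; the table and column names are the ones from Jak's queries, the sample hostnames are constructed.

```python
import re
from typing import Iterable, List

# Hostnames: letters, digits, hyphens, dots. Anything else is rejected rather
# than quoted, so a stray line in the file cannot change the shape of the batch.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,254}$")
FIX_IDE = "javab-jd"  # the 'fix' IDE named in the thread

def load_hostnames(lines: Iterable[str]) -> List[str]:
    """Trim, skip blanks/comments, reject malformed names, de-duplicate."""
    seen, hosts = set(), []
    for raw in lines:
        name = raw.strip()
        if not name or name.startswith("#"):
            continue
        if not _HOST_RE.match(name):
            raise ValueError(f"rejected malformed hostname: {name!r}")
        if name.lower() not in seen:  # assumes SEC compares names case-insensitively
            seen.add(name.lower())
            hosts.append(name)
    return hosts

def sql_in_list(hosts: List[str]) -> str:
    """N'...' literals with single quotes doubled (T-SQL escaping, belt and braces)."""
    return ", ".join("N'" + h.replace("'", "''") + "'" for h in hosts)

def build_batch(hosts: List[str], fix_ide: str = FIX_IDE, chunk: int = 500) -> str:
    """The thread's two UPDATEs, once per chunk, restricted to managed computers
    that already carry the fix IDE (chunking keeps big lists within IN-list limits)."""
    parts = []
    for i in range(0, len(hosts), chunk):
        sel = (f"SELECT ID FROM dbo.Computers WHERE Managed=1 AND "
               f"IDEList LIKE N'%{fix_ide}%' AND Name IN ({sql_in_list(hosts[i:i + chunk])})")
        parts.append(
            "UPDATE dbo.Threats SET Outstanding=0\n"
            f"WHERE ThreatName LIKE N'Shh/%' AND ComputerID IN ({sel});\nGO\n"
            "UPDATE dbo.ComputersAndDeletedComputers\n"
            "SET LastThreatInstanceID = dbo.ComputerLastOutstandingThreatInstanceID(ID)\n"
            f"WHERE ID IN ({sel});\nGO\n")
    return "".join(parts)

# Constructed sample of a helpdesk "repaired" list, with a comment, a duplicate and a blank line.
SAMPLE = "# repaired Monday\nPC-0017\npc-0017\nPC-0042\n\nLAPTOP-HR-03\n"

if __name__ == "__main__":
    print(build_batch(load_hostnames(SAMPLE.splitlines())))
```

Run it against the real list (for example `load_hostnames(open("repaired.txt"))`) and review the printed batch before executing it against the SEC database.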