
Shh/Updater-B: selectively acknowledging FP's and errors via script?

Hey folks, hope y'all's week has been going well! 

We've been going about cleaning up our endpoints from last week's glitch; the fix VBScript is working very well, and we're marking down the hostnames of the computers that have been fixed.

I saw the script that will acknowledge ALL the Shh/Updater-B alerts in Enterprise Console (4.5 in our case), but what if I don't want to acknowledge all of them?

Is there a way I can feed it a list of hostnames to acknowledge the Shh/Updater-B on? I'd like to later run a new list of ones to work on.

Or am I thinking about this all wrong? If I acknowledge them all, will the still-broken ones repopulate again? I had thought they would be ignored, since I acknowledged it.

Any advice or help would be appreciated.  



  • Hi,

    Well, you could use SEC: if you wish to clear the alerts from specific groups, you can right-click on the groups and choose "Resolve Alerts and Error".

    From there you can clear just the 'Shh/' ones by sorting on the "Name" column.  

    Note: in SEC 5.x you can hold down shift to select multiple entries :)

    From the database, can you identify those computers that are fixed to get a list of computer ids?

    Does "fixed" mean that they have the "fix" ide file (i.e. javab-jd) for example?

    If you can "id" the computers from a SQL query, this could be used in a SQL query that calls the queries as in the batch file (http://sophserv.sophos.com/repo_kb/118328/file/fpack.txt) to ack the alerts, i.e.

    -- Mark every outstanding Shh/ detection as no longer outstanding
    UPDATE dbo.Threats SET Outstanding=0 WHERE ThreatName LIKE N'Shh/%';
    -- Refresh each computer's "last outstanding threat" pointer so the console display updates
    UPDATE dbo.ComputersAndDeletedComputers SET LastThreatInstanceID = dbo.ComputerLastOutstandingThreatInstanceID( ID );

    So, based on the computers having the fix IDE, the SQL queries to clear alerts would be:

    -- Only the computers whose IDE list shows the fix IDE (javab-jd) get their Shh/ alerts cleared
    UPDATE dbo.Threats SET Outstanding=0 WHERE ThreatName LIKE N'Shh/%' AND ComputerID IN (
        SELECT ID FROM dbo.Computers WHERE IDEList LIKE N'%javab-jd%'
    )
    GO

    -- Same restriction for the pointer refresh, so untouched computers keep their current state
    UPDATE dbo.ComputersAndDeletedComputers SET LastThreatInstanceID = dbo.ComputerLastOutstandingThreatInstanceID( ID ) WHERE ID IN (
        SELECT ID FROM dbo.Computers WHERE IDEList LIKE N'%javab-jd%'
    )
    GO

    Regards,

    Jak

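As an added example (not from Jak's post and not from the fpack.txt batch file), here are the same two queries driven by an explicit list of hostnames, which is what the original question asks for: acknowledge the Shh/ alerts only on the machines you have already fixed, then run the next batch later by swapping in a new list. It assumes dbo.Computers carries the hostname in a column called Name (assumed column name; check your SEC database); the other table, column and function names are the ones used in the queries above. The hostnames are constructed sample values.

```sql
-- Added example, not from the original post or from Sophos: acknowledge Shh/ alerts
-- only for a named list of hostnames, instead of for every computer.
-- Assumptions (check against your SEC database before running):
--   * dbo.Computers has a Name column holding the hostname (assumed column name).
--   * dbo.Threats, dbo.ComputersAndDeletedComputers and the
--     dbo.ComputerLastOutstandingThreatInstanceID function are as used in fpack.txt.
-- Run the whole script in one session (SSMS or sqlcmd), because #FixedHosts is a
-- session-scoped temp table that must survive across the GO separators.

-- 1. Load the list of hostnames you have already fixed (constructed sample values).
IF OBJECT_ID('tempdb..#FixedHosts') IS NOT NULL DROP TABLE #FixedHosts;
CREATE TABLE #FixedHosts (HostName nvarchar(255) NOT NULL PRIMARY KEY);
INSERT INTO #FixedHosts (HostName) VALUES (N'WS-ACCOUNTS-01');
INSERT INTO #FixedHosts (HostName) VALUES (N'WS-ACCOUNTS-02');
INSERT INTO #FixedHosts (HostName) VALUES (N'LAPTOP-SALES-07');
GO

-- 2. Dry run: show which outstanding Shh/ alerts would be acknowledged, and list
--    any hostname from the file that matches no computer record (typos, renamed hosts).
SELECT c.Name AS HostName, t.ThreatName, COUNT(*) AS OutstandingAlerts
FROM dbo.Threats AS t
JOIN dbo.Computers AS c ON c.ID = t.ComputerID
JOIN #FixedHosts AS f ON f.HostName = c.Name
WHERE t.Outstanding <> 0 AND t.ThreatName LIKE N'Shh/%'
GROUP BY c.Name, t.ThreatName;

SELECT f.HostName AS NotFoundInConsole
FROM #FixedHosts AS f
LEFT JOIN dbo.Computers AS c ON c.Name = f.HostName
WHERE c.ID IS NULL;
GO

-- 3. Acknowledge, inside a transaction so a wrong list can be rolled back
--    (replace COMMIT with ROLLBACK if the dry run above looked wrong).
BEGIN TRANSACTION;

UPDATE dbo.Threats
SET Outstanding = 0
WHERE ThreatName LIKE N'Shh/%'
  AND ComputerID IN (SELECT c.ID FROM dbo.Computers AS c
                     JOIN #FixedHosts AS f ON f.HostName = c.Name);

-- Same second step as fpack.txt, restricted to the listed computers, so the
-- console's per-computer "last outstanding threat" pointer is refreshed only for them.
UPDATE dbo.ComputersAndDeletedComputers
SET LastThreatInstanceID = dbo.ComputerLastOutstandingThreatInstanceID(ID)
WHERE ID IN (SELECT c.ID FROM dbo.Computers AS c
             JOIN #FixedHosts AS f ON f.HostName = c.Name);

COMMIT TRANSACTION;
GO

DROP TABLE #FixedHosts;
GO
```

Run step 2 on its own first and only proceed to step 3 when the counts match what you expect and the "NotFoundInConsole" result is empty; a hostname that does not match is silently skipped by the UPDATEs, so that check is what tells you the list actually covered the machines you fixed. For the next batch, replace the INSERT lines with the new hostnames and rerun.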