Put you hand up here Sophos and say SORRY!

Hi Mawftech,

First, sorry to have taken a while to get back to you (and by extension, everyone else impacted by this).

Second, I've just ripped out the Welcome text from the SophosTalk home page and put in some new text that a) points users at the relevent online information and b) apologises for the disruption caused, and the extra work that results.

In more than six years at Sophos, I've never seen anything like this. Please bear with us, and accept my own personal apology.

Best regards,

spike

Thanks Spike.

Matt

Apology accepted.

I am sure that I speak for many of your customers when I say that we appreciate that antivirus protection is a complicated process and that mistakes can and do happen.

However, my experience with Sophos has always been one of an exemplary service and while this issue is inconvienient I would rather have an occasional false positive than some other antivirus service.

Yup - I agree with Matt that something more visible should have been done. A nakedsecurity post is definitely not all that could and should be done. I'd have expected a Technical Alert - don't tell me it was impossible.

To be fair, correction has been fast and interestingly the impact varied (Live Protection has probably mitigated the effect).

It did not take too long to make the clients working again as fortunately our policies generally are set to Deny access only and in the segment where we use Delete it hit Alsvc.exe first (for whatever reason), attempted to delete it and failed (for once I'm glad for that).

The master SUMs recovered automatically, for one child I excluded the \Sophos directories after that it updated. Then used the same exclusions for the other endpoints (never thought I'd really use the Export/Import feature - but there you have it).

In case some AutoUpdate executables have been deleted (which depending on what is missing shows different symptoms from no visible result to various errors) I've found that

• stopping SavService (thus disabling scanning)
• copying the missing files to the AutoUpdate program directory
• triggering an update (click Almon.exe if the Sophos icon is not present)

resolves the problem (of course SavService should be started afterwards).

If you have many (or off-site) clients this could be scripted and packaged

Christian

Hi Christian,

Thank you for your message, we now have a script that can be pushed out which will repair damage to Auto Update on affected endpoints - http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

Hope this helps.

Scott

I agree with Christian something should have went out as soon as this was reported! Nothing came out until the next day.....my techs and I are having to run around to all of our endpoints to resolve this.

Sophos needs to improve the capabilities of the enterprise console, we need the ability to completely uninstall the software and remove all traces from endpoints so we can re-deploy the software. Sophos should also include some sort of outbreak manager into that console so we can pre-define certain actions...

We are one of those sites where the documented fixes are not working at all. I still have 126 computers that are completely jacked up. We have resulted to touching each computer manually and trying to fix it through trial and error. I am irritated and upset that such gorss negligence in quality control has taken place. We now are on day three of lost time due to this fiasco.

--Josh--

One thing that is clearly standing out here is that the product itself is lacking in several critical admin areas. For example, when files are deleted either manually or automatically, the installer fails because it cannot uninstall the previous version. There are several fixes for this - I've been knocking a couple of registry entries out to fool the installer into thinking it isn't installed to start with - seems to then 'update' the broken version ok and start working again.

Matt