SHH/Updater-B Fiasco Recovery Steps

Just thought a thread for just the recovery steps would be helpful as I'm sure this is a big mess for many of my IT brethren who will be burning the midnight oil on the cleanup.

Perhaps a Sophos engineer could chime in on:

- what to do about "Software Delivery failed" in Update Manager

- what to do about ALsvc.exe and ALUpdate.exe being detected / quarantined

- other steps?

  • Hear, hear, tell us how to fix it and quickly please.

  • Looks like we've got the same issue.

    I've just had >300 emails reporting that the ALsvc.exe is being detected and quarantined....

    Not great at all...

  • I moved ALsvc.exe back into C:\Program Files (x86)\Sophos\AutoUpdate and restarted the service... working again.

  • We disabled AutoUpdate (Server Path).

    I deleted agen-xuv.ide and rebooted on one Machine. This works.

    Now I deploy deletion of the agen-xuv.ide on some managed PCs (Student Labs)

    Most unmanaged Clients were switched off - hopefully. The malicious Update came at 22:35 here in Germany.

  • I'm getting these alerts on multiple computers. Infected files are:
    C:\Program Files (x86)\Sophos\AutoUpdate\swlocale.dll
    C:\Program Files (x86)\Sophos\AutoUpdate\ALUupdate.exe
    C:\Program Files (x86)\Sophos\AutoUpdate\jusched.exe

    what to do?

    Daniel Cunha

    Brazil

  • UPDATE FROM SOPHOS

    RED NOTIFICATION - False Positive detections with ssh/updater-B - UPDATE 15:11 PDT

    As the False Positive can affect our own binaries, it can in some instances prevent both SUM and SAU from being able to update.

    In these situations the following instructions can be used to work around the issue, download the fixed IDE, and propagate it to all endpoints.

    SUM unable to update
    If SUM is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.
    To work around this issue and successfully download the IDE file that fixes this issue follow these steps:

    1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
    2. Restart the 'Sophos Anti-Virus Service'
    3. Update SUM via the Sophos Enterprise Console

    Endpoints unable to update
    If customers have endpoints that are unable to update due to the false positive issue the following steps can be taken to get the fixed IDE to them:

    1. Centrally disable On-Access scanning via policy in SEC
    2. Select Groups in SEC and select 'Update Now'
    3. Once a group has updated re-enable On-Access scanning via policy in SEC

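    For anyone who, like the poster above deploying the IDE deletion to student labs, has to repeat steps 1 and 2 of the Sophos post on many machines, here is an added PowerShell script that does exactly those two steps and reports the outcome per machine. This is not Sophos's code or anything posted in this thread; it assumes PowerShell remoting is enabled on the target machines when `-ComputerName` is given, and it uses only the two file paths and the service display name quoted in the Sophos post. Step 3 (updating SUM from the Enterprise Console) is still done in SEC afterwards.

```powershell
# Added example (not from Sophos or from this thread). Implements steps 1 and 2 of the
# "SUM unable to update" workaround above: delete agen-xuv.ide from the Sophos Anti-Virus
# folder (32-bit or 64-bit path), then restart the 'Sophos Anti-Virus Service'.
# Assumption: remote machines have PowerShell remoting enabled (Invoke-Command).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Defaults to the local machine; pass a list to run against several endpoints.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$removeIde = {
    # The two locations named in the Sophos post.
    $idePaths = @(
        'C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide',
        'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide'
    )
    $result = [ordered]@{
        Computer     = $env:COMPUTERNAME
        IdeFound     = $false
        IdeRemoved   = $false
        ServiceState = 'unknown'
        Error        = $null
    }
    try {
        # Step 1: delete the bad identity file wherever it exists.
        $present = @($idePaths | Where-Object { Test-Path -LiteralPath $_ })
        if ($present.Count -gt 0) {
            $result.IdeFound = $true
            $present | ForEach-Object { Remove-Item -LiteralPath $_ -Force -ErrorAction Stop }
            $result.IdeRemoved = $true
        }
        # Step 2: restart the service, looked up by the display name given in the post.
        $svc = Get-Service -DisplayName 'Sophos Anti-Virus Service' -ErrorAction Stop
        Restart-Service -InputObject $svc -Force -ErrorAction Stop
        $svc.Refresh()
        $result.ServiceState = $svc.Status.ToString()
    } catch {
        # Record the failure instead of aborting the whole run; the table shows it.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

$results = foreach ($computer in $ComputerName) {
    if ($PSCmdlet.ShouldProcess($computer, 'Remove agen-xuv.ide and restart Sophos Anti-Virus Service')) {
        if ($computer -ieq $env:COMPUTERNAME) {
            & $removeIde
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $removeIde
        }
    }
}

# One row per machine: whether the IDE was there, whether it was removed, and the
# service state after the restart. Machines with an Error column need a manual look.
$results | Format-Table Computer, IdeFound, IdeRemoved, ServiceState, Error -AutoSize
```

    Run it with `-WhatIf` first to see which machines would be touched, then for real against the SUM server before the endpoints, since the endpoints cannot pull the fixed IDE until SUM has it. A row showing `IdeFound = False` with a running service usually means that machine already picked up a later IDE and only needs the 'Update Now' from SEC.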
  • Where do we download the fixed IDE from?

  • The update services are not running, it gave me an error when I try to start it. So how do I update?

  • Hey all!

    I got the update to fix the problem, but now I seem to have a bigger problem. Sophos updating works just fine, but the program is now telling me that there is a service failure with Sophos Antivirus and HIPS. Is anyone else having this problem and if so, how have you fixed it?

    Thanks!

  • The software has quarantined a critical .dll on some of our workstations with software other than Sophos. How do I repair Sophos and get the critical .dll out of quarantine to repair the other software?
