
Shh/Updater-B Fiasco Recovery Steps

Just thought a thread for just the recovery steps would be helpful as I'm sure this is a big mess for many of my IT brethren who will be burning the midnight oil on the cleanup.

Perhaps a Sophos engineer could chime in on:

- what to do about "Software Delivery failed" in Update Manager

- what to do about ALsvc.exe and ALUpdate.exe being detected / quarantined

- other steps?



  • Still checking this but I think it seems to be working.

    Delete the agen-xuv.ide from the Sophos directory on your server which has the Sophos Control Centre installed and restart the Anti-Virus Service.

    Open the Endpoint Client on the server and write down all of the Sophos files which have been quarantined.

    Add the files to the suspicious files allowed list in the client.

    The Control Centre will now start, which will at least allow you to change the Group Policy so you can update the endpoints as below.

    Sophos Update Manager unable to update

    If SUM is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.

    To workaround this issue and successfully download the IDE file that fixes this issue follow these steps:

    1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
    2. Restart the 'Sophos Anti-Virus Service'
    3. Update SUM via the Sophos Enterprise Console

    Endpoints unable to update

    If you have endpoints that are unable to update due to the false positive issue there are two solutions:

    Option 1

    1. Add the following exclusions to the 'Anti-Virus and HIPS' policy

      C:\Documents and Settings\All Users\Application Data\Sophos\
      C:\Program Files\Sophos\
      C:\Program Files (x86)\Sophos\
      C:\programdata\sophos\

    2. Select Groups in SEC and select 'Update Now'
    3. Once all groups have been updated remove the exclusions

    Option 2

    1. Centrally disable On-Access scanning via policy in SEC
    2. Select Groups in SEC and select 'Update Now'
    3. Once a group has updated re-enable On-Access scanning via policy in SEC
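    The SUM steps 1 and 2 above (delete the bad IDE from whichever install path applies, then restart the Anti-Virus service), written up as a PowerShell function so it can be previewed with -WhatIf before touching anything. This is an added example, not code from the original post or from Sophos; the service name 'SAVService' and the use of the ProgramFiles environment variables in place of the literal paths are my assumptions.

```powershell
# Added example (not from the original post): remove the false-positive IDE
# from the 32- and 64-bit install locations and restart the on-access scanner.
# Assumption: 'SAVService' is the service behind the "Sophos Anti-Virus"
# display name; confirm with Get-Service before relying on it.
function Repair-SophosUpdaterFalsePositive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]   $IdeName     = 'agen-xuv.ide',
        [string[]] $SearchRoots = @(
            "$env:ProgramFiles\Sophos\Sophos Anti-Virus",
            "${env:ProgramFiles(x86)}\Sophos\Sophos Anti-Virus"
        ),
        [string]   $ServiceName = 'SAVService'   # assumed service name
    )

    # Step 1: delete the IDE wherever it is actually present.
    $removed = @()
    foreach ($root in $SearchRoots) {
        $ide = Join-Path $root $IdeName
        if (Test-Path -LiteralPath $ide) {
            if ($PSCmdlet.ShouldProcess($ide, 'Remove false-positive IDE')) {
                Remove-Item -LiteralPath $ide -Force
                $removed += $ide
            }
        }
    }
    if ($removed.Count -eq 0) {
        Write-Warning "No $IdeName found under: $($SearchRoots -join '; ')"
        return
    }

    # Step 2: restart the Anti-Virus service so the stale identity is unloaded.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$ServiceName' not found; restart 'Sophos Anti-Virus' by hand."
    } elseif ($PSCmdlet.ShouldProcess($ServiceName, 'Restart-Service')) {
        Restart-Service -Name $ServiceName -Force
    }

    # Record what changed before going on to step 3 (update SUM from SEC).
    [pscustomobject]@{
        RemovedFiles = $removed
        ServiceState = if ($svc) { (Get-Service -Name $ServiceName).Status } else { 'Unknown' }
    }
}

# Preview, then run for real from an elevated prompt:
# Repair-SophosUpdaterFalsePositive -WhatIf
# Repair-SophosUpdaterFalsePositive
```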