SHH/Updater-B Fiasco Recovery Steps

Just thought a thread for just the recovery steps would be helpful as I'm sure this is a big mess for many of my IT brethren who will be burning the midnight oil on the cleanup.

Perhaps a Sophos engineer could chime in on:

- what to do about "Software Delivery failed" in Update Manager

- what to do about ALsvc.exe and ALUpdate.exe being detected / quarantined

- other steps?

  • This needs testing still but seems to have worked OK on some test computers to clear the quarantine, remove the IDE, and trigger it to update. After that some seemed to kick off, others needed a push with "update computers" from Enterprise Console.

    <?xml version="1.0" ?>
    <!-- quarantine.xml: an empty quarantine; the script below copies it onto the target PC -->
    <Threats prodver="102" version="1">
      <ViralThreats />
      <MCViralThreats />
      <PUAThreats />
      <AppControlThreats />
    </Threats>

    rem Target computer; run from an account with admin rights on its C$ share
    set fixpc=PC1234

    rem Stop the Sophos services so the quarantine and IDE files can be replaced
    sc \\%fixpc% stop "Sophos Anti-Virus status reporter"
    sc \\%fixpc% stop "Sophos Anti-Virus"
    sc \\%fixpc% stop "Sophos Agent"
    sc \\%fixpc% stop "Sophos Message Router"
    sc \\%fixpc% stop "Sophos AutoUpdate Service"

    rem Keep the old quarantine list as Quarantine.old and drop in the empty one
    rename "\\%fixpc%\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml" *.old
    copy /y "quarantine.xml" "\\%fixpc%\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config"

    pause

    rem Remove the bad IDE (path quoted because it contains spaces)
    del "\\%fixpc%\c$\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"

    pause

    rem Bring the services back up
    sc \\%fixpc% start "Sophos Anti-Virus status reporter"
    sc \\%fixpc% start "Sophos Anti-Virus"
    sc \\%fixpc% start "Sophos Agent"
    sc \\%fixpc% start "Sophos Message Router"
    sc \\%fixpc% start "Sophos AutoUpdate Service"

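The same recovery steps as a Windows PowerShell 5.1 script that walks a list of computers instead of one, keeps a timestamped backup of Quarantine.xml, deletes the IDE only if it is still present, and confirms each service actually stopped and started. This is an added example, not code from the post or from Sophos; the host names are constructed, and it assumes the empty quarantine.xml from the post is saved beside the script and that the C$ shares are reachable with admin rights.

```powershell
# Added example (not from the post or Sophos): the poster's steps over a list of PCs.
# Assumes Windows PowerShell 5.1, admin rights on each target, reachable C$ shares,
# and the empty quarantine.xml from the post saved next to this script.
$Computers = @('PC1234', 'PC1235')                    # constructed sample host list
$EmptyXml  = Join-Path $PSScriptRoot 'quarantine.xml'
$Services  = 'Sophos Anti-Virus status reporter', 'Sophos Anti-Virus',
             'Sophos Agent', 'Sophos Message Router', 'Sophos AutoUpdate Service'
$ConfigRel = 'Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config'
$IdeRel    = 'Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide'
# Poll until the named service (service or display name) reaches $State, or give up.
function Wait-ServiceState {
    param([string]$Computer, [string]$Name, [string]$State, [int]$TimeoutSec = 60)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $svc = Get-Service -ComputerName $Computer -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq $Name -or $_.DisplayName -eq $Name }
        if ($svc -and $svc.Status -eq $State) { return $true }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)
    return $false
}

foreach ($pc in $Computers) {
    $config = Join-Path "\\$pc\c$" $ConfigRel
    if (-not (Test-Path $config)) { Write-Warning "$pc : config dir unreachable, skipping"; continue }
    # 1. Stop the services, then confirm each one really stopped before touching files.
    foreach ($s in $Services) {
        & sc.exe "\\$pc" stop $s | Out-Null
        if (-not (Wait-ServiceState $pc $s 'Stopped')) { Write-Warning "$pc : '$s' did not stop" }
    }

    # 2. Keep a timestamped copy of the poisoned Quarantine.xml, then drop in the empty one.
    $qxml = Join-Path $config 'Quarantine.xml'
    if (Test-Path $qxml) {
        Rename-Item $qxml ('Quarantine.xml.{0:yyyyMMdd-HHmmss}.old' -f (Get-Date))
    }
    Copy-Item $EmptyXml $config -Force

    # 3. Delete the bad IDE only if it is still present.
    $ide = Join-Path "\\$pc\c$" $IdeRel
    if (Test-Path $ide) { Remove-Item $ide -Force } else { Write-Host "$pc : IDE already gone" }

    # 4. Bring the services back and report any that failed to start.
    foreach ($s in $Services) {
        & sc.exe "\\$pc" start $s | Out-Null
        if (-not (Wait-ServiceState $pc $s 'Running')) { Write-Warning "$pc : '$s' not running" }
    }
    Write-Host "$pc : done; push 'Update computers' from Enterprise Console if it does not update on its own"
}
```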