
SHH/Updater-B Fiasco Recovery Steps

Just thought a thread for just the recovery steps would be helpful as I'm sure this is a big mess for many of my IT brethren who will be burning the midnight oil on the cleanup.

Perhaps a Sophos engineer could chime in on:

- what to do about "Software Delivery failed" in Update Manager

- what to do about ALsvc.exe and ALUpdate.exe being detected / quarantined

- other steps?



  • @TRLSecurity - thanks. Luckily we didn't have the files set to delete, though I've always felt that a bit draconian anyway.

    BTW, if you can get a list of the affected machines into a text file, one per line, then use a loop on them like this. It all depends on how bad the problem is; it hit the firm I was dealing with at 10pm UK time and was caught before it hit the main logons the next morning.

    (The script gets fiddled with when posting, and may well have copy/paste issues, so make sure it is OK before running it live...)

    Steve

    @echo off
    REM Loop over the host list (one machine name per line) and, for each host,
    REM stop the Sophos service, remove quarantine.xml from whichever location
    REM exists (XP/2003 or Vista/7/2008), then start the service again.
    for /f "tokens=*" %%a in (yourtextfile.txt) do (
      sc \\%%a stop "Sophos Anti-Virus" >NUL
      REM Short pause so the service has stopped before the file is removed.
      ping 127.0.0.1 -n 2 >NUL
      if exist "\\%%a\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\quarantine.xml" (
          del "\\%%a\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\quarantine.xml" >NUL
          echo File deleted from XP location - %%a
      ) ELSE (
        if exist "\\%%a\c$\ProgramData\Sophos\Sophos Anti-Virus\config\quarantine.xml" (
          del "\\%%a\c$\ProgramData\Sophos\Sophos Anti-Virus\config\quarantine.xml" >NUL
          echo File deleted from Vista/7 location - %%a
        ) ELSE (
           echo Not found quarantine file at all - %%a
        )
      )
      sc \\%%a start "Sophos Anti-Virus" >NUL
    )

    Steve

    (who wishes he'd typed dragon-it better when he registered!)

    http://www.dragon-it.co.uk/
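Steve's loop rewritten in PowerShell, as an added example that is not from the thread: the same stop/remove/start sequence over a host list, but it moves each quarantine.xml into a local backup folder instead of deleting it, supports a dry run (-WhatIf) so the list can be checked before running live, and records one result row per host. It assumes admin rights on the targets, the C$ admin share reachable, and a hosts.txt with one machine name per line (all hypothetical names).

```powershell
# Added example, not the thread's own script. Moves quarantine.xml to a backup
# folder rather than deleting it; run with -WhatIf first to see what would happen.
param(
    [string]$HostList = ".\hosts.txt",          # assumed: one machine name per line
    [string]$BackupRoot = ".\quarantine-backup", # assumed: local folder for copies
    [switch]$WhatIf
)

$service = "Sophos Anti-Virus"
# Both locations the original loop checks: XP/2003 and Vista/7/2008.
$relPaths = @(
    'c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\quarantine.xml',
    'c$\ProgramData\Sophos\Sophos Anti-Virus\config\quarantine.xml'
)

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

$results = foreach ($h in Get-Content $HostList | Where-Object { $_.Trim() }) {
    $h = $h.Trim()
    $status = "not-found"
    try {
        # Stop the service so the file is not rewritten while it is being moved.
        if (-not $WhatIf) { sc.exe \\$h stop $service | Out-Null; Start-Sleep -Seconds 2 }
        foreach ($rel in $relPaths) {
            $src = "\\$h\$rel"
            if (Test-Path -LiteralPath $src) {
                $dst = Join-Path $BackupRoot "$h-quarantine.xml"
                if ($WhatIf) { $status = "would-move: $src" }
                else { Move-Item -LiteralPath $src -Destination $dst -Force; $status = "moved: $src" }
                break   # only one of the two locations exists on a given host
            }
        }
    } catch {
        $status = "error: $($_.Exception.Message)"
    } finally {
        # Always try to bring the service back, even if the move failed.
        if (-not $WhatIf) { sc.exe \\$h start $service | Out-Null }
    }
    [pscustomobject]@{ Host = $h; Result = $status }
}

$results | Export-Csv -Path ".\quarantine-results.csv" -NoTypeInformation
$results | Format-Table -AutoSize
```

The CSV gives a per-host record of which machines had a quarantine file, where, and which ones errored (typically unreachable or access denied), so the stragglers can be reworked later.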
