
SHH/Updater-B Fiasco Recovery Steps

Just thought a thread for just the recovery steps would be helpful as I'm sure this is a big mess for many of my IT brethren who will be burning the midnight oil on the cleanup.

Perhaps a Sophos engineer could chime in on:

- what to do about "Software Delivery failed" in Update Manager

- what to do about ALsvc.exe and ALUpdate.exe being detected / quarantined

- other steps?



  • We had the "delete" option enabled and so it disabled our control center. I have been unable to repair Sophos Control Center via add/remove programs Repair option. So I decided to remove and install it from scratch, which was a big mistake, because even though the major revision is the same, apparently the one I had installed was newer, so now I can't see the Control Center at all and it cannot talk to the other components.

    If your control server is down and you have backups of it, I would recommend you manually pick out the files that were deleted from the Sophos program files folder rather than try a re-install, since we're in worse shape after the reinstall. That should work if the problem is as simple as it appears. Your deleted files should be listed in your AV log on that machine. Just make sure your backup is fresh so the versions sync.

    Edit: Another reason why I don't run antivirus on mission critical servers. Your mileage may vary.

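One way to script the restore described above: an added example, not the poster's own procedure. It takes the list of paths the AV log reported as deleted, copies each one back from a backup of the same server, and reports the file version of the copy so you can confirm it matches the build that was installed (the post's warning about a mismatched version not talking to the other components). Everything here is assumed: that the backup mirrors the live volume layout (C:\Program Files\Sophos\... exists as &lt;BackupRoot&gt;\Program Files\Sophos\...), that you have already extracted the deleted paths from the AV log into a text file, and that the corrected IDE is already on the machine, or on-access scanning is off, so the restored files are not detected and deleted a second time.

```powershell
# Added example (not from the original post). Usage:
#   .\Restore-DeletedFiles.ps1 -DeletedPaths (Get-Content .\deleted.txt) `
#       -BackupRoot 'E:\Backups\SEC\latest' -DryRun
# Assumptions: the backup mirrors the live drive layout, and the fixed IDE is
# already in place (or on-access scanning is disabled) before you run this.
param(
    [Parameter(Mandatory)] [string[]] $DeletedPaths,   # paths taken from the AV log
    [Parameter(Mandatory)] [string]   $BackupRoot,     # e.g. E:\Backups\SEC\latest
    [string] $LiveRoot = 'C:\',
    [switch] $DryRun
)

foreach ($live in $DeletedPaths) {
    if (-not $live.StartsWith($LiveRoot, [StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "$live is not under $LiveRoot, skipping"
        continue
    }

    # Map C:\Program Files\Sophos\...\x.dll onto <BackupRoot>\Program Files\Sophos\...\x.dll
    $relative = $live.Substring($LiveRoot.Length)
    $backup   = Join-Path $BackupRoot $relative

    if (-not (Test-Path -LiteralPath $backup -PathType Leaf)) {
        [pscustomobject]@{ Path = $live; Status = 'no backup copy'; Version = $null }
        continue
    }

    # File version of the backup copy; compare it with the version SEC expects
    # before trusting the restore, since a stale backup puts back an older build.
    $version = (Get-Item -LiteralPath $backup).VersionInfo.FileVersion

    if (Test-Path -LiteralPath $live) {
        [pscustomobject]@{ Path = $live; Status = 'already present'; Version = $version }
        continue
    }
    if ($DryRun) {
        [pscustomobject]@{ Path = $live; Status = 'would restore'; Version = $version }
        continue
    }

    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $live) | Out-Null
    Copy-Item -LiteralPath $backup -Destination $live
    [pscustomobject]@{ Path = $live; Status = 'restored'; Version = $version }
}
```

Run it with -DryRun first and check the Version column against an unaffected machine on the same build before letting it copy anything; a backup taken before the last SEC upgrade will report an older version and should not be used.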

  • steveg95 wrote:

    The software has quarantined a critical .dll on some of our workstations with software other than Sophos. How do I repair Sophos and get the critical .dll out of quarantine to repair the other software?


    If you didn't move the file or delete it, then you just need the updated IDE javab-jd.ide and the application will work again.

  • Hi, for our clients, we did the following to get them to update successfully again.

    1) Clear the quarantine list (from the client or the server console)

    2) Use PSExec to stop the SAVService on the remote client (which disabled On Access Scanning)

    3) Rename the agen-xuv.ide file to agen-xuv.ide.old

    4) Use PSExec to start the SAVService on the remote client

    5) Update the definitions (from the client or the server console)

    Here is a batch file I used to perform steps 2, 3, and 4:

    @echo off
    REM Usage: fixsav.cmd <remotepc>   (steps 2, 3 and 4 above)
    C:\Tools\psexec -accepteula -i -s \\%1 net stop savservice
    REM ren takes a bare new name as its second argument, not a full path
    ren "\\%1\c$\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" "agen-xuv.ide.old"
    C:\Tools\psexec -accepteula -i -s \\%1 net start savservice

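A fleet-wide version of steps 2 to 4 above, added here as an example and not the poster's script: it runs the same stop / rename / start sequence against a list of endpoints, but waits for SAVService to actually reach Stopped before touching the IDE, confirms the IDE is gone, and reports a result object per host so you can see which machines still need attention before pushing step 5 from SEC. Assumptions: PsExec is at C:\Tools\psexec.exe, the C$ admin share on each endpoint is reachable with your current credentials, Sophos is installed at the default path quoted in the thread, and this runs under Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7).

```powershell
# Added example (not from the original post). Usage:
#   .\Fix-SavIde.ps1 -Computers (Get-Content .\endpoints.txt)
# Assumptions: PsExec at C:\Tools\psexec.exe, C$ reachable, default SAV
# install path, Windows PowerShell 5.1 (remote Get-Service).
param(
    [Parameter(Mandatory)] [string[]] $Computers,
    [string] $PsExec  = 'C:\Tools\psexec.exe',
    [string] $SavPath = 'Program Files\Sophos\Sophos Anti-Virus',
    [string] $BadIde  = 'agen-xuv.ide'
)

function Wait-RemoteService {
    # Returns $true once the service reaches $Status, $false on timeout or RPC error.
    param([string]$Computer, [string]$Name, [string]$Status, [int]$Seconds = 60)
    try {
        $svc = Get-Service -ComputerName $Computer -Name $Name
        $svc.WaitForStatus($Status, [TimeSpan]::FromSeconds($Seconds))
        return $true
    } catch {
        return $false
    }
}

foreach ($pc in $Computers) {
    $result = [ordered]@{ Computer = $pc; IdeRenamed = $false; SavService = 'unknown' }

    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        $result.SavService = 'unreachable'
        [pscustomobject]$result; continue
    }

    $ide = "\\$pc\c$\$SavPath\$BadIde"
    if (-not (Test-Path -LiteralPath $ide)) {
        # Already renamed, or this host never received the faulty IDE.
        $result.IdeRenamed = $true
        $result.SavService = (Get-Service -ComputerName $pc -Name SAVService).Status
        [pscustomobject]$result; continue
    }

    # Step 2: stop SAVService (on-access scanning) so the rename is not blocked.
    & $PsExec -accepteula -s "\\$pc" net stop SAVService 2>&1 | Out-Null
    if (-not (Wait-RemoteService $pc SAVService Stopped)) {
        $result.SavService = 'did not stop'
        [pscustomobject]$result; continue
    }

    # Step 3: rename the faulty IDE to .ide.old, as in the batch file above.
    Rename-Item -LiteralPath $ide -NewName "$BadIde.old" -Force
    $result.IdeRenamed = -not (Test-Path -LiteralPath $ide)

    # Step 4: start the service again; step 5 (update) is then pushed from SEC.
    & $PsExec -accepteula -s "\\$pc" net start SAVService 2>&1 | Out-Null
    $result.SavService = if (Wait-RemoteService $pc SAVService Running) { 'Running' } else { 'did not start' }
    [pscustomobject]$result
}
```

Pipe the output to Export-Csv and re-run against the hosts whose IdeRenamed is $false or whose SavService is anything other than Running; those are the ones that will still fail step 5.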
  • The instructions provided thus far to remediate this debacle are clearly incomplete. I've replaced the offending IDE, restarted the service, disabled the On-Access Scan, and forced all clients to update and comply with the group policy - but I'm still finding quite a few affected machines (including the client running on the Enterprise Server).

    The number of erroneously tagged files has dropped, but not by more than about 40%. And of the files that were released, they were ALL Sophos-related files. So the files that were nixed that belong to Adobe, Java, and a zillion other apps which use an updater... Well, I'm still in the can on those. Nicely done.

    SOPHOS - You need to look at the last released fix - it did not perform as advertised. Let's try this again...wash-rinse-repeat.

    [sigh] I'm gonna become a florist. How hard can it be to sell flowers? :^\

  • Hello.

    Yes I am having problems with this also!!

    When I am going through the "Endpoints unable to update" process, I am getting stuck at option number 2. I am not sure what this means. Probably something very obvious, but I cannot find where to 'Select Groups' and 'Update Now' in the SEC. See below for what the instructions are.

    Can someone please explain this to me in a little more detail?

    Thanks,

    Dean

    If you have endpoints that are unable to update due to the false positive issue the following steps can be taken to get the fixed IDE to them:

    1. Centrally disable On-Access scanning via policy in SEC
    2. Select Groups in SEC and select 'Update Now'
    3. Once a group has updated re-enable On-Access scanning via policy in SEC
  • You're in my boat. You're stuffed.

    Don't worry, I'm sure Sophos will be more than happy to fix this.

    If they can't they can re-install on a fresh server and re-input every single rule and setting.

    I have 3 servers.

    The best solution for us was to restore our PCs from a date when Sophos was OK (yesterday or the day before) and then update Sophos again.

    Hear, hear. Tell us how to fix it, and quickly please.

     ------ The best solution for us was to restore our PCs from a date when Sophos was OK (yesterday or the day before) and then update Sophos again.

    I too would like to know what to do with items still in quarantine.

  • Hi,

    We used Enterprise Console to deactivate on-access scanning on all affected platforms. Then we used 'Protect Computer' before reactivating on-access scanning.
