
SHH/Updater-B Fiasco Recovery Steps

Just thought a thread for just the recovery steps would be helpful as I'm sure this is a big mess for many of my IT brethren who will be burning the midnight oil on the cleanup.

Perhaps a Sophos engineer could chime in on:

- what to do about "Software Delivery failed" in Update Manager

- what to do about ALsvc.exe and ALUpdate.exe being detected / quarantined

- other steps?

  • Still checking this but I think it seems to be working.

    Delete the agen-xuv.ide from the Sophos directory on your server which has the Sophos Control Centre installed and restart the Anti-Virus Service.

    Open the Endpoint Client on the server and write down all of the sophos files which have been quarantined.

    Add the files to the suspicious files allowed list in the client.

    The Control Centre will now start, which will at least allow you to change the Group Policy to allow you to update the endpoints as below.

    Sophos Update Manager unable to update

    If SUM is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.

    To workaround this issue and successfully download the IDE file that fixes this issue follow these steps:

    1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
    2. Restart the 'Sophos Anti-Virus Service'
    3. Update SUM via the Sophos Enterprise Console

    Endpoints unable to update

    If you have endpoints that are unable to update due to the false positive issue there are two solutions:

    Option 1

    1. Add the following exclusions to the 'Anti-Virus and HIPS' policy

      C:\Documents and Settings\All Users\Application Data\Sophos\
      C:\Program Files\Sophos\
      C:\Program Files (x86)\Sophos\
      C:\programdata\sophos\

    2. Select Groups in SEC and select 'Update Now'
    3. Once all groups have been updated remove the exclusions

    Option 2

    1. Centrally disable On-Access scanning via policy in SEC
    2. Select Groups in SEC and select 'Update Now'
    3. Once a group has updated re-enable On-Access scanning via policy in SEC
  • And how can I finally remove the items in quarantine on the clients?
    Clients are updated; HIPS on-access I've already deactivated, updated and reactivated.

    Thanks for your help ;)
  • This needs testing still but seems to have worked OK on some test computers to clear the quarantine, remove the IDE, and trigger it to update.  After that some seemed to kick off, others needed a push with "update computers" from enterprise console.

    <?xml version="1.0" ?>
    <Threats prodver="102" version="1">
      <ViralThreats />
      <MCViralThreats />
      <PUAThreats />
      <AppControlThreats />
    </Threats>

    REM Batch script: run from the folder holding the empty quarantine.xml above
    set fixpc=PC1234

    REM Stop the Sophos services so Quarantine.xml and the IDE are not locked
    sc \\%fixpc% stop "Sophos Anti-Virus status reporter"
    sc \\%fixpc% stop "Sophos Anti-Virus"
    sc \\%fixpc% stop "Sophos Agent"
    sc \\%fixpc% stop "Sophos Message Router"
    sc \\%fixpc% stop "Sophos AutoUpdate Service"

    REM Keep the populated quarantine list as Quarantine.old, then drop in the empty one
    rename "\\%fixpc%\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml" *.old
    copy /y "quarantine.xml" "\\%fixpc%\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config"

    pause

    REM Remove the IDE that causes the false positive (path must be quoted because of the spaces)
    del "\\%fixpc%\c$\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"

    pause

    sc \\%fixpc% start "Sophos Anti-Virus status reporter"
    sc \\%fixpc% start "Sophos Anti-Virus"
    sc \\%fixpc% start "Sophos Agent"
    sc \\%fixpc% start "Sophos Message Router"
    sc \\%fixpc% start "Sophos AutoUpdate Service"

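The same per-endpoint recovery steps as an added PowerShell example (not the poster's batch script): it checks both the 32-bit and 64-bit install paths from this thread, keeps a timestamped copy of the populated Quarantine.xml instead of discarding it, and reports whether each service came back. It assumes the empty Quarantine.xml template from the post is saved as .\quarantine.xml beside the script, that the endpoint (hypothetical name PC1234) is reachable over the c$ admin share, and that the config directory is one of the two paths named in this thread.

```powershell
# Added example, not the original poster's script. Assumptions: .\quarantine.xml is the
# empty template from the thread; $Target is a hypothetical host reachable over \\host\c$.
param([string]$Target = 'PC1234')

$services = 'Sophos Anti-Virus status reporter', 'Sophos Anti-Virus', 'Sophos Agent',
            'Sophos Message Router', 'Sophos AutoUpdate Service'
# Config directory: Vista+ path first, then the XP-era path used in the batch script above.
$configDirs = "\\$Target\c$\ProgramData\Sophos\Sophos Anti-Virus\Config",
              "\\$Target\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config"
# The IDE behind the false positive, in both install locations named in the thread.
$idePaths = "\\$Target\c$\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide",
            "\\$Target\c$\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"

# 1. Stop the services so Quarantine.xml and the IDE are not in use (missing services are skipped).
foreach ($name in $services) {
    $svc = Get-Service -ComputerName $Target -Name $name -ErrorAction SilentlyContinue
    if ($svc) { $svc | Stop-Service -Force; $svc.WaitForStatus('Stopped', '00:01:00') }
}

# 2. Keep a timestamped copy of the populated quarantine list (it is the record of what was
#    removed on this host), then replace it with the empty template.
$config = $configDirs | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $config) { throw "No Sophos config directory found on $Target" }
$quar = Join-Path $config 'Quarantine.xml'
if (Test-Path $quar) {
    Copy-Item $quar "$quar.$(Get-Date -Format 'yyyyMMdd-HHmmss').old"
    Copy-Item '.\quarantine.xml' $quar -Force
    "Replaced $quar (backup kept alongside it)"
}

# 3. Remove the IDE from whichever install path exists on this endpoint.
foreach ($ide in $idePaths) {
    if (Test-Path $ide) { Remove-Item $ide -Force; "Removed $ide" }
}

# 4. Restart the services and show their final state so a failed start is visible.
foreach ($name in $services) {
    $svc = Get-Service -ComputerName $Target -Name $name -ErrorAction SilentlyContinue
    if ($svc) { $svc | Start-Service; $svc.Refresh(); "$name : $($svc.Status)" }
}
```

After the services are back, the endpoint still needs a push with 'Update computers' from the Enterprise Console if it does not update on its own, as the post above notes.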
  • Is that script above a batch file or some other script type?
  • Does anyone know how to create a report in the Enterprise Console which tells me which files are deleted from which systems?
  • Thanks drahon-it.

    I have tried renaming quarantine.xml and restarting the Sophos services, but that doesn't seem to have resolved the quarantined items issue for me.

    If anyone finds a good way to remove the quarantined items on the clients, please post it up here.

    Regards,

    Steve

  • Maybe we were lucky. I stopped the services, put the basic file in place of the one showing all the entries (take a look in Notepad or a browser), started it again and the client GUI shows no quarantined files.

    The enterprise console still shows them but you can select a load and acknowledge the lot in one go.

    Just deleted a couple of thousand email messages, and 500 auto-logged helpdesk tickets...
  • If anyone's 3rd party software updaters were deleted, here are a couple of tools that I have used in the past to undelete files, they may turn out to be useful:

    TestDisk by CGSecurity

    PhotoRec by CGSecurity

    I am searching for the Sophos history right now, trying to find a CSV or a log that I can use to build a list of all the files deleted by false positives and undelete them.
  • @KPLSecurity

    It's a batch script.

  • I thought of this last night after the 5+ hours of cleanup.

    test code
