
Shh/Updater-B Fiasco Recovery Steps

Just thought a thread for just the recovery steps would be helpful as I'm sure this is a big mess for many of my IT brethren who will be burning the midnight oil on the cleanup.

Perhaps a Sophos engineer could chime in on:

- what to do about "Software Delivery failed" in Update Manager

- what to do about ALsvc.exe and ALUpdate.exe being detected / quarantined

- other steps?



  • Both my student and staff domain console servers have now crashed after getting the update at 4:58 CST yesterday. Just renewed my 3 year subscription for 2800 licenses. Cannot call into tech support. "Priceless"

  • This is really bad... I mean real bad - like someone should lose their job bad. This mistake compromised and will continue to compromise into the near future the network and endpoint security on the network of multimillion dollar corporations and businesses. Heads should roll.

    Also if you had your policies set to delete or quarantine files as opposed to just denying access - your fix is a whole lot harder.. Just disabling on-access protection isn't enough because the update files are gone! It still won't update. Not only that - this also broke Java updating, Adobe updating, HP's Systems Insight Management updating.. - And that is just what it fried on my network.. God knows what else was impacted.

    Shameful. How did these definitions ever make it past QA at Sophos? 

  • @zack: Could we fellow forum members politely request that general comments on this issue are restricted to the main thread (http://community.sophos.com/t5/Sophos-Endpoint-Protection/Is-any-one-else-seing-this-alert-Shh-Updater-B-False-positives/td-p/29723)? This thread is related to recovery steps, and should be restricted to this topic.

    @drahon-it: I have tried your steps again and it has worked successfully. Not sure what I did wrong the last time.

    To reiterate: To remove the quarantined items listed on the client:

    1. Stop the Sophos Anti-Virus service (SavService.exe)

    2a. For Windows XP - Delete C:\Documents and Settings\Application Data\Sophos\Sophos Anti-Virus\Config\quarantine.xml

    2b. For Windows 7 - Delete C:\ProgramData\Sophos\Sophos Anti-Virus\Config\quarantine.xml

    3. Start the Sophos Anti-Virus service (SavService.exe)

    At this point, the quarantine list should be empty.

    Thanks to drahon-it for this tip.

    Cheers,

    Steve

  • @TRLSecurity

    What would the steps be if you have your AV policy set to delete or move files - as opposed to just denying access? Also how would this fix java, adobe, HP SIM or any other program this broke? 

  • @TRLSecurity - thanks. Luckily we didn't have the files set to delete, though I've always felt that a bit draconian anyway.

    BTW if you can get a list of the affected machines into a text file, one per line, then use a loop on them like this. All depends how bad the problem is; it hit the firm I was dealing with at 10pm UK time and was caught before it hit main logons next morning.

    (Script gets fiddled with when posting, and may well have copy/paste issues so make sure is ok before running it live...)

    Steve

    @echo off
    REM For each machine listed in yourtextfile.txt (one hostname per line): stop SAV, remove the quarantine list, restart SAV
    for /f "tokens=*" %%a in (yourtextfile.txt) do (
      REM sc needs the service key name (SAVService); "Sophos Anti-Virus" is only the display name
      sc \\%%a stop "SAVService" >NUL
      REM brief pause to give the service time to stop
      ping 127.0.0.1 -n 2 >NUL
      REM paths contain spaces, so they must be quoted for if exist / del
      if exist "\\%%a\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\quarantine.xml" (
          del "\\%%a\c$\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\quarantine.xml" >NUL
          echo File deleted from XP location - %%a
      ) ELSE (
        if exist "\\%%a\c$\ProgramData\Sophos\Sophos Anti-Virus\config\quarantine.xml" (
          del "\\%%a\c$\ProgramData\Sophos\Sophos Anti-Virus\config\quarantine.xml" >NUL
          echo File deleted from Vista/7 location - %%a
        ) ELSE (
           echo Not found quarantine file at all - %%a
        )
      )
      sc \\%%a start "SAVService" >NUL
    )

    Steve

    (who wishes he'd typed dragon-it better when he registered!)

    http://www.dragon-it.co.uk/

  • For what it's worth, this is the script I deployed with GPO:

    REM Stop the Sophos services before touching their files
    Net Stop "SAVService"
    net stop "Sophos AutoUpdate Service"
    net stop "Sophos Agent"
    net stop "SAVAdminService"
    net stop "Sophos Device Control Service"
    net stop "Sophos Message Router"
    net stop "Sophos Web Control Service"

    REM Remove the agen-xuv.ide identity file (32-bit and 64-bit install paths)
    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo IDE File Deleted)
    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" (Del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"&Echo IDE File Deleted)

    REM Fetch a clean copy of the AutoUpdate files from the CID share (/Y suppresses overwrite prompts, /I treats the target as a directory)
    xcopy "\\server\SophosUpdate\CIDs\S000\SAVSCFXP\SAU\program files\Sophos\AutoUpdate\*.*" "c:\SophosFix\AUFiles\" /Y /I

    REM Restore AutoUpdate into whichever install path is present (savmain.exe marks the install location)
    If Exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\savmain.exe" (Copy /Y "c:\SophosFix\AUFiles\*.*" "C:\Program Files (x86)\Sophos\AutoUpdate"&Echo AutoUpdate Files Restored)
    If Exist "C:\Program Files\Sophos\Sophos Anti-Virus\savmain.exe" (Copy /Y "c:\SophosFix\AUFiles\*.*" "C:\Program Files\Sophos\AutoUpdate"&Echo AutoUpdate Files Restored)

    REM Clear the quarantine list (Vista/7 location, then XP location)
    If Exist "C:\ProgramData\Sophos\Sophos Anti-Virus\config\Quarantine.xml" Del "C:\ProgramData\Sophos\Sophos Anti-Virus\config\Quarantine.xml"
    If Exist "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml" Del "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml"

    REM Bring the services back up
    net start "Sophos AutoUpdate Service"
    Net Start SAVService
    net start "Sophos Agent"
    net start "SAVAdminService"
    net start "Sophos Device Control Service"
    net start "Sophos Message Router"
    net start "Sophos Web Control Service"

  • So what is the solution when the steps in the article actually break SCC because the sum.msi cannot find some of the files?

  • This works, but I would like some sort of log file with a computer name so I can see the results.

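As an added example (not a script posted in this thread), here is a Windows PowerShell version of the stop-service / delete quarantine.xml / start-service loop from earlier in the thread that writes one log row per computer, which is what the reply above asks for. It assumes admin rights on the targets, reachable C$ admin shares and remote service control; computers.txt and the log file name are assumed names.

```powershell
# Added example, not from the thread: the quarantine.xml cleanup loop with a per-computer log.
# Assumes admin rights, reachable C$ shares and remote SCM; computers.txt and the CSV name are assumed.
$computers = Get-Content '.\computers.txt' | Where-Object { $_.Trim() -ne '' }
$logPath   = '.\quarantine-cleanup.csv'

# quarantine.xml locations given in the thread: XP/2003 first, then Vista/7
$relativePaths = @(
    'Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\quarantine.xml',
    'ProgramData\Sophos\Sophos Anti-Virus\Config\quarantine.xml'
)

$results = foreach ($computer in $computers) {
    $svc   = $null
    $entry = @{ Computer = $computer; Time = Get-Date; Path = ''; Result = '' }
    try {
        # SAVService is the service key name; "Sophos Anti-Virus" is only its display name
        $svc = Get-Service -ComputerName $computer -Name 'SAVService' -ErrorAction Stop
        if ($svc.Status -ne 'Stopped') {
            $svc.Stop()
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        }
        $entry.Result = 'quarantine.xml not found'
        foreach ($rel in $relativePaths) {
            $path = '\\{0}\c$\{1}' -f $computer, $rel
            if (Test-Path -LiteralPath $path) {
                Remove-Item -LiteralPath $path -Force -ErrorAction Stop
                $entry.Path   = $path
                $entry.Result = 'quarantine.xml deleted'
            }
        }
    }
    catch {
        $entry.Result = 'ERROR: ' + $_.Exception.Message
    }
    finally {
        # Always try to bring SAV back so the endpoint is not left without on-access protection
        if ($svc -ne $null) {
            $svc.Refresh()
            if ($svc.Status -ne 'Running') {
                try { $svc.Start(); $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60)) }
                catch { $entry.Result += ' (restart failed: ' + $_.Exception.Message + ')' }
            }
        }
    }
    New-Object PSObject -Property $entry
}

$results | Select-Object Computer, Time, Path, Result | Export-Csv -Path $logPath -NoTypeInformation
$results | Select-Object Computer, Result | Format-Table -AutoSize
```

Machines that could not be reached or where the service could not be stopped appear in the CSV with an ERROR row rather than silently being skipped.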
  • Sophos has just released a script to fix AutoUpdate.

    http://www.sophos.com/en-us/support/knowledgebase/27828.aspx

    This applies primarily to the worst scenario where cleanup was set to delete files.

  • Hello Fabi2000,

    You can extract what has been deleted from the logs.

    What can be done then depends on the product (unless you have a recent backup).

    The missing files might still be available on another (unaffected) endpoint. The product installation might offer Repair to restore missing files from the source. If neither is available you'd have to obtain the install (medium). It might be necessary to run the product through an update then; therefore I'd install on a "recovery" machine and copy the files from there (note that only files have been moved/deleted, as there was no cleanup routine involved, which might also perform actions in other parts, e.g. the registry).

    Sorry I can't suggest an easier solution.

    Christian
