
SOLUTION for Sophos clients broken by Shh/Updater-B false positives

After messing with this for quite some time, I have figured out a streamlined way to fix the Sophos clients that deleted their own files due to the false positives detected on Wednesday, September 19. 

Here is what you do:

1.  Restore, from a backup of any machine running the specific OS (XP, Vista, 7, etc.), the folder C:\Program Files (x86)\Sophos\AutoUpdate as it was on a date before September 19, preferably September 18.  You only need the AutoUpdate folder, one for each OS, not one for each individual machine.

2.  Stop all Sophos services on the client

3.  Overwrite the C:\Program Files (x86)\Sophos\AutoUpdate folder on the client machine with the backup folder

4.  Install from \\servername\SophosUpdate\CIDs\S000\SAVCFXP\setup.exe

5.  Once this completes, everything should be fixed.

Notes:  If your whole network is XP 32-bit, then all you need is the AutoUpdate folder from before September 19 from one backup.  It can be used on all machines.  If you have a heterogeneous network (e.g. XPx32, XPx64, Vistax32, Vistax64, 7x32, 7x64, 2003x32, 2003x64, 2008, etc.), you will need one AutoUpdate folder from each one, to be used with the corresponding client's OS.

I apologize if this solution has already been posted.  I don't have time to read through the entire forum.  If this helps one person it was worth my time.

Good luck!

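A PowerShell version of the five steps above, added here as a worked example (it is not the poster's own script and not code supplied by Sophos). It goes slightly beyond the post by also covering the Notes paragraph: it works out the client's OS and architecture and picks the matching pre-September-19 AutoUpdate backup from a share. The share \\servername\SophosBackups\AutoUpdate\<OS label>\ and its per-OS folder layout are assumptions made for the illustration; the CID setup.exe path is the one given in step 4; the removal of agen-xuv.ide and Quarantine.xml mirrors the batch file posted in a later reply in this thread.

```powershell
# Added example, not from the original post or from Sophos.
# Assumed (hypothetical) layout: \\servername\SophosBackups\AutoUpdate\<label>\ holds one
# pre-19-Sept copy of the AutoUpdate folder per OS/architecture, e.g. ...\7x64\, ...\XPx32\
param(
    [string]$BackupRoot = '\\servername\SophosBackups\AutoUpdate',                 # assumed share
    [string]$Setup      = '\\servername\SophosUpdate\CIDs\S000\SAVCFXP\setup.exe'  # path from step 4
)
$ErrorActionPreference = 'Stop'

# Stop order: add-on services first, the core anti-virus service last.
$services = @(
    'Sophos Web Control Service',
    'Sophos Device Control Service',
    'Sophos Message Router',
    'Sophos Agent',
    'SAVAdminService',
    'Sophos AutoUpdate Service',
    'SAVService'
)

function Get-SophosService([string]$Label) {
    # Accept either the service name or the display name, as "net stop" does.
    $svc = Get-Service -Name $Label -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -DisplayName $Label -ErrorAction SilentlyContinue }
    return $svc
}

function Get-OsLabel {
    # Builds the backup folder name for this client, e.g. "7x64" or "XPx32" (assumed naming).
    $caption = (Get-WmiObject Win32_OperatingSystem).Caption
    $arch = if (${env:ProgramFiles(x86)}) { 'x64' } else { 'x32' }   # env var only exists on 64-bit Windows
    $name = switch -Regex ($caption) {
        'XP'        { 'XP';    break }
        'Vista'     { 'Vista'; break }
        '2003'      { '2003';  break }
        '2008'      { '2008';  break }
        'Windows 7' { '7';     break }
        default     { throw "Unrecognised OS caption: $caption" }
    }
    return "$name$arch"
}

# Sophos lives under Program Files (x86) on 64-bit Windows and Program Files on 32-bit.
$sophosRoot = "$env:ProgramFiles\Sophos"
if (Test-Path "${env:ProgramFiles(x86)}\Sophos") { $sophosRoot = "${env:ProgramFiles(x86)}\Sophos" }

# Step 2: stop the services (skipping any that are not installed) and wait until each is stopped.
foreach ($label in $services) {
    $svc = Get-SophosService $label
    if ($svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
}

# Remove the IDE named in the batch-file reply, if it is still present.
$ide = Join-Path $sophosRoot 'Sophos Anti-Virus\agen-xuv.ide'
if (Test-Path $ide) { Remove-Item $ide -Force }

# Steps 1 and 3: pick the backup matching this client's OS and overwrite AutoUpdate with it.
$label  = Get-OsLabel
$source = Join-Path $BackupRoot $label
if (-not (Test-Path $source)) { throw "No pre-19-Sept AutoUpdate backup for $label at $source" }
$dest = Join-Path $sophosRoot 'AutoUpdate'
if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
Copy-Item -Path (Join-Path $source '*') -Destination $dest -Recurse -Force

# The batch-file reply also deletes Quarantine.xml; CommonApplicationData resolves to
# ProgramData on Vista/7/2008 and to All Users\Application Data on XP/2003.
$common     = [Environment]::GetFolderPath('CommonApplicationData')
$quarantine = Join-Path $common 'Sophos\Sophos Anti-Virus\Config\Quarantine.xml'
if (Test-Path $quarantine) { Remove-Item $quarantine -Force }

# Step 4: reinstall from the CID and report how the installer exited.
if (-not (Test-Path $Setup)) { throw "CID installer not found: $Setup" }
$proc = Start-Process -FilePath $Setup -Wait -PassThru
Write-Output "setup.exe exited with code $($proc.ExitCode)"

# Step 5: make sure every Sophos service is running again (core service first).
foreach ($label in $services[($services.Count - 1)..0]) {
    $svc = Get-SophosService $label
    if ($svc -and $svc.Status -ne 'Running') { Start-Service -InputObject $svc }
}
```

Run it elevated on each affected client, e.g. from a logon script or psexec, after the per-OS backup folders have been placed on the share. Because the script refuses to continue when no backup exists for the detected OS label, a machine with an OS you forgot to back up stops at that point rather than getting the wrong AutoUpdate files.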


  • Someone posted a batch file that did all those steps, but for me step 1 was a system restore, which resolved the issues with applications installed locally.

  • @echo off
    REM Stop all Sophos services before touching their files
    net stop "SAVService"
    net stop "Sophos AutoUpdate Service"
    net stop "Sophos Agent"
    net stop "SAVAdminService"
    net stop "Sophos Device Control Service"
    net stop "Sophos Message Router"
    net stop "Sophos Web Control Service"

    REM Remove the IDE behind the Shh/Updater-B false positives (64-bit and 32-bit install paths)
    if exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" (del "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide" & echo IDE deleted)
    if exist "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" (del "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide" & echo IDE deleted)

    REM Stage a known-good copy of the AutoUpdate folder from the CID share (/Y avoids overwrite prompts on re-runs)
    xcopy /Y "\\server\SophosUpdate\CIDs\S000\SAVSCFXP\SAU\program files\Sophos\AutoUpdate\*.*" "c:\SophosFix\AUFiles\"

    REM Put the staged files back over the client's AutoUpdate folder (64-bit and 32-bit install paths)
    if exist "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\savmain.exe" (copy "c:\SophosFix\AUFiles\*.*" "C:\Program Files (x86)\Sophos\AutoUpdate" & echo AutoUpdate files restored)
    if exist "C:\Program Files\Sophos\Sophos Anti-Virus\savmain.exe" (copy "c:\SophosFix\AUFiles\*.*" "C:\Program Files\Sophos\AutoUpdate" & echo AutoUpdate files restored)

    REM Clear the quarantine list (Vista/7/2008 path, then XP/2003 path)
    if exist "C:\ProgramData\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml" del "C:\ProgramData\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml"
    if exist "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml" del "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\Quarantine.xml"

    REM Start the services again
    net start "Sophos AutoUpdate Service"
    net start "SAVService"
    net start "Sophos Agent"
    net start "SAVAdminService"
    net start "Sophos Device Control Service"
    net start "Sophos Message Router"
    net start "Sophos Web Control Service"
