This discussion has been locked.

just a normal person, please help

hi all,

i'm a uni student who gets sophos through my uni. i have been affected by the false positive issue and moved the files before i knew that it was a 'fake' problem. i now can't get autoupdate to work at all, and can't uninstall sophos. i have tried using the script given by sophos but it didn't work and to be honest it's all getting well above my level of computer knowledge - i don't mind using dos commands but i'm not at all good with the errors it's generating. i realise there have been lots of questions about this issue earlier but couldn't see any easyish solution - if anyone could help i would be so grateful.

thanks.

:32611


  • Hi Tracy, would you be able to list the errors you are having on here so we can have a look at it? Once done we may be able to help you a bit more.

    :32613
  • Hi Tracy, I was in a similar situation. Try this protocol:

    /search?q= 32531

    :32621
  • Hi,

    What information do you have in the file iconn.cfg (C:\ProgramData\Sophos\AutoUpdate\Config\) regarding:

    "ConnectionAddress"

    An http address from your uni?

    I assume that you also have specified in that file under:

    UserName = 

    and
    UserPassword = 

    some credentials.  Do you know the password as in the file it's "hidden"?

    If so, you may just be able to download the script:

    http://downloads.sophos.com/tools/FixUpdate.zip

    unpack that: then in a command prompt run:

    cscript //nologo FixUpdate.vbs /fixIssues:true /username:myUser /password:myPassword

    Where you would change: myUser and myPassword to be that specified.

    Hope it helps.

    Regards,

    Jak

    :32625
  • i have tried various lines for the command prompt and this is what it is coming up with. thanks so much for the help :)

    C:\>cscript //nologo FixUpdate.vbs /fixIssues:true
    Version 4.3
    Fix issues enabled.
    No CID specified as a command line argument, using the detected CID location: ht
    tp://sophos.brookes.ac.uk/ES/Unmanaged_XP/
    IDE that fixes issue is present.
    Update did not receive newer IDEs.
    Stopping SAV service
    Failed to stop service with error: 2
    Failed to stop SAV service

    C:\>cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\server\sophosupdate\ci
    ds\s141\savscfxp
    Version 4.3
    Fix issues enabled.
    Overriding default CID http://sophos.brookes.ac.uk/ES/Unmanaged_XP/ with CID \\s
    erver\sophosupdate\cids\s141\savscfxp
    CID passed at command line is inaccessible, argument value is: \\server\sophosup
    date\cids\s141\savscfxp
    Specify /Help to display command line options

    C:\>cscript //nologo FixUpdate.vbs /fixIssues:true /cid:http://server/sophosupda
    te/cids/s141/savscfxp /username:myUser /password:myPassword
    Version 4.3
    Fix issues enabled.
    Overriding default CID http://sophos.brookes.ac.uk/ES/Unmanaged_XP/ with CID htt
    p://server/sophosupdate/cids/s141/savscfxp
    IDE that fixes issue is present.
    Update did not receive newer IDEs.
    Stopping SAV service
    Failed to stop service with error: 2
    Failed to stop SAV service

    :32629
  • Hi Tracey,

    So your update location is:

    http://sophos.brookes.ac.uk/ES/Unmanaged_XP/

    this was detected by the script when you didn't specify the update location.

    This location (if you go to it in a browser) seems to require authentication (you may need to ask your admin for the credentials if you don't recognise the account in the iconn.cfg file I mentioned before).

    So the command you need to run is:

    cscript //nologo FixUpdate.vbs /fixIssues:true /username:myUser /password:myPassword

    where you substitute myUser and myPassword in the above command with whatever credentials are required to access:

    http://sophos.brookes.ac.uk/ES/Unmanaged_XP/

    That being said you are getting the error message:

    "Failed to stop service with error: 2"  which translates to: "The system cannot find the file specified."

    The service (you can run services.msc to see all the services on the computer) in question is called "Sophos Anti-Virus" and the file the script is talking about would typically reside in:

    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe"

    or

    "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe"

    so this is missing?

    Did you remove Sophos Anti-Virus from the computer?

    Regards,

    jak

    :32633
  • i have used that link with my user name and password and it still comes up with the same. i have checked the folder and the sav file is there!!

    :32635
  • Hello Tracy, apologies for not getting back to you regarding this issue sooner. Support and Engineering are looking into the cases where the tools have not worked so far and working on solutions for these issues. This is taking longer than we would like but please keep an eye on the advisory page for updates on new tools or solutions. 

    For now, providing the "Sophos anti-virus" service is still running on your system, you should be protected against known threats prior to the update event on your system but will be missing later identity files. Obviously while your system is in this state I would recommend being very cautious about clicking on links in emails etc. as recommended in our NakedSecurity articles. Once again we can only apologise for the frustration and concern due to this incident.

    :32637
  • Hello again,

    If you open up services by running "services.msc" (start - run - type: "services.msc"), can you manually stop the Sophos Anti-Virus Service?

    Otherwise, you could try opening up Task Manager (start - run - type: taskmgr.exe), switch to the "processes" tab, find savservice.exe and end the process.

    Then try running the command again, i.e.

    cscript //nologo FixUpdate.vbs /fixIssues:true /username:myUser /password:myPassword

    where you need to substitute myUser and myPassword in the above command with whatever credentials are required to access:

    http://sophos.brookes.ac.uk/ES/Unmanaged_XP/

    Out of interest, what OS are you running?

    Regards,

    Jak

    :32641
  • hi thanks for all your help so far.

    i'm running windows vista.

    jak i've tried doing what you suggested and i'm now getting a new error message. i'm hoping that this is progress!

    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

    C:\Users\tracey>cd c:\

    c:\>cscript //nologo FixUpdate.vbs /fixIssues:true /username:12038347 /password:
    ********
    Version 4.3
    Fix issues enabled.
    No CID specified as a command line argument, using the detected CID location: ht
    tp://sophos.brookes.ac.uk/ES/Unmanaged_XP/
    IDE that fixes issue is present.
    Update did not receive newer IDEs.
    Stopping SAV service
    Deleting Quarantine.xml file
    Script encountered an error, details:
    Number = 70
    Description = Permission denied
    Failed to delete quarantine file C:\ProgramData\Sophos\Sophos Anti-Virus\Config\
    Quarantine.xml
    SAU files missing from the program files directory
    Writing false positive detections list to .\2012-9-24_15-41-17_001-FalsePosAll.t
    xt
    c:\FixUpdate.vbs(480, 13) Microsoft VBScript runtime error: Permission denied

    :32759
  • Looks like you have elevated privileges issues there from this line:

    Failed to delete quarantine file C:\ProgramData\Sophos\Sophos Anti-Virus\Config\
    Quarantine.xml

    Using Vista without modifying anything, you are likely hitting the UAC behaviour on this system. Try running the command prompt by right-clicking on it and selecting “Run as Administrator”, as this may resolve this issue. HTH

    :32763
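
The failures reported in this thread (error 2 when stopping the service, error 70 on Quarantine.xml, a non-elevated prompt under UAC) can be checked before retrying the script. The batch file below is an added example, not part of the thread or of Sophos's tooling; it uses only the paths quoted in the posts above, and its append-open test is an approximation of the delete that FixUpdate.vbs attempts.

```bat
@echo off
rem Added example (not from the thread or from Sophos): pre-flight checks
rem to run before retrying FixUpdate.vbs. Paths are those quoted in the thread.
setlocal
set "FAIL=0"
set "REL=Sophos\Sophos Anti-Virus\SavService.exe"
set "QXML=C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"

rem 1. UAC: an elevated token carries the High Mandatory Level SID S-1-16-12288.
whoami /groups | find "S-1-16-12288" >nul
if errorlevel 1 (
    echo [FAIL] Prompt is not elevated: start it with "Run as administrator".
    set "FAIL=1"
) else (
    echo [ OK ] Prompt is elevated.
)

rem 2. "Failed to stop service with error: 2" means file not found,
rem    so confirm the service binary exists in one of the two usual folders.
set "SAV="
if exist "C:\Program Files\%REL%" set "SAV=C:\Program Files\%REL%"
if exist "C:\Program Files (x86)\%REL%" set "SAV=C:\Program Files (x86)\%REL%"
if defined SAV echo [ OK ] Found "%SAV%"
if not defined SAV echo [FAIL] SavService.exe not found in either Program Files folder.
if not defined SAV set "FAIL=1"

rem 3. The script has to stop the service first; report whether the
rem    process is still running (informational only).
tasklist /fi "imagename eq SavService.exe" | find /i "SavService.exe" >nul
if errorlevel 1 (echo [INFO] SavService.exe is not running.) else (echo [INFO] SavService.exe is running.)

rem 4. Error 70 (Permission denied) on Quarantine.xml: open the file for
rem    append without writing anything. A failed open means it is locked
rem    or this token has no write access.
if not exist "%QXML%" (
    echo [INFO] Quarantine.xml is absent, nothing to delete.
    goto summary
)
2>nul ( >>"%QXML%" (call ) ) && echo [ OK ] Quarantine.xml can be opened for writing. || (echo [FAIL] Quarantine.xml is locked or access is denied.& set "FAIL=1")

:summary
if "%FAIL%"=="0" echo Checks passed: retry the cscript command from this same prompt.
exit /b %FAIL%
```

Save it next to FixUpdate.vbs and run it from the same command prompt you intend to use for the script; a non-zero exit code means at least one check failed.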