Issue
If your cleanup options were set to "Deny access and move to …" or "Delete" files, the Shh/Updater-B false positive may have prevented some non-Sophos applications from updating or even running. Applications installed by your end users may also have been affected. This could create a security issue.
This article tells you how to identify and fix non-Sophos applications that have been affected.
Note: If your cleanup options were set to the default "Deny access only", you should not need to read this article.
Need to check your Anti-Virus settings?
Before you start
Before you start, we recommend that you familiarize yourself with the Shh/Updater-B problem and fix your Sophos applications. If you haven’t done this already, select the appropriate link below:
What To Do
1. What are the key steps?
- Run a Sophos script on your console to identify affected computers.
- Fix applications where files were moved.
- Identify applications where files were deleted.
- Fix applications where files were deleted.
2. Run a Sophos script on your console to identify affected computers
On your management server, or the server that hosts the Sophos SQL Server instance:
- Right-click on this link: fpdf.bat, select 'save link' or 'save target' to the Desktop of your server.
- Open a command prompt (Start | Run | type cmd.exe | press Return) and change directory (cd) to the Desktop of the server.
- Type the command below to run the batch file and create an output text file:
fpdf.bat > FpActionedFiles.txt
Once the command completes you will see a new text file on the Desktop of the server called FpActionedFiles.txt.
- Open FpActionedFiles.txt to see the files that were moved or deleted on each affected managed computer.
If you do not see a list of computers you may have run the file on the wrong computer. Use article 113030 to confirm the server that has SQL installed and hosts the Sophos core database.
3. Fix applications where files were moved
You can use a Sophos script to fix affected applications on computers where files were moved. See article 118323 for instructions.
If your anti-virus cleanup settings did not delete any files, no further fixes should be necessary. However, we recommend you run the script in article 118323 on all endpoint computers just to be sure.
If your anti-virus cleanup settings deleted any files, continue to the next section.
4. Identify applications where files were deleted
You may recognize the affected applications from the file path and name. If so, repair or reinstall as appropriate. You may find more help on this SophosTalk thread: Shh/Updater-B: remediating third party applications
If you still need to identify the applications where files were deleted, you can do this in one of two ways:
- With an online Sophos tool
- With a script run on the endpoints
4.1. With an online Sophos tool
- In your web browser, go to File/Application lookup for Shh/Updater-B issue
- In the Search field, type in the filename (not the full path) you want to identify.
If our online tool cannot identify the files, use a script on the endpoints (next section).
4.2. With a script run on the endpoints
- Run the tool 'FixUpdate.vbs' as found in article 118323. You must use the command line option '/checkaffectedproducts:true' to generate a log file listing potentially affected products.
Note: The default location for this logfile is the location from which the script was executed. Use the /logpath:<path> option to place log files where they can be centrally stored and analyzed.
- Open the log file.
On a single endpoint computer, find the log file with a name in the format:
yyyy-m-dd_hh-mm-ss_#machinename#_007-AffectedProducts.txt
If you want to collate a single report from multiple endpoints, see article 118346.
The log file may return product information for both Sophos products and non-Sophos products. The comma-delimited log file can be opened in a Microsoft Excel spreadsheet if required for analysis.
- The 'AffectedProducts' log file shows affected applications.
Some files may be shown as being from an unknown vendor. You can submit logs to Sophos using the tool described in article 118405. This will help to improve our ability to identify non-Sophos applications.
5. Fix the applications where files were deleted
If files were deleted, Sophos cannot restore your applications. You will need to repair or reinstall them. You may find help and advice on the SophosTalk forum here:
Shh/Updater-B: remediating third party applications
Note:
- The log files may show information about non-Sophos products that have been impacted by the false positive. This information is provided for guidance only as Sophos cannot guarantee full accuracy. The information is based on files that have been identified as having been moved or deleted during the false positive detection. The information is provided to assist you to investigate the status of the non-Sophos product and repair if required.
- Some Sophos files detected may also be from within self-extracting folders, e.g. 'C:\sec_50\', 'C:\esw_100_sa\'. If an install is attempted from the damaged self-extractor the resulting behaviour is unknown. There are two options to deal with these:
- Delete the temporary directory used by the self-extractor and then re-download it if required (recommended).
- Attempt to repair the temporary directory used by the self-extractor yourself.
- Other Sophos files detected, such as .dat files within the 'Warehouse' directory (e.g. 'C:\ProgramData\Sophos\Update Manager\Update Manager\Warehouse\') or files in the 'Cache' directory of AutoUpdate (e.g. 'C:\ProgramData\Sophos\AutoUpdate\Cache\'), will be replaced when the Sophos application next updates successfully.
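The following script is an added example (not Sophos code and not part of this article) that turns a report of moved/deleted files into a per-computer remediation list, applying the rules from steps 2 to 5 and the notes above: moved files can be put back with FixUpdate.vbs, Warehouse and AutoUpdate Cache files self-heal on the next update, self-extractor temp folders should be deleted and re-downloaded, and only the remaining deleted files need a repair/reinstall and a filename lookup. The "computer,action,path" column layout, the sample rows and the 'C:\sec_' / 'C:\esw_' folder prefixes are assumptions; adapt the reader to the real layout of FpActionedFiles.txt.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in an assumed "computer,action,path" layout; the real
# FpActionedFiles.txt written by fpdf.bat may use a different layout.
SAMPLE_REPORT = """computer,action,path
WS-01,moved,C:\\Program Files\\Example Vendor\\ExampleApp\\update.exe
WS-01,deleted,C:\\Program Files\\Example Vendor\\ExampleApp\\updater.dll
WS-02,deleted,C:\\sec_50\\setup.exe
WS-02,deleted,C:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\savxp\\patch.dat
WS-03,deleted,C:\\ProgramData\\Sophos\\Update Manager\\Update Manager\\Warehouse\\x.dat
"""

# Directories the article says are refilled by the next successful Sophos update.
SELF_HEALING_DIRS = (
    "c:\\programdata\\sophos\\update manager\\update manager\\warehouse\\",
    "c:\\programdata\\sophos\\autoupdate\\cache\\",
)
# Assumed naming pattern for self-extractor temp folders (article shows sec_50, esw_100_sa).
SELF_EXTRACTOR_PREFIXES = ("c:\\sec_", "c:\\esw_")


def classify(action, path):
    """Map one actioned file to the remediation the article prescribes."""
    low = path.lower()
    if low.startswith(SELF_HEALING_DIRS):
        return "self-heals"      # replaced when Sophos next updates successfully
    if low.startswith(SELF_EXTRACTOR_PREFIXES):
        return "redownload"      # delete the temp folder and re-download the installer
    if action == "moved":
        return "fixupdate"       # FixUpdate.vbs (article 118323) can restore it
    return "reinstall"           # deleted non-Sophos file: repair or reinstall the app


def summarize(report_text):
    """Return {computer: {application directory: sorted remediation categories}}."""
    summary = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(report_text)):
        app_dir = str(PureWindowsPath(row["path"]).parent)
        summary[row["computer"]][app_dir].add(classify(row["action"], row["path"]))
    return {c: {d: sorted(v) for d, v in dirs.items()} for c, dirs in summary.items()}


def names_to_look_up(report_text):
    """Bare filenames (not full paths) to enter in the online lookup tool."""
    return sorted({PureWindowsPath(r["path"]).name
                   for r in csv.DictReader(io.StringIO(report_text))
                   if classify(r["action"], r["path"]) == "reinstall"})
```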