You see a 'zFP-ORACLE' suspicious behavior alert in your console, against the computer that is the Sophos management server.
This special alert does not indicate a threat on your computer. It does indicate that you may have software problems that need fixing urgently.
We issued this alert to ensure that you are aware that some non-Sophos products on your network were affected by the recent Sophos false positive issue. Unless you have already fixed these products, they could be out of date and could make you subject to future vulnerabilities. We chose a suspicious behavior alert to show that this issue is a high priority.
An example of the alert is shown below.
Additionally, in the computer details of your management server, you may also see one or more 'zFP-' suspicious behavior alerts that include non-Sophos (third-party) application names.
First seen in: Sophos Endpoint Security and Control
We have provided this alert because you may have third-party applications, installed on Windows endpoint computers, which are not functioning correctly due to the recent Shh/Updater-B false positive.
If you see this alert the following must be true:
- Your Anti-Virus policy was set to either 'move' or 'delete' files that the on-access scanner detected as malicious during the false positive issue.
- One or more computers have reported to the console that the local Anti-Virus has moved or deleted files associated with a third-party application.
- You have not purged (removed/deleted) console alerts regarding the move or delete action.
- The computer reporting the move or delete action is running a Windows operating system.
Note: Even if you have fixed some applications already, there may be others you do not know about.
Need to check your Anti-Virus settings?
What To Do
An overview of the required steps is:
- Section 1: run a batch file to produce a list of computers that have reported alerts (which have not been purged) for affected applications.
- Section 2: fix all applications where files were moved.
- Section 3 (only if files were deleted): fix the applications whose files were deleted.
1. Identify affected computers
You need to run a batch file which will create a text file listing computers that could have non-Sophos applications affected by the Shh/Updater-B false positive.
Open this article on your management server (or on the server that hosts the Sophos SQL Server instance) and follow steps one to four below.
- Right-click on this link: fpdf.bat, select 'save link' or 'save target' and save it to the Desktop of your server.
- Open a command prompt (Start | Run | Type: cmd.exe | Press return) and change directory (cd) to the Desktop of the server.
- Type the command below to run the batch file and create an output text file:
fpdf.bat > FpActionedFiles.txt
Once the command completes you will see a new text file on the Desktop of the server called FpActionedFiles.txt.
- Open FpActionedFiles.txt to see the files that were moved or deleted on each affected managed computer.
If you do not see a list of computers, you may have run the file on the wrong computer. Use article 113030 to confirm the server that has SQL installed and hosts the Sophos core database.
You will now have a text file called FpActionedFiles.txt that lists workstation computers. You can use this list in section 2 and, if required, section 3.
2. Fix applications where files were moved
To fix non-Sophos applications on endpoint computers follow steps one to three below.
The steps are designed to be repeated locally on each endpoint computer mentioned in the FpActionedFiles.txt file. Therefore you may want to copy the tool and instructions onto a USB pen (or similar device) that you can then use when visiting each workstation. If there are a large number of affected computers, see the links to further articles on how to deploy the tool across a network.
Note: You should run the tool with administrative rights.
- Right-click on this link: FixIssues.exe, select 'save link' or 'save target' to the Desktop of the endpoint computer.
- Double-click the tool to run it.
- Check that the applications are now working. If there are problems you should check the log files of the FixIssues tool. They are saved in the local temporary folder of the user running the tool. To locate the log files:
- Open the logged on user's temporary folder (Start | Run | Type: %temp% | Press return).
- In a text editor, open the main log file for the tool: Sophos Fix Script log.txt
- Additionally, you should also check: Sophos Fix Log_[TIMESTAMP].txt
Should you need to contact Sophos Technical Support you should submit these logs to allow us to resolve your issue quicker.
If your anti-virus cleanup settings did not delete any files (see 'Need to check your Anti-Virus settings?' section for confirmation), no further action is necessary.
Tip: We have produced the following articles to cover different methods that can be used to deploy the tool across your network:
- Enterprise Console, see article 118351
- PsExec, see article 118337
- Active Directory Group Policy (GPO), see article 118338
What to do if third-party applications are still broken
If you discover that some third-party applications are still not functioning correctly, and you have followed the instructions above, then the alerts were most likely not listed in the database. Hence the computers listed in the FpActionedFiles.txt file were not a full list of all affected computers.
In this situation we recommend you run the FixIssues.exe tool on all your endpoint computers. See the list of different methods of deployment in the section above.
3. Fix Oracle applications where files were deleted
You only need to follow this section if your anti-virus cleanup settings deleted files. If in doubt, watch the video in the 'Need to check your Anti-Virus settings?' section.
If your anti-virus settings did delete files: Use the links below for instructions on recovering each application identified.
Note: If you have already used the FixIssues tool from Sophos, you have restored any files that were moved. You only need to follow these instructions if your anti-virus cleanup settings deleted files.
Application: Java(TM) 2 Platform Standard Edition (6.0/7.0)
Vendor: Oracle
Impact:
- The following files are affected:
  - %Program Files%\Common Files\Java\Java Update\jucheck.exe
  - %Program Files%\Common Files\Java\Java Update\jaucheck.exe
  - %Program Files%\Common Files\Java\Java Update\jusched.exe
  - %Program Files%\Common Files\Java\Java Update\jureg.exe
- The Java tools will continue to function. However, updating will be broken and may not alert the user even when an update is triggered.
Resolution:
- Re-run the JRE or JDK installer to repair the Java update tools. You will be asked to confirm re-installation if the same version is already installed.
- The web Java installer is available from http://www.java.com; the offline Java installer is also available from the 'downloads' button on that page.
- If JRE Version 6 and Version 7 are both installed, it is only necessary to re-install Version 7, because they share the same Java Update component.
- The offline Java installer will require the user to confirm the re-installation before it continues. To run the JRE installation in silent (or unattended) mode, you must first uninstall the existing Java installation.
- 'Programs and Features' and 'Windows Add/Remove Programs' do not offer a repair option.
Verified for these versions:
- Java 6 Update 35 (32-bit) and Java 7 Update 7 (32-bit); the 64-bit variant does not support automated update and is not affected by the false positive.
Running on these operating systems:
- Windows XP Professional SP3
- Windows 7 Professional SP1
- Windows 7 Enterprise SP1 (64 bit)
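The PowerShell script below is an added example and is not Sophos's FixIssues tool, fpdf.bat or any other Sophos code. It checks a single endpoint for the four Java Update files listed above (so you can tell whether the Java repair in this section is still needed after running FixIssues) and lists the FixIssues log files from the current user's temporary folder described in section 2, ready to attach to a support case. It assumes it is run with administrative rights on the affected Windows computer, that the tool was run under the same user account, and, going slightly beyond the article's %Program Files% path, that 32-bit Java on 64-bit Windows lives under 'Program Files (x86)'. The function names Test-JavaUpdateFiles and Get-FixIssuesLogs are the example's own.

```powershell
# Added example: post-remediation check for one endpoint after the Shh/Updater-B false positive.
# Not Sophos code. Assumes administrative rights on the affected Windows computer.

# Files named in the article as affected under %Program Files%\Common Files\Java\Java Update
$expectedFiles = 'jucheck.exe', 'jaucheck.exe', 'jusched.exe', 'jureg.exe'

# Assumption: on 64-bit Windows the 32-bit JRE installs under "Program Files (x86)",
# so both roots are checked; on 32-bit Windows the second value is empty and dropped.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-JavaUpdateFiles {
    param([string[]]$Roots)
    $results = @()
    foreach ($root in $Roots) {
        $dir = Join-Path $root 'Common Files\Java\Java Update'
        # Skip roots where the Java Update component was never installed
        if (-not (Test-Path $dir)) { continue }
        foreach ($name in $expectedFiles) {
            $path = Join-Path $dir $name
            $results += New-Object PSObject -Property @{
                Path    = $path
                Present = (Test-Path $path)
            }
        }
    }
    return $results
}

function Get-FixIssuesLogs {
    # The FixIssues tool writes its logs to the temp folder of the user who ran it
    $temp = $env:TEMP
    $logs = @()
    $main = Join-Path $temp 'Sophos Fix Script log.txt'
    if (Test-Path $main) { $logs += Get-Item $main }
    $logs += Get-ChildItem -Path $temp -Filter 'Sophos Fix Log_*.txt' -ErrorAction SilentlyContinue
    return $logs
}

# 1. Java Update files: a missing file means the on-access scanner deleted it (the
#    FixIssues tool only restores moved files), so the JRE/JDK installer must be re-run.
$missing = Test-JavaUpdateFiles -Roots $roots | Where-Object { -not $_.Present }
if ($missing) {
    Write-Output 'Java Update files missing (re-run the JRE/JDK installer to repair):'
    $missing | ForEach-Object { Write-Output ('  ' + $_.Path) }
} else {
    Write-Output 'All Java Update files present (or Java Update is not installed on this computer).'
}

# 2. FixIssues logs for this user, to attach when contacting Sophos Technical Support
$logs = Get-FixIssuesLogs
if ($logs) {
    Write-Output 'FixIssues logs found (attach these to a support case):'
    $logs | ForEach-Object { Write-Output ('  ' + $_.FullName) }
} else {
    Write-Output 'No FixIssues logs in %TEMP% for this user; the tool may have been run under another account.'
}
```

Run it from an elevated PowerShell prompt on the endpoint after the FixIssues tool has finished. A file reported missing here will not come back by re-running FixIssues, because that tool restores moved files only; it is the case the Resolution steps above cover.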
Other alerts that may be present in your console include:
If you are still having issues, or the above steps do not restore the application, you may find more help on this SophosTalk thread: Shh/Updater-B: remediating third party applications.