You see a 'zFP-OTHER' suspicious behavior alert in your console, against the computer that is the Sophos management server.
This special alert does not indicate a threat on your computer. It does indicate that you may have software problems that need fixing urgently.
We issued this alert to ensure that you are aware that some non-Sophos products on your network were affected by the recent Sophos false positive issue. Unless you have already fixed these products, they could be out of date and could make you subject to future vulnerabilities. We chose a suspicious behavior alert to show that this issue is a high priority.
An example of the alert is shown below.
Additionally, in the computer details of your management server, you may also see one or more 'zFP-' suspicious behavior alerts that include non-Sophos (third-party) application names.
First seen in: Sophos Endpoint Security and Control
We have provided this alert because you may have third-party applications, installed on Windows endpoint computers, which are not functioning correctly due to the recent Shh/Updater-B false positive.
If you see this alert, the following must be true:
- Your Anti-Virus policy was set to either 'move' or 'delete' files that the on-access scanner detected as malicious during the false positive issue.
- One or more computers have reported to the console that the local Anti-Virus has moved or deleted files associated with a third-party application.
- You have not purged (removed/deleted) console alerts regarding the move or delete action.
- The computer reporting the move or delete action is running a Windows operating system.
Note: Even if you have fixed some applications already, there may be others you do not know about.
Need to check your Anti-Virus settings?
What To Do
An overview of the required steps is:
- Run a batch file (section 1) to produce a list of computers that have reported alerts (which have not been purged) for affected applications.
- Fix all applications where files were moved (section 2).
- If files were deleted, also fix the applications where files were deleted (section 3).
1. Identify affected computers
You need to run a batch file which will create a text file listing computers that could have non-Sophos applications affected by the Shh/Updater-B false positive.
Open this article on your management server, or on the server that hosts the Sophos SQL Server instance, and follow steps one to four below.
- Right-click on this link: fpdf.bat, select 'save link' or 'save target' to the Desktop of your server.
- Open a command prompt (Start | Run | Type: cmd.exe | Press return) and change directory (cd) to the Desktop of the server.
- Type the command below to run the batch file and create an output text file:
fpdf.bat > FpActionedFiles.txt
Once the command completes you will see a new text file on the Desktop of the server called FpActionedFiles.txt.
- Open FpActionedFiles.txt to see the files that were moved or deleted on each affected managed computer.
If you do not see a list of computers, you may have run the file on the wrong computer. Use article 113030 to confirm the server that has SQL installed and hosts the Sophos core database.
You will now have a text file called FpActionedFiles.txt that lists workstation computers. You can use this list in section 2 and, if required, section 3.
2. Fix applications where files were moved
To fix non-Sophos applications on endpoint computers follow steps one to three below.
The steps are designed to be repeated locally on each endpoint computer listed in the FpActionedFiles.txt file. Therefore you may want to copy the tool and instructions onto a USB pen (or similar device) that you can then use when visiting each workstation. If there are a large number of affected computers, see the links to further articles below on how to deploy the tool across a network.
Note: You should run the tool with administrative rights.
- Right-click on this link: FixIssues.exe, select 'save link' or 'save target' to the Desktop of the endpoint computer.
- Double-click the tool to run it.
- Check that the applications are now working. If there are problems, check the log files of the FixIssues tool. They are saved in the local temporary folder of the user running the tool. To locate the log files:
  - Open the logged-on user's temporary folder (Start | Run | Type: %temp% | Press return).
  - In a text editor, open the main log file for the tool: Sophos Fix Script log.txt
  - Additionally, you should also check: Sophos Fix Log_[TIMESTAMP].txt
Should you need to contact Sophos Technical Support, submit these logs so that we can resolve your issue more quickly.
If your anti-virus cleanup settings did not delete any files (see 'Need to check your Anti-Virus settings?' section for confirmation), no further action is necessary.
Tip: We have produced the following articles to cover different methods that can be used to deploy the tool across your network:
- Enterprise Console, see article 118351
- PsExec, see article 118337
- Active Directory Group Policy (GPO), see article 118338
What to do if third-party applications are still broken
If some third-party applications are still not functioning correctly after you have followed the instructions above, the relevant alerts were most likely not recorded in the database, so the computers listed in the FpActionedFiles.txt file were not a full list of all affected computers.
In this situation we recommend you run the FixIssues.exe tool on all your endpoint computers. See the list of different methods of deployment in the section above.
3. Fix other applications where files were deleted
You only need to follow this section if your anti-virus cleanup settings deleted files. If in doubt, watch the video in the 'Need to check your Anti-Virus settings?' section.
You may recognize the affected applications from the file path and name. If so, repair or re-install as appropriate. You may find more help on this SophosTalk thread: Shh/Updater-B: remediating third party applications.
If you still need to identify the applications where files were deleted, you can do this in one of two ways:
- With an online Sophos tool
- With a script run on the endpoints
With an online Sophos tool
- In your web browser, go to File/Application lookup for Shh/Updater-B issue
- In the Search field, type in the file name (not the full path) you want to identify.
If our online tool cannot identify the files, use a script on the endpoints (next section).
With a script run on the endpoints
- Run the tool FixUpdate.vbs as found in article 118323. You must use the command line option /checkaffectedproducts:true to generate a log file listing potentially affected products.
Note: The default location for this log file is the location from which the script was executed. Use the /logpath:<path> option to place log files where they can be centrally stored and analyzed.
- Open the log file.
On a single endpoint computer, find the log file with a name in the format:
If you want to collate a single report from multiple endpoints, see article 118346.
The log file may contain product information for both Sophos products and non-Sophos products. The comma-delimited log file can be opened in Microsoft Excel if required for analysis.
- The 'AffectedProducts' log file shows affected applications.
Some files may be shown as being from an unknown vendor. You can submit logs to Sophos using the tool described in article 118405. This will help to improve our ability to identify non-Sophos applications.
- The log files may show information about non-Sophos products that have been impacted by the false positive. This information is provided for guidance only as Sophos cannot guarantee full accuracy. The information is based on files that have been identified as having been moved or deleted during the false positive detection. The information is provided to assist you to investigate the status of the non-Sophos product and repair if required.
- Some Sophos files detected may also be from within self-extracting folders, e.g. 'C:\sec_50\' or 'C:\esw_100_sa\'. If an install is attempted from the damaged self-extractor, the resulting behaviour is unknown. There are two options to deal with these:
  - Delete the temporary directory used by the self-extractor and then re-download it if required (recommended).
  - Attempt to repair the temporary directory used by the self-extractor yourself.
- Other Sophos files detected, such as .dat files within the 'Warehouse' directory (e.g. 'C:\ProgramData\Sophos\Update Manager\Update Manager\Warehouse\') or files in the 'Cache' directory of AutoUpdate (e.g. 'C:\ProgramData\Sophos\AutoUpdate\Cache\'), will be replaced when the Sophos application next updates successfully.
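As an added example (not Sophos' own tooling), the following PowerShell script runs FixUpdate.vbs on each computer from your list with the two switches described above, directing the logs to a central share, then merges the per-endpoint AffectedProducts logs into one report and lists the entries whose vendor is not Sophos or is unknown. It assumes one hostname per line in the input file, WinRM enabled on the endpoints, placeholder share paths, and CSV columns named 'Product' and 'Vendor'; the real column names and log file name format are not given in this article, so adjust them to match your log.

```powershell
# Added example, not Sophos' own tooling. Assumptions (adjust to your environment):
#  - $ComputerList holds one hostname per line (constructed input; extract the names
#    from FpActionedFiles.txt first, as its exact layout is not described here).
#  - FixUpdate.vbs is on a share the endpoints can read; WinRM is enabled on them.
#  - Each endpoint's computer account can write to $LogShare (a remote session cannot
#    forward your own credentials to a second hop without CredSSP).
#  - The AffectedProducts log is CSV with a header row containing 'Product' and
#    'Vendor' columns; these names and the '*AffectedProducts*' file mask are guesses.
param(
    [string]$ComputerList = '.\affected-computers.txt',
    [string]$ScriptPath   = '\\FILESERVER\Tools\FixUpdate.vbs',  # placeholder share
    [string]$LogShare     = '\\FILESERVER\FpLogs'                # placeholder share
)

$computers = Get-Content $ComputerList | Where-Object { $_.Trim() -ne '' }

foreach ($computer in $computers) {
    $target = Join-Path $LogShare $computer        # one subfolder per endpoint
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    try {
        # Switches documented in the article: /checkaffectedproducts:true produces the
        # AffectedProducts log; /logpath:<path> redirects it to the central share.
        Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            param($vbs, $logDir)
            & cscript.exe //nologo $vbs /checkaffectedproducts:true "/logpath:$logDir"
        } -ArgumentList $ScriptPath, $target
    } catch {
        Write-Warning "$computer : $($_.Exception.Message)"   # note the failure, carry on
    }
}

# Merge every per-endpoint AffectedProducts log, tagging each row with its computer.
$rows = Get-ChildItem -Path $LogShare -Recurse -File -Filter '*AffectedProducts*' |
    ForEach-Object {
        $name = $_.Directory.Name
        Import-Csv -Path $_.FullName |
            Select-Object @{ Name = 'Computer'; Expression = { $name } }, *
    }

# Sophos' own entries are covered by the notes above; third-party and unknown-vendor
# entries are the ones that need manual repair or re-installation.
$thirdParty = $rows | Where-Object { $_.Vendor -notmatch 'Sophos' }
$thirdParty | Export-Csv -Path (Join-Path $LogShare 'AffectedProducts-all.csv') -NoTypeInformation

$thirdParty |
    Where-Object { [string]::IsNullOrWhiteSpace($_.Vendor) -or $_.Vendor -match 'unknown' } |
    Sort-Object Computer, Product |
    Format-Table Computer, Product, Vendor -AutoSize
```

Endpoints that fail the remote call are reported with Write-Warning and skipped, so check the warnings afterwards and run the script locally on those machines.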
Other alerts that may be present in your console include: