zFP-MOZILLA

  • Article number: 118376
  • Updated: 12 Mar 2014

Issue

You see a 'zFP-MOZILLA' suspicious behavior alert in your console, against the computer that is the Sophos management server.  

This special alert does not indicate a threat on your computer. It does indicate that you may have software problems that need fixing urgently.

We issued this alert to ensure that you are aware that some non-Sophos products on your network were affected by the recent Sophos false positive issue. Unless you have already fixed these products, they could be out of date and could make you subject to future vulnerabilities. We chose a suspicious behavior alert to show that this issue is a high priority.

An example of the alert is shown below.

Additionally, in the computer details of your management server, you may also see one or more 'zFP-' suspicious behavior alerts that include non-Sophos (third-party) application names.

First seen in

Sophos Endpoint Security and Control

Cause

We have provided this alert because you may have third-party applications, installed on Windows endpoint computers, which are not functioning correctly due to the recent Shh/Updater-B false positive.

If you see this alert the following must be true:

  • Your Anti-Virus policy was set to either 'move' or 'delete' files that the on-access scanner detected as malicious during the false positive issue.
  • One or more computers have reported to the console that the local Anti-Virus has moved or deleted files associated with a third-party application.
  • You have not purged (removed/deleted) console alerts regarding the move or delete action.
  • The computer reporting the move or delete action is running a Windows operating system.

Note: Even if you have fixed some applications already, there may be others you do not know about.

Need to check your Anti-Virus settings?

What To Do

An overview of the required steps is:

  1. Run a batch file to produce a list of computers that have reported alerts (which have not been purged) for affected applications (section 1).
  2. Fix all applications where files were moved (section 2).
  3. If files were deleted, fix the applications where files were deleted (section 3).

1. Identify affected computers

You need to run a batch file which will create a text file listing computers that could have non-Sophos applications affected by the Shh/Updater-B false positive.

Open this article on your management server, or on the server that hosts the Sophos SQL Server instance, and follow steps one to four below.

  1. Right-click on this link: fpdf.bat, select 'save link' or 'save target' to the Desktop of your server.
  2. Open a command prompt (Start | Run | Type: cmd.exe | Press return) and change directory (cd) to the Desktop of the server.
  3. Type the command below to run the batch file and create an output text file:

    fpdf.bat > FpActionedFiles.txt

    Once the command completes you will see a new text file on the Desktop of the server called FpActionedFiles.txt
  4. Open FpActionedFiles.txt to see the files that were moved or deleted on each affected managed computer.

    If you do not see a list of computers, you may have run the file on the wrong computer.  Use article 113030 to confirm the server that has SQL installed and hosts the Sophos core database.

You will now have a text file called FpActionedFiles.txt that lists the affected workstation computers.  You can use this list in section 2 and, if required, section 3.

2. Fix applications where files were moved

To fix non-Sophos applications on endpoint computers follow steps one to three below.

The steps are designed to be repeated locally on each endpoint computer listed in the FpActionedFiles.txt file.  Therefore you may want to copy the tool and instructions onto a USB pen (or similar device) that you can then use when visiting each workstation.  If there are a large number of affected computers, see the links to further articles below on how to deploy the tool across a network.

Note: You should run the tool with administrative rights.

  1. Right-click on this link: FixIssues.exe, select 'save link' or 'save target' to the Desktop of the endpoint computer.
  2. Double-click the tool to run it.
  3. Check that the applications are now working.  If there are problems you should check the log files of the FixIssues tool.  They are saved in the local temporary folder of the user running the tool.  To locate the log files:
    1. Open the logged on user's temporary folder (Start | Run | Type: %temp% | Press return).
    2. In a text editor open the main log file for the tool: Sophos Fix Script log.txt
    3. Additionally you should also check: Sophos Fix Log_[TIMESTAMP].txt

Should you need to contact Sophos Technical Support you should submit these logs to allow us to resolve your issue quicker.

If your anti-virus cleanup settings did not delete any files (see 'Need to check your Anti-Virus settings?' section for confirmation), no further action is necessary.

Tip: We have produced the following articles to cover different methods that can be used to deploy the tool across your network:

  • Enterprise Console, see article 118351
  • PsExec, see article 118337
  • Active Directory Group Policy (GPO), see article 118338

What to do if third-party applications are still broken

If you discover that some third-party applications are still not functioning correctly, and you have followed the instructions above, then the alerts were most likely not listed in the database.  Hence the computers listed in the FpActionedFiles.txt file were not a full list of all affected computers.

In this situation we recommend you run the FixIssues.exe tool on all your endpoint computers.  See the list of different methods of deployment in the section above.

3. Fix Mozilla applications where files were deleted

You only need to follow this section if your anti-virus cleanup settings deleted files. If you are in doubt and have not already done so, watch the video in the 'Need to check your Anti-Virus settings?' section.

If your anti-virus settings did delete files: Use the links below for instructions on recovering each application identified.

Note: If you have already used the FixIssues tool from Sophos, you have restored any files that were moved. You only need to follow these instructions if your anti-virus cleanup settings deleted files.

Application: Firefox
Vendor: Mozilla
Impact:
  • The following files are affected: 
    • %Program Files%\Mozilla Firefox\updater.exe
  • Firefox will continue to run as normal without this file present. 
  • There will be no notification that a file is missing. 
  • Firefox will detect when new updates are available but will fail to install these updates. 
  • The user may be presented with a notification that updating has failed.
Resolution:
  • Use the Firefox installer to reinstall/upgrade Firefox.
  • The installer is available from http://www.mozilla.org
  • For a silent re-install run the installer with the command option "-ms" (without the quotes). 
  • There is no repair option available from the "Programs and Features" or "Windows Add Remove Programs".
Verified for this version:
  • Firefox 15.0.1.
Running on these operating systems:
  • Windows XP Professional SP3
  • Windows 7 Professional SP1
  • Windows 7 Enterprise SP1 (64 bit)

 

Application: Thunderbird
Vendor: Mozilla
Impact:
  • The following files are affected:
    • %Program Files%\Mozilla Thunderbird\updater.exe
  • Thunderbird will continue to run as normal without this file present.
  • There will be no notification that a file is missing.
  • Thunderbird will detect when new updates are available but will fail to install these updates.
  • The user may be presented with a notification that updating has failed.
Resolution:
  • Use the Thunderbird installer to reinstall/upgrade Thunderbird.
  • The installer is available from http://www.mozilla.org.
  • For a silent re-install run the installer with the command option "-ms" (without the quotes).
  • There is no repair option available from the "Programs and Features" or "Windows Add Remove Programs".
Verified for this version:
  • Thunderbird 15.0.1.
Running on these operating systems:
  • Windows XP Professional SP3
  • Windows 7 Professional SP1
  • Windows 7 Enterprise SP1 (64 bit)
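As an added example (not the Sophos article's own batch file or its FixIssues tool), the following PowerShell script checks each Mozilla product on an endpoint for the updater.exe file listed above and, when run with -Reinstall, performs the silent reinstall with the "-ms" option described in the Resolution sections. The installer paths are placeholders you must supply; run the script with administrative rights.

```powershell
# Added example: verify the affected Mozilla updater.exe files and optionally reinstall.
# Installer paths are placeholders (assumption): download the installers from mozilla.org first.
param(
    [switch]$Reinstall,
    [string]$FirefoxInstaller     = 'C:\Installers\Firefox Setup.exe',      # placeholder path
    [string]$ThunderbirdInstaller = 'C:\Installers\Thunderbird Setup.exe'   # placeholder path
)

# Relative paths are the affected files named in the Impact sections of the article.
$affected = @(
    @{ App = 'Firefox';     Rel = 'Mozilla Firefox\updater.exe';     Installer = $FirefoxInstaller },
    @{ App = 'Thunderbird'; Rel = 'Mozilla Thunderbird\updater.exe'; Installer = $ThunderbirdInstaller }
)

# On 64-bit Windows a 32-bit Mozilla product lives under Program Files (x86),
# so check both roots; the (x86) variable is empty on 32-bit systems and is dropped.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

foreach ($item in $affected) {
    $installDirs = $roots | ForEach-Object { Join-Path $_ (Split-Path $item.Rel -Parent) } |
                   Where-Object { Test-Path $_ }
    if (-not $installDirs) {
        Write-Output "$($item.App): not installed on this computer, nothing to check"
        continue
    }
    foreach ($dir in $installDirs) {
        $file = Join-Path $dir (Split-Path $item.Rel -Leaf)
        if (Test-Path $file) {
            Write-Output "$($item.App): OK, $file is present"
            continue
        }
        # Missing updater.exe matches the symptom in the article: the product runs but updates fail.
        Write-Warning "$($item.App): $file is missing; updates will fail until the product is reinstalled"
        if ($Reinstall) {
            if (-not (Test-Path $item.Installer)) {
                Write-Warning "Installer not found at $($item.Installer); download it from http://www.mozilla.org"
                continue
            }
            # -ms is the silent-install option given in the Resolution sections.
            $p = Start-Process -FilePath $item.Installer -ArgumentList '-ms' -Wait -PassThru
            Write-Output "$($item.App): installer exited with code $($p.ExitCode)"
        }
    }
}
```

Run it first without -Reinstall to get a report for the computer, then with -Reinstall on the computers where a file is reported missing.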

Further information

Other alerts that may be present in your console include:

  • zFP-ADOBE
  • zFP-APPLE
  • zFP-GOOGLE
  • zFP-ORACLE
  • zFP-OTHER
  • zFP-REALNETWORKS
  • zFP-SMARTTECHNOLOGIES

If you are still having issues or the above steps do not fix the application, you may find more help on this SophosTalk thread: Shh/Updater-B: remediating third party applications.

If you need more help, contact technical support.
