Fixing Sophos AutoUpdate after required files were deleted or moved by Sophos Anti-Virus due to a false positive

  • Article ID: 118323
  • Updated: 06 Jan 2014

Issue

Following an unwanted detection the Sophos AutoUpdate component is no longer functioning. This is due to the files needed by Sophos AutoUpdate being deleted or moved as part of the clean-up action related to the false positive.

Note: For this to occur your anti-virus configuration was set to an option other than 'Deny access only'.

First seen in

Sophos Anti-Virus for Windows 2000+

Cause

An unwanted detection has deleted or moved files from their original location, preventing Sophos AutoUpdate from being able to run correctly and hampering remediation efforts.

What To Do

We are making available an executable and script that can be used to repair endpoints where files were deleted or moved due to the false positive.

The executable or script can perform the following remediation steps:

  • Stop false positive detection for 'Shh/Updater-B'.
  • Repair AutoUpdate.
  • Clear local Quarantine Manager alerts on the endpoint.
  • Trigger an update.
  • Replace missing Sophos Anti-Virus and Sophos Remote Management System files.
  • Generate the following log files in the same directory as the script file to help you determine what files have been affected.  They cover both third-party files and Sophos files affected:
    • *-Output.txt - log file of the script.
    • *-FalsePosAll.txt - files affected by the false positive.
    • *-FalsePosMoved.txt - files moved where the cleanup action was set to 'move to'.
    • *-ToRestoreMoved.txt - files which could be restored following a 'move to' action.
    • *-FalsePosDeleted.txt - files deleted where the cleanup action was set to 'delete'.
    • *-ToRestoreDeleted.txt - files deleted which are no longer on the computer.
    • *-MoveBackLog.txt - files restored by the script.
    • *-AffectedProducts.txt - where possible a mapping of files detected to their associated application.

Note: The page http://www.sophos.com/en-us/support/field-search.aspx has also been provided to help associate detected files with their application provider and application.

Important: 

  • The tools should be run with administrative rights.
  • The script requires Windows Scripting Host 5.7 on Windows 2000.
  • All output log files should be kept for reference until you are satisfied you have resolved all problems with each computer.

Using FixIssues.exe (Recommended)

  1. Download the tool from here.
  2. Run the file 'FixIssues.exe' on an affected endpoint.

    Note: This tool will automatically extract 'FixUpdate.vbs' and run it with the following command line options:
    cscript //nologo sophos_temp\FixUpdate.vbs /fixIssues:true /useSophosCid:true > "Sophos Fix Script Log.txt"
    If you require additional functionality, use 'FixUpdate.vbs' with different command line parameters (see 'Using FixUpdate.vbs' below).

    Log files can be found in the following locations:
    %temp%\Sophos Fix Script log.txt
    %temp%\Sophos Fix Log_[YYYYMMDDHHMMSS].txt
    All other logs can be found in: '%temp%'.

    The executable version can be launched in silent mode by specifying a command line argument, for example:
    FixIssues.exe silent

Using FixUpdate.vbs

For use when you need to use a custom set of command line options.

  1. Download the script from here.
  2. Extract the file to a folder of your choosing.
  3. Open a command prompt with elevated permissions.
    • For Windows Vista, Windows 2008 and Windows 7:
      Start | All Programs | Accessories | Right-click on Command Prompt | Select 'Run as Administrator'.
    • For Windows XP: ensure you are logged in as a user with administrative rights.
  4. Change directory to the location you extracted the files to.
  5. Run the command:

    cscript FixUpdate.vbs /fixIssues:true

    In addition to the recommended /fixissues:true option, the following options can be specified as required:

    Options:

    /fixissues:true|false
        Attempt to fix known issues.
        Examples: /fixissues:true, /fixissues:false

    /help
        Displays the help for the tool, which includes the switches mentioned in this article.

    /cid:[location]
        Enables a custom update location to be specified, overriding the configured AutoUpdate location. The location specified can be a UNC or HTTP location.
        Examples: /cid:\\server\sophosupdate\cids\s001\savscfxp, /cid:http://server/sophosupdate/cids/s141/savscfxp

    /clearquarantine:true|false
        Clears the endpoint Quarantine Manager.
        Examples: /clearQuarantine:true, /clearQuarantine:false

    /usesophoscid:true|false
        Will use Sophos as an update location to replace missing files. Useful where the configured location is not accessible.
        Examples: /usesophoscid:true, /usesophoscid:false

    /logpath:[location]
        A copy of the log files generated by the script can optionally be copied to a specified location. When using this option, a directory based on the computer name of the client running the script will be created to help process logs from multiple computers centrally.
        Examples: /logpath:\\server\share, /logpath:C:\windows\temp
        Important: The custom location specified should be writable by the account executing the script.

    /checkAffectedProducts:true|false
        Generates the log file *-AffectedProducts.txt which lists, where possible, the affected files and their associated products. This comma-separated file can be opened in an application such as Microsoft Excel. Note: You will need to import the file from within Excel to ensure it is correctly formatted as a CSV file.
        Examples: /checkAffectedProducts:true, /checkAffectedProducts:false
        Note:
        • To combine logs generated by multiple endpoints, please see article 118346.
        • For more information on interpreting this log file see article 118348.
        • To submit the 'AffectedProducts' log files to Sophos see article 118405.

    /updatenow:true|false
        Will force an update of Sophos AutoUpdate once repaired.
        Examples: /updatenow:true, /updatenow:false

    /restoreMovedFiles:true|false
        Restore files that were moved during the false positive detection while fixing issues.
        Examples: /restoreMovedFiles:true, /restoreMovedFiles:false

    /verbose:true|false
        Turns on verbose logging for the script.
        Examples: /verbose:true, /verbose:false

    Examples:

    cscript FixUpdate.vbs /fixIssues:true /usesophoscid:true

    Will ensure the client has the detection identity file that will stop the unwanted detection, clear the Quarantine Manager and fix the Sophos install using Sophos as the update location.

    cscript FixUpdate.vbs /fixIssues:true /cid:\\server\sophosupdate\cids\s000\savscfxp

    Will ensure the client has the detection identity file that will stop the unwanted detection, clear the Quarantine Manager, fix the Sophos install using the update location '\\server\sophosupdate\cids\s141\savscfxp' to replace missing Sophos files.  All logs will be created in the same directory as the script file.

    cscript FixUpdate.vbs /fixIssues:true /cid:http://server/sophosupdate/cids/s000/savscfxp /username:myUser /password:myPassword
    Will ensure the client has the missing identity file, clear the Quarantine Manager, fix the Sophos install using the update location 'http://server/sophosupdate/cids/s000/savscfxp' (using credentials to authenticate) to replace missing Sophos files. All logs will be created in the same directory as the script file.
    If the script is unable to obtain the location of the CID automatically it can be specified as an argument to the script using the /cid: option.
    The /cid: value can be either a UNC or HTTP address.

    cscript FixUpdate.vbs /clearQuarantine:true
    Will clear the Quarantine Manager on an endpoint.

  6. Once you've tested the script on a few computers you can deploy the script using the deployment method of your choice. (Microsoft group policy, e.g. startup/shutdown scripts, Zenworks, PsExec, Altiris, etc.).  We have produced the following articles to cover common methods that are used to deploy scripts across a network:
    • PsExec, see article 118337
    • Active Directory Group Policy (GPO), see article 118338
    • Enterprise Console, see article 118351

  7. Once the script has completed, check that the Sophos shield icon is displayed in the notification tray.  If not, logging off and back on to the computer will launch the shield. Alternatively you can manually launch Almon.exe by going to Start | Run and typing one of the following:
    32-bit: C:\program files\Sophos\AutoUpdate\Almon.exe
    64-bit: C:\program files (x86)\Sophos\AutoUpdate\Almon.exe
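    The following wrapper is an added example (not part of this article or the Sophos tools) showing how steps 3 to 7 can be scripted for deployment on a single endpoint: it checks for elevation, warns about the msiexec.exe blocking condition from 'Known issues', runs FixUpdate.vbs by its full cscript.exe path with central log collection, and restarts Almon.exe if it is not running. It assumes the script was extracted to C:\SophosFix and that \\server\share\FixLogs is a writable share; both are placeholders.

```powershell
# Assumed locations (placeholders, not from the article).
$scriptDir = 'C:\SophosFix'
$logShare  = '\\server\share\FixLogs'
# Full path to cscript.exe works around Error Code 1038 when System32 is missing from PATH.
$cscript   = Join-Path $env:windir 'System32\cscript.exe'

# The tools must run with administrative rights.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
              [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this wrapper from an elevated prompt.' }

# One msiexec.exe is normal; more than one blocks the SAU reinstall (see Known issues).
$msi = @(Get-Process -Name msiexec -ErrorAction SilentlyContinue)
if ($msi.Count -gt 1) {
    Write-Warning ("{0} msiexec.exe processes running; end the extra ones first." -f $msi.Count)
}

# Same options FixIssues.exe uses, plus quarantine clearing, the products report and central logs.
$vbsArgs = @('//nologo', (Join-Path $scriptDir 'FixUpdate.vbs'),
             '/fixIssues:true', '/useSophosCid:true', '/clearQuarantine:true',
             '/checkAffectedProducts:true', "/logpath:$logShare")
$proc = Start-Process -FilePath $cscript -ArgumentList $vbsArgs -WorkingDirectory $scriptDir `
            -Wait -PassThru -RedirectStandardOutput (Join-Path $scriptDir 'Sophos Fix Script Log.txt')
Write-Output ("FixUpdate.vbs exit code: {0}" -f $proc.ExitCode)

# The AutoUpdate monitor should be running so the shield icon reappears in the notification tray.
if (-not (Get-Process -Name ALMon -ErrorAction SilentlyContinue)) {
    $candidates = @()
    $pf86 = ${env:ProgramFiles(x86)}                       # set only on 64-bit Windows
    if ($pf86) { $candidates += Join-Path $pf86 'Sophos\AutoUpdate\Almon.exe' }
    $candidates += Join-Path $env:ProgramFiles 'Sophos\AutoUpdate\Almon.exe'
    $almon = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if ($almon) { Start-Process -FilePath $almon } else { Write-Warning 'Almon.exe not found.' }
}

# /logpath copies the script's own logs; keep the console log alongside them, per computer name.
$dest = Join-Path $logShare $env:COMPUTERNAME
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Copy-Item -Path (Join-Path $scriptDir 'Sophos Fix Script Log.txt') -Destination $dest -Force
```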

Technical Information

The script checks for the presence of the agen-xuv.ide and javab-jd.ide identity files. To stop the false positive detection for 'Shh/Updater-B', if javab-jd.ide is not present it drops it into the Sophos Anti-Virus directory and restarts the Sophos Anti-Virus service at the end. It also clears the local Quarantine Manager alerts.

The script parses the Sophos Anti-Virus logs to identify files deleted or moved due to false positives. It restores moved files to their original location, but not deleted files. Each step creates log files that can be used for diagnostics.

It checks if the Sophos AutoUpdate install is healthy and if not it repairs it, even if files were deleted.

At the end it triggers an update.

Alerts on the Console side will still need to be 'Acknowledged'.

Known issues

Could not resolve the issue.
Please contact Technical Support. Error Code 1038

This is a generic failure with many possible causes.

  • The issue can occur when the path c:\windows\system32 (or c:\winnt\system32 on Windows 2000) is missing from the PATH environment variable. A workaround is to call cscript.exe by its full path when running FixUpdate.vbs:

    %windir%\System32\cscript.exe FixUpdate.vbs /fixIssues:true
  • Send in logs from %temp% with a name format matching the prefix "Sophos Fix" (detailed above) to help Technical Support troubleshoot any other issues.

The script errors with the message: "Detected version of the Script Host does not support all required features. Required version is 5.6"

Ensure you are running version 5.6 or later of the Windows Scripting Host.  For Windows 2000, see article: http://www.microsoft.com/en-us/download/details.aspx?id=20240.

The script errors with 'SAU files missing' and 'Error loading external resources (0x8007007e)'

The necessary files aren't in the CID, most likely because they were deleted or moved as part of the false positive. Resolve the false positive issue on the Sophos Update Manager server and ensure the CID is complete, then run the script.

The script errors with 'FixUpdate.vbs (136, 9) (null): The specified module could not be found.' or 'RestoreCacheFilesFromCID - SAU reinstall failed because another installation is in progress' and 'FixUpdate.vbs(135, 26) (null): 0x800700C1'

Multiple Windows Installer processes are blocking the script from running.

  1. Open Task Manager (Start | Run | Type: taskmgr.exe | Press return), move to the 'Processes' tab.
  2. Click on the 'Image Name' column header to sort alphabetically.
  3. Locate an 'msiexec.exe' process and click 'End Process'.  Accept the warning that will appear.
  4. Repeat for all other msiexec.exe processes in the list.

Check the 'Processes' tab of the Task Manager for multiple copies of msiexec.exe (one process being present is normal).  If no further processes are shown, rerun the script.

If msiexec processes keep appearing:

  1. Stop the Windows Installer service (Start | Run | Type: services.msc | Press return).
  2. Disable the service from its properties dialog (right-click on the service name to access).
  3. From the Task Manager 'End Process' on all remaining msiexec processes.
  4. Set the Windows Installer service back to 'Manual' for its 'Startup type'.

Note: If further msiexec processes are created, check both the 'Applications' and 'Processes' tabs of the Task Manager for a program (or programs) that may be attempting to repair itself, perform an update or run an installation.  You may want to close all non-essential programs that are running, including any programs that load automatically when Windows starts up and appear as small icons in the System Tray (next to the Windows clock on the Taskbar; they may be hidden).


If you need more information or instructions, please contact Technical Support.
