Shh/Updater-B false positive: Recovery instructions for Sophos Control Center

  • Article ID: 118327
  • Updated: 31 Jan 2014

Issue

You may have seen alerts for the Shh/Updater-B virus. These are false alerts and there is no malware on your computers.

First seen in

Sophos Endpoint Security and Control
Sophos Endpoint Security
Sophos Anti-Virus for Windows 2000+

What To Do

To resolve the problems, you need to...

  1. Ensure that your server is downloading updates from Sophos
  2. Discover affected endpoints and fix updating issues

Further recommended steps:

  • Clear existing console alerts
  • Clear existing Quarantine Manager alerts

Section 1. Ensure that your server is downloading updates from Sophos

Enable Live Protection on your Sophos Update server(s)

This can be done as follows:

  1. Launch Sophos Endpoint Security and Control from the Start Menu
  2. From the Menu bar, select 'Configure | Anti-Virus | Sophos Live Protection'
  3. Select the checkbox titled 'Enable Live Protection'
  4. Click 'OK'
  5. Wait 10-15 minutes for the change to take effect. 

Ensure you have the latest updates, which will include a correction to fix the problem.

In this section you will confirm that the Control Center is up to date and the latest updates have been downloaded to the distribution folder.

  1. Check that there are no download errors in the Dashboard of the Control Center and a successful update has been performed recently.
  2. Check that the distribution folder managed by your Control Center is populated. To do this, browse to the following location:

    \\SERVERNAME\SophosUpdate\CIDs\S000\SAVSCFXP\SAVXP\
    Note: The 'SAVSCFXP' folder name may differ depending on your license.

  3. Check the local Sophos Anti-virus installation (on the computer running the Control Center) is up to date. To do this, open the Sophos Endpoint Security and Control and check that the 'Last updated' value (on the left) shows a recent time and date.
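The two checks above (the distribution folder is populated, and it has been written to recently) can be scripted so they are repeatable across several update servers. The following PowerShell is an added example and is not part of the Sophos article or any Sophos tool. It assumes the share path from the article with SERVERNAME replaced by your own server, a licence-specific folder name that may differ from 'SAVSCFXP' (as the article notes), and a 24-hour freshness window, which is a value chosen for this example rather than one the article states. It avoids cmdlet parameters introduced after PowerShell 2.0 so it runs on the Windows 2003 and 2008 servers the article covers.

```powershell
# Added example (not from the Sophos article): confirm that the Control Center's
# distribution folder (the CID share from Section 1) exists, is populated and
# has been written to recently, before moving on to endpoint troubleshooting.
# Assumptions: the path below uses the SERVERNAME placeholder from the article and
# the 'SAVSCFXP' folder name, which the article says may differ by licence; the
# 24-hour window is a threshold chosen here, not a value the article specifies.

param(
    [string]$CidPath = '\\SERVERNAME\SophosUpdate\CIDs\S000\SAVSCFXP\SAVXP\',
    [int]$MaxAgeHours = 24
)

# Step 1: the share and licence-specific folder must be reachable at all.
if (-not (Test-Path -LiteralPath $CidPath)) {
    Write-Warning "Distribution folder not reachable: $CidPath"
    Write-Warning "Check the share name, the licence-specific folder name, and that the Control Center update has completed."
    exit 1
}

# Step 2: the folder must actually contain files (PSIsContainer filter keeps this
# working on PowerShell 2.0, which lacks Get-ChildItem -File).
$files = Get-ChildItem -LiteralPath $CidPath -Recurse -ErrorAction Stop |
    Where-Object { -not $_.PSIsContainer }
if (-not $files -or @($files).Count -eq 0) {
    Write-Warning "Distribution folder exists but is empty: $CidPath"
    exit 1
}

# Step 3: the most recently written file tells you when the last successful
# download landed in the CID; compare it against the chosen freshness window.
$newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
$age = (Get-Date) - $newest.LastWriteTime

"Files in CID:  {0}" -f @($files).Count
"Newest file:   {0}" -f $newest.FullName
"Last written:  {0}" -f $newest.LastWriteTime
"Age:           {0:N1} hours" -f $age.TotalHours

if ($age.TotalHours -gt $MaxAgeHours) {
    Write-Warning ("Newest file is older than {0} hours; click 'Update Now' in the Control Center and re-check." -f $MaxAgeHours)
    exit 2
}

"Distribution folder looks current; continue with the local installation check."
exit 0
```

Run it from the server hosting the Control Center, or from any workstation that can reach the share, passing `-CidPath` if your licence folder is not 'SAVSCFXP'. A non-zero exit code means one of the Section 1 checks failed and you should return to the Dashboard and the 'Update Now' step rather than continuing to Section 2.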

You have now checked that your Sophos Control Center has performed a recent update. You have also checked the local Sophos Anti-Virus installation on the server is up to date.

If you have confirmed that both locations on the server (the central share and the local Sophos Anti-Virus folder) are up to date, go to Section 2.

If either is not up to date, go to the 'Configure Sophos Anti-Virus policy' section below to add exclusions to the central policy. This will enable all centrally configured clients to update on their next update cycle.

Configure Sophos Anti-Virus policy

If your Control Center has failed to download the update, or endpoints are still failing to update, you will need to follow the extra steps in this section to enable updates to be distributed to your endpoint computers. This must be done before moving on to troubleshooting your workstations.

  1. Select the 'Configure Scanning' option in your Control Center.

    Important: Keep a record of your current clean-up options within the on-access scanning configuration. You will need these when you get to Section 2.
     
  2. On the 'Configure scanning' window, select the 'On-access scanning' button and on the 'Windows Exclusions' tab add exclusions to match this list shown below: 

    Windows Exclusions
    C:\Documents and Settings\All Users\Application Data\Sophos\
    C:\Program Files\Sophos\
    C:\Program Files (x86)\Sophos\
    C:\ProgramData\Sophos\
    C:\Windows\temp\sophos_autoupdate1.dir\
    C:\Progra~1\Sophos\
    C:\Progra~2\Sophos\
    C:\Docume~1\AllUse~1\Applic~1\Sophos\
    Ensure that 'Exclude remote files' is also checked

    Important: Adding these exclusions is a temporary measure, and must be removed once the issue is resolved.

  3. Under the Clean-up tab in the 'Configure Scanning' options, look at the Viruses/spyware section.

    You should now have repaired your server installation of Sophos Anti-Virus and your Control Center's ability to update.

Run an update via Sophos Control Center

In the Control Center, click 'Update Now' to perform the download.

Note:

  • The update may require some time to complete. The update will have completed when the 'Last updated on' field, in the 'Dashboard' of the Control Center, has changed to the current date and time.
  • If you see an error (e.g., Unexpected updateResultInfo enumeration value encountered) refer to article 118332.

You should now have the latest update from Sophos. Go to Section 2.

Section 2. Discover affected endpoints and fix updating issues

For any managed endpoint that displays 'Locally configured', or that does not show 'OK' in the 'Central configuration' column after you have made the policy exclusion changes above in Control Center, you will need to configure the same anti-virus settings locally within 'Endpoint Security and Control'.

In this section, you ensure that the endpoint installation can download the latest updates, which resolve the issue, from the distribution folder described in Section 1.

  • Find your record for your system's clean-up options, as requested in Section 1's Configure Sophos Anti-Virus policy.

    Depending on the clean-up configuration, follow the relevant steps below:
    • If: 'Deny access only'
      When you have confirmed the configuration is as above, the next update will resolve the issue.
      See the section 'How do I clear existing Quarantine Manager alerts' below to clear the local Quarantine Manager.
    • If: 'Delete'
      See article 118323 for a script to assist with fixing Sophos AutoUpdate when the clean-up option was set to Delete.
    • If: 'Deny access and move to:'
      See article 118323 for a script to assist with fixing Sophos AutoUpdate, restoring moved files and restoring deleted Sophos files.

Further recommended steps:

How do I clear existing console alerts?

To clear all outstanding 'shh/' alerts from your console, we recommend following the steps below:

  1. Close your Control Center.
  2. Right-click on this link: fpack.txt, select 'Save link as...' and save the file to the Desktop of your server.
  3. Change the extension of the file from .txt to .bat - you may have to show hidden file extensions on your server:
    • In a Windows Explorer window (Windows key+E to open) select (depending on operating system):
      • Windows 2008: 'Organize' button | 'Folder and search options' | 'View' tab | Uncheck the option 'Hide extensions for known file types'
      • Windows 2003: 'Tools' | 'Folder Options...' | 'View' tab | Uncheck the option 'Hide extensions for known file types'
  4. Run the batch file by double clicking on it. If there are any errors running the tool they will be displayed.
  5. To check the alerts have been ‘Acknowledged’ launch your Control Center and review the outstanding alerts.

Clear existing Quarantine Manager alerts

As each endpoint may have entries in the Quarantine Manager for the detections, we recommend that you take action to clear the entries. To do so:

  1. Launch 'Sophos Endpoint Security and Control'
    Start | All Programs | Sophos | Sophos Endpoint Security and Control | Sophos Endpoint Security and Control.
  2. Click on 'Manage quarantine items'.
  3. Click on 'Select all' and then click on 'Clear from list'.
  4. Click 'OK' when prompted.