Shh/Updater-B false positive: Recovery instructions for Sophos Enterprise Console

  • Article ID: 118328
  • Updated: 07 Jul 2014

Issue

You may have seen alerts for the Shh/Updater-B virus. These are false alerts and there is no malware on your computers.


First seen in

Sophos Update Manager
Enterprise Console 4.5.0

What To Do

To resolve the problems, you need to...

  1. Ensure that your server or servers are downloading updates from Sophos
  2. Discover affected endpoints and fix updating issues

1. Ensure that your server or servers are downloading updates from Sophos

Enable Live Protection on your Sophos Update server(s)

  1. In Enterprise Console, right click on the Anti-virus and HIPS policy used by your Update Manager(s) and select View/Edit Policy.
    Note: Sophos Update Manager is always included with Enterprise Console, although you may have additional Update Manager servers.
  2. Click Sophos Live Protection... and ensure Enable Live Protection is selected.
  3. Wait 10-15 minutes for the change to take effect.

Ensure you have the latest update that will include the fix for the problem

  1. Open Enterprise Console. Go to View|Bootstrap Locations....
  2. In each location listed, open the ..\SAVSCFXP\SAVXP folder. Check the date modified on the files listed and confirm that some of the files contain a timestamp within the last week. 
  3. As before, open the Anti-virus and HIPS policy applied to the Update Manager server. Go to the Windows Exclusions tab on the 'On-access scan settings' dialog and add the following entries:

    C:\Documents and Settings\All Users\Application Data\Sophos\
    C:\Program Files\Sophos\
    C:\Program Files (x86)\Sophos\
    C:\ProgramData\Sophos\
    C:\Windows\temp\sophos_autoupdate1.dir\
    C:\Progra~1\Sophos\
    C:\Progra~2\Sophos\
    C:\Docume~1\AllUse~1\Applic~1\Sophos\

    Ensure that 'Exclude Remote Files' is also checked.

    Important: Adding these exclusions is a temporary measure, and must be removed once the issue is resolved.

  4. Under the Cleanup tab, look at the Viruses/spyware section

    if the selected option is:

Run an update on your Update Manager(s)

  1. In Enterprise Console, under Update Managers, right-click on each primary Update manager and select 'Update Now'.

    Note: Update managers may require some time to update.
  2. Check that the files are now up to date: go to Endpoints.
    • Go to View|Bootstrap Locations.
    • In each location listed, open the ..\SAVSCFXP\SAVXP folder. Confirm that some files now contain a recent date modified timestamp.
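The timestamp check above (and the same check in 'Ensure you have the latest update', step 2) can be scripted rather than done by hand in Explorer. The following PowerShell is an added example, not a Sophos tool: it walks each bootstrap location, looks in the SAVSCFXP\SAVXP folder the article names, and reports whether the newest file there was modified within the last 7 days. The two bootstrap paths are placeholders; substitute the ones listed under View|Bootstrap Locations in Enterprise Console.

```powershell
# Added example (not Sophos' own tooling): confirm that the SAVXP folder under
# each bootstrap location contains files modified within the last week.
# The locations below are placeholders; take the real ones from
# View | Bootstrap Locations in Enterprise Console.
$BootstrapLocations = @(
    '\\SECSERVER\SophosUpdate\CIDs\S000',                              # placeholder UNC path
    'C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000'    # placeholder local path
)
$MaxAgeDays = 7

function Test-SavxpIsRecent {
    param(
        [Parameter(Mandatory)][string]$Location,
        [int]$MaxAgeDays = 7
    )
    # The article says to open the SAVSCFXP\SAVXP folder below each listed location.
    $folder = Join-Path $Location 'SAVSCFXP\SAVXP'
    if (-not (Test-Path -LiteralPath $folder)) {
        return [pscustomobject]@{
            Location    = $Location
            Folder      = $folder
            Status      = 'MISSING'   # folder absent: this location has never been populated
            NewestFile  = $null
            NewestWrite = $null
        }
    }
    $newest = Get-ChildItem -LiteralPath $folder -File |
              Sort-Object LastWriteTime -Descending |
              Select-Object -First 1
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    # OK only if at least one file was written inside the window
    $status = if ($newest -and $newest.LastWriteTime -ge $cutoff) { 'OK' } else { 'STALE' }
    [pscustomobject]@{
        Location    = $Location
        Folder      = $folder
        Status      = $status
        NewestFile  = if ($newest) { $newest.Name } else { $null }
        NewestWrite = if ($newest) { $newest.LastWriteTime } else { $null }
    }
}

$results = foreach ($loc in $BootstrapLocations) {
    Test-SavxpIsRecent -Location $loc -MaxAgeDays $MaxAgeDays
}
$results | Format-Table -AutoSize

# Exit non-zero if any location is stale or missing, so the check can be
# run from a scheduled task and alerted on.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it from an account that can read the bootstrap shares. A STALE result after 'Update Now' means that Update Manager is still not pulling current files from Sophos and should be investigated before moving on to the endpoints.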

Now you should have the latest update from Sophos and can apply it to your endpoint computers.

2. Discover affected endpoints and fix updating issues

Discover affected endpoints

If you already know the list of affected computers, go to the next section titled 'Edit the policies applied to affected endpoint computers'.

Find out which endpoints require attention within Enterprise Console.

  1. On your Sophos Management server download the file fpc.bat and save it to a directory of your choosing.
  2. Execute the batch file from a command prompt: first change directory to where the file was saved, then run the following: fpc.bat > FpWithoutFix.txt
  3. Once the command completes, open FpWithoutFix.txt to see the computers which have 'agen-xuv.ide'.

Edit the policies applied to affected endpoint computers

You need to change the cleanup action used on the affected endpoints to ensure they do not continue to cause problems with false positives.

  1. In Enterprise Console, for each group containing affected endpoints, right-click and select View/Edit Group Policy Details.
  2. Edit each Anti-virus and HIPS policy: right-click it and select View/Edit Policy..., click Configure... under On-access scanning, then select the Cleanup tab.
  3. Based on the cleanup option selected under Viruses/spyware perform one of the following actions:
    • 'Deny access only':
      • Enable Live Protection. Updating should resume shortly. No further actions should be required on these endpoints.
    • 'Delete' or 'Deny access and move to...':
      • Enable Live Protection
      • Under Windows Exclusions add the following:

        C:\Documents and Settings\All Users\Application Data\Sophos\
        C:\Program Files\Sophos\
        C:\Program Files (x86)\Sophos\
        C:\ProgramData\Sophos\
        C:\Windows\temp\sophos_autoupdate1.dir\
        C:\Progra~1\Sophos\
        C:\Progra~2\Sophos\
        C:\Docume~1\AllUse~1\Applic~1\Sophos\

        Ensure that 'Exclude Remote Files' is also checked.

        Important: Adding these exclusions is a temporary measure, and must be removed once the issue is resolved.

      • Change the Cleanup option to Deny access only.

Fix updating on affected endpoint computers

You now need to run the tool available in article 118323 on all affected endpoint computers.

We have produced the following articles to cover methods that can be used to deploy the tool across your network:

  • Enterprise Console, see article 118351
  • PsExec, see article 118337
  • Active Directory Group Policy (GPO), see article 118338

Important: 

  • Deleted files from third party applications may require re-installation. To generate a list of deleted files use the tool fpdf.bat as described in 118324.
  • When you have finished, remove any scanning exclusions that you added.

You can also change cleanup settings back if you modified them, but Sophos recommends the 'Deny access only' option.

Sophos also recommends that you enable Sophos Live Protection.

3. How do I clear existing console alerts?

To clear all outstanding 'Shh/' alerts from your console, we recommend following the steps below:
  1. Close Sophos Enterprise Console.
  2. Download the file ‘fpack.txt’ to your management server.
  3. Rename the downloaded file to ‘fpack.bat’.
  4. Run the batch file. If there are any errors running the tool they will be displayed.
  5. To check the alerts have been ‘Acknowledged’ launch Enterprise Console and review the outstanding alerts.

Alternatively you can use Enterprise Console to ‘Acknowledge’ the alerts, to do so:

  1. Launch Enterprise Console.
  2. Click on the ‘Viruses/spyware’ link on the Dashboard to switch the computer list view to display: ‘Managed computers with outstanding Virus/malware alerts’.
  3. Select all computers (Ctrl-A).
  4. Right click and choose ‘Resolve Alerts and Errors…’.
  5. Click on the ‘Name’ column header to sort by alert name in order to group all ‘Shh/’ detection entries together in the list.
  6. Select all ‘Shh/’ detections then click ‘Acknowledge’. 

For more information or assistance, please contact technical support.
