Advisory: Shh/Updater-B False positives

  • Article ID: 118311
  • Rating:
  • 4658 customers rated this article 1.5 out of 6
  • Updated: 06 Mar 2015

Last updated:  16 October 2012 at 10:45 BST

Latest update

The root cause analysis of this incident is now available.  In it we explain how this event occurred and what changes Sophos has already made - or will make in the near future - to ensure this kind of incident does not happen again.

Important security advice

If you were affected by this issue and your anti-virus cleanup options were set to "Deny access and move to …" or "Delete" files, the false positive may have prevented non-Sophos applications, such as Adobe and JavaTM, from updating or running. If not fixed, these applications could create a security risk (for example: a recent vulnerability in Adobe is shown here APSB12-22 - Security updates available for Adobe Flash Player).

If you had non-Sophos applications damaged during the false positive, then beginning in October 2012, you may receive a suspicious behavior alert via your console.  Read article 118323 to get tools and information to help fix the issue.

What's the problem?

Note: These issues only affect Windows computers.

You may have seen many false alerts on your computer or network. These false alerts also prevented the updating of Sophos products and some other products.

For many customers, the problem was temporary.

Provided you are using Endpoint Security and Control version 10 with the default settings, the problem should have resolved itself within three hours. You should now be fully protected and receiving updates as usual.

How do I know if the problem was temporary for me?

If you had these settings applied to your computers, you should be fine already:

  • Sophos Live Protection is turned on.
  • The Cleanup setting is "Deny access only".

You should just check that updating is working as usual. You also need to clear the false alerts from your management console and endpoint computers.

What will I see if I am still affected?

You know that you are affected if:

  • You still see new alerts for the shh/Updater-B virus.
  • You have updating problems, for example the Sophos icon missing from the system tray.

What to do

If you are still affected, you should follow the instructions for your type of installation. Select the appropriate link below:

We would like to apologize for all of the disruption caused to our many customers and partners worldwide. We recognize this issue was very serious.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent