You see a 'zFP-GOOGLE' suspicious behavior alert in your console, against the computer that is the Sophos management server.
This special alert does not indicate a threat on your computer. It does indicate that you may have software problems that need fixing urgently.
We issued this alert to ensure that you are aware that some non-Sophos products on your network were affected by the recent Sophos false positive issue. Unless you have already fixed these products, they could be out of date and could leave you exposed to future vulnerabilities. We chose a suspicious behavior alert to show that this issue is a high priority.
An example of the alert is shown below.
Additionally, in the computer details of your management server, you may also see one or more 'zFP-' suspicious behavior alerts that include non-Sophos (third-party) application names.
First seen in: Not product specific
We have provided this alert because you may have third-party applications, installed on Windows endpoint computers, which are not functioning correctly due to the recent Shh/Updater-B false positive.
If you see this alert the following must be true:
- Your Anti-Virus policy was set to either 'move' or 'delete' files that the on-access scanner detected as malicious during the false positive issue.
- One or more computers have reported to the console that the local Anti-Virus has moved or deleted files associated with a third-party application.
- You have not purged (removed/deleted) console alerts regarding the move or delete action.
- The computer reporting the move or delete action is running a Windows operating system.
Note: Even if you have fixed some applications already, there may be others you do not know about.
Need to check your Anti-Virus settings?
What To Do
An overview of the required steps is:
- Run a batch file to produce a list of computers that have reported alerts (which have not been purged) for affected applications (section 1).
- Fix all applications where files were moved (section 2).
- If files were deleted, fix the applications where files were deleted (section 3).
1. Identify affected computers
You need to run a batch file which will create a text file listing computers that could have non-Sophos applications that are affected by the Shh/Updater-B false positive.
Open this article on your management server, or on the server that hosts the Sophos SQL Server instance, and follow steps one to four below.
- Right-click on this link: fpdf.bat, select 'save link' or 'save target' to the Desktop of your server.
- Open a command prompt (Start | Run | type cmd.exe | press Return) and change directory (cd) to the Desktop of the server.
- Type the command below to run the batch file and create an output text file:
fpdf.bat > FpActionedFiles.txt
Once the command completes you will see a new text file on the Desktop of the server called FpActionedFiles.txt
- Open FpActionedFiles.txt to see the files that were moved or deleted on each affected managed computer.
If you do not see a list of computers, you may have run the file on the wrong computer. Use article 113030 to confirm the server that has SQL installed and hosts the Sophos core database.
You will now have a text file called FpActionedFiles.txt that lists workstation computers. You can use this list in section 2 and, if required, section 3.
2. Fix applications where files were moved
To fix non-Sophos applications on endpoint computers follow steps one to three below.
The steps are designed to be repeated locally on each endpoint computer mentioned in the FpActionedFiles.txt file. Therefore you may want to copy the tool and instructions onto a USB pen (or similar device) that you can then use when visiting each workstation. If there are a large number of affected computers, see the links at the end of this section to further articles on how to deploy the tool across a network.
Note: You should run the tool with administrative rights.
- Right-click on this link: FixIssues.exe, select 'save link' or 'save target' to the Desktop of the endpoint computer.
- Double-click the tool to run it.
- Check that the applications are now working. If there are problems, check the log files of the FixIssues tool. They are saved in the local temporary folder of the user who ran the tool. To locate the log files:
- Open the logged-on user's temporary folder (Start | Run | type %temp% | press Return).
- In a text editor, open the main log file for the tool: Sophos Fix Script log.txt
- Additionally, check: Sophos Fix Log_[TIMESTAMP].txt
Should you need to contact Sophos Technical Support, submit these logs to allow us to resolve your issue more quickly.
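The log check above is easy to get wrong when the tool was run elevated as a different user, because %temp% then points at that user's folder rather than the logged-on user's. The PowerShell script below is an added example (not part of the Sophos FixIssues tool) that gathers the two log files named in the article from the current user's %temp%, copies them to one folder for submission to support, and shows the error or failure lines from the main log. The log file names come from the article; the destination folder and the triage keywords are assumptions.

```powershell
# Added example, not Sophos code: collect FixIssues logs from %temp% for support.
# Log file names are from the article; $dest and the keyword list are assumptions.

$logNames = @('Sophos Fix Script log.txt', 'Sophos Fix Log_*.txt')
$dest = Join-Path $env:USERPROFILE ('Desktop\FixIssuesLogs_' + $env:COMPUTERNAME)

# %temp% belongs to the user running this script; if the tool was run under another
# (e.g. elevated) account, its logs live in that account's temporary folder instead.
$found = foreach ($pattern in $logNames) {
    Get-ChildItem -Path $env:TEMP -Filter $pattern -ErrorAction SilentlyContinue
}
if (-not $found) {
    Write-Warning "No FixIssues logs found in $env:TEMP. Was the tool run as this user?"
    return
}

New-Item -ItemType Directory -Path $dest -Force | Out-Null
foreach ($log in $found) {
    Copy-Item -Path $log.FullName -Destination $dest
    '{0}  {1,8} bytes  modified {2}' -f $log.Name, $log.Length, $log.LastWriteTime
}

# Quick triage of the main log: the first lines mentioning an error or failure.
$main = Join-Path $env:TEMP 'Sophos Fix Script log.txt'
if (Test-Path $main) {
    Select-String -Path $main -Pattern 'error', 'fail' |
        Select-Object -First 20 |
        ForEach-Object { $_.Line }
}
"Logs copied to $dest"
```

Run it in the same user session in which FixIssues.exe was run; the folder it creates on the Desktop is what you attach to a support case.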
If your anti-virus cleanup settings did not delete any files (see 'Need to check your Anti-Virus settings?' section for confirmation), no further action is necessary.
Tip: We have produced the following articles to cover different methods that can be used to deploy the tool across your network:
- Enterprise Console, see article 118351
- PsExec, see article 118337
- Active Directory Group Policy (GPO), see article 118338
What to do if third-party applications are still broken
If you discover that some third-party applications are still not functioning correctly, and you have followed the instructions above, then the relevant alerts were most likely not recorded in the database. Hence the computers listed in the FpActionedFiles.txt file were not a full list of all affected computers.
In this situation we recommend you run the FixIssues.exe tool on all your endpoint computers. See the list of different methods of deployment in the section above.
3. Fix Google applications where files were deleted
You only need to follow this section if your anti-virus cleanup settings deleted files. If in doubt, and you have not already done so, watch the video in the 'Need to check your Anti-Virus settings?' section.
If your anti-virus settings did delete files: Use the links below for instructions on recovering each application identified.
Note: If you have already used the FixIssues tool from Sophos, you have restored any files that were moved. You only need to follow these instructions if your anti-virus cleanup settings deleted files.
Application: Google Chrome and Google Updater
Vendor: Google
Impact:
- The majority of the files associated with the Google Update software are affected, including:
- %Program Files%\Google\Update\GoogleUpdate.exe
- %Program Files%\Google\Update\<version number>\<all files (65 files)>
- Google Update is used to update a number of products (including Chrome and Google Earth), so several products may be affected. See http://support.google.com/installer/bin/answer.py?hl=en&answer=146158 for full list of products which use Google Update.
- You may see files related to several versions of Google Update affected but it should only be necessary to repair the latest version.
- The Chrome browser will continue to function without any warnings. However, all updating functionality will be broken, including checking for updates.
- Selecting the 'About Google Chrome' option in the browser will display the following warning in the event that the updater component has been broken:
- 'Update failed (error: 3) An error occurred while checking for updates: Update check failed to start (error code 3: 0x80070002 - system level)'
Resolution:
- Use the Chrome installer to reinstall Chrome. This will restore the files removed from the Google Update software.
- The online installer is available from www.google.com/chrome. Alternatively the standalone installer for all users "ChromeStandaloneSetup.exe" can be downloaded from http://www.google.com/chrome/eula.html?system=true&standalone=1 or the msi installer file can be downloaded from https://www.google.com/intl/en/chrome/business/browser.
- If you see the message "Installation failed. The Google Chrome installer failed to start." Follow the links provided by Google in the same window to resolve the problem.
- For a silent (or unattended) re-install either use the standalone installer with the command "ChromeStandaloneSetup.exe /silent /install" or use the msi installer file with the command 'msiexec /q /f <path to chrome msi file>'. When using the msi it must be the same Chrome version as that installed.
- 'Programs and Features' or 'Windows Add /Remove Programs' do not offer a repair option.
Verified: verified for this version of Chrome, running on these operating systems:
- Google Chrome Version 22.0.1229
- Windows XP Professional SP3
- Windows 7 Professional SP1
- Windows 7 Enterprise SP1 (64 bit)
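Before reinstalling on every workstation, it helps to confirm locally whether Google Update is actually missing files. The PowerShell script below is an added example (not Sophos's or Google's code) that checks for GoogleUpdate.exe and the newest versioned folder under the Google Update directory, reports what is missing, and only with -Repair runs the silent standalone reinstall command from the resolution above. The Google Update paths and the "65 files" figure come from the article; the installer location, the version-folder naming pattern and the elevation check are assumptions.

```powershell
# Added example, not Sophos/Google code: check Google Update and optionally repair it.
# Paths and the 65-file figure follow the article; $StandaloneInstaller is an assumed location.
param(
    [string]$StandaloneInstaller = "$env:USERPROFILE\Desktop\ChromeStandaloneSetup.exe",
    [switch]$Repair   # without -Repair the script only reports
)

# The all-users installer needs administrative rights (assumed check, as for FixIssues.exe).
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# %Program Files% from the article resolves to Program Files (x86) on 64-bit Windows.
$base = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$updateRoot = Join-Path $base 'Google\Update'

$problems = @()
$exe = Join-Path $updateRoot 'GoogleUpdate.exe'
if (-not (Test-Path $exe)) { $problems += "missing: $exe" }

# Versioned sub-folders are assumed to be named like 1.2.3.4; only the newest matters.
$versionDirs = Get-ChildItem -Path $updateRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+(\.\d+){3}$' } |
    Sort-Object { [version]$_.Name } -Descending

if (-not $versionDirs) {
    $problems += "no versioned folder under $updateRoot"
} else {
    $latest = $versionDirs[0]
    $files = @(Get-ChildItem -Path $latest.FullName | Where-Object { -not $_.PSIsContainer })
    # The article lists 65 files in the version folder; far fewer means files were removed.
    if ($files.Count -lt 65) {
        $problems += "$($latest.FullName) holds $($files.Count) files (article expects 65)"
    }
}

if ($problems.Count -eq 0) {
    "Google Update looks intact under $updateRoot"
    return
}
$problems | ForEach-Object { Write-Warning $_ }

if (-not $Repair) {
    "Re-run with -Repair to reinstall Chrome silently (restores the Google Update files)."
    return
}
if (-not $isAdmin) { throw 'Run this script from an elevated (administrator) prompt.' }
if (-not (Test-Path $StandaloneInstaller)) { throw "Installer not found: $StandaloneInstaller" }

# Silent reinstall command from the resolution above; wait so the exit code can be read.
$proc = Start-Process -FilePath $StandaloneInstaller -ArgumentList '/silent', '/install' `
    -Wait -PassThru
"Installer exit code: $($proc.ExitCode)"
```

Run the script once without -Repair on a workstation from the FpActionedFiles.txt list to see what it reports, then again with -Repair; after the reinstall, 'About Google Chrome' should check for updates without the error: 3 message.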
Other alerts that may be present in your console include:
If you are still having issues or the above steps do not resolve the application you may find more help on this SophosTalk thread: Shh/Updater-B: remediating third party applications.