Thursday, September 20, 2012

Sophos False Positive for Shh/Updater-B

I have been talking about Sophos a lot lately, so I feel kind of responsible if someone started using it because of me and woke up this morning to a startling "outbreak" of Shh/Updater-B.

This is a false positive: the detection fired on legitimate files, including Sophos's own updater, which it disabled on affected machines, so they could not simply pull down a corrected identity on their own. It somehow made it past Sophos QA and caused a lot of people headaches last night.

The identity file (IDE) responsible is agen-xuv.ide.

This is a quick little script that stops the Sophos Anti-Virus service, deletes that IDE and restarts the service. Run it from an elevated prompt on the update servers and on any workstations that still give you problems afterward, for example remotely via PsTools (PsExec).

net stop savservice

rem Sophos Anti-Virus installs under "Program Files (x86)" on 64-bit Windows.
rem Using the %ProgramFiles% variables instead of a hard-coded C:\ path also
rem keeps this correct when a 32-bit cmd.exe runs on 64-bit Windows: there
rem PROCESSOR_ARCHITECTURE reports x86, but %ProgramFiles% already points at
rem "Program Files (x86)", so the 32-bit branch deletes the right file.
if /i "%PROCESSOR_ARCHITECTURE%"=="x86" (
  rem 32 bit
  del /f "%ProgramFiles%\Sophos\Sophos Anti-Virus\agen-xuv.ide"
) else (
  rem 64 bit
  del /f "%ProgramFiles(x86)%\Sophos\Sophos Anti-Virus\agen-xuv.ide"
)

net start savservice

After running this, acknowledge the alerts in Enterprise Console.
I hope this helps a few of you.
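The same fix as a script that only touches the service when the bad identity is actually present, verifies that the IDE is gone and SAVService came back up, and can push itself to a list of hosts with PsExec (copied over with -c and run as SYSTEM with -s). This is an added example, not the script above and not anything published by Sophos; the file names fix-shh.cmd, hosts.txt and fix-shh.log are made up for the example.

```batch
@echo off
rem fix-shh.cmd  (added example; hypothetical file name)
rem   fix-shh.cmd                  remove agen-xuv.ide on this machine and verify
rem   fix-shh.cmd /fleet hosts.txt push this script to every host listed in
rem                                hosts.txt (one name per line, # comments ok)
rem                                and run it there as SYSTEM via psexec
setlocal

if /i "%~1"=="/fleet" goto fleet

rem --- local fix -------------------------------------------------------------
rem Sophos Anti-Virus lives under "Program Files (x86)" on 64-bit Windows.
rem %ProgramFiles(x86)% exists only on 64-bit Windows (in both 32- and 64-bit
rem cmd.exe), so it is a more reliable test than PROCESSOR_ARCHITECTURE, which
rem reports x86 when a 32-bit tool launches a 32-bit cmd.exe on x64.
set "SAVDIR=%ProgramFiles%\Sophos\Sophos Anti-Virus"
if defined ProgramFiles(x86) set "SAVDIR=%ProgramFiles(x86)%\Sophos\Sophos Anti-Virus"
set "BADIDE=%SAVDIR%\agen-xuv.ide"

if not exist "%BADIDE%" (
    echo %COMPUTERNAME%: agen-xuv.ide not present, nothing to do.
    exit /b 0
)

net stop savservice >nul
del /f "%BADIDE%"
net start savservice >nul

rem Verify: the IDE must be gone and the service must be running again.
if exist "%BADIDE%" (
    echo %COMPUTERNAME%: FAILED - agen-xuv.ide still present
    exit /b 1
)
sc query savservice | find "RUNNING" >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: FAILED - SAVService did not restart
    exit /b 2
)
echo %COMPUTERNAME%: OK - agen-xuv.ide removed, SAVService running
exit /b 0

rem --- fleet rollout ---------------------------------------------------------
:fleet
if not exist "%~2" (
    echo usage: %~nx0 /fleet hosts.txt
    exit /b 1
)
rem -accepteula suppresses the first-run EULA prompt, -s runs as SYSTEM,
rem -c copies this script (%~f0) to the remote host, -f overwrites an old copy.
rem psexec returns the remote exit code, so a non-zero result means the host
rem needs a look; all output is appended to fix-shh.log for review.
for /f "usebackq eol=# tokens=*" %%h in ("%~2") do (
    psexec \\%%h -accepteula -s -c -f "%~f0" >>fix-shh.log 2>&1
    if errorlevel 1 echo %%h: fix failed or host unreachable, see fix-shh.log
)
exit /b 0
```

Run the fleet mode from an account with admin rights on the targets; hosts that report OK can have their alerts acknowledged in Enterprise Console, and the ones flagged in fix-shh.log are the ones to visit by hand.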

If you need to empty the quarantine on individual machines, try this, but be careful not to empty a quarantine that holds a real detection. Deleting Quarantine.xml releases the lock on every quarantined file if you are using the recommended setting of "deny access" rather than move or delete, so anything genuinely malicious that was quarantined becomes accessible again. Copy the file somewhere safe before you delete it.

net stop savservice
rem %ALLUSERSPROFILE% is C:\ProgramData on Vista and later. On XP it points at
rem ...\All Users, which lacks the \Application Data\ segment, so adjust the path.
del "%ALLUSERSPROFILE%\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
net start savservice

Thanks to the folks at Sophos who published this last night and tweeted it out to the world: http://nakedsecurity.sophos.com/2012/09/19/sshupdater-b-fsophos-anti-virus-products/
