Sophos False Positives 9/19/2012 - Shh/Updater-B

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
drepouille
Senior Member
Posts: 1763
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE
Contact:

Postby drepouille » Wed Sep 26, 2012 2:39 pm

That is how I felt last Saturday when I called the Global Service Center. Before I called, I considered trying to fix the problem myself. However, I reminded myself that, although I am the STS, I did not own the computers, and I should give the GSC the chance to tell me how THEY wanted me to fix the problem. However, they didn't know anything about it. They certainly had no idea how they wanted to fix it. One tech sent me a file named sophos-9.5_config_2012-07-12.conf, but neither of us could figure out how to install it. He didn't tell me what it did, or how it would fix the issue.
The silence is deafening!

User avatar
gregwanderson
Senior Member
Posts: 701
Joined: Thu Apr 15, 2010 9:34 pm
Location: Huntsville, UT, USA

Postby gregwanderson » Wed Sep 26, 2012 4:24 pm

I regard this as a complete fiasco. I've been suspicious of the way the whole remote management idea has been presented to us. Sophos (at least the way it's configured on our clerk computer) is a heavy-handed way to keep things "safe" with it's complete lack of user control. I can't schedule the times when it does it's crippling updates, for example, and they come at the times which are often the most disruptive to clerk duties. But now that Sophos itself has caused real, destructive problems and there's STILL NO WAY for the user to control it... well... it seems like this kind of problem was predictable. Once again, I must note the irony of how the most trusted leaders in our ward are treated to the least trusting computer policies I've ever run into (...but, of course, I work in the "small business" world).

[/rant mode]

sokly
New Member
Posts: 4
Joined: Tue May 29, 2012 1:48 pm

Sophos KB to fix 'Shh/Updater-B' -False positive

Postby sokly » Wed Sep 26, 2012 8:34 pm

Here is the Sophos KB to fix this problem.

http://www.sophos.com/en-us/support/knowledgebase/118323.aspx


JohnShaw wrote:Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe".

Sophos got hit today with some major false positive issues, the item above shows that it is identifying itself as a virus. I have checked 2 computers and don't really have an idea how to fix it, but it is wrecking havoc with apps running on these desktops.

User avatar
gregwanderson
Senior Member
Posts: 701
Joined: Thu Apr 15, 2010 9:34 pm
Location: Huntsville, UT, USA

Postby gregwanderson » Thu Sep 27, 2012 6:04 am

Those instructions are written in Programmer-ese instead of plain English. So I doubt the average clerk will want to try doing this fix. I never even knew the word "endpoint" before Sophos entered my life... and I still don't know exactly what it means.

We're still waiting for the official instructions from CHQ, of course, or for the official automatic fix that will run in the background while we don't have to do anything (like... the way this problem got into our computer is the way it should get out).

User avatar
Mikerowaved
Community Moderators
Posts: 3491
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Postby Mikerowaved » Thu Sep 27, 2012 7:10 am

mrrad wrote:Those instructions are written in Programmer-ese instead of plain English. So I doubt the average clerk will want to try doing this fix.

Point well taken, however, my hope is the average STS is either a bit more computer savvy than the average clerk, or has someone in their hip pocket that is (and is available to help).

mrrad wrote:We're still waiting for the official instructions from CHQ, of course, or for the official automatic fix that will run in the background while we don't have to do anything (like... the way this problem got into our computer is the way it should get out).

I agree this would be the best solution for all involved, but I have no idea if a fix is even on the radar for CHQ to be working on, since this seems to have only affected some units. Reading the comments of others that have called asking for direction didn't give me a very warm and fuzzy feeling. It would be great if someone from CHQ could weigh in on this discussion and let us know if a fix is in the making.
So we can better help you, please edit your Profile to include your general location.

sokly
New Member
Posts: 4
Joined: Tue May 29, 2012 1:48 pm

Sophos: LATEST UPDATE - Technical Alert: Shh/Updater-B false positive

Postby sokly » Thu Sep 27, 2012 9:17 am

Sophos Technical Alert
Shh/Updater-B false positive


We would like to apologize again for the disruption caused by last week’s false positive. We continue to regularly update the [font=Arial][color=#006699]knowledgebase article with further advice and remediation tools to help customers still affected by the issue. [/font][/color]

Important: Check all your applications
If you have been affected by the false positive and your antivirus cleanup options were set to ‘Deny access and move to...’ or ‘Delete’ you should check that all your applications–not just Sophos–are up to date and working correctly. You should do this even if your Sophos solution is now working as normal.

As previously advised, the false positive may have also impacted non-Sophos applications, such as Adobe and JavaTM.

We have created a [color=#006699][font=Arial]separate knowledgebase article that includes a new tool to help you identify Sophos and non-Sophos applications affected by this issue. Even if you have fixed some applications there may be others that appear to work but may not update in future. [/font][/color]

Contacting Sophos
Our support call volumes remain high and our queues are still longer than normal. We are working hard to answer all calls as quickly as possible. [color=#006699][font=Arial]Contacting Sophos support.[/font][/color]
[color=#006699][font=Arial]Sophos Support Twitter and our support forum continue to be alternative sources of information and advice. You can also request support via our online form.[/font][/color]

What caused this issue
We will soon publish a root cause analysis including the steps we are taking to ensure it never happens again. In the meantime, please [color=#006699][font=Arial]read the message from Kris Hagerman, Sophos CEO.[/font][/color]

jsmackley
New Member
Posts: 13
Joined: Fri Nov 12, 2010 11:37 am
Location: Bonney Lake, Wa

Sophos Fale Positives 9/19/2012 - Shh/Updater-B

Postby jsmackley » Sun Sep 30, 2012 3:35 pm

I have noticed that there TEM Support Center icon (blue circle with a lower case b) in the systray now and when you click on it there is a list of "Offers" available. One of those "Offers" is entitled "Sophos Shh/Updater-B false positive FIX". I have downloaded that on several computers and it does fix this problem.

ulupoi
Member
Posts: 88
Joined: Mon Jan 24, 2011 2:21 am
Location: California, USA

Postby ulupoi » Tue Oct 02, 2012 4:26 pm

The FixIssues clears the quarantine list, but autoupdate remains nonfunctional (the Sophos shield icon in the system tray remains missing). I think it's because FixIssues is supposed to download deleted Sophos files, but they are not available from our computers, maybe because our updates come from church HQ. I'm reinstalling Sophos, instead.

JamesAnderson
Senior Member
Posts: 758
Joined: Tue Jan 23, 2007 2:03 pm

Postby JamesAnderson » Tue Oct 02, 2012 4:43 pm

Reinstall Sophos, that will do it. After you have reinstalled, force an update to get the remaining files that it needs.

That last step may take a bit, but Sophos will remember what it still needs to get if you have to leave and shut down the machine, and will pick up where it left off the next time the machine is turned on until it has installed everything it needs for v10 to be complete.

This was found to occur, as I reset the machines that were reverted accidentally by ChQ to v9.5 last month. That is all fixed now and all is working properly now.

Miknmaur
New Member
Posts: 38
Joined: Fri Jan 14, 2011 5:26 pm

Postby Miknmaur » Sun Nov 04, 2012 10:52 am

I am getting a constant Windows Installer, "almon" I think this is related to Sophos? How do I stop it?


Return to “Clerk Computers”

Who is online

Users browsing this forum: No registered users and 1 guest