Sophos False Positives 9/19/2012 - Shh/Updater-B

jdlessley
Community Moderators
Posts: 7024
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Sun Nov 04, 2012 1:02 pm

Miknmaur wrote:I am getting a constant Windows Installer, "almon" I think this is related to Sophos? How do I stop it?
This is one of the Sophos updater files that were moved as part of the false positive issue. You can read about it here. The fix is to run FixIssues.exe as described in the "Using FixIssues.exe (Recommended)" section of that Sophos knowledge base article.
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center?

johnshaw
Senior Member
Posts: 2096
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

Postby johnshaw » Mon Nov 05, 2012 4:34 pm

Am I the only person that is still waiting for the Church to tell us what to do? Why were we as STS left to fend for ourselves, and fix an issue that only came about because of a centralized management system that was designed and meant to save us time, or reduce our work load? The irony is fantastic, but shouldn't we expect some kind of notification or email with instructions?
“A long habit of not thinking a thing wrong, gives it a superficial appearance of being right, and raises at first a formidable outcry in defense of custom.”
― Thomas Paine, Common Sense

lajackson
Community Moderators
Posts: 8471
Joined: Mon Mar 17, 2008 9:27 pm
Location: US

Postby lajackson » Wed Nov 07, 2012 12:50 pm

JohnShaw wrote:Am I the only person that is still waiting for the Church to tell us what to do?


What problem? [grin]

We have not done anything. Since it is not interfering with anything we need to do, we have not worried about it. That is one of the "blessings" of centralized management. We let the central manager worry about it.

If they need help, they will ask. And it saves hours and hours of travel time around here.

rmrichesjr
Community Moderators
Posts: 1837
Joined: Thu Jan 25, 2007 11:32 am
Location: Dundee, Oregon

Postby rmrichesjr » Wed Nov 07, 2012 9:14 pm

I might be mistaken, but I understood the problem JohnShaw was referring to is the substantial damage to some, not all, administrative computers as a result of a flawed Sophos update. Based on what I have read here in the forum, I would have expected a significantly strong response with remedial instructions. If I had any adversely affected machines under my stewardship, I would be making a big nuisance of myself on appropriate support lines in pursuit of solutions for said machines.

aclawson
Senior Member
Posts: 761
Joined: Fri Jan 19, 2007 6:28 pm

Postby aclawson » Sun Nov 11, 2012 12:00 pm

JohnShaw wrote:Am I the only person that is still waiting for the Church to tell us what to do? Why were we as STS left to fend for ourselves, and fix an issue that only came about because of a centralized management system that was designed and meant to save us time, or reduce our work load?


Per the D&C we are not to be commanded in all things. An STS is called to fix problems. Unless I am ordered and/or prevented from resolving an issue I will resolve it to the best of my ability. I don't care who gets the blame for causing a problem (that is only useful when figuring out a way to prevent it from happening in the future), if there is an issue I will resolve it.

With the case of Sophos, spending three minutes to watch a script run then maybe downloading the updated software is not anything that I need to be commanded to do. Since the machines are left unprotected until this is corrected, if I didn't work to fix the error then I would feel like I was being lax in my duties.

lajackson
Community Moderators
Posts: 8471
Joined: Mon Mar 17, 2008 9:27 pm
Location: US

Postby lajackson » Sun Nov 11, 2012 12:13 pm

aclawson wrote:With the case of Sophos, spending three minutes to watch a script run then maybe downloading the updated software is not anything that I need to be commanded to do. Since the machines are left unprotected until this is corrected, if I didn't work to fix the error then I would feel like I was being lax in my duties.


I agree with what you have said (including the part I did not quote).

However, our technology folks are not as savvy as you. And so we ask for instructions and do not receive them, and we wait patiently for directions in the meantime while those who should know about the problem and should provide support to us do not even acknowledge it.

Our technology specialists are not security specialists, but they are faithful brethren who are more than willing to follow instructions, and who then need further instructions when the first instructions do not work.

Or even better, official guidance on which set of instructions to follow when they receive conflicting instructions from "official" sources.

nathangg
Member
Posts: 249
Joined: Tue Dec 21, 2010 12:36 pm

Re:

Postby nathangg » Wed Aug 07, 2013 8:17 am

jdlessley wrote:
Miknmaur wrote:I am getting a constant Windows Installer, "almon" I think this is related to Sophos? How do I stop it?
This is one of the Sophos updater files that were moved as part of the false positive issue. You can read about it here. The fix is to run FixIssues.exe as described in the "Using FixIssues.exe (Recommended)" section of that Sophos knowledge base article.


I ran fixissues.exe and I'm getting an error saying

"Could not resolve the issue"
The script encountered an error
Please contact technical support

Here is the log:

Version 6.12
Fix issues enabled.
Checking that detected CID location is accessible
Could not access http://ldssr4.ldschurch.org/SophosUpdate/CIDs/S031/SAVSCFXP/, error 404 : Not Found
Checking Sophos CID location is accessible
CID location "http://downloads.sophos.com/tools/FPF_CID/9.5.6/SAVSCFXP" is accessible and will be used if a repair action is necessary
Working directory : 'C:\DOCUME~1\Clerk\LOCALS~1\Temp'
Problem IDE is present.
IDE that fixes issue is present.
Update did not receive newer IDEs.
Stopping SAV service
Deleting Quarantine.xml file
Deleted quarantine file C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml
SAU files missing from the program files directory
Writing false positive detections list to .\2013-8-7_9-14-13_#LU-525782#_001-FalsePosAll.txt
Writing false positive moved list to .\2013-8-7_9-14-13_#LU-525782#_002-FalsePosMoved.txt
Writing false positive moved to restore list to .\2013-8-7_9-14-13_#LU-525782#_003-ToRestoreMoved.txt
Writing false positive deleted list to .\2013-8-7_9-14-13_#LU-525782#_004-FalsePosDeleted.txt
Writing false positive deleted to restore list to .\2013-8-7_9-14-13_#LU-525782#_005-ToRestoreDeleted.txt
No other files need to be moved back
SAU files still missing after restoring moved files
RMS files missing from the program files directory
Restoring missing SAU files from the local cache
Repairing SAU using 'Sophos AutoUpdate.msi'
SAU reinstall failed because another installation is in progress. Please wait until that installation has finished and re-run the script
Starting SAV service
Restarting Sophos Agent
Update was not triggered due to an earlier failure


I've verified another installation is NOT in progress... so what now? Which technical support do we contact?

Thanks~!

nathangg
Member
Posts: 249
Joined: Tue Dec 21, 2010 12:36 pm

Re: Sophos False Positives 9/19/2012 - Shh/Updater-B

Postby nathangg » Wed Aug 07, 2013 8:23 am

I just ran it again... a new error this time:

Writing script output to .\2013-8-7_9-19-44_#LU-525782#_000-Output.txt
Version 6.12
Fix issues enabled.
Checking that detected CID location is accessible
Could not access http://ldssr4.ldschurch.org/SophosUpdate/CIDs/S031/SAVSCFXP/, error 404 : Not Found
Checking Sophos CID location is accessible
CID location "http://downloads.sophos.com/tools/FPF_CID/9.5.6/SAVSCFXP" is accessible and will be used if a repair action is necessary
Working directory : 'C:\DOCUME~1\Clerk\LOCALS~1\Temp'
Problem IDE is present.
IDE that fixes issue is present.
Update did not receive newer IDEs.
Stopping SAV service
Deleting Quarantine.xml file
Quarantine file C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml does not exist
Writing false positive detections list to .\2013-8-7_9-19-44_#LU-525782#_001-FalsePosAll.txt
Writing false positive moved list to .\2013-8-7_9-19-44_#LU-525782#_002-FalsePosMoved.txt
Writing false positive moved to restore list to .\2013-8-7_9-19-44_#LU-525782#_003-ToRestoreMoved.txt
Writing false positive deleted list to .\2013-8-7_9-19-44_#LU-525782#_004-FalsePosDeleted.txt
Writing false positive deleted to restore list to .\2013-8-7_9-19-44_#LU-525782#_005-ToRestoreDeleted.txt
No other files need to be moved back
Starting SAV service
Triggering update of product
Update encountered an error: 0x8000FFFF. Description: Timeout on waiting on update to finish
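
Added example, not part of the original posts and not Sophos code: a small triage script for the two FixIssues.exe logs posted above. It pulls out the unreachable and fallback CID locations, the missing components, and the reason each run ended without a completed update. The patterns cover only messages that appear in those logs; the finding labels are this example's own names.

```python
import re

# Patterns cover only messages that appear in the two logs posted in this thread.
# The labels are this example's own names, not Sophos terminology.
RULES = [
    ("cid_unreachable", re.compile(r"^Could not access (\S+), error (\d+)")),
    ("cid_fallback", re.compile(r'^CID location "([^"]+)" is accessible')),
    ("component_missing", re.compile(r"^(SAU|RMS) files (?:still )?missing")),
    ("installer_busy", re.compile(r"^SAU reinstall failed because another installation")),
    ("update_skipped", re.compile(r"^Update was not triggered due to an earlier failure")),
    ("update_error", re.compile(r"^Update encountered an error: (0x[0-9A-Fa-f]+)\. Description: (.+)$")),
]
# Findings that mean the run ended without a completed update.
BLOCKING = ("installer_busy", "update_skipped", "update_error")

def triage(log_text):
    """Return (findings, blockers) for one FixIssues.exe output log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for label, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append((label, match.groups()))
                break
    blockers = [label for label, _ in findings if label in BLOCKING]
    return findings, blockers

# Excerpts copied from the first and second logs in this thread.
RUN_1 = """\
Could not access http://ldssr4.ldschurch.org/SophosUpdate/CIDs/S031/SAVSCFXP/, error 404 : Not Found
CID location "http://downloads.sophos.com/tools/FPF_CID/9.5.6/SAVSCFXP" is accessible and will be used if a repair action is necessary
SAU files missing from the program files directory
RMS files missing from the program files directory
SAU reinstall failed because another installation is in progress. Please wait until that installation has finished and re-run the script
Update was not triggered due to an earlier failure
"""
RUN_2 = """\
Could not access http://ldssr4.ldschurch.org/SophosUpdate/CIDs/S031/SAVSCFXP/, error 404 : Not Found
Starting SAV service
Triggering update of product
Update encountered an error: 0x8000FFFF. Description: Timeout on waiting on update to finish
"""

if __name__ == "__main__":
    for name, log in (("run 1", RUN_1), ("run 2", RUN_2)):
        findings, blockers = triage(log)
        print(name, "blockers:", blockers)
        for label, details in findings:
            print("   ", label, details)
```

A non-empty blockers list means that run did not finish an update, so the machine should still be treated as not receiving updates.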

lajackson
Community Moderators
Posts: 8471
Joined: Mon Mar 17, 2008 9:27 pm
Location: US

Re: Re:

Postby lajackson » Wed Aug 07, 2013 11:46 am

nathangg wrote:Which technical support do we contact?

I called the Global Service Center and explained what I had done and that it did not work. They remotely logged into our administrative computer, removed the software, put an installer file on the desktop and fired it up.

They told me to delete the installer file when it was finished, and to call them back if it did not finish for some reason. The GSC stayed with me long enough that they felt confident it would install, which it did.

The total process involved two or three reboots, and we had to reestablish the remote connection afterward each time. Other than that, the GSC did the driving and we have not had a problem since.

