Sophos False Positives 9/19/2012 - Shh/Updater-B

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
drepouille
Senior Member
Posts: 1842
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE

Postby drepouille » Sat Sep 22, 2012 2:18 pm

I thought maybe uninstalling and reinstalling Sophos would fix this. After the reinstall, Sophos seemed to be OK. However, after I did the first "Update now" Sophos immediately quarantined several files, including Sophos AutoUpdater components as well as the Macromedia Flash Player Update service.
Oh well, it was worth a try.
Dana

WillClaridge
New Member
Posts: 5
Joined: Thu Jan 27, 2011 9:59 pm
Location: Scappoose, OR

Postby WillClaridge » Sat Sep 22, 2012 2:33 pm

Part of the ongoing problem is that the Church's Sophos CID Server has not been updated with the 'fixed' detection identity, which is javab-jd.ide. The server http://ldssr4.ldschurch.org/SophosUpdate/CIDs/S027/SAVSCFXP/ still shows the savxp directory with the Wed Sep 19th date, the date the false positive was distributed by Sophos.

Any clerk computer that has been turned off all week will automatically update on Sunday when turned on; and will start the false-positive quarantine process. If GSC can get the Server updated this will short-circuit a lot of grief on Sunday. Because Sophos is managed by GSC there is not much that we can do; they need to follow this process: http://www.sophos.com/en-us/support/knowledgebase/118328.aspx. Unfortunately when I spoke with GSC today they told me that the group that would do that does not have people working on the weekends.

I tried a few things unsuccessfully (as expected, since Sophos is managed remotely). There is a mechanism to get javab-jd.ide onto the clerk computer via a download from the Sophos website, which worked (on a newly imaged clerk PC), but as soon as the updater runs the next time it overwrites the new files with everything from the CID Server, and starts flagging false positives.

So far my experience has been that Sophos quarantines itself, so if you reboot it goes silent. I am going to recommend to all of my wards that once Sophos starts flagging false positives that they should reboot, and then go on with business. So far doing this has not impacted the operation of the PC. Hopefully fixes will be pushed out soon.

drepouille
Senior Member
Posts: 1842
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE

Postby drepouille » Sat Sep 22, 2012 3:46 pm

I remember the good old days when we could download updates for Norton/Symantec Anti-Virus directly from the Symantec web site. Now we are locked into auto-updates from the Church's server.

Dana

benl64usa
New Member
Posts: 1
Joined: Wed May 11, 2011 4:51 am

Solution to the Sophos Problem

Postby benl64usa » Sun Sep 23, 2012 1:29 pm

A fix has been found for the problem. I've implemented it on all MLS and FHC computers in my stake. The solution is easily implemented as follows:

1. Go to http://www.sophos.com/en-us/support/knowledgebase/118323.aspx
2. Download the fix
3. Run it as shown on the website *
4. Check to see what files were deleted. (A good thing would be "none") **
5. Log off or reboot your computer and you’ll be good to go.

* If you run the script and it doesn’t return to the DOS/command prompt, look at the attachment to this post. Look in the results of the script for the file called “xxxx - FalsePosDeleted.txt”. See what files were deleted from the c:\program files\sophos\autoupdate\ folder. Unzip the attachment and copy the deleted files to their original location. (NOTE: This works for both Windows XP and 7 machines).

** Look through the deleted files (if the text file isn’t empty). Sophos files that were deleted can be restored using the zip I attached to the post. It’s easier to reinstall any programs that had files deleted. The programs that I saw affected were Adobe Reader, Adobe Flash, Java, and Google Chrome. (You may have some other files depending on what you had installed.)

Good luck! :D

Keywords for website search results: ALMon Error loading external resources (0x80070005)
Attachment: AutoUpdate.zip (4.24 MiB)
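The post-fix checks in steps 4 and 5 above (read the "xxxx - FalsePosDeleted.txt" report, put back any Sophos AutoUpdate files it lists, reinstall anything else) can be scripted. The script below is an added example for this thread; it is not from the post, the attached zip, or Sophos. It assumes the report lists one full path per line, that the report's "xxxx" prefix is a placeholder matched with a wildcard, that the unzipped AutoUpdate.zip sits in a folder of your choosing, and the 32-bit install path c:\program files\sophos\autoupdate\ named in the post. The folder names in the param block are assumptions; change them to match your machine.

```powershell
# Added example (not from the thread or from Sophos). Run from an elevated
# PowerShell prompt after the Sophos clean-up script has finished:
#   .\Restore-SophosAutoUpdate.ps1 -ReportDir C:\SophosFix -GoodCopyDir C:\SophosFix\AutoUpdate
# PowerShell 2.0 ships with Windows 7; on Windows XP it must be installed first.
param(
    [string]$ReportDir     = 'C:\SophosFix',                        # assumption: where the clean-up script wrote its report
    [string]$GoodCopyDir   = 'C:\SophosFix\AutoUpdate',             # assumption: the unzipped AutoUpdate.zip from the post
    [string]$AutoUpdateDir = 'C:\Program Files\Sophos\AutoUpdate'   # install folder named in the post (32-bit layout)
)

# Step 4: find the "<something> - FalsePosDeleted.txt" report the clean-up script leaves behind.
$report = Get-ChildItem -Path $ReportDir -Filter '* - FalsePosDeleted.txt' | Select-Object -First 1
if (-not $report) { throw "No '* - FalsePosDeleted.txt' report found in $ReportDir" }

# Assumption: one full path per line; blank lines are ignored.
$deleted = @(Get-Content -LiteralPath $report.FullName | Where-Object { $_.Trim() -ne '' })
if ($deleted.Count -eq 0) {
    Write-Host 'Nothing was deleted. Log off or reboot and you are done.'
    return
}

$restored  = @()
$reinstall = @()
foreach ($line in $deleted) {
    $path = $line.Trim()
    if ($path.StartsWith($AutoUpdateDir, [StringComparison]::OrdinalIgnoreCase)) {
        # A Sophos AutoUpdate component: copy the same relative path back from the known-good folder.
        $relative = $path.Substring($AutoUpdateDir.Length).TrimStart('\')
        $source   = Join-Path $GoodCopyDir $relative
        if (Test-Path -LiteralPath $source) {
            $destDir = Split-Path -Parent $path
            if (-not (Test-Path -LiteralPath $destDir)) {
                New-Item -ItemType Directory -Path $destDir | Out-Null
            }
            Copy-Item -LiteralPath $source -Destination $path -Force
            $restored += $path
        } else {
            Write-Warning "No known-good copy for $path (not in $GoodCopyDir)"
        }
    } else {
        # Anything else (Adobe Reader, Flash, Java, Chrome in the post's experience) is easier to reinstall.
        $reinstall += $path
    }
}

Write-Host "Restored $($restored.Count) Sophos AutoUpdate file(s):"
$restored | ForEach-Object { Write-Host "  $_" }

Write-Host "Files from other products were deleted under these folders; reinstall those products:"
$reinstall | Split-Path -Parent | Sort-Object -Unique | ForEach-Object { Write-Host "  $_" }

# Step 5 is still manual: log off or reboot once the copies are in place.
```

Note, as WillClaridge observed earlier in the thread, that anything restored this way is only as good as the next update: if the CID server still carries the Sep 19th identities, the next AutoUpdate run can put the machine back where it started, so this is a stopgap until the server side is corrected.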

drepouille
Senior Member
Posts: 1842
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE

Postby drepouille » Sun Sep 23, 2012 4:08 pm

That fix seemed to work. However, it looks like the Church has shutdown its CID server.

Time: 9/23/2012 18:04:23
Message: ERROR: Download of Sophos AutoUpdate failed from server http://ldssr4.ldschurch.org/SophosUpdate/CIDs/S027/SAVSCFXP/
Module: CIDUpdate
Process ID: 2796
Thread ID: 2800

drepouille
Senior Member
Posts: 1842
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE

Postby drepouille » Sun Sep 23, 2012 4:42 pm

I checked the three ward clerk computers in my stake center. It looks like the Church may have pushed out a Sophos update via Tivoli to correct the issue. When I logged in, the Sophos update immediately started. The only thing it did NOT fix is the missing copy of inetconn.dll. I copied it from a functional system, rebooted, and all is well.
The stake clerk computer I had wiped and reinstalled yesterday is not quite so well. It still insists that the Church CID server is not responding. Oh well, I will leave that for another day.

techgy
Community Moderators
Posts: 3183
Joined: Sun Jan 13, 2008 6:48 pm
Location: California

Postby techgy » Tue Sep 25, 2012 5:36 pm

drepouille wrote: I checked the three ward clerk computers in my stake center. It looks like the Church may have pushed out a Sophos update via Tivoli to correct the issue. When I logged in, the Sophos update immediately started. The only thing it did NOT fix is the missing copy of inetconn.dll. I copied it from a functional system, rebooted, and all is well.
I've been dealing with this issue since this past Sunday. Every MLS computer in the stake is experiencing the same issue. The AutoUpdate feature won't work and we get several "false positives" on occasion.

Yesterday I spent over an hour on the phone with Local Unit Support in an attempt to remedy this issue. From the conversation I had with an individual who did their very best to help, they weren't aware of the issue as yet. I called back today and spoke to someone different and was told that they had not had any reports of problems with the sophos package.

I'm finding this almost unbelievable, since Sophos themselves are swamped with calls. I would have to believe that the local service desk would have had dozens of calls and that they were working on a resolution.

I've already tried the suggestions in this thread to no avail.
Have you read the Code of Conduct?

aebrown
Community Administrator
Posts: 15094
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Tue Sep 25, 2012 6:09 pm

techgy wrote: I've been dealing with this issue since this past Sunday. Every MLS computer in the stake is experiencing the same issue. The AutoUpdate feature won't work and we get several "false positives" on occasion.

It's probably not much comfort to those who are having such hassles with this issue, but I would note that I have not experienced this issue, nor have any of the wards in my stake reported any such issue. So it's clearly not a universal problem. I have no idea why it afflicts some, but not others.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

drepouille
Senior Member
Posts: 1842
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE

Postby drepouille » Tue Sep 25, 2012 6:16 pm

The computers that were turned off during the week seemed to be OK on Sunday. The computers that were left on, logged in, and screen-locked were corrupted on Sept 19th by an auto-update. I called the Global Service Center twice on Saturday. They said they were aware of the problem, but did not have a fix for it.

johnshaw
Senior Member
Posts: 2083
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

Postby johnshaw » Wed Sep 26, 2012 5:28 am

With the direction the Desktop Management team has taken, I feel they have the responsibility to make the decision on what action to perform for recovery from this incident. I believe, personally, with my IT background, I would make a good decision (I have experience managing computer systems world-wide with computer management and automation tools) - but does everyone that is responsible for clerk computers have this type of experience? Will we all make a good decision? The same decision? The fix that some put into place might actually create more issues down the road.

What is an STS/Clerk to assume when no messaging is received from SLC through the STS Mailing list, MLS message, or tech community?

Something like:
We're working on it stay tuned
Please access this site online and perform steps 1-5
Have your clerks call into the GSC they have specific instructions on what to do

I think SLC / Desktop Management Team missed a golden opportunity to solidify in the minds of STS and Clerks that this is the right direction to be moving in.
“A long habit of not thinking a thing wrong, gives it a superficial appearance of being right, and raises at first a formidable outcry in defense of custom.”
― Thomas Paine, Common Sense
