Sophos False Positives 9/19/2012 - Shh/Updater-B

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
jdlessley
Community Moderators
Posts: 9905
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#31

Post by jdlessley »

Miknmaur wrote:I am getting a constant Windows Installer, "almon" I think this is related to Sophos? How do I stop it?

This is one of the Sophos updater files that were moved as part of the false positive issue. You can read about it here. The fix is to run FixIssues.exe as described in the "Using FixIssues.exe (Recommended)" section of that Sophos knowledge base article.
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
johnshaw
Senior Member
Posts: 2273
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

#32

Post by johnshaw »

Am I the only person that is still waiting for the Church to tell us what to do? Why were we as STS left to fend for ourselves, and fix an issue that only came about because of a centralized management system that was designed and meant to save us time, or reduce our work load? The irony is fantastic, but shouldn't we expect some kind of notification or email with instructions?
“A long habit of not thinking a thing wrong, gives it a superficial appearance of being right, and raises at first a formidable outcry in defense of custom.”
― Thomas Paine, Common Sense
lajackson
Community Moderators
Posts: 11472
Joined: Mon Mar 17, 2008 10:27 pm
Location: US

#33

Post by lajackson »

JohnShaw wrote:Am I the only person that is still waiting for the Church to tell us what to do?

What problem? [grin]

We have not done anything. Since it is not interfering with anything we need to do, we have not worried about it. That is one of the "blessings" of centralized management. We let the central manager worry about it.

If they need help, they will ask. And it saves hours and hours of travel time around here.
rmrichesjr
Community Moderators
Posts: 3842
Joined: Thu Jan 25, 2007 11:32 am
Location: Dundee, Oregon, USA

#34

Post by rmrichesjr »

I might be mistaken, but I understood the problem JohnShaw was referring to is the substantial damage to some, not all, administrative computers as a result of a flawed Sophos update. Based on what I have read here in the forum, I would have expected a significantly strong response with remedial instructions. If I had any adversely affected machines under my stewardship, I would be making a big nuisance of myself on appropriate support lines in pursuit of solutions for said machines.
aclawson
Senior Member
Posts: 760
Joined: Fri Jan 19, 2007 6:28 pm

#35

Post by aclawson »

JohnShaw wrote:Am I the only person that is still waiting for the Church to tell us what to do? Why were we as STS left to fend for ourselves, and fix an issue that only came about because of a centralized management system that was designed and meant to save us time, or reduce our work load?

Per the D&C we are not to be commanded in all things. An STS is called to fix problems. Unless I am ordered and/or prevented from resolving an issue I will resolve it to the best of my ability. I don't care who gets the blame for causing a problem (that is only useful when figuring out a way to prevent it from happening in the future), if there is an issue I will resolve it.

With the case of Sophos, spending three minutes to watch a script run then maybe downloading the updated software is not anything that I need to be commanded to do. Since the machines are left unprotected until this is corrected, if I didn't work to fix the error then I would feel like I was being lax in my duties.
lajackson
Community Moderators
Posts: 11472
Joined: Mon Mar 17, 2008 10:27 pm
Location: US

#36

Post by lajackson »

aclawson wrote:With the case of Sophos, spending three minutes to watch a script run then maybe downloading the updated software is not anything that I need to be commanded to do. Since the machines are left unprotected until this is corrected, if I didn't work to fix the error then I would feel like I was being lax in my duties.

I agree with what you have said (including the part I did not quote).

However, our technology folks are not as savvy as you. And so we ask for instructions and do not receive them, and we wait patiently for directions in the meantime while those who should know about the problem and should provide support to us do not even acknowledge it.

Our technology specialists are not security specialists, but they are faithful brethren who are more than willing to follow instructions, and who then need further instructions when the first instructions do not work.

Or even better, official guidance on which set of instructions to follow when they receive conflicting instructions from "official" sources.
nathangg
Member
Posts: 259
Joined: Tue Dec 21, 2010 12:36 pm
Location: USA

Re:

#37

Post by nathangg »

jdlessley wrote:
Miknmaur wrote:I am getting a constant Windows Installer, "almon" I think this is related to Sophos? How do I stop it?
This is one of the Sophos updater files that were moved as part of the false positive issue. You can read about it here. The fix is to run FixIssues.exe as described in the "Using FixIssues.exe (Recommended)" section of that Sophos knowledge base article.

I ran fixissues.exe and I'm getting an error saying

"Could not resolve the issue"
The script encountered an error
Please contact technical support

Here is the log:

Version 6.12
Fix issues enabled.
Checking that detected CID location is accessible
Could not access http://ldssr4.ldschurch.org/SophosUpdate/CIDs/S031/SAVSCFXP/, error 404 : Not Found
Checking Sophos CID location is accessible
CID location "http://downloads.sophos.com/tools/FPF_CID/9.5.6/SAVSCFXP" is accessible and will be used if a repair action is necessary
Working directory : 'C:\DOCUME~1\Clerk\LOCALS~1\Temp'
Problem IDE is present.
IDE that fixes issue is present.
Update did not receive newer IDEs.
Stopping SAV service
Deleting Quarantine.xml file
Deleted quarantine file C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml
SAU files missing from the program files directory
Writing false positive detections list to .\2013-8-7_9-14-13_#LU-525782#_001-FalsePosAll.txt
Writing false positive moved list to .\2013-8-7_9-14-13_#LU-525782#_002-FalsePosMoved.txt
Writing false positive moved to restore list to .\2013-8-7_9-14-13_#LU-525782#_003-ToRestoreMoved.txt
Writing false positive deleted list to .\2013-8-7_9-14-13_#LU-525782#_004-FalsePosDeleted.txt
Writing false positive deleted to restore list to .\2013-8-7_9-14-13_#LU-525782#_005-ToRestoreDeleted.txt
No other files need to be moved back
SAU files still missing after restoring moved files
RMS files missing from the program files directory
Restoring missing SAU files from the local cache
Repairing SAU using 'Sophos AutoUpdate.msi'
SAU reinstall failed because another installation is in progress. Please wait until that installation has finished and re-run the script
Starting SAV service
Restarting Sophos Agent
Update was not triggered due to an earlier failure

I've verified another installation is NOT in progress... so what now? Which technical support do we contact?

Thanks~!
nathangg
Member
Posts: 259
Joined: Tue Dec 21, 2010 12:36 pm
Location: USA

Re: Sophos False Positives 9/19/2012 - Shh/Updater-B

#38

Post by nathangg »

I just ran it again... a new error this time:

Writing script output to .\2013-8-7_9-19-44_#LU-525782#_000-Output.txt
Version 6.12
Fix issues enabled.
Checking that detected CID location is accessible
Could not access http://ldssr4.ldschurch.org/SophosUpdate/CIDs/S031/SAVSCFXP/, error 404 : Not Found
Checking Sophos CID location is accessible
CID location "http://downloads.sophos.com/tools/FPF_CID/9.5.6/SAVSCFXP" is accessible and will be used if a repair action is necessary
Working directory : 'C:\DOCUME~1\Clerk\LOCALS~1\Temp'
Problem IDE is present.
IDE that fixes issue is present.
Update did not receive newer IDEs.
Stopping SAV service
Deleting Quarantine.xml file
Quarantine file C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml does not exist
Writing false positive detections list to .\2013-8-7_9-19-44_#LU-525782#_001-FalsePosAll.txt
Writing false positive moved list to .\2013-8-7_9-19-44_#LU-525782#_002-FalsePosMoved.txt
Writing false positive moved to restore list to .\2013-8-7_9-19-44_#LU-525782#_003-ToRestoreMoved.txt
Writing false positive deleted list to .\2013-8-7_9-19-44_#LU-525782#_004-FalsePosDeleted.txt
Writing false positive deleted to restore list to .\2013-8-7_9-19-44_#LU-525782#_005-ToRestoreDeleted.txt
No other files need to be moved back
Starting SAV service
Triggering update of product
Update encountered an error: 0x8000FFFF. Description: Timeout on waiting on update to finish
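
The two FixIssues.exe runs above stop at different steps (a blocked SAU reinstall in the first, an update timeout 0x8000FFFF in the second), which is the detail a support desk will ask for. As an added example, not part of any post in this thread and not a Sophos tool, this Python script pulls the failure lines out of such an output file; the category names and regular expressions are assumptions based only on the log wording quoted here.

```python
import re

# Constructed samples: a subset of lines copied from the two runs quoted in this thread.
RUN_1 = """\
Version 6.12
Could not access http://ldssr4.ldschurch.org/SophosUpdate/CIDs/S031/SAVSCFXP/, error 404 : Not Found
CID location "http://downloads.sophos.com/tools/FPF_CID/9.5.6/SAVSCFXP" is accessible and will be used if a repair action is necessary
SAU files missing from the program files directory
SAU reinstall failed because another installation is in progress. Please wait until that installation has finished and re-run the script
Update was not triggered due to an earlier failure
"""
RUN_2 = """\
Version 6.12
Could not access http://ldssr4.ldschurch.org/SophosUpdate/CIDs/S031/SAVSCFXP/, error 404 : Not Found
Starting SAV service
Triggering update of product
Update encountered an error: 0x8000FFFF. Description: Timeout on waiting on update to finish
"""

# Assumed patterns: they match only the message wording seen in the logs above.
RULES = [
    ("cid_unreachable", re.compile(r"^Could not access (\S+?),? error (\d+)")),
    ("component_missing", re.compile(r"^(\w+) files (?:still )?missing")),
    ("reinstall_blocked", re.compile(r"^(\w+) reinstall failed because (.+?)\.")),
    ("update_skipped", re.compile(r"^Update was not triggered")),
    ("update_error", re.compile(r"^Update encountered an error: (0x[0-9A-Fa-f]+)")),
]

def triage(log_text):
    """Return (line_no, category, captured_details) for each failure line."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        for category, rx in RULES:
            m = rx.match(line.strip())
            if m:
                findings.append((no, category, m.groups()))
                break
    return findings

def update_failed(log_text):
    """True if the run reports that the repair or update step did not complete."""
    blocking = {"reinstall_blocked", "update_skipped", "update_error"}
    return any(cat in blocking for _, cat, _ in triage(log_text))

if __name__ == "__main__":
    for name, run in (("run 1", RUN_1), ("run 2", RUN_2)):
        print(name, "update failed:", update_failed(run))
        for finding in triage(run):
            print("   ", finding)
```

A machine whose output still shows one of the blocking categories has not completed the repair and update and should be followed up.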
lajackson
Community Moderators
Posts: 11472
Joined: Mon Mar 17, 2008 10:27 pm
Location: US

Re: Re:

#39

Post by lajackson »

nathangg wrote:Which technical support do we contact?

I called the Global Service Center and explained what I had done and that it did not work. They remotely logged into our administrative computer, removed the software, put an installer file on the desktop and fired it up.

They told me to delete the installer file when it was finished, and to call them back if it did not finish for some reason. The GSC stayed with me long enough that they felt confident it would install, which it did.

The total process involved two or three reboots, and we had to reestablish the remote connection afterward each time. Other than that, the GSC did the driving and we have not had a problem since.