Sophos antivirus false-positive SHH/Updater-B

This morning all computers running Sophos Antivirus reported various files as infected with the SHH/Updater-B virus.

This was a clear false positive and Sophos promptly issued a fix in the detection updates released 19 Sep 21:32. Unfortunately, most of the affected systems were no longer able to download definition updates automatically...

The false positive seems to have affected various auto-update packages, including Adobe Reader, Foxit Reader and, last but not least, Sophos AutoUpdate itself! Quarantined or even deleted auto-update files crippled Sophos antivirus so that it could no longer auto-update or even run properly.

Sophos Endpoint Security and Control error

Sophos published a constantly updated knowledgebase article trying to cover all possible scenarios.

My solution was:

  • Centrally disable on-access scanning in Sophos Control Centre > Configure Scanning.
  • Delete all affected machines from Sophos Control Centre.
  • Re-protect all deleted machines via Sophos Control Centre again.

This re-installs Sophos on the client machines with the latest definition updates and replaces all missing or damaged files.

There were a couple of machines which couldn't be re-protected via Sophos Control Centre.
A manual uninstall was failing while trying to remove Sophos AutoUpdate:

Sophos AutoUpdate Warning 25010

Warning 25010. An error occurred while running the custom action 'NoUpdateInProgress'. Contact your support personnel.

Sophos AutoUpdate Error 25010

Error 25010 An error occurred while running the custom action "WaitUntilFileUnlocked". Contact your support personnel.

On these machines I wiped the Sophos AutoUpdate install using the Windows Installer Cleanup utility. After this, re-installation via Sophos Control Centre worked fine.


A few other machines developed another issue. They were re-protected successfully, but Control Centre then started logging the following error:

Event Decode Unavailable (Event Number: "-1604845556" Message Code: "SAVXP.2690121740" Inserts: "0". "". "". ""."")

This error is related to the Sophos Web Intelligence service. It seems to be caused by Web Intelligence files that went missing because of the false positive. Re-deploying Sophos via Sophos Control Centre doesn't seem to replace these files. As a test, you can disable Web Scanning in the Sophos Control Centre scanning options; after the clients receive the new policy the error should go away.

This one was resolved by one of the following methods:

  • Log on to the affected machine locally and uninstall Sophos antivirus via Control Panel. Then re-deploy via Sophos Control Centre as usual.
  • On machines where I couldn't log on locally, the issue was resolved by the FixIssues.exe script provided by Sophos specifically to deal with the false-positive issue. This can be run remotely via the PsExec.exe tool. Alternatively, you can download FixUpdate.vbs and deploy it as a start-up script via Group Policy.
    Here is an example .bat startup script which will run FixUpdate.vbs as long as it hasn't run on the machine before:
     
    @ECHO OFF
    REM Group Policy startup folder holding this .bat and FixUpdate.vbs
    set SRCFIXDIR=\\domain.local\SysVol\domain.local\Policies\{08F8731F-8AA4-44D2-8767-91AF5FE5946A}\Machine\Scripts\Startup
    REM Local marker directory: if it already exists, the fix has run on this machine
    set FIXDIR=C:\FixUtilDir
    if exist "%FIXDIR%" exit
    mkdir "%FIXDIR%"
    xcopy "%SRCFIXDIR%\FixUpdate.vbs" "%FIXDIR%\"
    chdir /d "%FIXDIR%"
    cscript //nologo "%FIXDIR%\FixUpdate.vbs" /fixIssues:true
     
    SRCFIXDIR - Group Policy object directory where the .bat and FixUpdate.vbs scripts are placed.
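Before choosing between the two recovery routes above (and the Installer Cleanup route for machines that fail to uninstall), it helps to know which symptom each machine is showing. The script below is an added example, not part of the original post and not a Sophos tool: it assumes a constructed, tab-separated export of Control Centre and installer log lines in the form "hostname<TAB>message", matches the message code SAVXP.2690121740 / event number -1604845556 and the installer error 25010 quoted in this post, and maps each host to the recovery route the post describes. The sample lines and the hostnames are constructed.

```python
"""Triage helper for the SHH/Updater-B false-positive clean-up.

Added example (not from the original post or from Sophos). It assumes a
constructed export of log lines, one per line, as "hostname<TAB>message".
The strings it matches (Event Number -1604845556, message code
SAVXP.2690121740, installer error 25010) are those quoted in the post.
"""
import re

# Constructed sample export: hostname <TAB> logged message.
SAMPLE_EXPORT = """\
PC-001\tEvent Decode Unavailable (Event Number: "-1604845556" Message Code: "SAVXP.2690121740" Inserts: "0". "". "". ""."")
PC-002\tError 25010 An error occurred while running the custom action "WaitUntilFileUnlocked". Contact your support personnel.
PC-003\tWarning 25010. An error occurred while running the custom action 'NoUpdateInProgress'. Contact your support personnel.
PC-001\tEvent Decode Unavailable (Event Number: "-1604845556" Message Code: "SAVXP.2690121740" Inserts: "0". "". "". ""."")
PC-004\tUpdate succeeded
"""

# Web Intelligence decode error: match either the message code or the event number.
WEB_INTEL_RE = re.compile(r'SAVXP\.2690121740|Event Number: "-1604845556"')
# AutoUpdate uninstall failure: error/warning 25010 from a custom action.
INSTALLER_RE = re.compile(r'\b25010\b.*custom action')

# Recovery route per symptom, as described in the post.
ACTIONS = {
    "web_intelligence": "local uninstall + re-protect, or run FixIssues.exe / FixUpdate.vbs",
    "autoupdate_install": "wipe Sophos AutoUpdate with Windows Installer Cleanup, then re-protect",
}


def classify(message):
    """Return the symptom class for one logged message, or None if it is benign."""
    if WEB_INTEL_RE.search(message):
        return "web_intelligence"
    if INSTALLER_RE.search(message):
        return "autoupdate_install"
    return None


def triage(export_text):
    """Map hostname -> sorted list of symptom classes seen in its messages."""
    found = {}
    for raw in export_text.splitlines():
        if not raw.strip():
            continue
        host, _, message = raw.partition("\t")
        symptom = classify(message)
        if symptom:
            found.setdefault(host, set()).add(symptom)
    return {host: sorted(symptoms) for host, symptoms in found.items()}


def recommend(export_text):
    """Return {hostname: [recommended recovery actions]} for machines needing manual work."""
    return {host: [ACTIONS[s] for s in symptoms]
            for host, symptoms in triage(export_text).items()}


if __name__ == "__main__":
    for host, actions in sorted(recommend(SAMPLE_EXPORT).items()):
        print(host)
        for action in actions:
            print("    -", action)
```

Machines that never appear in the output (PC-004 in the sample) need no manual intervention beyond the central re-protect; the others are the ones to reach by local logon, PsExec or the Group Policy startup script.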


09.2012

Comments  

Chris
# Chris 2014-06-18 01:20
Just want to say thanks for this Post. Worked a treat for exactly the Same problem.
Liz
# Liz 2014-06-03 06:51
Windows Installer Cleanup utility worked perfectly. Thanks for stopping me from bashing my head against the keyboard!
Alex Coelho
+1 # Alex Coelho 2013-04-19 17:41
For me worked just using Windows Installer Cleanup utility... Tks
Visitor
# Visitor 2012-10-08 03:21
great job man! after days of problems, this got me out of the hell! Thanks buddy!
wng
# wng 2012-09-30 07:52
worked for me too!
jcvs
# jcvs 2012-09-24 14:23
Thanks, worked well for me too
