Anybody been bitten by the Sophos Shh/Updater-B false positive?

(imported topic written by delichty91)

I don’t know how many of you out there run Sophos alongside your TEM installations. Thankfully, we do at all our client sites. So when we got bitten by the Sophos Shh/Updater-B false positive, we were able to use TEM to fix the large number of systems that were broken. It took us the better part of a day and a half to get this working properly. In the end, it saved us massive amounts of time.

The fixlet we built works on XP, 7, 2003 (untested), and 2008. It only addresses the individual endpoints; you still have to get the Sophos Update Manager working first. Some base-level testing was conducted, but nothing extensive, so it should be used with caution and care.

These forums have been extremely helpful for me building custom content in the past, so I thought I would return the favor. Anyone who is interested in this fixlet, drop me a line.

IBM/TEM Personnel - If you would like to discuss adding this to your action site(s), please feel free to contact me.

Best wishes!

(imported comment written by SystemAdmin)

We’re using TEM to repair this as well using the vbs script Sophos has provided via KB 118315:

http://www.sophos.com/en-us/support/knowledgebase/118315.aspx

Can you post your action script on the forum?

Our action script is basically:

delete __createfile
createfile until __EOF
<paste the Sophos vbs script here, make sure to escape any left curly brace>
__EOF
delete "{pathname of windows folder & "\Temp\SophosQuarRestore.vbs"}"
move __createfile "{pathname of windows folder & "\Temp\SophosQuarRestore.vbs"}"
wait cscript.exe "{pathname of windows folder & "\Temp\SophosQuarRestore.vbs"}"

(imported comment written by delichty91)

amelgares91 wrote:

We’re using TEM to repair this as well using the vbs script Sophos has provided via KB 118315:

http://www.sophos.com/en-us/support/knowledgebase/118315.aspx

Can you post your action script on the forum?

The real trick comes in the relevance, of course. But here is the action script.

Of course, YMMV, and I provide NO guarantees. Be sure to test it out first! :)

// Download the QuarRestore.vbs script
prefetch QuarRestore.vbs sha1:c574fcbdf73e40481f3ef8b04dfe3cc6be1bf97e size:7140 http://sophserv.sophos.com/repo_kb/118315/file/QuarRestore.txt

// FIRST, Stop the Sophos Services
runhidden cmd.exe /C net stop savservice
runhidden cmd.exe /C net stop "Sophos AutoUpdate Service"

// Next, get rid of the quarantine.xml file
if {exists file "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"}
delete "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
endif

if {exists file "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"}
delete "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
endif

// Next, run the script to restore any quarantined files
wait "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" "{pathname of system folder & "\cscript.exe"}" "__download\QuarRestore.vbs"

// LAST, Restart the Sophos Services
runhidden cmd.exe /C net start savservice
runhidden cmd.exe /C net start "Sophos AutoUpdate Service"

(imported comment written by delichty91)

Disregard my last response, that is an incomplete action script.

Here is the COMPLETE action script.

// Download the QuarRestore.vbs script
prefetch QuarRestore.vbs sha1:c574fcbdf73e40481f3ef8b04dfe3cc6be1bf97e size:7140 http://sophserv.sophos.com/repo_kb/118315/file/QuarRestore.txt

// FIRST, Stop the Sophos Services
runhidden cmd.exe /C net stop savservice
runhidden cmd.exe /C net stop "Sophos AutoUpdate Service"

// Next, get rid of the bad file (agen-xuv.ide)
//   There are 2 here, both 32- and 64-bit
if {exists file "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"}
delete "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"
endif

if {exists file "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"}
delete "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"
endif

// Next, get rid of the quarantine.xml file
if {exists file "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"}
delete "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
endif

if {exists file "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"}
delete "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
endif

// Next, run the script to restore any quarantined files
wait "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" "{pathname of system folder & "\cscript.exe"}" "__download\QuarRestore.vbs"

// LAST, Restart the Sophos Services
runhidden cmd.exe /C net start savservice
runhidden cmd.exe /C net start "Sophos AutoUpdate Service"
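The two posts above package the same Sophos repair script in two different ways: SystemAdmin embeds it with `createfile until __EOF` (which is why every left curly brace in the VBS has to be escaped), while delichty91 pulls it with a `prefetch` line that pins the download to a SHA-1 and a byte count. The helper below, an added example that is not code from this thread, from Sophos or from IBM, generates both forms from the bytes of a script. Function names, the `SAMPLE_VBS` payload (constructed; it is not the real QuarRestore.vbs) and the choice of `__EOF` as the sentinel are assumptions for illustration; the `{pathname of windows folder ...}` substitution is taken from SystemAdmin's post.

```python
"""Package a repair script into BigFix/TEM ActionScript two ways.

Added example, not code from the thread or from Sophos/IBM; function names and
the sample script are constructed for illustration.
"""
import hashlib
import re

# Constructed stand-in for a VBS payload. It deliberately contains a "{" so the
# escaping path is exercised; the real QuarRestore.vbs is not reproduced here.
SAMPLE_VBS = (
    "Option Explicit\n"
    'Dim sh: Set sh = CreateObject("WScript.Shell")\n'
    'WScript.Echo "restoring {quarantined} items"\n'
)

# Relevance substitution used by SystemAdmin's script for the drop location.
# It is NOT escaped: these braces are meant to be evaluated by the client.
TEMP_VBS = r'{pathname of windows folder & "\Temp\SophosQuarRestore.vbs"}'


def prefetch_line(name: str, data: bytes, url: str) -> str:
    """Build `prefetch NAME sha1:HEX size:N URL` (delichty91's approach).

    The client downloads URL and will not use the file unless both the SHA-1
    and the byte count match, so a swapped or truncated download never reaches
    __Download. Regenerate this line whenever you re-host the file."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("prefetch name must be a plain file name")
    digest = hashlib.sha1(data).hexdigest()
    return f"prefetch {name} sha1:{digest} size:{len(data)} {url}"


def escape_for_createfile(line: str) -> str:
    """Double each left curly brace.

    Inside `createfile until`, `{...}` is a relevance substitution; a literal
    "{" in the embedded script must be written "{{". "}" is not special."""
    return line.replace("{", "{{")


def createfile_block(text: str, sentinel: str = "__EOF") -> str:
    """Emit `createfile until SENTINEL` ... SENTINEL with the body escaped.

    Refuses a sentinel that appears as a line of the body: the client would
    close the block there and run the rest of the script as ActionScript."""
    lines = text.splitlines()
    if sentinel in lines:
        raise ValueError(f"sentinel {sentinel!r} occurs in the body; choose another")
    body = "\n".join(escape_for_createfile(l) for l in lines)
    return f"createfile until {sentinel}\n{body}\n{sentinel}"


def inline_action_script(text: str, dest: str = TEMP_VBS) -> str:
    """Assemble the inline variant from SystemAdmin's post around an escaped body.

    The outer delete/move/wait lines keep their braces unescaped because there
    the substitution is wanted; only the embedded script body is escaped."""
    return "\n".join([
        "delete __createfile",
        createfile_block(text),
        f'delete "{dest}"',
        f'move __createfile "{dest}"',
        f'wait cscript.exe "{dest}"',
    ])


if __name__ == "__main__":
    # Stand-alone demo on the constructed payload.
    print(prefetch_line("QuarRestore.vbs", SAMPLE_VBS.encode(),
                        "http://sophserv.sophos.com/repo_kb/118315/file/QuarRestore.txt"))
    print()
    print(inline_action_script(SAMPLE_VBS))
```

Two points the thread only implies: the `sha1:`/`size:` pair in the prefetch line is what stops the client from executing a file that differs from the one you tested, so if you mirror QuarRestore.txt on an internal relay, run `prefetch_line` against the bytes you actually serve rather than copying the hash from the post; and with `createfile until`, the sentinel must not occur as a line of the embedded script, otherwise everything after it is interpreted as ActionScript on the endpoint.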