I don’t know how many of you out there run Sophos alongside your TEM installations. Thankfully, we do at all our client sites. So when we got bitten by the Sophos Shh/Updater-B false positive, we were able to use TEM to fix the large number of systems that were broken. It took us the better part of a day and a half to get this working properly. In the end, it saved us massive amounts of time.
The fixlet we built works on XP, 7, 2003 (untested), and 2008. It only addresses the individual endpoints; you still have to get the Sophos Update Manager working first. Some base-level testing was conducted, but nothing extensive, so it should be used with caution and care.
These forums have been extremely helpful for me building custom content in the past, so I thought I would return the favor. Anyone who is interested in this fixlet, drop me a line.
IBM/TEM Personnel - If you would like to discuss adding this to your action site(s), please feel free to contact me.
// Build the script file from the inline text below
delete __createfile
createfile until __EOF
<paste the Sophos vbs script here, make sure to escape any left curly brace>
__EOF
// Put it in the Windows Temp folder and run it
delete "{pathname of windows folder & "\Temp\SophosQuarRestore.vbs"}"
move __createfile "{pathname of windows folder & "\Temp\SophosQuarRestore.vbs"}"
wait cscript.exe "{pathname of windows folder & "\Temp\SophosQuarRestore.vbs"}"
The real trick comes in the relevance, of course. But here is the action script.
Of course, YMMV, and I provide NO guarantees. Be sure to test it out first!
// Download the QuarRestore.vbs script
prefetch QuarRestore.vbs sha1:c574fcbdf73e40481f3ef8b04dfe3cc6be1bf97e size:7140 http://sophserv.sophos.com/repo_kb/118315/file/QuarRestore.txt
// FIRST, Stop the Sophos Services
runhidden cmd.exe /C net stop savservice
runhidden cmd.exe /C net stop "Sophos AutoUpdate Service"
// Next, get rid of the quarantine.xml file
if {exists file "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"}
delete "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
endif
if {exists file "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"}
delete "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
endif
// Next, run the script to restore any quarantined files
wait "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" "{pathname of system folder & "\cscript.exe"}" "__download\QuarRestore.vbs"
// LAST, Restart the Sophos Services
runhidden cmd.exe /C net start savservice
runhidden cmd.exe /C net start "Sophos AutoUpdate Service"
Disregard my last response, that is an incomplete action script.
Here is the COMPLETE action script.
// Download the QuarRestore.vbs script
prefetch QuarRestore.vbs sha1:c574fcbdf73e40481f3ef8b04dfe3cc6be1bf97e size:7140 http://sophserv.sophos.com/repo_kb/118315/file/QuarRestore.txt
// FIRST, Stop the Sophos Services
runhidden cmd.exe /C net stop savservice
runhidden cmd.exe /C net stop "Sophos AutoUpdate Service"
// Next, get rid of the bad file (agen-xuv.ide)
// There are 2 here, both 32- and 64-bit
if {exists file "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"}
delete "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"
endif
if {exists file "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"}
delete "C:\Program Files\Sophos\Sophos Anti-Virus\agen-xuv.ide"
endif
// Next, get rid of the quarantine.xml file
if {exists file "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"}
delete "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
endif
if {exists file "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"}
delete "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml"
endif
// Next, run the script to restore any quarantined files
wait "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" "{pathname of system folder & "\cscript.exe"}" "__download\QuarRestore.vbs"
// LAST, Restart the Sophos Services
runhidden cmd.exe /C net start savservice
runhidden cmd.exe /C net start "Sophos AutoUpdate Service"
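Added example, not part of the original thread or anyone's posted code: a Python helper for the two ways the thread delivers the VBS script. It checks a local copy against the sha1 and size pinned in the prefetch line, and builds the `createfile until` block with every left curly brace escaped as `{{`. The function names and the sample VBS line are assumptions made for illustration.

```python
import hashlib
import re

# Prefetch line as posted in the thread, with the URL on one line.
PREFETCH = ("prefetch QuarRestore.vbs sha1:c574fcbdf73e40481f3ef8b04dfe3cc6be1bf97e "
            "size:7140 http://sophserv.sophos.com/repo_kb/118315/file/QuarRestore.txt")

# Constructed sample input: one VBS line containing a left curly brace.
SAMPLE_VBS = r'Set w = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")'


def parse_prefetch(line):
    """Split 'prefetch <name> sha1:<hex> size:<n> <url>' into its fields."""
    m = re.fullmatch(r"prefetch (\S+) sha1:([0-9a-f]{40}) size:(\d+) (\S+)",
                     line.strip())
    if not m:
        raise ValueError("not a sha1/size prefetch line")
    name, sha1, size, url = m.groups()
    return {"name": name, "sha1": sha1, "size": int(size), "url": url}


def matches_prefetch(data, line):
    """True only if the bytes have both the pinned size and the pinned SHA-1."""
    p = parse_prefetch(line)
    return len(data) == p["size"] and hashlib.sha1(data).hexdigest() == p["sha1"]


def createfile_block(script_text, marker="__EOF"):
    """Wrap script text in 'createfile until', escaping '{' as '{{'."""
    lines = script_text.splitlines()
    # The marker line ends the file, so it must not occur in the payload.
    while any(l.strip() == marker for l in lines):
        marker += "_"
    body = [l.replace("{", "{{") for l in lines]
    return "\n".join(["delete __createfile", f"createfile until {marker}",
                      *body, marker])


if __name__ == "__main__":
    print(createfile_block(SAMPLE_VBS))
```

Running `matches_prefetch` on the script before pasting it into a `createfile` block keeps the integrity check that the prefetch variant gets from the client automatically.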