Issue
Numerous binaries are falsely detected as
Shh/Updater-B.
Cause
An identity released by SophosLabs for use with our
Live Protection system is causing False Positives against many binaries that
have updating functionality.
Detections of ssh/updater-B made today are false
positives and not an outbreak.
If you have Live Protection enabled, you should stop
seeing these detections eventually as the files are now marked ‘clean’ in the
Live Protection cloud. If you do not have Live Protection enabled you will stop
seeing the new detections once javab-jd.ide has been downloaded by your
endpoints (released at Wed, 19 Sep 2012 21:32:00 +0000).
There is no cleanup for this detection, and you will
see it quarantined unless you have your on-access policy set to move or delete
detections if cleanup is not possible. Please double check your SAV policy
under cleanup; You want to ensure your secondary option (when cleanup is not
available or does not work) to be set to ‘deny access’ and not delete or move.
Once the detections have stopped, you can acknowledge the alerts in the
Console, this way you can see who is still reporting it, and confirm it is
trending down.
What To Do
You should ensure that endpoints are up to date with
the latest IDE files. This issue is resolved with javab-jd.ide which
was released at Wed, 19 Sep 2012 21:32:00 +0000.The MD5 for this IDE is 90e873330239722f58efabf8c27e7138.
Sophos Update Manager unable to update
If SUM is unable to update it is probable that files
in the warehouse are failing to be decoded as they are being falsely detected
as Shh/Updater-B.
To workaround this issue and successfully download the
IDE file that fixes this issue follow these steps:
1.
Delete agen-xuv.ide from C:\Program
Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos
Anti-Virus\]
2.
Restart the 'Sophos Anti-Virus Service'
3.
Update SUM via the Sophos Enterprise
Console
Endpoints unable to update
If you have endpoints that are unable to update due to
the false positive issue there are two solutions:
Option 1
1.
Add the following exclusions to the'
Anti-Virus and HIPS' policy
C:\Documents and Settings\All Users\Application Data\Sophos\
C:\Program Files\Sophos\
C:\Program Files (x86)\Sophos\
C:\programdata\sophos\
C:\Documents and Settings\All Users\Application Data\Sophos\
C:\Program Files\Sophos\
C:\Program Files (x86)\Sophos\
C:\programdata\sophos\
2.
Select Groups in SEC and select 'Update
Now'
3.
Once all groups have been updated remove
the exclusions
Option 2
1.
Centrally disable On-Access scanning via
policy in SEC
2.
Select Groups in SEC and select 'Update
Now'
3.
Once a group has updated re-enable
On-Access scanning via policy in SEC
Falsely detected files have been deleted
In the case that the 'Anti-Virus and HIPS' policy has
been set to delete files if they are unable to be cleaned up it will
be necessary to re-protect these endpoints as certain Sophos binaries
required for updating may have been removed.
If
you need more information or guidance, then please contact technical support.
The above
information can be found on our website: -http://www.sophos.com/en-us/support/knowledgebase/118311.aspx
The second
area of concern is then dependent on how your customers have set their AV
policy, as you may wish to note the following points:
- If they have the policy set to Sophos Default (Deny Access Only) – follow
the KB and the endpoints will be able to update, then acknowledge any
alerts in the console.
- If they have the policy set to Deny Access and Move to default
location – Then follow the KB, but you will need to manually
copy the quarantined files (back to their correct locations.
Note - The quarantine folder on Windows 7 is
C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED
- If they have the policy set to Delete – Then the current resolution
is to Re-Protect the Machines from SEC or re-deploy the client via
your other application deployment routes
No comments:
Post a Comment