Sophos False Positives 9/19/2012 - Shh/Updater-B
Posted: Wed Sep 19, 2012 5:10 pm
Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe".
Sophos got hit today with some major false positive issues; the item above shows that it is identifying itself as a virus. I have checked 2 computers and don't really have an idea how to fix it, but it is wreaking havoc with apps running on these desktops.
Posted: Wed Sep 19, 2012 5:25 pm
Got this via my FHC computer contact:
We are currently engaged with SophosLabs over a false positive relating to 'Shh/Updater-B', and I want to quickly let you know of this false positive, and that you do not have an outbreak.
If you have live protection enabled, you should stop seeing these detections as the files are now marked ‘clean’ in the cloud. If you do not have LiveProtection enabled you will stop seeing the new detections come in after the next IDE is released (releasing now in javab-jd.ide)
There is no cleanup for this detection, and you will see it quarantined unless you have your on-access policy set to move or delete detections if cleanup is not possible. Please double check your SAV policy under cleanup; You want to ensure your secondary option (when cleanup is not available or does not work) to be set to ‘deny access’ and not delete or move. Once the detections have stopped, you can acknowledge the alerts in the Console, this way you can see who is still reporting it, and confirm it is trending down.
Posted: Wed Sep 19, 2012 5:47 pm
Is 'HIPSConnnect-001' a virus or a false positive? I have been seeing Sophos quarantine that over the last week after the misconfiguration that reverted that FHC back to earlier than 9.5B.
PS: All the PCs in that FHC are back on v10 as of last night. Ran everything we had to be sure that v10 got back on them all.
Posted: Wed Sep 19, 2012 5:55 pm
JamesAnderson wrote: Is 'HIPSConnnect-001' a virus or a false positive?
I don't have any info on that. But if 10 can't see it, it suggests to me that it's a false positive.
Posted: Wed Sep 19, 2012 8:33 pm
The false positives are causing initial quarantines; apps are not loading on startup, including the AV app. I saw the information posted online as well about enabling Live Protection, but because the system is managed centrally, I am uncertain about the boundaries of who should do what on the clerk computer. Do I manage the AV on the computer, or does the Desktop Management Team? Information from Sophos is that the latest dat file also had this fixed, but I couldn't get any of the agents to perform an upgrade.
Posted: Thu Sep 20, 2012 7:27 am
Posted: Thu Sep 20, 2012 9:47 am
In my estimation this is a large gap that needs to have some work put into it. As the Desktop Management team enables more automation involved with managing the clerk computer, what is our involvement? Are we supposed to implement a fix (set the AV to Live Protection) or wait for a file to be pushed through TEM or AV? Where are the boundaries?
Posted: Thu Sep 20, 2012 10:52 am
JohnShaw wrote: As the Desktop Management team enables more automation involved with managing the clerk computer, what is our involvement? Are we supposed to implement a fix (set the AV to Live Protection) or wait for a file to be pushed through TEM or AV? Where are the boundaries?
I can only address your question with my personal opinion. I think the answer regarding the level of our involvement should be determined by the PC's usability. If the condition was preventing the PC from functioning properly, and there was a workaround or temporary fix available, I would certainly take the initiative and put that fix into place. If it were simply a case of users getting alarmed over Sophos popping up and reporting a threat that we knew wasn't real, but the PC otherwise was working fine, then I would just put a sticky note on it assuring users we were aware of the problem and they could ignore it while a solution was being found.
Posted: Thu Sep 20, 2012 11:24 am
I also found that the issue did not affect the PCs in my FHC, we have 20+ and none had this issue.
Is it entirely possible that some PCs were on when the FP dropped, and Sophos did its thing and those that were not on between when the FP dropped and when the fix was implemented as described in their blog post above were not affected? We're only on during the evenings, and we never saw the FP issue. We were also on 9.5 or older briefly due to a misconfiguration at CHQ that has since been fixed, and I had them all back on v10 by late Tuesday evening.
Posted: Sat Sep 22, 2012 11:41 am
I am at the stake center. All the FHC computers are running Sophos 10 and appear to be unaffected by the false positive problem, since they are shut down when the FHC is closed.
The four clerk computers in the stake center are hosed. They are running Sophos 9.5, which detected false positives on 9/19 in inetconn.dll and in FlashPlayerUpdateService.exe as shown below. The Global Service Center has no fix for this problem at this time.
20120919 203443 Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\AutoUpdate\inetconn.dll". Cleanup unavailable.
20120919 203443 Infected file "C:\Program Files\Sophos\AutoUpdate\inetconn.dll" has been deleted.
20120919 210300 Virus/spyware 'Shh/Updater-B' has been detected in "C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe". Cleanup unavailable.
20120919 210300 Infected file "C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe" has been deleted.
20120922 165448 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3991863 items.
20120922 165449 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
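For an admin triaging many clerk machines, the useful question is which files the false positive actually deleted (as opposed to merely flagged) and therefore need restoring from a known-good copy. The following is an added example, not code from the thread or from Sophos: it parses the log lines quoted above (embedded here as constructed sample input) and lists the paths whose deletion followed a 'Shh/Updater-B' detection. The line format and the message wording are assumed from the post; nothing else about the log is assumed.

```python
import re
from dataclasses import dataclass

# Sample input: the SAV log lines quoted in the post above, copied verbatim.
SAMPLE_LOG = r"""
20120919 203443 Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\AutoUpdate\inetconn.dll". Cleanup unavailable.
20120919 203443 Infected file "C:\Program Files\Sophos\AutoUpdate\inetconn.dll" has been deleted.
20120919 210300 Virus/spyware 'Shh/Updater-B' has been detected in "C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe". Cleanup unavailable.
20120919 210300 Infected file "C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe" has been deleted.
20120922 165448 Using detection data version 4.81G (detection engine 3.35.1). This version can detect 3991863 items.
20120922 165449 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
"""

# Message shapes assumed from the quoted lines: "YYYYMMDD HHMMSS <message>".
DETECT_RE = re.compile(r"^(\d{8}) (\d{6}) Virus/spyware '([^']+)' has been detected in \"([^\"]+)\"\.")
DELETE_RE = re.compile(r"^(\d{8}) (\d{6}) Infected file \"([^\"]+)\" has been deleted\.")


@dataclass
class Event:
    stamp: str   # "YYYYMMDD HHMMSS" exactly as logged
    kind: str    # "detected" or "deleted"
    threat: str  # detection name; empty for delete events
    path: str


def parse_sav_log(text):
    """Extract detection and deletion events; other lines (engine/IDE banners, scan start) are skipped."""
    events = []
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:
            events.append(Event(f"{m.group(1)} {m.group(2)}", "detected", m.group(3), m.group(4)))
            continue
        m = DELETE_RE.match(line)
        if m:
            events.append(Event(f"{m.group(1)} {m.group(2)}", "deleted", "", m.group(3)))
    return events


def files_lost_to_false_positive(text, fp_name="Shh/Updater-B"):
    """Paths that were deleted after being flagged as fp_name.
    With the secondary cleanup action set to 'deny access' (as the post recommends)
    no delete events appear and this returns an empty list."""
    events = parse_sav_log(text)
    flagged = {e.path for e in events if e.kind == "detected" and e.threat == fp_name}
    return sorted({e.path for e in events if e.kind == "deleted" and e.path in flagged})


if __name__ == "__main__":
    for path in files_lost_to_false_positive(SAMPLE_LOG):
        print("restore:", path)
```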