Sophos Advisory: Shh Updater-B False positives

No Comments

Message from Sophos Below

Last updated:  20 September 2012 at 11.20 BST

——————————————————————————–
We would like to apologize for all of the disruption caused to our many customers and partners worldwide. We recognize the issue is very serious, and are doing everything we can to resolve it.
——————————————————————————–

Issue

Numerous executable files are falsely detected as Shh/Updater-B.

Cause

An identity released by SophosLabs for use with our Live Protection system is causing False Positives against many binaries that have updating functionality.

Detections of Shh/updater-B made today are false positives and not an outbreak.

If you have Live Protection enabled, you should stop seeing these detections eventually as the files are now marked ‘clean’ in the Live Protection cloud. If you do not have Live Protection enabled you will stop seeing the new detections once javab-jd.ide has been downloaded by your endpoints (released at Wed, 19 Sep 2012 21:32).

There is no cleanup for this detection, and you will see it quarantined unless you have your on-access policy set to move or delete detections if cleanup is not possible. Please double check your SAV policy under cleanup; You want to ensure your secondary option (when cleanup is not available or does not work) to be set to ‘deny access’ and not delete or move. Once the detections have stopped, you can acknowledge the alerts in the Console, this way you can see who is still reporting it, and confirm it is trending down.

What To Do

You should ensure that endpoints are up to date with the latest IDE files. The detection and alerts will have stopped with the release of javab-jd.ide, which was released on Wed, 19 Sep 2012 21:32.
The MD5 for this IDE is 90e873330239722f58efabf8c27e7138

Sophos Update Manager unable to update

If Sophos Update Manager (SUM) is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.

To work around this issue and successfully download the IDE file that fixes this issue follow these steps:
1.Delete agen-xuv.ide from C:Program FilesSophosSophos Anti-Virus [C:Program Files (x86)SophosSophos Anti-Virus]
2.Restart the ‘Sophos Anti-Virus Service’
3.Update SUM via the Sophos Enterprise Console or select ‘Update Now’ from Control Centre

Endpoints unable to update for Enterprise Console

If you have endpoints that are unable to update due to the false positive issue there are two solutions:

Option 1
1.Add the following exclusions to the ‘Anti-Virus and HIPS’ policy

C:Documents and SettingsAll UsersApplication DataSophos
C:Program FilesSophos
C:Program Files (x86)Sophos
C:ProgramDatasophos
2.Select Groups in Enterprise Console and select ‘Update Now’
3.Once all groups have been updated remove the exclusions

Option 2
1.Centrally disable On-Access scanning via policy in Enterprise Console
2.Select Groups in Enterprise Console and select ‘Update Now’
3.Once a group has updated re-enable On-Access scanning via policy in Enterprise Console.

Falsely detected files have been deleted

In the case that the ‘Anti-Virus and HIPS’ policy has been set to delete files if they are unable to be cleaned up it will be necessary to re-protect these endpoints as certain Sophos binaries required for updating may have been removed.

Endpoints unable to update for Control Center

Option 1
1.Add the following exclusions to the ‘Configure Scanning’ configuration.

C:Documents and SettingsAll UsersApplication DataSophos
C:Program FilesSophos
C:Program Files (x86)Sophos
C:ProgramDatasophos
2.Highlight all the endpoints in Control Center (SCC), right-click and select ‘Update Computers Now’.
3.Once all endpoints have been updated remove the exclusions.

Option 2
1.Centrally disable On-Access scanning via ‘Configure Scanning’ configuration.
2.Highlight all the endpoints in SCC, right-click and select ‘Update Computers Now’.
3.Once all endpoints have been updated re-enable On-Access scanning via ‘Configure Scanning’ configuration within SCC.

Falsely detected files have been deleted

In the case that the ‘Configure Scanning’ configuration has been set to delete files if they are unable to be cleaned up it will be necessary to re-protect these endpoints as certain Sophos binaries required for updating may have been removed.

——————————————————————————–

We would like to apologize for all of the disruption caused to our many customers and partners worldwide. We recognize the issue is very serious, and are doing everything we can to resolve it.

sophos

This is author biographical info, that can be used to tell more about you, your iterests, background and experience. You can change it on Admin > Users > Your Profile > Biographical Info page."

More from our blog

See all posts