Shh/Updater-B false positive by Sophos anti-virus products

 Anti-Virus  Add comments
Sep 202012
 

Some Sophos customers have reported detections today of Shh/Updater-B.

Sophos would like to reassure users that these are false positives and are not a malware outbreak, and apologises for any inconvenience.

False positive

If you have Live Protection enabled, you should stop seeing these detections as the files are now marked “clean” in the cloud. (Details of how to enable Live Protection can be found in this knowledgebase article).

If you do not have Live Protection enabled you will stop seeing the new detections once javab-jd.ide has been downloaded by your endpoint computers (released at Wed, 19 Sep 2012 21:32 +0000).

There is no cleanup for this detection, and you will see it quarantined unless you have your on-access policy set to move or delete detections if cleanup is not possible.

Please double check your SAV policy under cleanup; You want to ensure your secondary option (when cleanup is not available or does not work) to be set to ‘deny access’ and not delete or move. Once the detections have stopped, you can acknowledge the alerts in the Console, this way you can see who is still reporting it, and confirm it is trending down.

What To Do

You should ensure that endpoints are up to date with the latest IDE files. This issue is resolved with javab-jd.ide which was released at Wed, 19 Sep 2012 21:32 +0000.

Sophos Update Manager unable to update

If SUM is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.

To workaround this issue and successfully download the IDE file that fixes this issue follow these steps:

  1. Delete agen-xuv.ide from C:Program FilesSophosSophos Anti-Virus [C:Program Files (x86)SophosSophos Anti-Virus]
  2. Restart the ‘Sophos Anti-Virus Service’
  3. Update SUM via the Sophos Enterprise Console

Endpoints unable to update

If you have endpoints that are unable to update due to the false positive issue the following steps can be taken to get the fixed IDE to them:

  1. Centrally disable On-Access scanning via policy in SEC
  2. Select Groups in SEC and select ‘Update Now’
  3. Once a group has updated re-enable On-Access scanning via policy in SEC

Further information:

Knowledge base article: http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

We will update this page as appropriate. Please consider following our support team @SophosSupport on Twitter for updates.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-t31jVO06vY/