You see a 'zFP-REALNETWORKS' suspicious behavior alert in your console, against the computer that is the Sophos management server.
This special alert does not indicate a threat on your computer. It does indicate that you may have software problems that need fixing urgently.
We issued this alert to ensure that you are aware that some non-Sophos products on your network were affected by the recent Sophos false positive issue. Unless you have already fixed these products, they could be out of date and could make you subject to future vulnerabilities. We chose a suspicious behavior alert to show that this issue is a high priority.
An example of the alert is shown below.
Additionally, in the computer details of your management server, you may also see one or more 'zFP-' suspicious behavior alerts that include non-Sophos (third-party) application names.
First seen in Sophos Endpoint Security and Control
We have provided this alert because you may have third-party applications, installed on Windows endpoint computers, which are not functioning correctly due to the recent Shh/Updater-B false positive.
If you see this alert the following must be true:
Note: Even if you have fixed some applications already, there may be others you do not know about.
An overview of the required steps is:
You need to run a batch file that creates a text file listing the computers that could have non-Sophos applications affected by the Shh/Updater-B false positive.
Open this article on your management server, or on the server that hosts the Sophos SQL Server instance, and follow steps one to four below.
fpdf.bat > FpActionedFiles.txt
You will now have a text file called FpActionedFiles.txt that lists workstation computers. You can use this list in section 2 and, if required, section 3.
To fix non-Sophos applications on endpoint computers, follow steps one to three below.
The steps are designed to be repeated locally on each endpoint computer mentioned in the FpActionedFiles.txt file. Therefore you may want to copy the tool and instructions onto a USB pen (or similar device) that you can then use when visiting each workstation. If there are a large number of affected computers, you should see the links to further articles on how to deploy the tool across a network.
Note: You should run the tool with administrative rights.
Sophos Fix Script log.txt
Sophos Fix Log_[TIMESTAMP].txt
Should you need to contact Sophos Technical Support, you should submit these logs to allow us to resolve your issue more quickly.
If your anti-virus cleanup settings did not delete any files (see 'Need to check your Anti-Virus settings?' section for confirmation), no further action is necessary.
Tip: We have produced the following articles to cover different methods that can be used to deploy the tool across your network:
If you discover that some third-party applications are still not functioning correctly, and you have followed the instructions above, then the alerts were most likely not listed in the database. Hence the computers listed in the FpActionedFiles.txt file were not a full list of all affected computers.
In this situation we recommend you run the FixIssues.exe tool on all your endpoint computers. See the list of different methods of deployment in the section above.
You only need to follow this section if your anti-virus cleanup settings deleted files. If you have not already done so, watch the video in the 'Need to check your Anti-Virus settings?' section if in doubt.
If your anti-virus settings did delete files: Use the links below for instructions on recovering each application identified.
Note: If you have already used the FixIssues tool from Sophos, you have restored any files that were moved. You only need to follow these instructions if your anti-virus cleanup settings deleted files.
Other alerts that may be present in your console include:
If you are still having issues or the above steps do not resolve the application you may find more help on this SophosTalk thread: Shh/Updater-B: remediating third party applications.