Following an unwanted detection, the Sophos AutoUpdate component is no longer functioning. This is due to the files needed by Sophos AutoUpdate being deleted or moved as part of the clean-up action related to the false positive.
Note: For this to occur, your anti-virus configuration must have been set to an option other than 'Deny access only'.
First seen in Sophos Anti-Virus for Windows 2000+
An unwanted detection has deleted or moved files from their original location, preventing Sophos AutoUpdate from being able to run correctly and hampering remediation efforts.
We are making available an executable and script that can be used to repair endpoints where files were deleted or moved due to the false positive.
The executable or script can perform the following remediation steps:
Note: The page http://www.sophos.com/en-us/support/field-search.aspx has also been provided to help associate detected files with their application provider and application.
cscript //nologo sophos_temp\FixUpdate.vbs /fixIssues:true /useSophosCid:true > "Sophos Fix Script Log.txt"
For use when you need to use a custom set of command line options.
cscript FixUpdate.vbs /fixIssues:true
In addition to the recommended /fixissues:true option, the following options can be specified as required:
cscript FixUpdate.vbs /fixIssues:true /usesophoscid:true
Will ensure the client has the detection identity file that will stop the unwanted detection, clear the Quarantine Manager and fix the Sophos install using Sophos as the update location.
cscript FixUpdate.vbs /fixIssues:true /cid:\\server\sophosupdate\cids\s000\savscfxp
Will ensure the client has the detection identity file that will stop the unwanted detection, clear the Quarantine Manager, fix the Sophos install using the update location '\\server\sophosupdate\cids\s141\savscfxp' to replace missing Sophos files. All logs will be created in the same directory as the script file.
cscript FixUpdate.vbs /fixIssues:true /cid:http://server/sophosupdate/cids/s000/savscfxp /username:myUser /password:myPassword
Will ensure the client has the missing identity file, clear the Quarantine Manager, fix the Sophos install using the update location 'http://server/sophosupdate/cids/s000/savscfxp' (using credentials to authenticate) to replace missing Sophos files. All logs will be created in the same directory as the script file.
If the script is unable to obtain the location of the CID automatically it can be specified as an argument to the script using the /cid: option. The /cid: value can be either a UNC or HTTP address.
cscript FixUpdate.vbs /clearQuarantine:true
Will clear the Quarantine Manager on an endpoint.
Start | Run
C:\program files (x86)\Sophos\AutoUpdate\Almon.exe
The script checks for the presence of agen-xuv.ide and javab-jd.ide. To stop the false positive detection of 'Shh/Updater-B', if javab-jd.ide is not present the script drops it in the Sophos Anti-Virus directory and restarts the Sophos Anti-Virus service at the end. It also clears the local Quarantine Manager alerts.
The script parses the Sophos Anti-Virus logs to identify files deleted or moved due to false positives. It restores moved files to their original location, but does not restore deleted files. Each step creates log files that can be used for diagnostics.
It checks if the Sophos AutoUpdate install is healthy and if not it repairs it, even if files were deleted.
At the end it triggers an update.
Alerts on the Console side will still need to be 'Acknowledged'.
This is a generic failure with many possible causes.
%windir%\System32\cscript.exe FixUpdate.vbs /fixIssues:true
Ensure you are running version 5.6 or later of the Windows Scripting Host. For Windows 2000, see article: http://www.microsoft.com/en-us/download/details.aspx?id=20240.
The necessary files aren't in the CID, most likely because they were deleted or moved as part of the false positive. Resolve the false positive issue on the Sophos Update Manager server and ensure the CID is complete, then run the script.
Multiple Windows Installer processes are blocking the script from running.
Check the 'Processes' tab of the Task Manager for multiple copies of msiexec.exe (one process being present is normal). If no further processes are shown, rerun the script.
If msiexec processes keep appearing:
Note: If further msiexec processes are created, check both the 'Applications' and 'Processes' tabs of the Task Manager for any program that may be attempting to repair itself or perform an update or installation. You may want to close all non-essential programs that are running, including any programs that load automatically when Windows starts up and appear as small icons in the System Tray (next to the Windows clock on the Taskbar, where they may be hidden).
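The Task Manager check above can be scripted. The following is an added example, not part of the Sophos tooling: it lists each msiexec.exe with the parent process that launched it, waits for installer activity to settle, then reruns the fix. It assumes PowerShell 3.0 or later and FixUpdate.vbs in the current directory; the function name and the wait and poll intervals are hypothetical.

```powershell
# Added example (not Sophos code). Assumed values: script location, 5-minute limit, 15 s poll.
$scriptPath  = Join-Path (Get-Location) 'FixUpdate.vbs'
$maxWaitSecs = 300
$pollSecs    = 15

function Get-MsiexecInfo {
    # One row per msiexec.exe, including the parent process that started it,
    # which points at the program attempting a repair, update or installation.
    Get-CimInstance Win32_Process -Filter "Name = 'msiexec.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Started     = $_.CreationDate
            Parent      = if ($parent) { $parent.Name } else { '(exited)' }
            CommandLine = $_.CommandLine
        }
    }
}

$deadline = (Get-Date).AddSeconds($maxWaitSecs)
do {
    $msi = @(Get-MsiexecInfo)
    if ($msi.Count -le 1) { break }      # a single msiexec.exe is normal
    Write-Warning "$($msi.Count) msiexec.exe processes are running:"
    $msi | Format-Table -AutoSize | Out-String | Write-Host
    Start-Sleep -Seconds $pollSecs
} while ((Get-Date) -lt $deadline)

if ($msi.Count -gt 1) {
    Write-Error 'Installer activity did not settle; check the Parent column for the program to close.'
    exit 1
}

# Installer activity has settled: rerun the fix with the recommended option.
& "$env:windir\System32\cscript.exe" //nologo $scriptPath /fixIssues:true
```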