Thursday, 20 September 2012

Sophos detecting itself as a virus

Ouch. Last night Sophos released a definition update that categorised it's own updater as malware. Depending on the policy set by the administrator Sophos then quarantined or, in some cases, deleted it's own updating mechanism.

Sophos have a support article at http://www.sophos.com/en-us/support/knowledgebase/118311.aspx. The bad ide file causing the Shh/Updater-B False positives is agen-xuv.ide.

Assuming you had set your Sophos installation up to quarantine the files and not delete them, you can get Sophos working again by running the following commands on each affected machine -

net stop "Sophos Anti-Virus"
Alupdate.exe -manualupdate

(you may need to specify the full path to Alupdate.exe, which may change depending on your OS)

This is not a great solution because it disables your on-access protection while the fixed IDE file is deployed!.

Sophos have not specified this as a solution. The reason I post this is that some people cannot use any of their current solutions. If you are in this situation I would check with them before deploying this. However, from the limited testing I have done, this seems to work. Again, test test and test again before deploying any fix like this, and try all the Sophos recommended options before this one.

An alternative, non-ConfigMgr solution, is to use group policy to delete the bad IDE file.

It also appears that only Windows machines are affected. MacOS seems to be fine with the bad definition file.

No comments: