Anyone using Sophos today might start receiving messages about Shh/Updater-B being detected and quarantined. This is most likely due to a software problem introduced by a Sophos update released today. I am sure they are working on a fix, since this seems to be a problem for all Sophos users.
Follow the fun on twitter: shh/updater-b
We’re aware of aggressive detection alert, & are fixing the problem. No malware associated with update. Stay tuned for more info #SophosLabs
— Sophos Support (@SophosSupport) September 19, 2012
Issue: Numerous binaries are falsely detected as ssh/updater-B.
Cause: An identity released by SophosLabs for use with our Live Protection system is causing False Positives against many binaries that have updating functionality.
What To Do: Customers should ensure that endpoints are up to date with the latest IDE files. This issue is resolved with javab-jd.ide, which was released at Wed, 19 Sep 2012 18:48:35 +0000.
RED NOTIFICATION – False Positive detections with ssh/updater-B – UPDATE 15:11 PDT
As the False Positive can affect our own binaries, it can in some instances prevent both SUM and SAU from being able to update.
In these situations the following instructions can be used to work around the issue, download the fixed IDE, and propagate it to all endpoints.
Sophos Update Manager unable to update
If SUM is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.
To work around this issue and successfully download the IDE file that fixes it, follow these steps:
1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
2. Restart the ‘Sophos Anti-Virus Service’
3. Update SUM via the Sophos Enterprise Console
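The following script is an added example, not part of the Sophos notification, that automates steps 1 and 2 above on the server running Sophos Update Manager; it assumes the directory paths and service name as stated in the notification, an elevated PowerShell prompt, and that step 3 (Update Now in the Enterprise Console) is still done by hand.

```powershell
# Added example (not from the Sophos notification): steps 1 and 2 of the SUM workaround.
# Assumptions: paths and service name as given in the notification; run elevated.

$ideName = 'agen-xuv.ide'
$candidates = @(
    'C:\Program Files\Sophos\Sophos Anti-Virus',
    'C:\Program Files (x86)\Sophos\Sophos Anti-Virus'
)

# Step 1: remove the problematic IDE from whichever install directory exists,
# keeping a copy outside the IDE directory so the change is reversible.
$removed = $false
foreach ($dir in $candidates) {
    $path = Join-Path $dir $ideName
    if (Test-Path -LiteralPath $path) {
        $backupDir = Join-Path $env:TEMP 'sophos-ide-backup'
        New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
        Copy-Item -LiteralPath $path -Destination $backupDir -Force
        Remove-Item -LiteralPath $path -Force
        Write-Host "Removed $path (backup in $backupDir)"
        $removed = $true
    }
}
if (-not $removed) {
    Write-Warning "$ideName not found in either Sophos Anti-Virus directory; nothing removed."
}

# Step 2: restart the Sophos Anti-Virus service. It is matched by display name as the
# notification refers to it; adjust the pattern if your installation names it differently.
$services = Get-Service | Where-Object { $_.DisplayName -like 'Sophos Anti-Virus*' }
if (-not $services) {
    Write-Warning "No service with display name 'Sophos Anti-Virus*' found."
} else {
    foreach ($svc in $services) {
        Restart-Service -Name $svc.Name -Force
        $status = (Get-Service -Name $svc.Name).Status
        Write-Host "Restarted $($svc.DisplayName) ($($svc.Name)): $status"
    }
}

Write-Host 'Now perform step 3: update SUM via the Sophos Enterprise Console.'
```

Check the reported service status is Running before moving on to step 3; if the restart fails, the IDE removal is still in place and SUM will pick up the fix on its next successful update.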
Endpoints unable to update
If customers have endpoints that are unable to update due to the false positive issue the following steps can be taken to get the fixed IDE to them:
1. Centrally disable On-Access scanning via policy in SEC
2. Select Groups in SEC and select ‘Update Now’
3. Once a group has updated re-enable On-Access scanning via policy in SEC
Additional info is now available in this knowledge base article: