Monday, November 13, 2017

Sophos Shh/Updater-B False Positives

Knowledge base article: http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

A few Sophos customers have discovered detections today of Shh/Updater-B. Several of these reports involve detections of Sophos's own code, but a number of third-party applications are also being identified. Sophos wants to assure users that these are false positives and not a malware outbreak, and apologises for any inconvenience.

If you have Live Protection enabled, you should stop seeing these detections, as the files are now marked "clean" in the cloud. (Details of how to enable Live Protection can be found in this knowledge base article.)

Section 1. Confirm SUM has updated and has downloaded javab-jd.ide to the distributions

  1. Check, within the Update Manager view, that there are no download errors and that Sophos Update Manager has performed a successful update recently.
  2. Check that the local Sophos Anti-virus installation has received the IDE – javab-jd.ide.

    For example, check for the file in one of the following locations:

    C:\Program Files\Sophos\Sophos Anti-virus\
    C:\Program Files (x86)\Sophos\Sophos Anti-virus\

  3. Check that the distributions are populated with the IDE – javab-jd.ide. To do this, in the console toolbar, select View, and identify the Bootstrap Locations.

    Once you have identified the location(s), for Windows packages, navigate to that location and confirm that the IDE exists within the SAVXP folder.

    For example:

    \\SERVERNAME\SophosUpdate\CIDs\S000\SAVSCFXP\SAVXP\

  4. If SUM has updated and the distributions have been updated with the IDE, continue with the instructions in Section 2 (Endpoint checks). If not, proceed with the steps below.
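Steps 2 and 3 above boil down to "does javab-jd.ide exist in the endpoint install folder and in the SAVXP folder of each distribution, and is the copy recent?" The PowerShell script below automates that check. It is an added example written for this post, not code from the original article or from Sophos; the install folders and the \\SERVERNAME CID path are the article's own example locations, with SERVERNAME a placeholder for your update server, and the 24-hour "stale" threshold is an assumption you should adjust to your update schedule.

```powershell
# Added example (not from the original article or from Sophos): report whether the
# javab-jd.ide identity file is present, and how recently it was written, in the
# locations the procedure above names. Placeholders: SERVERNAME and the CID path.
param(
    [string]$IdeName = 'javab-jd.ide',
    # Endpoint install folders from the article (64-bit and 32-bit hosts)
    [string[]]$EndpointPaths = @(
        'C:\Program Files\Sophos\Sophos Anti-virus',
        'C:\Program Files (x86)\Sophos\Sophos Anti-virus'
    ),
    # Assumption: the SAVXP folder of the distribution, as in the article's example path
    [string]$CidPath = '\\SERVERNAME\SophosUpdate\CIDs\S000\SAVSCFXP\SAVXP',
    # Assumption: flag copies older than this many hours as possibly stale
    [int]$MaxAgeHours = 24
)

function Test-IdePresent {
    param([string]$Folder, [string]$Name, [int]$MaxAgeHours)
    $full = Join-Path $Folder $Name
    if (-not (Test-Path -LiteralPath $full)) {
        return [pscustomobject]@{ Location = $Folder; Present = $false; Written = $null; Stale = $null }
    }
    $item  = Get-Item -LiteralPath $full
    # Stale if the file was last written before the cutoff
    $stale = $item.LastWriteTime -lt (Get-Date).AddHours(-$MaxAgeHours)
    [pscustomobject]@{ Location = $Folder; Present = $true; Written = $item.LastWriteTime; Stale = $stale }
}

$results = foreach ($p in ($EndpointPaths + $CidPath)) {
    # Only one of the two endpoint install folders exists on a given host; skip the other
    if (($p -in $EndpointPaths) -and -not (Test-Path -LiteralPath $p)) { continue }
    Test-IdePresent -Folder $p -Name $IdeName -MaxAgeHours $MaxAgeHours
}

$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Present -or $_.Stale }) {
    Write-Warning "$IdeName is missing or stale in at least one location; check SUM for download errors before moving on to the endpoint checks."
    exit 1
}
"$IdeName present and recent in all checked locations."
```

Run it on the management server (so the UNC path to the CID resolves) and again on an affected endpoint; a non-zero exit code means at least one location is missing the IDE or holds an old copy, which points back to step 1 and the SUM download errors.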

For more information please refer to the Sophos article:  http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
