Sophos Balls Up

So, anyone else spent the day trying to get Sophos back up and running after their disaster of an update overnight?

Just come off the phone with TASBooks after 2hrs when Sophos decided to delete one of the .dll files that it needed to work. This was after having to go round every workstation deleting the update files and copying over new ones.
 
AV is great when it works ............

.......... when it goes completely insane and tags its own updates as dangerous ... not so good
 
Not me personally, but I know my colleague spent a considerable amount of time averting this for our site and a few clients!

Big balls up on their part. Fancy quarantining your own updater :rolleyes:
 
Been at it all day, absolute nightmare.

Looking at the 'infections' it detected pretty much any updater or update.dll with the word update in it!
4000 computers screwed, and God knows how many servers; still working on that.

Sophos' advice was a pile of rubbish; we ended up scripting a fix ourselves.

Sigh :(
 
Sophos' advice was a pile of rubbish; we ended up scripting a fix ourselves.

This. Found some solid advice on their forums though. We only have 15 clients, so I went round and manually updated them.

For 400, I think I would have started crying, let alone 4000
 
This. Found some solid advice on their forums though. We only have 15 clients, so I went round and manually updated them.

For 400, I think I would have started crying, let alone 4000

We are more or less in the latter camp. Thankfully it's not my job to fix them, but it broke Cisco Agent Desktop, causing lots of problems for our call centres (which was my job to fix). Plus I had just returned from a few days off. :(
 
Had one site hit with this this morning; luckily I was not at that site today. But I had a look in the morning, and we had about 40 of 100 machines affected to the point where they might need manual individual remedy. Back at that site tomorrow...

Still not as bad as the McAfee balls-up a few years ago, when every machine at every client had a blue screen due to a bad DAT that required a manual fix via safe mode.
 
This. Found some solid advice on their forums though. We only have 15 clients, so I went round and manually updated them.

For 400, I think I would have started crying, let alone 4000
Luckily we have Altiris (XP) and ITMS (Windows 7), so we were able to easily send this script out en masse.
The problem was with the servers where we didn't have Altiris/ITMS installed.
 
We noticed that any PCs that were left on overnight have an update time of 23:33 last night and refuse to update because the update bins have been quarantined and the service is stopped. Can't reinstall it because it just quarantines the bins again. But I think we are going to have to restart the problem clients and use a login script. Some people were using psexec remotely to fix it, but I don't think the guy has tried that yet.

PCs that were shut down overnight were not affected.
 
Do AV software companies employ retards to produce signature updates? :mad:
A post I made in the This Instant & Moment thread last night.

Fortunately I've got my clients configured to Deny Access Only so it was just a case of waiting for a fix, disabling on-access scanning, pushing the fix then reapplying on-access scanning.

Feel for the people that weren't as lucky as me. This sort of thing happened regularly with CA Antivirus and it was the false positives that made us jump ship.
 
Very surprised at the lack of info / articles on tech websites. Neowin was the only one this morning after I received 150 email warnings from the Sophos server at 7am in bed. The rest seem to be sleeping / ignoring the problem.
 
If anyone wants a link to the fix that I found for manually fixing the prob, let me know. It's on the Sophos forums, but I don't know how long that thread is now.

Good luck!
 
This is what I did, as the icon was not showing up in the notification area (on XP).

Copied from the Sophos forum

This is what I did:

Change all policies to only deny access on virus detection.

Change all policies to disable OnAccess Scanning

Then

Method for Icon still in systray:

1. Ensure OnAccess Scanning is disabled, if not, disable manually.

2. Use the "Update Now" button - assuming you have downloaded the fixed defs to your update server.

3. Open Sophos and verify that the virus IDE count is 281 or greater under the View Product Info after you expand the Software portion (why they don't list this on the home screen I don't know).

Method for no Sophos Icon:

Note you can try to reinstall AFTER disabling OnAccess Scanning. HOWEVER, half of mine got errors during the install (25010 errors, I think). So instead,

1. Ensure OnAccess Scanning is disabled, if not, disable manually.

2. I copied 5 files from the CID\S00x\SAVFPXP\SAVSCFXP\SAU\Program files\Sophos\AutoUpdate\ directory that seemed to be getting deleted. They are ALsvc.exe, ALUpdate.exe, AUAdapter.dll, Cidsync.dll and inetconn.dll. I copied these files back to C:\Program Files\Sophos\AutoUpdate.

3. I then restarted the Sophos AutoUpdate Service.

4. Next, I reinstalled Sophos. You might be able to just reboot, but I was dealing with the 80+ Windows servers that were affected and wanted to be sure I had the ALMon systray icon back before I rebooted.

5. Then run the 'Update Now'

I have not yet re-enabled OnAccess scanning, since we were hit so close to 5pm. I'm going to wait until 9 or 10 am, until I'm sure that I have allowed all unaffected PCs to update to the fixed defs, before re-enabling.

Page 66 on the relevant forum
http://community.sophos.com/t5/Soph...-Updater-B-False-positives/td-p/29723/page/65
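A remediation script along the lines of steps 2 and 3 of the manual fix quoted above (copy the five AutoUpdate binaries back from the CID, then restart the AutoUpdate service), added here as an example; it is not the script from the Sophos forum, the one the earlier poster wrote, or anything Sophos published. The CID share path (including the S00x folder), the install directory, the service display name and the log path are assumptions to check against your own update server, and the "Update Now" step is left to the admin because the thread gives no command-line equivalent for it.

```powershell
# Added example, not the forum poster's script or Sophos' own tooling.
# Reinstates the AutoUpdate binaries that the bad IDE quarantined and restarts
# the service, mirroring steps 2 and 3 of the manual fix quoted in the thread.
# Assumptions (check these on your estate): the CID share path including the
# S00x folder, the install directory, the service display name and the log path.
param(
    [string]$CidSource   = '\\UPDATE-SERVER\SophosUpdate\CIDs\S00x\SAVFPXP\SAVSCFXP\SAU\Program files\Sophos\AutoUpdate',  # placeholder
    [string]$InstallDir  = 'C:\Program Files\Sophos\AutoUpdate',
    [string]$ServiceName = 'Sophos AutoUpdate Service',   # assumed display name
    [string]$LogFile     = 'C:\Windows\Temp\sophos-fix.log' # assumed log location
)

# The five files the forum post names as being deleted by the false positive.
$RequiredFiles = @('ALsvc.exe', 'ALUpdate.exe', 'AUAdapter.dll', 'Cidsync.dll', 'inetconn.dll')

# Append a timestamped, machine-tagged line to the log so results from many
# clients can be collected centrally afterwards.
function Write-Log([string]$Message) {
    $line = '{0} {1} {2}' -f (Get-Date -Format 's'), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

# Names of the required files that are absent from the install directory.
function Get-MissingAutoUpdateFiles {
    $RequiredFiles | Where-Object { -not (Test-Path (Join-Path $InstallDir $_)) }
}

# Step 2: copy each missing file back from the CID.
function Restore-AutoUpdateFiles {
    foreach ($name in (Get-MissingAutoUpdateFiles)) {
        $src = Join-Path $CidSource $name
        if (-not (Test-Path $src)) {
            Write-Log "ERROR source missing on CID: $src"
            continue
        }
        Copy-Item -Path $src -Destination $InstallDir -Force
        Write-Log "restored $name"
    }
}

$missingBefore = @(Get-MissingAutoUpdateFiles)
if ($missingBefore.Count -eq 0) {
    Write-Log 'no AutoUpdate files missing; nothing to do'
    exit 0
}
Write-Log ('missing: ' + ($missingBefore -join ', '))

Restore-AutoUpdateFiles

# Step 1 check: if on-access scanning is still enabled, the bad IDE quarantines
# the files again within seconds, so wait and re-check before touching the service.
Start-Sleep -Seconds 10
$missingAfter = @(Get-MissingAutoUpdateFiles)
if ($missingAfter.Count -gt 0) {
    Write-Log ('files removed again (' + ($missingAfter -join ', ') + '); on-access scanning is still on, fix the policy first')
    exit 1
}

# Step 3: restart the AutoUpdate service so it picks up the restored binaries.
# Restart-Service also starts a service that is currently stopped.
$svc = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Log "service '$ServiceName' not found; a reinstall (step 4) is needed"
    exit 2
}
Restart-Service -InputObject $svc -Force -ErrorAction Stop
Write-Log "restarted '$ServiceName'; now run Update Now (step 5) and confirm the IDE count is 281 or greater"
exit 0
```

It is meant to run locally on each affected machine, for instance from the login script or the Altiris/ITMS push the earlier posters describe, and it exits with a non-zero code rather than proceeding when the copied files vanish again, because that means on-access scanning is still on and step 1 of the fix has not been applied.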
 