Sophos anti-virus signals all computers infected due to a false positive – Shh/Updater-B

Today every computer protected by Sophos Endpoint Security and Control anti-virus started simultaneously reporting infections with the spyware Shh/Updater-B in various applications, such as Google Update and Sophos itself, due to an obvious false positive. Currently Sophos’ forums are swamped with complaints, and IT managers all over the world are reporting infection rates close to 100% (which makes sense, since most of the computers reporting infections have Sophos installed, and Sophos itself is reported as infected).

Virus/spyware ‘Shh/Updater-B’ has been detected in “C:\Program Files\Sophos\AutoUpdate\ALsvc.exe”.

You can stop the reports by disabling on-access scanning in Sophos. However, IT personnel all over the world are reporting thousands of e-mails and alerts received from the domain computers, and a lot of time wasted dealing with user complaints. Sophos’ own customer support is, as you guessed, impossible to reach at this point.
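To triage a flood of these alerts, here is an added example (not from the post and not Sophos code) that parses alert lines in the format quoted above, groups them by signature and reporting host, and flags a signature that fires on most of the fleet only inside vendor install directories as a probable false positive to confirm with the vendor. The per-line host prefix, the hostnames and the Google Update path are assumptions.

```python
import re
from collections import Counter, defaultdict

# Alert text as quoted in the post, prefixed with the reporting host.
# The host prefix is an assumption about how the alert mails were collected.
ALERT_RE = re.compile(
    r"^(?P<host>\S+)\s+Virus/spyware '(?P<sig>[^']+)' has been detected in "
    r'"(?P<path>[^"]+)"\.?\s*$'
)

# Constructed sample: three hosts, the two programs named in the post plus
# one unrelated detection. Hostnames and the Google Update path are made up.
SAMPLE_ALERTS = """\
WS001 Virus/spyware 'Shh/Updater-B' has been detected in "C:\\Program Files\\Sophos\\AutoUpdate\\ALsvc.exe".
WS001 Virus/spyware 'Shh/Updater-B' has been detected in "C:\\Program Files\\Google\\Update\\GoogleUpdate.exe".
WS002 Virus/spyware 'Shh/Updater-B' has been detected in "C:\\Program Files\\Sophos\\AutoUpdate\\ALsvc.exe".
WS003 Virus/spyware 'Shh/Updater-B' has been detected in "C:\\Program Files\\Sophos\\AutoUpdate\\ALsvc.exe".
WS003 Virus/spyware 'Mal/Generic-S' has been detected in "C:\\Users\\bob\\Downloads\\invoice.exe".
"""

def parse_alerts(text):
    """Yield (host, signature, path) for every line matching the alert format."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.group("host"), m.group("sig"), m.group("path")

def triage(text, fleet_size, mass_threshold=0.5):
    """Group alerts per signature and flag probable vendor false positives.

    A signature is flagged when it fires on at least mass_threshold of the
    fleet and every hit sits under Program Files (installed software rather
    than user-writable locations). Flagging only prioritises the analyst's
    queue; the vendor still has to confirm the detection is wrong.
    """
    hosts, paths = defaultdict(set), defaultdict(Counter)
    for host, sig, path in parse_alerts(text):
        hosts[sig].add(host)
        paths[sig][path] += 1
    report = {}
    for sig in hosts:
        coverage = len(hosts[sig]) / fleet_size
        vendor_only = all(p.lower().startswith("c:\\program files") for p in paths[sig])
        report[sig] = {
            "hosts": len(hosts[sig]),
            "coverage": coverage,
            "paths": dict(paths[sig]),
            # The AV flagging its own AutoUpdate binary is a strong hint.
            "av_self_hit": any("\\sophos\\" in p.lower() for p in paths[sig]),
            "likely_false_positive": coverage >= mass_threshold and vendor_only,
        }
    return report
```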

Sophos seems to be aware of the issue and has promised to fix it via an update, although how the update will be delivered is currently unknown, since their own update files were placed under quarantine (sic).

Update: SophosLabs tweeted the following:

We’re aware of aggressive detection alert, & are fixing the problem. No malware associated with update. Stay tuned for more info 

Update 2: According to SophosLabs, the issue has been resolved:

“This issue is resolved with javab-jd.ide which was released at Wed, 19 Sep 2012 18:48:35 +0000.”

It is not yet clear how the update will be pushed to the machines where Sophos put itself under quarantine… One possible fix is as follows (via Sophos forums):

1. Open cmd prompt and type net stop savservice
2. Navigate to C:\Program Files\Sophos\Sophos Anti-Virus and delete agen-xuv.exe
3. In cmd prompt, type net start savservice

To roll back to a previous update binary, click on your Update Managers, right-click and choose “Configure” -> “Advanced” tab, then use the “Use version” drop-down list to select an earlier file to revert to, and click “OK”.

Via: my own computer and the Sophos forums