Recovering from Sophos AntiVirus Incident on September 19th

Date Created: 9/25/2012 12:27:55 PM

Dear NAU PC Users,

In the early afternoon of Wednesday, September 19th, NAU’s anti-virus software vendor, Sophos, pushed a faulty virus definition update to all of its customers. This affected both NAU-owned and personally owned Windows computers running Sophos AntiVirus. The faulty update caused Sophos to mistakenly identify any application or application component with “update” in its name as being infected with malware it called “Shh/Updater-B”.

NAU ITS and our IT Pro partners across campus quickly realized that something was wrong, and ITS PC Support put new settings in place on our enterprise AntiVirus console to minimize the damage. Sophos issued a corrected update about an hour later.

Because Sophos mistakenly quarantined or deleted these files, the installation of any application that includes a file with the word “update” in its name may be damaged; this includes Java, Flash, Google Chrome and Sophos AntiVirus itself, among others. That last point matters most: Sophos may have quarantined or deleted its own update module, which has broken Sophos AntiVirus for an undetermined number of NAU customers.

If you use Sophos AntiVirus obtained from NAU on your work or home machine and you do not see the Sophos shield icon in your Windows system tray, your installation is damaged and Sophos is no longer protecting your system properly. We are providing an automated script which will attempt to restore Sophos to working order on your PC.

Method 1

Here is a set of steps to fix the problems we’ve been seeing with Sophos for both on-campus and home-use computers:

  1. Go to the NAU software downloads page.
  2. Click “proceed to software downloads.”
  3. Login with your NAU credentials.
  4. Select your platform (Windows 32 bit or Windows 64 bit).
  5. Select your category (Anti-Virus).
  6. Click “Sophos Anti-Virus Fix.”
  7. Download the 20.9 kB ZIP file.
  8. Unzip the contents to the Desktop folder (note: the fix will not work unless the files are in the Desktop folder specifically).
  9. Open the file “Run_Me” as an Administrator (logged in as an Administrator on XP; on Vista/Win7, right-click and choose “Run as administrator”).
  10. Reboot after the script completes.
  11. Sophos should now be present in the system tray. 

Method 2

If the script in Method 1 does not work, there is a backup plan that uses Microsoft Fix It. Be aware that once you have attempted to uninstall Sophos through “Add/Remove Programs” (XP) or “Programs and Features” (Vista/7), the Method 1 script will no longer work at all. Therefore, please make sure you have tried Method 1 more than once before resorting to Method 2. Here are the steps:

  1. Back up the quarantine folder. The files in it can be used to help restore other applications that were impacted by the Sophos problem.
    1. XP: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
    2. Vista/Win7: C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED
  2. Uninstall Sophos Remote Management System.
  3. Uninstall Sophos Anti-Virus.
  4. Open a web browser and go to the Microsoft Program Install and Uninstall page.
  5. Click the green “Run now” button.
  6. Save the file to your desktop and open the file after the download completes.
  7. Accept the Microsoft Fix It agreement.
  8. Tell the program you want to pick from the list of available fixes.
  9. Specify you’re having trouble uninstalling a program.
  10. Select Sophos AutoUpdate from the list of programs.
  11. Apply the suggested fixes (the utility should take a few minutes to uninstall Sophos AutoUpdate).
  12. When “Fix It” completes, Sophos AutoUpdate should now be gone from the list of installed programs.
  13. Install Sophos after downloading the newest version from the NAU software downloads page.
    1. Please select the appropriate version for either a home system or an NAU owned system.

If, after following the instructions above and restarting your PC, the Sophos shield does not reappear, please call the ITS Solution Center at 928-523-1511 for further assistance.

A more manual way to recover Sophos and the other affected applications is to open the Sophos application on your system, click the “View anti-virus and HPS Log” button, scroll up to the afternoon of September 19th and see which files, if any, your system mistakenly identified as “Shh/Updater-B” and what Sophos did with them. If it moved them to quarantine and renamed them, the log shows the original name and location of each file as well as the location of the renamed file in quarantine. You can repair Sophos and most other applications by copying each quarantined file back to its original location, renaming it to remove the “.000” that Sophos appended to its name, and then restarting your PC.
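Both the quarantine backup in Method 2 and the manual restore described in the previous paragraph can be scripted. The following PowerShell script is an added example; it is not NAU’s “Run_Me” fix and not anything provided by Sophos. It assumes the quarantine paths listed under Method 2, the “.000” renaming described above, and a hand-built table of quarantine-file-to-original-location pairs that you fill in from your own Sophos log; the two entries shown are placeholders, not real log output, and the service check at the end simply lists whatever Sophos services are installed.

```powershell
# Added example (not NAU's "Run_Me" script): back up the Sophos quarantine
# folder, then copy quarantined files back to their original locations,
# dropping the ".000" suffix Sophos added. Run from an elevated PowerShell prompt.

# Quarantine folder: Vista/7 use $env:ProgramData; XP has no ProgramData
# variable, so fall back to the All Users "Application Data" folder.
$infected = if ($env:ProgramData) {
    Join-Path $env:ProgramData 'Sophos\Sophos Anti-Virus\INFECTED'
} else {
    Join-Path $env:ALLUSERSPROFILE 'Application Data\Sophos\Sophos Anti-Virus\INFECTED'
}

# 1. Back up the whole quarantine folder to the Desktop before touching anything.
$backup = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Sophos-INFECTED-backup'
if (-not (Test-Path $backup)) {
    Copy-Item -Path $infected -Destination $backup -Recurse -ErrorAction Stop
}

# 2. Map each quarantined file name to the original location shown in the
#    Sophos log. These two entries are PLACEHOLDERS (hypothetical paths);
#    replace them with the real entries from your own log for the afternoon
#    of September 19th.
$restore = @{
    'SophosUpdate.exe.000' = 'C:\Program Files\Sophos\AutoUpdate\SophosUpdate.exe'
    'GoogleUpdate.exe.000' = 'C:\Program Files\Google\Update\GoogleUpdate.exe'
}

foreach ($entry in $restore.GetEnumerator()) {
    $src  = Join-Path $infected $entry.Key
    $dest = $entry.Value
    if (-not (Test-Path $src)) {
        # Nothing to restore: Sophos was set to delete, or the file was never quarantined.
        Write-Warning "Not in quarantine (Sophos may have deleted it): $($entry.Key)"
        continue
    }
    # Recreate the application folder if the detection emptied it.
    $destDir = Split-Path $dest -Parent
    if (-not (Test-Path $destDir)) {
        New-Item -ItemType Directory -Path $destDir | Out-Null
    }
    # Copy rather than move, so the quarantine copy survives if a restore is wrong.
    Copy-Item -Path $src -Destination $dest -Force
    Write-Host "Restored $dest"
}

# 3. After a reboot, confirm the Sophos services are running again; the tray
#    shield should reappear once they are.
Get-Service -DisplayName 'Sophos*' | Select-Object DisplayName, Status
```

Keep the backup folder until you have confirmed that Sophos and the other affected applications work again, and reboot after running the script, as the manual steps above require.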

If you had Sophos configured to delete infected files, check the log as described in the previous paragraph to identify which applications were affected. To repair these applications, recover the deleted files from a recent backup (if you have one) or uninstall and re-install the affected applications. (You may need to use Microsoft’s Fix It tool to successfully uninstall a damaged installation.)

We apologize for this disruption.