Addressing the Sophos False Positive
Update: Sophos has released official guidance that is better than my post here. You may find it at the revised knowledgebase article.
Today, for the first time in all the years I’ve been using their product, Sophos released a bad update. As has happened at other vendors, the update quarantined files that should not have been quarantined. Unlike those other vendors, however, Sophos’s own protection seems to have gotten in the way of the cleanup: the false positive hit Sophos’s own updater binaries, so the fix could not simply be pulled down through the normal update path. As a result, some in the community have been complaining about the response. (See, as an example, the initial KB article.)
That said, while the response could certainly have been improved (wider communication, better technical detail early on, clearer assurance that it was a false positive, and instruction to be patient and avoid doing further damage to the system), it only took a few hours to release a workable workaround. For various reasons, it appeared on Google Plus in a somewhat unpolished form.
Below are the instructions, slightly more polished and hopefully a bit easier to read. Odds are, by the time you see this, an “official” response from Sophos will be out.
RED NOTIFICATION – False Positive detections with Shh/Updater-B – UPDATE 15:11 PDT
The Sophos system has experienced a false positive that affects our own binaries. In some instances this prevents both SUM (Sophos Update Manager) and SAU (Sophos AutoUpdate) from updating. If this occurs, you will be unable to receive the fix that has been released.
If you are in this situation, there is a manual workaround.
SUM Unable To Update
If SUM is unable to update, it is likely because the updated files cannot be decoded: they are being falsely detected as Shh/Updater-B. To work around this and successfully download the fixed IDE file, follow these steps:
1a. (32-bit Windows): Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus
1b. (64-bit Windows): Delete agen-xuv.ide from C:\Program Files (x86)\Sophos\Sophos Anti-Virus
2. Restart the ‘Sophos Anti-Virus Service’
3. Update SUM via the Sophos Enterprise Console
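As an added example (my own script, not Sophos’s and not part of the original notification), here is steps 1 and 2 of the SUM workaround as a PowerShell script for an elevated prompt on the SUM server. It assumes the file and directory names listed above, picks the 32-bit or 64-bit location automatically, and matches the service by display name (the page calls it ‘Sophos Anti-Virus Service’; the underlying service name is not given, so the script looks up both plausible display names). Step 3 still has to be done in the Enterprise Console.

```powershell
# Added example: automates steps 1 and 2 of the SUM workaround above.
# Step 3 ("Update Now" in Sophos Enterprise Console) is a console action
# and is not scripted here. Run from an elevated PowerShell prompt.

$ideName = 'agen-xuv.ide'

# Candidate install directories. On 64-bit Windows the product lives under
# "Program Files (x86)"; on 32-bit Windows that variable is empty, so drop
# empty entries before joining paths.
$bases = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$installDirs = $bases |
    ForEach-Object { Join-Path $_ 'Sophos\Sophos Anti-Virus' } |
    Where-Object { Test-Path -LiteralPath $_ }

if (-not $installDirs) {
    throw 'Sophos Anti-Virus install directory not found under Program Files.'
}

# Step 1: delete the bad identity file wherever it is present.
foreach ($dir in $installDirs) {
    $ide = Join-Path $dir $ideName
    if (Test-Path -LiteralPath $ide) {
        Remove-Item -LiteralPath $ide -Force -ErrorAction Stop
        Write-Host "Deleted $ide"
    } else {
        Write-Host "$ideName not present in $dir (nothing to delete)"
    }
}

# Step 2: restart the Sophos Anti-Virus service. The service is located by
# display name; both spellings below are assumptions, not from the page.
$svc = Get-Service -DisplayName 'Sophos Anti-Virus', 'Sophos Anti-Virus Service' `
           -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) {
    throw 'Sophos Anti-Virus service not found; restart it manually via services.msc.'
}
Restart-Service -Name $svc.Name -Force -ErrorAction Stop
(Get-Service -Name $svc.Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "Restarted '$($svc.DisplayName)'. Now run 'Update Now' for SUM in the Sophos Enterprise Console (step 3)."
```

The script only deletes the IDE where it actually exists, so it is safe to run more than once; if the file is absent in both locations and SUM still cannot update, the cause is something other than this identity and the script will tell you so rather than restarting the service blindly.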
Endpoints unable to update
If your endpoints are unable to update due to the issue, follow these steps:
1. Centrally disable On-Access scanning via the policy in the Sophos Enterprise Console (SEC)
2. Select ‘Groups’ in SEC and select ‘Update Now’
3. Once a group has updated, re-enable On-Access scanning via policy in SEC
Once Sophos has an official word (in the morning), I will update this post with a link.