Sophos: Shh/Updater-B False Positive

What a morning! I walk into work, sit down, getting ready to munch on my cheese and bacon roll, open Outlook, BAM! Email spam about Sophos AV, FML…

This morning a False Positive update was released to all Sophos endpoint machines. Any computer that was left running overnight would have automatically downloaded the update and applied it. The result, 667 Viruses Alerts. Uh-oh. Investigations began and we found out that it was indeed a false positive update released by Sophos.

Quick way to resolve this issue which is also outlined in the above Naked Security blog:

  1. Log into your Sophos Enterprise Console.
  2. Make sure that all your Anti-Virus and HIPS policies are configured to “Deny access only” if automatic cleanup is not possible
    On Access Policy
  3. Once you’ve edited all the policies that affect your endpoints, click on the Viruses/spyware link under Computer Alerts
  4. Select all the machines that have the SHH/Updater-B virus, right click > comply with > Group Anti-Virus and HIPS Policy
    Apply policy
  5. Confirm if the policy has been successfully applied
  6. Right click the computer with Same as policy and select Resolve Alerts and Errors. A window will appear and you will need to select all the computers with the SHH false positive and click Acknowledge.
  7. Repeat the process for any computers that are offline
  8. Email your angry clients and blame good ol’ Sophos for their worries 🙂


So this False Positive has also deleted updating files across ALL APPLICATIONS including, but not limited to, Google, Adobe, CA ARCserve, Sophos, Quickbooks, NVIDIA…. and the list goes on.

It’s gonna be a loooooooooong day!

Leave a Reply

Your email address will not be published. Required fields are marked *