SophosLabs just recently provided an update for Live Protection which is causing innocent files to be classified as viruses. The update will detect any software that includes an updater (Google Update, Adobe Flash Updater, etc.) and warn the user that a potential file virus has been detected. Several of SecureState’s clients are currently receiving a large volume of alerts generated by this update. Sophos has recently posted an update on how to resolve this issue.
Sophos is recommending the following course of action:
“Ensure that endpoints are up to date with the latest IDE files. The detection and alerts will have stopped with the release of javab-jd.ide, which was released on Wed, 19 Sep 2012 21:32.
The MD5 for this IDE is 90e873330239722f58efabf8c27e7138.
1. Confirm SUM is updated and downloaded javab-jd.ide to distributions
2. Check within the update manager view there are no download errors and Sophos Update Manager has downloaded recently successfully.
3. Check the local Sophos Anti-virus installation has received the IDE – javab-jd.ide.
For example if you navigate to the following locations to check.
C:\Program Files\Sophos\Sophos Anti-virus\
C:\Program Files (x86) \Sophos\Sophos Anti-virus\
4. Check the distributions are populated with the IDE – javab-jd.ide by identifying the Bootstrap Locations within SEC, from View within the toolbar. For Windows packages navigate to the locations shown and confirm the ide exists within the SAVXP folder.
For example: \\SERVERNAME\SophosUpdate\S000\SAVSCFXP\SAVXP\
If SUM has updated and the distributions have been updated with the IDE then move into the Endpoints section. Otherwise please follow these steps:
1. Check the Anti-virus & Hips policy assigned to the Sophos Update Manager server and make a note of the current Cleanup options within the onaccess scanning configuration.
2. Set the configuration to the below if configured differently:
Deny access only for Virus/Spyware
C:\Documents and Settings\All Users\Application Data\Sophos\
C:\Program Files (x86)\Sophos\
3. Enable Live Protection within the ‘Sophos Live Protection’ option
4. Depending on the Cleanup configuration noted in point 1 follow the steps relevant to your configuration:
Deny access only
Stop the Sophos Anti-Virus service (Start | Run | Type: services.msc | Press return).
Delete the quarantine.xml file from:
C:\Documents and Settings\Application Data\Sophos\Sophos Anti-Virus\Config\Quarantine.xml.
Start the Sophos Anti-Virus service.
Rerun the SUM.msi to repair the installation, navigate to:
C:\Documents and Settings\Application\Sophos\Update Manager\Install\
‘Right Click’ on the SUM.msi and select repair.’”