MUST READ: Microsoft unleashes bug bounty program — for betas, too

Topic: Malware

Discover

Sophos antivirus detects own update as false positive malware

Summary: Sophos' antivirus solution began marking its own updates as false-positive malware, which deleted critical files in the system's live protection program.

Zack Whittaker

By for Zero Day |

Users of Sophos' antivirus software were hit by a false positive bug on Wednesday that saw some of the program's own updates classed as a false positive malware, which then deleted crucial files.

Many enterprise and business computers were hit b the bug, creating reports to administrators reporting the program as SSH/Updater-B malware. The Register reports that administrators were bombarded with emails and alerts about the non-existent problem, which has since been fixed. 

The false positive left systems unable to update because the updating functionality itself was put under quarantine. Sophos apologized in a blog post and pointed to a knowledge base article, which included steps to help mitigate the non-existent 'outbreak':

If you have Live Protection enabled, you should stop seeing these detections eventually as the files are now marked 'clean' in the Live Protection cloud. If you do not have Live Protection enabled you will stop seeing the new detections once javab-jd.ide has been downloaded by your endpoints [released Wednesday evening.]

In the knowledge base article, Sophos confirmed that parts of the antivirus itself was being marked as malware (emphasis mine):

If SUM is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.

Many antivirus solutions are cautious of their own software, simply because many viruses and malware attempt to disable the programs in a bid to circumvent the system and networks, allowing the malware to spread even further. It's unclear if the antivirus solution left firms open to malware attacks or lessened the security of systems, but certainly would have caused problems for enterprises as the malware removal system is somewhat different to home users' systems. 

Again, according to The Register, said while "it was possible to get the latest update out to the clients -- however it is still necessary to go to every single impacted system and clean out the quarantined items."

Topics: Malware, Enterprise Software, Networking, Privacy, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments
Log in or register to join the discussion

  • Never had luck with Sophos

    I tried Sophos on my Mac a couple times. But it seemed that everytime Apple updated OS X it broke Sophos AV. I was never impressed but then again I don't think I have yet to find a good AV program for Mac's. As for my PC I have stuck with Microsoft Security Essentials because it is so much less annoying then others. No ads and no frequent nagging about upgrading to a paid version.
    jscott418-22447200638980614791982928182376
    Reply Vote

  • Why do people

    STILL use AV products. It is a waste.... of .... time.....
    12312332123
    Reply Vote

  • Hundreds of our clients affected by this issue...

    ...and our internal machines as well. Why, indeed, are we still using Sophos?
    Matthew.W.Simpson@...
    Reply Vote

    • Not limited to Sophos

      This is not unique to Sophos. We've experienced the same in the past with McAfee and Symantec as well.

      That doesn't mean I'm OK with it nor happy about it though.
      dmitchell@...
      Reply Vote

  • Please clarify the statement "which then deleted crucial files"

    Deleting a virus is not a default configuration within Sophos anti-virus. Users of the software would have had to have set their configurations to do so, and this is against Sophos recommended settings. This false positive was rolled back using cloud realtime protection within 20 minutes of it being reported. Users who opted to configure Sophos outside of recommended settings did experience problems. I know this because I use Sophos on a few thousand systems, and it only hit my Windows systems. Within 20 minutes it was fixed without me having to do anything.
    r00tguy
    Reply Vote

    • Sophos killed the client update mechanism

      Rootguy . . . Although default config may not have deleted files. It flagged the client update program so you could not propagate the updates to the clients via the consul . . . Fortunately, I on my small network only about a dozen machines were hit. But I had to touch each machine to fix the problem.

      I think they have a script to fix it now, but I just got an email about a problem with quickbooks saying re-installation required . . .

      I will say this is the first major problem we have had with Sophos in 6 years or so.
      ZAD55
      Reply Vote

      • Re: Quickbooks (and Peachtree, etc.)

        If you "Clear" the quarantine on your Quickbooks server and on the Quickbook client PC Quickbooks will be all set. No reinstallation required.
        dmitchell@...
        Reply Vote

    • Where was the QA?

      This article doesn't explain the full extent of the problem. The signature also targeted other "updating" components of OTHER applications on the client pc's as well. I had over 7 applications that the updater.exe updater.dll, etc were deleted from on my SCHEDULED NIGHTLY scans. My on-access settings were set to "Deny Access" but the nightly delete. In my particuliar case all clients could not update their policy as they all displayed "Awaiting Policy Transfer" and my SUM was showing failure to update. Since i couldn't communicate with my clients i couldn't push a new policy disabling the nightly scans realizing it was going to delete files on client pc's i could only sit there and watch email after email rain down stating it deleted "program files (x86)\some critical application\updater.dll." To make matters worse NONE of this information was placed on Sophos' support site, there was a complete lack of dissemination of information, no updates, nada. The forums were the only avenue of support as Sophos call center wasn't even prepared for the onslaught of customers calling in that their lines were constantly dropping. Again - no communication of the problem and even then their initial article (Receiving a grand 1.1 rating out of 6) only covered one aspect and fix for the problems.

      Rootguy - Sophos botched this one. Regardless of someones' particuliar AV settings there was a complete failure of quality assurance with their promotion process. That update shouldn't have even made it off their servers. It deleted their own file base. Bottomline. Period. Failure!
      kesm0724
      Reply Vote

  • Could Only Happen On Dimdows

    Only on Microsoft Windows has the function of antivirus software needed to become so complex and so error-prone that it can now behave like an auto-immune disease!

    What new biological parallels will the next update invent, I wonder? Will we see allergies next, where certain kinds of legitimate software keep getting mistaken for malware?
    ldo17
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close