Sophos antivirus detects own update as false positive malware

Sophos' antivirus solution began marking its own updates as false-positive malware, which deleted critical files in the system's live protection program.
Written by Zack Whittaker, Contributor

Users of Sophos' antivirus software were hit by a false positive bug on Wednesday that saw some of the program's own updates classed as a false positive malware, which then deleted crucial files.

Many enterprise and business computers were hit b the bug, creating reports to administrators reporting the program as SSH/Updater-B malware. The Register reports that administrators were bombarded with emails and alerts about the non-existent problem, which has since been fixed. 

The false positive left systems unable to update because the updating functionality itself was put under quarantine. Sophos apologized in a blog post and pointed to a knowledge base article, which included steps to help mitigate the non-existent 'outbreak':

If you have Live Protection enabled, you should stop seeing these detections eventually as the files are now marked 'clean' in the Live Protection cloud. If you do not have Live Protection enabled you will stop seeing the new detections once javab-jd.ide has been downloaded by your endpoints [released Wednesday evening.]

In the knowledge base article, Sophos confirmed that parts of the antivirus itself was being marked as malware (emphasis mine):

If SUM is unable to update it is probable that files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.

Many antivirus solutions are cautious of their own software, simply because many viruses and malware attempt to disable the programs in a bid to circumvent the system and networks, allowing the malware to spread even further. It's unclear if the antivirus solution left firms open to malware attacks or lessened the security of systems, but certainly would have caused problems for enterprises as the malware removal system is somewhat different to home users' systems. 

Again, according to The Register, said while "it was possible to get the latest update out to the clients -- however it is still necessary to go to every single impacted system and clean out the quarantined items."

Editorial standards