Thursday, 20 September 2012

Sophos anti-virus kills own updater

Last night anti-virus software from Sophos mistakenly detected its own updating software as malware.

It also detected other updater applications as malicious.

Many well-known anti-virus companies have experienced significant so-called 'false positive' incidents in recent years, but this one was particularly important because the security software quarantined its own updating software.

The usual solution for a serious false positive incident is for the company to issue an update, as quickly as possible, to correct the situation. In this case, though, updates were hard to push out due to the updating software having been disabled.

Sophos issued advice on how to fix the problem.

However, not everyone has found this to be satisfactory. Customer comments on Sophos' website included:
"You managed to push out a false positive which flags your own update utility as a trojan and quarantines it, and the solution is... wait for it... to update Sophos using the now-quarantined update binary. Well done."
"We were hit with this. I've disabled "on-Access" until it's cleared up, but what do I do with the endpoints that are already quarantined? In the quarantine the only options are "move" and "delete"..."
"This fiasco has also broken Sage MicroPay and Sage accounts on our customer sites. Payroll for these customers has been severely disrupted as a result. The only resolution we have so far for this is a reinstallation of the affected applications. The suggested fix as posted here to date does nothing but attempt to repair the Sophos environment. The knock-on effect for other applications could be huge."
See more cases of 'dodgy updates', including when Avira's software detected itself as a Trojan; Microsoft detected Google Chrome as a banking Trojan; McAfee software broke computers, and the company offered financial compensation; and Avast! destroyed some Windows installations.