Slashdot Mirror


Anti-Virus Bug Briefly Identified Windows Explorer as Malware

SJ2000 writes "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code. The security company's systems had decided that a virus called Huhk-C was present in the explorer.exe file, leading to its confinement or, in some cases, deletion. The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users."


  1. I don't get it... by Anonymous Coward · · Score: 5, Funny

    Windows identified as malware... why is this a bug?

    1. Re:I don't get it... by Anonymous Coward · · Score: 5, Funny

      > Windows identified as malware... why is this a bug?

      Because it only identified the explorer component.

    2. Re:I don't get it... by iamacat · · Score: 4, Funny
    3. Re:I don't get it... by dolo724 · · Score: 4, Funny

      In the late 90s and into the early 00s a few MS components and some legitimate DLLs were identified as virus laden. I solved the problem on my work machine by formatting the HD and installing RH-7, then VMWare for the only windows-dependent executable I couldn't get to run on wine. I had the fastest software package in-house and it made a kick-ass Quake server.

      maybe that's why I got laid off...

      --
      But you just gotta have another sigarette
    4. Re:I don't get it... by AmyRose1024 · · Score: 3, Funny

      The actual patch is here: http://www.kubuntu.org/

  2. Obligatory fixed by Anonymous Coward · · Score: 4, Funny

    Anti-Virus Bug "Correctly" Identified Windows Explorer as Malware

  3. Windows Is Not A Virus! by filesiteguy · · Score: 5, Funny

    Viruses are small and efficient.

  4. jk by wizardforce · · Score: 3, Funny

    that's not a bug, it's a feature

    --
    Sigs are too short to say anything truly profound so read the above post instead.
  5. um, don't they test these things before releasing? by Anonymous Coward · · Score: 5, Insightful

    Shouldn't this have been caught by even the simplest test before releasing?

    That's my first reaction, now I'm off to RTFA

  6. Re:um, don't they test these things before releasi by ubrgeek · · Score: 5, Funny

    You're right. But sometimes MS is in a hurry to get their product out.

    Oh, you mean Kaspersky Labs ...

    --
    Bark less. Wag more.
  7. Re:um, don't they test these things before releasi by Anonymous Coward · · Score: 2, Funny

    > Shouldn't this have been caught by even the simplest test before releasing?

    [X] In Soviet Russia, IE tests YOU!
    [X] Only old Koreans bother with testing!
    [X] "But it IS malware, boss!"
    [X] Netcraft confirms it - testing is dead!
    [X] I don't run IE, you ignorant clod!
    [X] "We tried to test it on Vista, and we will, as soon as it's finished booting ..."

  8. O rly? by Dunbal · · Score: 5, Funny

    > The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users.

    And yet it still made the front page of Slashdot.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:O rly? by rhizome · · Score: 4, Insightful

      It made the front page of Slashdot because a corporate user shouldn't be stupid enough to use Microsoft Explorer over a real browser.

      So what does that make people who are stupid enough to mistake Internet Explorer for Windows Explorer?

      --
      When I was a kid, we only had one Darth.
    2. Re:O rly? by MMC+Monster · · Score: 2, Interesting

      I was under the impression that explorer.exe was the MSWindows file manager. As a file manager, it actually is quite nice and has some interesting (good, or at least different) properties compared to nautilus. Such as copying a folder with the same name as a folder in the target will perform a merge of the two folder contents rather than deleting the original contents or the target.

      --
      Help! I'm a slashdot refugee.
    3. Re:O rly? by Matt867 · · Score: 2, Informative

      "I use IE7 (due to policies and ) at work and FF at home. Why am I stupid ?" For starters your sentence should have been typed like this: "I use IE7 (due to job-related policies) at work and FF at home. Why am I stupid?"

    4. Re:O rly? by atraintocry · · Score: 2, Funny

      > So what does that make people who are stupid enough to mistake Internet Explorer for Windows Explorer?

      The Windows Team, circa 1998.

  9. Where is the Obligatory Gay Male Coprophilia Porn by NeverVotedBush · · Score: 3, Funny

    Any story that puts MS in a bad light or makes fun of them almost always gets the story about some guy enjoying another's feces.

    I guess it's just too early still in Seattle... Maybe they will post it later.

    Merry Christmas Bill!

  10. Have you even used windows lately? by pcgabe · · Score: 2, Funny

    > "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code.

    "Falsely?"

    It's not a virus, sure. Viruses tend to mature, become more efficient...

    But Explorer sure feels like malicious code...
    --
    Don't put advice in your sig.
  11. Dumb article by Anonymous Coward · · Score: 2, Funny

    From TFA:

    As Windows Explorer is the graphical user interface for Windows' file system, this made it difficult to perform many common tasks within the operating system, such as finding files.

    Gee, makes it sound like losing explorer.exe is only mildly inconvenient.

  12. Seen it all before... by Alioth · · Score: 2, Interesting

    ...last year, when Symantec flagged part of the Windows Server 2003 resource kit as a trojan. That one stayed in 'the wild' much longer, probably because the resource kit in particular wasn't a widely installed piece of software.

    We've also had Norton 'false positive' on the Windows version of Oolite.

    One of these days, a widely used, automatically updated virus scanner is going to detect something like KERNEL32 as malware and kill a whole lot of machines. Wasn't there a problem like this with the Chinese version of Windows earlier this year?

    1. Re:Seen it all before... by Ash+Vince · · Score: 2, Insightful

      Both of the items you mention I can just about understand making it through a software testing process. It is feasible that none of the test machines had the two pieces of software you mention installed. But if you can find me a windows box without explorer.exe I will show you a borked installation.

      It is not an optional component to install last time I checked so all of their test machines should have had this file. At least some of their test machines should have had exactly that same version of this file as the one they decided was a virus. So how the hell did they not notice when it quarantined or deleted it? Windows would go tits up at the next boot, if not earlier.

      The only way I can think this could happen is if they skimped on testing. In which case this is most definitely the sort of news I would like to read on slashdot as it will give me a reason not to use their anti-virus solutions. An Anti-Virus solution without a very well defined and effective testing procedure is not one I want to use.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
  13. HUHK = Hamburger University of Hong King by SlappyBastard · · Score: 2, Funny

    http://www.huhk.com/intro_background.html Hmmm... Truly viral marketing.

    --
    I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
  14. Not as slow as yesterday by strcpy(NULL,... · · Score: 2, Informative

    Yesterday, we read about a dork playing jingle bells by hitting his video card fan. This story is an improvement.

    --
    echo 'cat sig | sh' > sig
  15. Anti-Virus Bug Briefly Identified Windows Explorer by tristian_was_here · · Score: 2, Funny

    So what does that mean? are we all fucked?

  16. Re:Anti-Virus Bug Briefly Identified Windows Explo by realdodgeman · · Score: 5, Funny

    > So what does that mean? are we all fucked?

    No, just you. We run Mac, Linux and BSD.
  17. Why things like this happen by Opportunist · · Score: 4, Insightful

    Now, of course they should not. Never. But they do. A few years ago, McAfee found MS Excel as malware (and acted accordingly, including detention or deletion, just like Kaspersky did with explorer now).

    But how? Don't they test?

    Of course they do. AV developers usually have some way to test against the most common software (and a few more software packages) before issuing a new signature. Though, as you can hopefully imagine, that takes time. The "whitelist" box that contains those "known good" files contains literally gigabytes (and soon terabytes) of software. As you can imagine, it takes a LOT of time to scan it all.

    Time, though, is of the essence in the malware fight. You NEED that signature out before the proverbial shit hits the fan (i.e. before your customer opens that infected spam mail that was just distributed a few billion times globally). So your sig update has to go out NOW. Preferably it should've been out an hour ago.

    How do you solve that quandary?

    There are a few strategies. But they all come down to one single problem: Having a current version of every file you want to whitelist. So what most likely happened is this:

    MS pushed an update for the file in question, most likely another of their infamous "silent" updates. You know, the ones you don't even notice. Now, if it wasn't a "silent" one, then one should wonder whether Kaspersky was sleeping (because they didn't fit it into their whitelist box in time) or whether it was pushed JUST at that time when they committed that update. Unfortunately such coincidences do happen.

    Now, I'm not working at Kaspersky. Rather, I'm working at one of their fiercest competitors. So I should probably rejoice at their blunder (and I'm fairly sure my boss will be in a GOOD mood on Thu, time to ask for a raise, I guess). But it can, did, does and will happen. To anyone in the biz. No matter how good you are and how good your false positive alarms and nets are, it can happen to everyone. If anything, this proves it. Kaspersky IS one of the key players in the business, and they usually know what they're doing.

    That's one of the reasons why I do highly recommend that you set your AV tools on "ask me before any action" mode. Yes, it bugs you every now and then, but it also means that things like this won't happen to you should your AV tool manufacturer have a similar problem one day.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
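
The comment above describes testing a new signature against a box of known-good files, and how that test passes wrongly when the box holds an outdated copy of a file. The following sketch of such a release gate is an added example, not part of the thread and not any vendor's code; the byte patterns, file contents and the `deployed` hash feed are constructed assumptions.

```python
import hashlib

# Constructed stand-ins for file contents; a real corpus holds gigabytes of binaries.
OLD_EXPLORER = b"MZ\x90\x00" + b"shell-v1" * 4
NEW_EXPLORER = b"MZ\x90\x00" + b"shell-v2" + b"\xde\xad\xbe\xef\x13\x37" + b"pad" * 4
SAMPLE_MALWARE = b"MZ\x90\x00" + b"dropper" + b"\xde\xad\xbe\xef\x13\x37"
# Hypothetical candidate signature: a byte pattern lifted from the malware sample.
CANDIDATE_SIG = b"\xde\xad\xbe\xef\x13\x37"
CRITICAL = {"explorer.exe", "kernel32.dll"}  # files whose loss breaks the OS


def release_gate(signature, corpus, critical):
    """Scan known-good files, critical OS files first so a hit there fails fast.

    Returns (ok, hits); hits lists the known-good files the signature matches.
    """
    ordered = sorted(corpus, key=lambda name: name not in critical)
    hits = []
    for name in ordered:
        if signature in corpus[name]:
            hits.append(name)
            if name in critical:
                return False, hits  # block the release without scanning the rest
    return not hits, hits


def stale_entries(corpus, deployed_hashes):
    """Names whose corpus copy no longer matches the hash seen in the field.

    deployed_hashes is an assumed input (e.g. hashes of vendor-updated files).
    """
    return sorted(
        name for name, data in corpus.items()
        if name in deployed_hashes
        and hashlib.sha256(data).hexdigest() != deployed_hashes[name]
    )


stale_corpus = {"explorer.exe": OLD_EXPLORER, "notepad.exe": b"MZ notepad"}
fresh_corpus = {**stale_corpus, "explorer.exe": NEW_EXPLORER}
deployed = {"explorer.exe": hashlib.sha256(NEW_EXPLORER).hexdigest()}

if __name__ == "__main__":
    print(release_gate(CANDIDATE_SIG, stale_corpus, CRITICAL))  # passes: corpus is outdated
    print(stale_entries(stale_corpus, deployed))                # the gap the gate cannot see
    print(release_gate(CANDIDATE_SIG, fresh_corpus, CRITICAL))  # blocked once corpus is current
```

The gate is only as good as the corpus: with the stale copy it approves a signature that matches the updated file, which is why the staleness check has to run before the scan result is trusted.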
  18. Re:Windows is what is used @ work mostly, which = by causality · · Score: 2, Insightful

    I never stated a thing about being "fulfilled": I just stated people are wise to use something that IS the most used, so they are ready for it in the workplace, so they can get paid. Job requirements & training for them is what running Windows @ home does for most folks.

    The point I was making, which should be clear to you, was that there is no merit in making a choice just because it is popular. I can choose to eat food because "everyone else does" and it means nothing; I can choose to eat food because my survival as an organic being depends on it and this is a rational decision. You could claim that jumping on the Windows bandwagon is a sign of intelligence due to business realities; you could conversely claim that the truly intelligent find ways to deal with compatibility issues without needing to use a single Microsoft product. Both claims mean next to nothing without some reasoning and perhaps evidence to back them up, and for all I know a serious study might determine no correlation with intelligence at all. The only reason why I used the word "fulfilled" is because some of us make decisions using additional criteria other than how much cash is invested in something. You can treat that concept as a stumbling block and willfully miss the point I was making if you like, but this does not negate what I am saying.

    "To claim that the popularity of Windows is an inherent virtue of the OS is just plain silly."
    oh really? What better gauge is there?? I guess in YOUR world "the majority = dumb"... yea, ok. That would make you the "all knowing one" & the rest of us, just clueless... right???

    All I said is that popularity does not determine actual merit. To say that this must mean I think I am the "all knowing one" is an emotional knee-jerk response that attempts to turn this into a personal matter and does nothing to address what I was saying. You don't like what I am saying, that's fine, but to act like this gives you license to automatically declare it false and make assumptions about my character is the very arrogance of which you seem to be accusing me.

    The bottom line is, whether the popularity of Windows is due to inherent merit and good design cannot be assessed objectively in the current marketplace (I am putting this mildly). That claim could only be made if 1) all PCs were shipped with blank hard drives and did not come with an operating system of any kind and it was up to the user to separately obtain and install one and 2) all users were technically skilled enough, as well as willing and able, to independently evaluate the stability, performance, and security of all major (PC) operating systems before choosing the one to use. Unless you could arrange for both of these to be true, what popularity is measuring is the marketing skill, business acumen, and incumbency of Microsoft and not the actual merit or design of Windows.
    --
    It is a miracle that curiosity survives formal education. - Einstein