Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anti-Virus Bug Briefly Identified Windows Explorer as Malware

Posted by Zonk on from the err-oops-pay-no-attention-to-your-OS dept.

SJ2000 writes "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code. The security company's systems had decided that a virus called Huhk-C was present in the explorer.exe file, leading to its confinement or, in some cases, deletion. The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users."

12 of 131 comments (clear)

  1. I don't get it... by Anonymous Coward · · Score: 5, Funny

    Windows identified as malware... why is this a bug?

    1. Re:I don't get it... by Anonymous Coward · · Score: 5, Funny

      > Windows identified as malware... why is this a bug?

      Because it only identified the explorer component.

    2. Re:I don't get it... by iamacat · · Score: 4, Funny

      Here is an explanation why it is a bug

    3. Re:I don't get it... by dolo724 · · Score: 4, Funny

      In the late 90s and into the early 00s a few MS components and some legitimate DLLs were identified as virus laden. I solved the problem on my work machine by formatting the HD and installing RH-7, then VMWare for the only windows-dependent executable I couldn't get to run on wine. I had the fastest software package in-house and it made a kick-ass Quake server.

      maybe that's why I got laid off...

      --
      But you just gotta have another sigarette
  2. Obligatory fixed by Anonymous Coward · · Score: 4, Funny

    Anti-Virus Bug "Correctly" Identified Windows Explorer as Malware

  3. Windows Is Not A Virus! by filesiteguy · · Score: 5, Funny

    Viruses are small and efficient.

    --
    The Kai's Semi-Updated Website Thingy
  4. um, don't they test these things before releasing? by Anonymous Coward · · Score: 5, Insightful

    Shouldn't this have been caught by even the simplest test before releasing?

    That's my first reaction, now I'm off to RTFA

  5. Re:um, don't they test these things before releasi by ubrgeek · · Score: 5, Funny

    You're right. But sometimes MS is in a hurry to get their product out.

    Oh, you mean Kaspersky Labs ...

    --
    Bark less. Wag more.
  6. O rly? by Dunbal · · Score: 5, Funny

    The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users.

          And yet it still made the front page of Slashdot.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:O rly? by rhizome · · Score: 4, Insightful

      It made the front page of Slashdot because a corporate user shouldn't be stupid enough to use Microsoft Explorer over a real browser.

      So what does that make people who are stupid enough to mistake Internet Explorer for Windows Explorer?

      --
      When I was a kid, we only had one Darth.
  7. Re:Anti-Virus Bug Briefly Identified Windows Explo by realdodgeman · · Score: 5, Funny

    So what does that mean? are we all fucked?
    No, just you. We run Mac, Linux and BSD.
  8. Why things like this happen by Opportunist · · Score: 4, Insightful

    Now, of course they should not. Never. But they do. A few years ago, McAfee found MS Excel as malware (and acted accordingly, including detention or deletion, just like Kaspersky did with explorer now).

    But how? Don't they test?

    Of course they do. AV developers usually have some way to test against the most common software (and a few more software packages) before issuing a new signature. Though, as you can hopefully imagine, that takes time. The "whitelist" box that contains those "known good" files contains literally gigabytes (and soon terabytes) of software. As you can imagine, it takes a LOT of time to scan it all.

    Time, though, is of the essence in the malware fight. You NEED that signature out before the proverbial shit hits the fan (i.e. before your customer opens that infected spam mail that was just distributed a few billion times globally). So your sig update has to go out NOW. Preferably it should've been out an hour ago.

    How do you solve that quandary?

    There are a few strategies. But they all come down to one single problem: Having a current version of every file you want to whitelist. So what most likely happened is this:

    MS pushed an update for the file in question, most likely another of their infamous "silent" updates. You know, the ones you don't even notice. Now, if it wasn't a "silent" one, then one should wonder whether Kaspersky was sleeping (because they didn't fit it into their whitelist box in time) or whether it was pushed JUST at that time when they committed that update. Unfortunately such coincidences do happen.

    Now, I'm not working at Kaspersky. Rather, I'm working at one of their fiercest competitors. So I should probably rejoice at their blunder (and I'm fairly sure my boss will be in a GOOD mood on Thu, time to ask for a raise, I guess). But it can, did, does and will happen. To anyone in the biz. No matter how good you are and how good your false positive alarms and nets are, it can happen to everyone. If anything, this proves it. Kaspersky IS one of the key players in the business, and they usually know what they're doing.

    That's one of the reasons why I do highly recommend that you set your AV tools on "ask me before any action" mode. Yes, it bugs you every now and then, but it also means that things like this won't happen to you should your AV tool manufacturer have a similar problem one day.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.