Sophos Anti-Virus Update Identifies Sophos Code As Malware
An anonymous reader writes "Yesterday afternoon anti-virus company Sophos Inc. released a normal anti-virus definition update that managed to detect parts of their own software as malicious code and disabled / deleted sections of their Endpoint security suite, including its ability to auto-update and thus repair itself. For many hours on the 19th, Sophos technical call centers were so busy customers were unable to even get through to wait on hold for assistance. Today thousands of enterprise customers remain crippled and unable to update their security software."
Sophos points out that not everyone will be affected: "Please note this issue only affects Windows computers."
How many of Sophos' customers are not on the Windows platform? That makes me laugh.
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
In other news, I have a Windows XP keygen that is absolutely not malware, which gets flagged as malware by every virus scanner I've tried except ClamAV. That makes me LOL.
This is a classic case of not thoroughly testing code and making sure you have enough variations of test machines to ensure as little pain to clients as possible.
If I were a customer, I would be shopping for a better company.
Life takes interesting turns, but the most interest is when you're off the beaten path.
... the chicken ate the egg, after all...
Onda Technology Institute
False positive. Microsoft pays off anti-virus developers so they could flag keygens, cracks, etc. as viruses.
Malware from whose perspective? Adobe absolutely thinks keygens are malware.
It makes me LOL that people still have keygens for Windows XP.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
So, how much testing do they perform on their own product? I suppose they do not even know how their own "dogfood" tastes.
"test by eyeballing the code" has its drawbacks.
In a perfect world, the QA manager would be updating his resume.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I once had Malwarebytes identify ATAPI.SYS as malware and remove it. That update also lasted a few hours but left lots of angry customers with expensive bricks to repair.
Strangely enough, two days ago the Sophos install I have on Mac OS also started flagging itself as a threat and disabling itself...
Blasted it off as quickly as I could. No harm done that I can find.
An honest scan report from a major anti-virus vendor. Was it flagged as spyware/advertising trojan?
Learning HOW to think is more important than learning WHAT to think.
Obviously, once this change had gone in, Sophos was correct to identify itself as malicious.
I am officially gone from
Considering all the people I know that still want to stay with XP no matter what, it doesn't surprise me at all.
Understanding the scope of the problem is the first step on the path to true panic.
Let's see this isn't a virus, it's kinda like software leukemia or a software autoimmune disease.
The detection rate for Sophos's malware engine inched closer to 100%.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
A definite Own Goal. This gaffe is one that will be repeated for years to come, if not decades.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
It was more funny than anything, explaining to my clients what happened. To their credit, Sophos released a patch within, I think, about 30 minutes. All in all, it wasn't that big of a deal to fix the 80 or so computers I manage since you just disable autoupdate and remove all of the false positives out of quarantine. Worst case scenario is you remotely uninstall a bunch of clients and redeploy through the Control Center.
That's like saying you don't use condoms because you know how to pull out.
As memory serves, McAfee did this about 8-10 years ago with an update. It's a sign of poor release management and a failure to follow best practices. If they fail to follow best practices for something like this that is high visibility and customer facing, imagine what they look like inside the company.
Time to start bringing your business elsewhere.
Every year, we need to go down the list of software makers who have managed to totally Bork their users. The Meltdown awards. Just to distinguish between the companies that handle it well and the companies that are incompetent.
What would Richard Feynman do, if he were here right now? He'd do some math and he'd follow through!
I'm at work actually, and use XP, you insensitive crow !
Ceci n'est pas une Signature !
These autoimmune diseases ain't a whole lot of fun. I'd prescribe some computosteroids and avoiding sunlight. Just stay in the basement.
Ezekiel 23:20
My cousin used to say the same sort of thing about his know-it-all supervisor at work that was always riding him to wear safety glasses. After he got back from disability, the guy got him a couple of tickets to Avatar in 3D, just to be an asshole.
"It's a trap!"
Perfect attack vector for a real infection - as part of the AV suite. Talk about stealthy.
"But this one goes to 11!"
No, it's like saying you don't use condoms because you only go to bed with people you know well enough to trust them when they say they're on the pill.
And you also know that you would need to monitor both incoming and outgoing network traffic (at the router, not the client) to make sure nothing is calling home to a command server? Because you know that there is yucky stuff out there that is NOT obvious in any way other than network traffic monitoring?
I would say it's like having sex without a condom with a long-term partner who you trust not to carry diseases.
And that goes to show precisely why you should always use free AV instead of commercial AV.
I don't put AV software on production servers either unless PHBs etc require it. In my experience if you do things right, AV software is more likely to cause you problems than a virus.
And you are the reason why my company gets discounted rates on payment card processing. We actually *pass* the PCI audit every year.
Considering all the people I know that still want to stay with XP no matter what, it doesn't surprise me at all.
I was like that until I realized that Windows 7 is a very good OS. And, as a gamer, I also prefer DirectX 10 over 9.
That's like saying you don't use condoms because you know how^H^H^Hwhen to pull out.
There, fixed that for you
"No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin
Wanna cause problems? Add code from the various AV vendors...
What will those people do when Microsoft ends support in less than 2 years.
No infections that you KNOW of.
rewriting history since 2109
Avira had a similar problem last year.
You might as well lock yourself in a jail cell and throw away the keys.
"With patience a ruler may be persuaded, and a soft tongue will break a bone."
First for calling itself out. And then again for NOT calling Windows out.
So it goes...
What will those people [Windows XP lovers] do when Microsoft ends support in less than 2 years.
Be smugly satisfied that they eked every ounce of use from their software while simultaneously feeling dirty for having to buy Windows 9.
Am I a bad person for laughing at this? Probably.
On a more serious note: this is the worst nightmare for anyone who has to manage a mobile/remote workforce (or in this case, a large remote customer base). The idea that some code could break the ability of a system that depends on communication to communicate is why there is such a thing as a development environment in many corporations where MS updates, AV updates, etc. are tested NOT on the production network. Of course, many corporations have had to cut back, and due to budgetary restrictions many companies have effectively outsourced their testing to the vendors releasing the updates, depending on the vendor to test and not release some ridiculous update that (for instance) pushes out a firewall rule that stops the system from communicating, or as in this case, an update that nukes the AV software itself, and the ability of the AV software to repair itself by auto-updating. I do NOT envy any IT managers who are at a corporation using Sophos who let their users auto-update and don't do as I previously mentioned (i.e. test the updates/definitions). Ouch.
And now back to laughing.
Meh.
This is slashdot. A better analogy would be saying I don't use condoms because I only have sex with myself. And if I ever do have sex with someone else, I'd use a condom, or do it virtually ;).
As one of the techs trying to correct this, here's what I got to work:
1. Open the endpoint controls
2. Disable the on-access scanning
3. Clear the false detections
4. Manually launch ALMon.exe
5. Update and then re-enable the on-access scanning
Just think about it. The average Windows AV program runs with sufficient privilege to wreck your system by altering or removing arbitrary files. And it gets fed multiple updates per day created by teams of workers working in a hugely stressful situation: When a new virus appears, you've got to get those signatures out NOW.
I'm amazed people don't see the risks in this.
AV users have a very similar situation too. They have no infections that they or their AV software know of.
You might assume the AV vendor is really good at spotting malware, but their job is like solving the halting problem, only without knowledge of the full inputs and program.
I on the other hand prefer to "solve" the halting problem by ensuring the program actually halts no matter what happens- aka Sandboxing.
Why in gods name do you attribute this only to Microsoft? It's standard practice because the source of these aren't trustworthy and they're moderately easy to detect. I doubt Microsoft gives two shits if you download a keygen for a video game, yet they will pretty much all be detected by such AV software, generally even free software not theoretically bound by corporate purse strings.
Be happy that they don't have to endure Patch Tuesday any longer.
"For keygens, I run them in an isolated VM instance and roll back the disk files after I'm done using them. You can never be too sure."
Or you could, I dunno, not use keygens?
(I'm sure I'll hear a rejoinder about old software that you've lost the key for, but we all know what people are really using them for).
What you suggest is like a HIV test. Might be a good idea once in a while, but if you need to do it regularly you're doing things wrong.
If you've got malware calling home, you've already lost, you've already been pwned. You should also know that nowadays many things call home- Chrome, Firefox, etc.
You may be surprised what might be crawling around your machine right now.
Point is, with or without AV protection, you can never know fer shure.
Indeed. Most people also prefer a pie in the face over a punch in the jaw.
We are currently considering switching AV vendors from Kaspersky (our license renewal is coming soon). So the boss contacted Sophos and they sent a guy yesterday to install a demo and got hit with this bug.
Needless to say the guy was pretty embarrassed.
I like ESET NOD32 myself, but it seems that the administrative console is not as good as Kaspersky's (K's allows you to deploy software, turn off machines, send messages to users and lots of other non-AV stuff we actually need).
Open Source Java Web Forum with LDAP authentication
Why would I? My browser runs as a more restricted account than my main user account, I don't use Adobe's PDF reader. If I'm hit by drive-by malware that is sophisticated enough to use a privilege escalation exploit, the malware author is likely to know how to use virustotal etc and make sure his malware passes all AV checks. So AV software wouldn't save me either.
They are unlikely to bother with my sort of config since they can already make money from the masses of people who need AV software, or from Governments asking them to get specific targets.
It really appears they were just flagging anything that had Update in the path anywhere. One of our customers reported this to us. Three of our applications have Update in the file name, so they were flagged, as was their own updater. When I was looking up information about this, I found on the forums that in addition to their own software, they also quarantined Adobe, Google, and a couple of other apps that had Update in the name. It isn't even based on JUST the filename. Anywhere in the path caused it to happen.
Like others said, how this could've even made it out of the lab is beyond me.
Try avast!? There is a free registration after 30 days which is annoying but it is free forever for basic protection. I stopped using MSE for that reason. Also unless my knowledge is outdated ClamAV is not really an anti virus package!
Just a scanner with no protection from naughty javascripts or from buffer overflows in flash files. Noscript works most of the time but I have encountered infected ads before that Avast halted.
http://saveie6.com/
Android rootkits, too, have been flagged (on windows) for a long time because "it's malware from a software/hardware manufacturer's point of view".
"You might as well get your son a ticket to hell as give him a five string banjo." -unknown minister
Anything from the internet is untrustworthy unless signed. Should those be marked as malware attacks and blocked too?
Someone stole my Office CD so I had to download a copy off the net and use a fake KMS. It is perfectly legit, as in Trojan and rootkit free, but only Avast will not flag it as malware. It is very annoying.
I smell a rat here and would not be surprised if MS had a role in it. As a result I no longer use Microsoft Security Essentials. MS's security team is quite good and just as big as Symantec's. I am sure they share information with each other, and if MS flags one keygen they share it by contract. Yes, MS has a vested interest in cutting down on piracy as they sell software.
Well, there are guys like me: I have a tower running kubuntu, a notebook running W7, and an old Dell someone gave me that I repaired, including XP install disks. I want to use that box to sample LPs and cassettes and burn them to CD. EAC won't run on Linux or on any machine without an optical drive, and Audacity simply lacks the features I need. My only choices are XP on the old junker or buy a brand new computer, or build one from new parts and buy W7.
Nope, XP has to stay until they port EAC to Linux or the computer fairy buys me a new computer. You expect grandma, who's had her computer for ten years and only uses it for surfing and email, to spend a couple hundred bucks just to keep your spam box empty? Even the price of W7 is way too much, even if that old computer could run W7. As long as there are XP computers still useable, Microsoft should support it. It's their buggy code and bad design, after all.
Free Martian Whores!
I can't imagine a more horrible day at work than the one they're having.
It makes me LOL that people still have keygens for Windows XP.
XP is great to run in a VM for testing IT stuff or IE 6 or 7 if you are a web developer. It uses just 384 megs of ram which means I can run several instances with it and a virtualized server as well to test scripts or do training/learning.
As a main OS? Yeah, that would suck. I would need 16 GB of RAM minimum on my desktop to virtualize 4 servers and 2 clients with Server 2012, Exchange 2013, IIS 8, and Windows 7 clients. I will probably upgrade soon as XP is going to be deprecated next year.
No, it's more like saying he know how to evaluate (and trust) his sexual partners before engaging in sex, and those that he doesn't trust or can't be sure of, he brings to the clinic to get tested first...
tl;dr
Change is certain; progress is not obligatory.
BitDefender once did the awesome feat of quarantining every. single. file. They even rolled out the update to all x64 Vista and 7 machines (possibly XP, too).
Thank goodness for backups.
That's why I don't install AV software on my PC. I'm less likely to screw up than AV vendors are. Seriously. My own PCs have NEVER been infected by a virus. And yes, I know how to check, and I know how to upload suspicious stuff to VirusTotal, and I know how to run browsers with different user accounts from my main account. Whereas the AV vendors make this sort of screw-up every few years. So there's no point for me to slow down my computer with AV software. The sort of malware that would infect me would probably not be detected by their stuff anyway.
Do you use windows?
Is your computer connected to the internet?
If your answer to both these questions is "yes", congratulations! You just invalidated your whole argument. Your own PCs have never been infected by a virus that you could detect. Looking at all the analogies that others have tried to come up with, I find it fitting to state that taking a Windows PC on the internet without A/V is akin to sharing a bath with all the patients in an infectious disease ward. You're not going to come out clean. Any claim to the contrary is the height of stupidity.
On the other hand, if you aren't using windows, or aren't using the internet, then your experience is a blip among the masses, and not a far-fetched one.
Pirated XP is still pretty common in much of the developing world.
Well yes, I understand that there are legitimate programs calling home as well.
My point being that there are enough exploits (IE, Adobe, Java based, to name a few) that are drive-by that it would be easy to end up with something and not even realize it. And then it is calling home, and you are pwned. And it is possible the only indication you would have would be anomalous network traffic. And while it is certainly true that it could go undetected by AV products, they do increase your chances of knowing something happened.
And on a side note, is it just me or has something similar to this level of screw up happened to just about every major AV vendor at this point?
That's fine, but I doubt that much of the developing world is posting on Slashdot about their key generators.
Yea, because they're the ones writing them.
Measure twice, cut once!
That's the old, craftsmanship way. These days, especially with software, it's measure with a micrometer, mark with chalk, cut with an axe.
they got cool music attached to them too, so RIAA wants them out.
world was created 5 seconds before this post as it is.
What you say is true, and your config certainly reduces the chances of being infected. But the point that I am trying to make is that doesn't mean your PCs have NEVER been infected, as you claimed in your original post. There is no way for you to know that solely on the basis of the preventative measures you mentioned.
And I don't mean to belabor the point, I have just always found it to be an interesting claim when someone says their PCs have never been infected but mention nothing of how they know...which would have to include client and network traffic analysis information. You cannot even make this claim with AV since as you point out there is malware that can pass AV checks.
Sophos in Greek means "wise".
Proverbs 21:19
Still tl;dr post.
One time an AV detected some pentesting/repair tools I had saved on my external hard drive and killed them all because they were supposedly "hacking tools".
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Yeah i mean how hard is it to find a real corporate key on the internet anyway. :-P
Continue to use XP with no updates. Hell, tons of people never installed the service packs and updates while it was current. Why should that change just because something they never used is now unsupported? Besides, they now have their iShiny to fondle.
Yes, this was bad. The virus signature in question appears to match any software that does auto-updates (possibly trying to spot phone-home malware?) so it's flagged dozens of software packages and according to what policy you've set, quarantined or deleted the files. This includes the auto-update part of the sophos client. The flood of emails from the sophos enterprise manager package as machines were switched on this morning quickly alerted us that this wasn't good, and just looking at names of the files it was flagging was enough to see that this was a false positive. Cleanup continues.
We've been very happy with sophos enterprise, and I'm staggered that this signature made it out the door - they should have numerous controls in place to ensure this can never happen and I await an explanation for how they failed.
I'm not too impressed by some of the advice given in their cleanup procedure - they advise setting the policy to not scan certain sophos directories - guess where viruses may try to hide in future.
This is an embarrassing fubar which will have had a high impact on thousands of enterprises. It'll be interesting to see if Sophos come clean about the circumstances and can be convincing enough about how it's never going to happen again.
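The two posts above (the one reporting that anything with "Update" anywhere in its path was flagged, and the one asking what controls should have stopped the signature getting out the door) describe the same gap: a detection rule was shipped without being run against a corpus of files the vendor already knows to be clean, starting with its own updater. The following is an added example of such a pre-release gate, written for this page and not Sophos code or a description of Sophos's actual signature format. It scores two hypothetical rules against a constructed list of paths: an over-broad rule of the kind the thread describes, and a narrower one. ALMon.exe is the updater named in the thread; the directory layout around it, the third-party paths, the malicious sample path and both rule definitions are assumptions for illustration only.

```python
"""Pre-release regression check for a detection rule against a known-good corpus.

Added example, not vendor code.  A rule that fires on any path in the clean
corpus, or misses any path in the malicious sample set, fails the release gate.
"""
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed known-good paths a vendor's QA corpus would contain.  The Sophos
# and third-party directory layouts here are illustrative assumptions, not
# taken from any product manifest; ALMon.exe is the updater named in the thread.
CLEAN_CORPUS: List[str] = [
    r"C:\Program Files\Sophos\AutoUpdate\ALMon.exe",
    r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
    r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
    r"C:\Windows\System32\wuauclt.exe",
    r"C:\Users\alice\Documents\budget.xlsx",
]

# Constructed sample the rule is meant to catch: a hypothetical dropper in a
# user's Temp directory borrowing a system-binary name.
MALICIOUS_SAMPLES: List[str] = [
    r"C:\Users\alice\AppData\Local\Temp\svchostUpdate.exe",
]


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[str], bool]


def _path_contains_update(path: str) -> bool:
    # Over-broad heuristic of the kind the thread describes: fires on the
    # substring anywhere in the path, including the vendor's own updater.
    return "update" in path.lower()


def _temp_dir_masquerade(path: str) -> bool:
    # Narrower hypothetical rule: an executable under the per-user Temp
    # directory whose name starts with a Windows system-binary name.
    pattern = r"\\appdata\\local\\temp\\svchost[^\\]*\.exe$"
    return re.search(pattern, path, re.IGNORECASE) is not None


BROAD_RULE = Rule("path contains 'Update'", _path_contains_update)
NARROW_RULE = Rule("system-binary lookalike in user Temp", _temp_dir_masquerade)


def false_positives(rule: Rule, clean: List[str]) -> List[str]:
    """Clean paths the rule would quarantine."""
    return [p for p in clean if rule.matches(p)]


def misses(rule: Rule, malicious: List[str]) -> List[str]:
    """Malicious paths the rule fails to flag."""
    return [p for p in malicious if not rule.matches(p)]


def passes_release_gate(rule: Rule,
                        clean: List[str] = CLEAN_CORPUS,
                        malicious: List[str] = MALICIOUS_SAMPLES) -> bool:
    """A rule ships only if it hits nothing known-good and misses nothing known-bad."""
    return not false_positives(rule, clean) and not misses(rule, malicious)


if __name__ == "__main__":
    for rule in (BROAD_RULE, NARROW_RULE):
        fps = false_positives(rule, CLEAN_CORPUS)
        verdict = "PASS" if passes_release_gate(rule) else "FAIL"
        print(f"{rule.name}: {len(fps)} clean file(s) hit, gate {verdict}")
        for p in fps:
            print("   would quarantine:", p)
```

In a real pipeline the clean corpus is the vendor's own install footprint plus the updaters and system binaries of the platforms it supports, and the gate runs on every definition build, not just on the heuristic engine. The broad rule above would have quarantined the vendor's own ALMon.exe and Google's updater before reaching a single customer.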
An easy way around it is to go to the dump and over to the electronic drop point, look at the back of all the old computers and write down the install keys, grab an OEM disk, and you're off with more pseudo-legit keys than you could ever want for whatever versions of Windows you want.
While you're at it, grab any RAM and hard drives, and Blu-ray drives or whatever other components you are in need of or are worth salvaging, and see if they work. Check the hard drives to see if they are still in working order, then run a file shredder on everything and overwrite the whole drive, then format it. After a couple of dump runs like this you have more components than you could ever use.
linux and mac can still pass / host windows virus
Such items have been flagged by security software for eons before Microsoft Security Essentials was even an idea in someone's head at Redmond. Even if these things are flagged, it's easy enough to bypass unless your security policies are set to forcibly remove them without letting you intervene in any way and you lack the privileges to change this.
The point I'm making is security software flags keygens/cracks/etc. by the fact that they're generally very "underground" and far more subject to less than reputable "additions" than other software. It's a proven attack vector which is widely used, and therefore is more serious of a risk than other downloads. Any security software worth its salt should definitely flag these items. It is their job to find security risks and prevent them. You're trying to add an ulterior agenda to smart security practice.
They're very easy to avoid so it should be a minor nuisance at best.
The reason that happens is likely due to the heuristics used to detect threats by the security tools outside the scope of the virus definitions. Those are the front line functions that are designed to (hopefully) catch bad code before the company even needs to send out a definition for it. When they detect a program is capable of doing certain things, they will get flagged with generic terms like that.
Lots of programs with things like auto-update functionality get similarly flagged, etc.
that is why god invented live cd's, virtual machines, and secure os's/browsers
maybe it shouldn't try to kill random things that it has no clue what they are though just flag it instead.
An antivirus software that actually works!
That's generally what they do. If you're in a situation where it's forcefully removing them without giving you a chance to intervene then your policies are set weird. I've used several suites over the years, and all but one merely brought up a message about such files and asked for my input.
Sophos went auto-immune
It's amazing how far the "life" analogy goes in anti-malware world
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
If my browser is pwned by a drive by, the malware would still be running under a different account from my main account. It wouldn't be running using the same account as my financial browser account either.
The malware might be able to get my slashdot or facebook password, big deal. It can call home, but unless it uses a privilege escalation exploit it doesn't have access to the rest of my system and data. It can send spam or do a DDoS, but if it sends enough traffic or uses too much CPU/mem, I'm going to notice even if I don't sniff my network traffic.
And yes, most of the major AV vendors have done a similar screw up, hence that's why I think they are a bigger danger to me, and their stuff definitely slows things down.
As one of the four...
Yes, safe, but Sophos for Macs is free. No 'business cost' there...