Slashdot Mirror


Sophos Anti-Virus Update Identifies Sophos Code As Malware

An anonymous reader writes "Yesterday afternoon anti-virus company Sophos Inc. released a normal anti-virus definition update that managed to detect parts of their own software as malicious code and disabled / deleted sections of their Endpoint security suite, including its ability to auto-update and thus repair itself. For many hours on the 19th, Sophos technical call centers were so busy customers were unable to even get through to wait on hold for assistance. Today thousands of enterprise customers remain crippled and unable to update their security software." Sophos points out that not everyone will be affected: "Please note this issue only affects Windows computers."

24 of 245 comments

  1. 99.999% by jsepeta · · Score: 5, Insightful

    How many of Sophos' customers are not on the Windows platform? That makes me laugh.

    --
    Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
    1. Re:99.999% by niiler · · Score: 3, Funny

      At first I thought you meant "proof of concept" anti-virus for Linux. :-P

    2. Re:99.999% by thereitis · · Score: 4, Insightful

      Speaking of percentages, I wonder what percentage of anti-virus updates go terribly wrong like this. 0.00001%? AV companies are constantly producing new signatures, many times per day. All it takes is one mistake and you have a loose cannon and a front page news article like this one. It's impressive that there aren't more occurrences.

    3. Re:99.999% by DaveAtFraud · · Score: 3, Funny

      I'm just glad I didn't have a mouthful of coffee when I read:

      Sophos points out that not everyone will be affected: "Please note this issue only affects Windows computers."

      or I would still be cleaning coffee off of monitors, laptop, papers, etc.

      I have a couple of old Windows XP installations I can still get to when some idiot creates a web site that only works right in IE (e.g., I live in Colorado and the state has a site for doing your state income tax that doesn't work when accessed with Firefox). Ditto for software like most income tax programs. I don't otherwise use Windows. Even my work laptop is running Linux (Fedora 16).

      Cheers,
      Dave

      --
      They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
      Ben
    4. Re:99.999% by Verunks · · Score: 5, Informative

      So far, there have only been a couple 'proof of concept' viri for Linux. Nobody's figured out a way to pry any money away from us yet. :D

      But Linux antivirus products aren't used to protect Linux; they are useful if you run a mail server or a proxy so you can clean mail and web pages before they infect a Windows user, or to clean an infected Windows installation. For example, the Kaspersky live CD is based on Linux.

    5. Re:99.999% by Culture20 · · Score: 4, Insightful

      What's impressive is that this got out of Sophos' testing lab and into production. I guess they must not test signatures in house at all. Congratulations, Sophos customers, you've been promoted to alpha testers.

    6. Re:99.999% by fuzzyfuzzyfungus · · Score: 4

      The trouble, in this case, is that it detects its own signature update components as viruses...

      Not only should this have been caught in testing (since it would have cropped up more or less the moment the new signatures were loaded onto a live system with Sophos installed), but they hit files about which Sophos presumably has intimate knowledge; this isn't some 'obscure packing/compression scheme used by a legacy CAD program that seemed like a good idea in the 80's looks like a suspicious obfuscated payload' kind of thing.

      I am not impressed, though thankfully it only took me a little over half a day to fix it here...

    7. Re:99.999% by jd2112 · · Score: 5, Funny

      What's impressive is that this got out of Sophos' testing lab and into production. I guess they must not test signatures in house at all. Congratulations, Sophos customers, you've been promoted to alpha testers.

      Actually, it's an incredible show of honesty on the part of Sophos. Perhaps Symantec and McAfee will follow suit and flag their own software as malicious as well.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    8. Re:99.999% by RDW · · Score: 3, Funny

      What's impressive is that this got out of Sophos' testing lab and into production.

      What's really impressive is that it also orchestrated a DDOS attack on the Sophos tech support helpline...

  2. Can We Say Test our Code, anyone??? by realsilly · · Score: 4, Insightful

    This is a classic case of not thoroughly testing code and making sure you have enough variations of test machines to ensure as little pain to clients as possible.

    If I were a customer, I would be shopping for a better company.

    --
    Life takes interesting turns, but the most interest is when you're off the beaten path.
    1. Re:Can We Say Test our Code, anyone??? by MrEricSir · · Score: 3, Insightful

      If I were a customer, I would be shopping for a better company.

      Is there a better company, though? Seems like all the major antivirus vendors have had embarrassing false positives like this in the past.

      --
      There's no -1 for "I don't get it."
    2. Re:Can We Say Test our Code, anyone??? by girlintraining · · Score: 3, Informative

      This is a classic case of not thoroughly testing code and making sure you have enough variations of test machines to ensure as little pain to clients as possible.

      Antivirus engines and definitions change daily, weekly at the most. Where do you suppose this "thorough testing" of code is supposed to happen? It costs time and money, and while you're busy doing that testing, the support lines are being flooded with "We've been infected by something your software doesn't protect against! What are we paying you for, anyway?" As a bonus, your competitors, who didn't decide to set up a massive lab with dozens of employees in it, testing all the typical configurations of a half dozen operating systems and the couple hundred most popular software packages of each... they already released a patch.

      Now, a software patch that causes the application to stomp on its own dick is amusing (and difficult to forgive), but demanding a massive expenditure of time and money is almost as unforgivable. It's easy to demand best practices and ample safety margins: It's quite another thing to deliver it in a business environment. Most people in the industry, including the people at Sophos I'm sure, do the best they can with what they're given. It's pretty much the work creed of anyone in this industry -- few have the time and resources to do it right, they have to settle for 'good enough'.

      And sometimes, good enough breaks.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Can We Say Test our Code, anyone??? by girlintraining · · Score: 4, Insightful

      That's pocket change compared to how much the company can lose over a screw up like this.

      Emphasis mine. Look, every major antivirus producer has made a similar mistake to this. Sometimes, it takes the whole operating system down with it (Symantec anyone?). Whether you agree or disagree, it's clear there are business incentives for a fast workflow process -- and as the old saying goes "Do it fast, do it right, do it cheap -- pick any two." It's obvious which ones the antivirus industry as a whole has chosen. Rather than argue over whether or not they're right, I'm pointing out why they're making those choices. Businesses aren't willing to pay a premium to avoid mistakes like this. The cost of the occasional screwup like this is less than the cost required to do all the testing and lab work that many here on slashdot seem to support.

      It's a business decision they've made, right or wrong.

      --
      #fuckbeta #iamslashdot #dicemustdie
  3. Tautologies are fun by dkleinsc · · Score: 4, Funny

    Obviously, once this change had gone in, Sophos was correct to identify itself as malicious.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  4. In other news... by MachineShedFred · · Score: 3, Funny

    The detection rate for Sophos's malware engine inched closer to 100%.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  5. Re:That's why I don't install AV software on my PC by asmkm22 · · Score: 5, Funny

    That's like saying you don't use condoms because you know how to pull out.

  6. Re:Which just goes to show... by localman57 · · Score: 5, Funny

    "test by eyeballing the code" has its drawbacks.

    Exactly. Sometimes code that looks useless is really pretty important. The article follow up said they removed this test from an iteration loop, since there weren't comments about what it did. Apparently the original programmers thought it obvious...

    if ( asimov_3rd_violation())
    {
        continue;
    }
    else
    {
        remove_file(filename);
    }

  7. There needs to be an award for this by phrackwulf · · Score: 4, Interesting

    Every year, we need to go down the list of software makers who have managed to totally Bork their users. The Meltdown awards. Just to distinguish between the companies that handle it well and the companies that are incompetent.

    --
    What would Richard Feynman do, if he were here right now? He'd do some math and he'd follow through!
  8. Re:That's why I don't install AV software on my PC by localman57 · · Score: 5, Funny

    My cousin used to say the same sort of thing about his know-it-all supervisor at work that was always riding him to wear safety glasses. After he got back from disability, the guy got him a couple of tickets to Avatar in 3D, just to be an asshole.

  9. Re:That's why I don't install AV software on my PC by Anonymous Coward · · Score: 3, Insightful

    No, it's like saying you don't use condoms because you only go to bed with people you know well enough to trust them when they say they're on the pill.

  10. Malware makers take note! by erroneus · · Score: 4, Interesting

    Wanna cause problems? Add code from the various AV vendors...

  11. Re:Which just goes to show... by localman57 · · Score: 3, Insightful

    Just so this whole thing doesn't spin out of control, the code is total bullshit I made up myself. Seemed better than just posting a comment about the 3rd law.

  12. Windows AV programs are malware by dskoll · · Score: 3, Interesting

    Just think about it. The average Windows AV program runs with sufficient privilege to wreck your system by altering or removing arbitrary files. And it gets fed multiple updates per day created by teams of workers working in a hugely stressful situation: When a new virus appears, you've got to get those signatures out NOW.

    I'm amazed people don't see the risks in this.

  13. Notes from an affected enterprise by illtud · · Score: 4, Informative

    Yes, this was bad. The virus signature in question appears to match any software that does auto-updates (possibly trying to spot phone-home malware?), so it's flagged dozens of software packages and, according to what policy you've set, quarantined or deleted the files. This includes the auto-update part of the Sophos client. The flood of emails from the Sophos Enterprise Manager package as machines were switched on this morning quickly alerted us that this wasn't good, and just looking at the names of the files it was flagging was enough to see that this was a false positive. Cleanup continues.

    We've been very happy with Sophos Enterprise, and I'm staggered that this signature made it out the door - they should have numerous controls in place to ensure this can never happen, and I await an explanation for how they failed.

    I'm not too impressed by some of the advice given in their cleanup procedure - they advise setting the policy to not scan certain Sophos directories - guess where viruses may try to hide in future.

    This is an embarrassing fubar which will have had a high impact on thousands of enterprises. It'll be interesting to see if Sophos come clean about the circumstances and can be convincing enough about how it's never going to happen again.
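The triage illtud describes above (a flood of alerts whose file names give the false positive away, plus the product's own updater being among the casualties) as an added Python example; this is not Sophos code, and the detection names, host names, paths and the assumed updater directory are all constructed.

```python
from collections import defaultdict

# Constructed sample alert events: (host, detection name, file path, action taken).
# Signature names, hosts and paths are illustrative, not from any real product.
SAMPLE_EVENTS = [
    ("pc01", "Sig/Updater-EXAMPLE", r"C:\Program Files\Sophos\AutoUpdate\updater.exe", "quarantined"),
    ("pc01", "Sig/Updater-EXAMPLE", r"C:\Program Files\Example Reader\updatecheck.exe", "quarantined"),
    ("pc02", "Sig/Updater-EXAMPLE", r"C:\Program Files\Sophos\AutoUpdate\updater.exe", "deleted"),
    ("pc02", "Sig/Updater-EXAMPLE", r"C:\Program Files\Example Browser\updater.exe", "deleted"),
    ("pc03", "Sig/Updater-EXAMPLE", r"C:\Program Files\Example Runtime\bin\autoupdate.exe", "quarantined"),
    ("pc03", "Sig/Updater-EXAMPLE", r"C:\Program Files\Sophos\AutoUpdate\updater.exe", "quarantined"),
    ("pc04", "Troj/Example-A", r"C:\Users\bob\Downloads\invoice.exe", "quarantined"),
]

# Directories where a hit is more likely a bad definition than malware.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")
# Assumed location of the AV product's own update component (constructed, not a real layout).
OWN_UPDATE_DIR = r"c:\program files\sophos\autoupdate"


def triage(events, min_hosts=3, min_paths=3, min_trusted_fraction=0.5):
    """Summarise alerts per detection name and flag probable false positives.

    A signature that suddenly hits many distinct files on many hosts, mostly under
    installed-software directories, is marked probable_false_positive. own_updater_hit
    means the product's self-repair path was hit, so those machines need manual cleanup.
    """
    by_sig = defaultdict(lambda: {"hosts": set(), "paths": set(), "trusted": 0, "total": 0})
    for host, sig, path, _action in events:
        s = by_sig[sig]
        p = path.lower()
        s["hosts"].add(host)
        s["paths"].add(p)
        s["total"] += 1
        if p.startswith(TRUSTED_ROOTS):
            s["trusted"] += 1
    summary = {}
    for sig, s in by_sig.items():
        frac = s["trusted"] / s["total"]
        summary[sig] = {
            "hosts": len(s["hosts"]),
            "distinct_paths": len(s["paths"]),
            "trusted_fraction": round(frac, 2),
            "own_updater_hit": any(p.startswith(OWN_UPDATE_DIR) for p in s["paths"]),
            "probable_false_positive": (len(s["hosts"]) >= min_hosts
                                        and len(s["paths"]) >= min_paths
                                        and frac >= min_trusted_fraction),
        }
    return summary
```

Run `triage(SAMPLE_EVENTS)` over your own management-console export (in the same tuple shape) to separate a signature-wide false positive from a genuine single-host detection before anyone starts deleting files by hand.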