Are you running Sophos on your computers?
If so, you might see a warning message like this appear on your enterprise management software:
Virus/spyware ‘Troj/FarFli-CT’ has been detected in “C:\Windows\System32\winlogon.exe”. Cleanup unavailable.
Alternatively, if you’re an end user, you might not see anything at all. All you might see is a black screen on starting up your Windows PC.
This is clearly not good news. But what makes it worse is that Sophos is making a mistake – false alarming on the Windows 7 version of winlogon.exe, and messing with users’ machines.
In short, your anti-virus is giving you a tech support headache rather than saving you from a genuine malware infection.
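Before acting on an alert like the one above, an administrator will want to confirm whether the flagged file really is the stock Microsoft binary. The following PowerShell is an added example, not part of the original article or anything from Sophos; it assumes PowerShell 4.0 or later for Get-FileHash and uses the path quoted in the alert.

```powershell
# Added example (not from the article): check whether a file an AV product has flagged
# is the genuine, Microsoft-signed system binary before treating the alert as real.
# Assumes PowerShell 4.0+ (Get-FileHash); the path is the one quoted in the alert.
$path = 'C:\Windows\System32\winlogon.exe'

# 1. Authenticode signature. A genuine winlogon.exe carries a Microsoft signature that
#    validates as 'Valid'; 'HashMismatch' means the bytes on disk no longer match what
#    was signed, which is what a real replacement or infection would produce.
$sig = Get-AuthenticodeSignature -FilePath $path
[PSCustomObject]@{
    Path      = $path
    SigStatus = $sig.Status
    Signer    = $sig.SignerCertificate.Subject
}

# 2. Version metadata, so the alert can be tied to a specific OS build when comparing
#    notes with other machines or with the vendor.
(Get-Item $path).VersionInfo | Select-Object FileVersion, ProductVersion, CompanyName

# 3. SHA-256 of the on-disk file, to compare against the same build on a known-clean
#    machine or to include when reporting a suspected false positive to the vendor.
(Get-FileHash -Path $path -Algorithm SHA256).Hash

# 4. System File Checker in verify-only mode cross-checks every protected system file
#    against the component store without changing anything (needs an elevated prompt).
sfc /verifyonly
```

A matching signature and hash across several machines, with no findings from `sfc /verifyonly`, is strong evidence that the detection, not the file, is the problem. One caveat: on older PowerShell versions some catalog-signed Windows files report `NotSigned` from Get-AuthenticodeSignature even when intact, so treat the `sfc` result and the cross-machine hash comparison as the deciding checks there.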
Some victims of the false alarm took to Twitter to express their frustration:
https://twitter.com/Techhelplistcom/status/772530498262347777
Thanks for the lack of sleep Sophos
— Melissa Dyer (@DyerM268) September 4, 2016
To its credit, Sophos issued an update at 9am UTC on Sunday, fixing the false alarm.
But you have to wonder how – 30 years after the first anti-virus software was made available – we can still have security products mistaking common programs that ship with Windows for malware.
I know it’s important to get security updates for new malware threats out rapidly, but it’s equally important to balance a speedy response with proper quality control to ensure that huge goofs like this cannot occur.
This isn’t just a problem with Sophos, of course. Many other vendors have suffered from similar problems in the past, and will no doubt continue to do so in the future.
You can read more about the false alarm, and what Sophos has done about it, in this Sophos knowledgebase article.
It's very difficult to do daily updates, and also do a full test of each update before it's released. Actually, it's very difficult to do that monthly. I can't imagine how AV companies can do it for daily updates.
I remember when Virus Bulletin (a sister company to Sophos) did the same thing with Command.com.
But VB doesn't have a security product… do you mean that they erroneously included a clean command.com in their collection of files that anti-virus products should detect?
Or are you mixing up with F-Prot detecting command.com?
https://twitter.com/VessOnSecurity/status/772404324563574785
It's unacceptable 30 years on, as you say Graham, bottom line…
VB used to publish scan strings so people could write their own antivirus. And they got them from Fridrik. And Fridrik gave them the Command.com scan string, and they published it as a scan string that would find viruses.
It was only the lucky happenstance that pretty much no-one ever used the VB scan strings that stood between that and a major embarrassment.
Ah yes, I remember Virus Bulletin publishing those "scan strings" now.
I always found it hard to believe that anyone would ever bother typing them in, and even more astonishing quite how many years VB kept publishing them…. I guess it filled up pages of the mag, but was hardly the most edifying of reads.
Thanks for the explanation.
At work yesterday one of our PCs failed to boot. After many restarts we found the problem to be Sophos having a problem with the login script. That PC worked eventually, but another PC kept restarting after Windows login. Oops.
"In short, your anti-virus is giving you a tech support headache rather than a genuine malware infection."
Uh, people generally don't rely on their antivirus to give them a malware infection ;)
Whoops! Now fixed. Thanks!
One of the enterprise security products I use tracks each endpoint client by the machine name and OS build version. Unfortunately Microsoft lately has been changing the OS build version every month via updates. Needless to say this is causing issues as machines stop being protected as result. I think Microsoft has to take some of the blame, rather than only the security and AV companies.
Maybe Sophos should have checked with Tavis Ormandy first? Seems Sophos has been rather laced in other areas this year.
https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html?m=1
But, I'm only tweaking your nose Graham, knowing how much you love the little guy ( – ;