It’s 2016, and anti-virus products still goof up like this…

Sophos false alarms on Winlogon.exe, causing chaos for some users.

Graham Cluley


Are you running Sophos on your computers?

If so, you might see a warning message like this appear on your enterprise management software:

Virus/spyware ‘Troj/FarFli-CT’ has been detected in “C:\Windows\System32\winlogon.exe”. Cleanup unavailable.


Alternatively, if you’re an end user, you might not see anything at all. All you might see is a black screen on starting up your Windows PC.

This is clearly not good news. But what makes it worse is that Sophos is making a mistake – false alarming on the Windows 7 version of winlogon.exe, and messing with users’ machines.

In short, your anti-virus is giving you a tech support headache rather than saving you from a genuine malware infection.

Some victims of the false alarm took to Twitter to express their frustration:

https://twitter.com/Techhelplistcom/status/772530498262347777

To its credit, Sophos issued an update at 9am UTC on Sunday, fixing the false alarm.

But you have to wonder how – 30 years after the first anti-virus software was made available – we can still have security products mistaking common programs that ship with Windows for malware.

I know that it’s important to get security updates for new malware threats out rapidly, but it’s just as important to balance a speedy response with proper quality control to ensure that huge goofs like this cannot occur.

This isn’t just a problem with Sophos, of course. Many other vendors have suffered from similar problems in the past, and will no doubt continue to do so in the future.

You can read more about the false alarm, and what Sophos has done about it, in this Sophos knowledgebase article.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

10 comments on “It’s 2016, and anti-virus products still goof up like this…”

  1. drsolly

    It's very difficult to do daily updates, and also do a full test of each update before it's released. Actually, it's very difficult to do that monthly. I can't imagine how AV companies can do it for daily updates.

    I remember when Virus Bulletin (a sister company to Sophos) did the same thing with Command.com.

    1. Graham Cluley · in reply to drsolly

      But VB doesn't have a security product… do you mean that they erroneously included a clean command.com in their collection of files that anti-virus products should detect?

      Or are you mixing up with F-Prot detecting command.com?

      https://twitter.com/VessOnSecurity/status/772404324563574785

      1. RMc-Canada · in reply to Graham Cluley

        It's unacceptable 30 years on, as you say Graham, bottom line…

      2. drsolly · in reply to Graham Cluley

        VB used to publish scan strings so people could write their own antivirus. And they got them from Fridrik. And Fridrik gave them the Command.com scan string, and they published it as a scan string that would find viruses.

        It was only the lucky happenstance that pretty much no-one ever used the VB scan strings that stood between that and a major embarrassment.

        1. Graham Cluley · in reply to drsolly

          Ah yes, I remember Virus Bulletin publishing those "scan strings" now.

          I always found it hard to believe that anyone would ever bother typing them in, and even more astonishing quite how many years VB kept publishing them… I guess it filled up pages of the mag, but was hardly the most edifying of reads.

          Thanks for the explanation.

  2. Karl

    At work yesterday one of our PCs failed to boot. After many restarts we found the problem to be Sophos having a problem with the login script. That PC worked eventually, but another PC kept restarting after Windows login. Oops.

  3. John

    "In short, your anti-virus is giving you a tech support headache rather than a genuine malware infection."

    Uh, people generally don't rely on their antivirus to give them a malware infection ;)

    1. Graham Cluley · in reply to John

      Whoops! Now fixed. Thanks!

  4. nick ioannou

    One of the enterprise security products I use tracks each endpoint client by the machine name and OS build version. Unfortunately Microsoft lately has been changing the OS build version every month via updates. Needless to say this is causing issues as machines stop being protected as result. I think Microsoft has to take some of the blame, rather than only the security and AV companies.

  5. David L

    Maybe Sophos should have checked with Tavis Ormandy first? Seems Sophos has been rather laced in other areas this year.
    https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html?m=1

    But, I'm only tweaking your nose Graham, knowing how much you love the little guy ( – ;
