On Wednesday, Sophos antivirus products did something very wrong: they started detecting false positives. The company has since fixed the issue, but only on Thursday did it become clear what the fiasco was all about: the Sophos software was detecting its own binaries as malware.
Here’s what happened. Earlier in the day Sophos warned its customers in a blog post of the following problem:
Some Sophos customers have reported detections today of Shh/Updater-B. Sophos would like to reassure users that these are false positives and are not a malware outbreak, and apologises for any inconvenience.
The prompt looked something like this:
Sophos then offered its customers instructions on what to do based on their configuration of its security solution. If your automatic updating system was working, it looked like the issue would fix itself as the software grabbed the latest updates. False positives happen, so I wasn’t too surprised. If anything, it was great to see Sophos get on top of the issue so quickly.
Yet there were cases where updates weren’t being delivered, and the company of course offered workaround steps. That should have set alarm bells ringing, as the reason the updates weren’t working was that “files in the warehouse are failing to be decoded as they are being falsely detected as Shh/Updater-B.”
Yes, that’s right, the company’s product was categorizing parts of itself as a threat. The company also warned its corporate customers of something that I should have picked up on immediately: “Please double check your SAV policy under cleanup; You want to ensure your secondary option (when cleanup is not available or does not work) to be set to ‘deny access’ and not delete or move.”
I’ve heard of antimalware products detecting critical Windows components as malware and rendering computers unbootable, but this is arguably more mind-boggling. Not only was Sophos’ software detecting itself as malware, it was moving or deleting said components and effectively castrating itself.
This problem wasn’t officially confirmed until later in the day, in a Sophos Advisory last updated on Thursday: “An identity released by SophosLabs for use with our Live Protection system is causing False Positives against many binaries that have updating functionality.”
Again, the kicker is at the end:
In the case that the ‘Anti-Virus and HIPS’ policy has been set to delete files if they are unable to be cleaned up it will be necessary to re-protect these endpoints as certain Sophos binaries required for updating may have been removed.
Remember: no security company has a perfect track record, so don’t let this one issue scare you away completely. You’re allowed to laugh, however.
Image credit: stock.xchng