Slashdot: News for Nerds

Sophos Anti-Virus Update Identifies Sophos Code As Malware

timothy posted about 2 years ago | from the auto-immune-disease dept.


An anonymous reader writes "Yesterday afternoon anti-virus company Sophos Inc. released a normal anti-virus definition update that managed to detect parts of their own software as malicious code and disabled / deleted sections of their Endpoint security suite, including its ability to auto-update and thus repair itself. For many hours on the 19th, Sophos technical call centers were so busy customers were unable to even get through to wait on hold for assistance. Today thousands of enterprise customers remain crippled and unable to update their security software." Sophos points out that not everyone will be affected: "Please note this issue only affects Windows computers."


245 comments

99.999% (5, Insightful)

jsepeta (412566) | about 2 years ago | (#41401283)

how many of Sophos customers are not on the Windows platform? that makes me laugh.

Re:99.999% (-1, Troll)

jamstar7 (694492) | about 2 years ago | (#41401505)

Guess I'm one of those lucky few. I don't use Sophos OR Windows for my computing needs.

So far, there have only been a couple 'proof of concept' viri for Linux. Nobody's figured out a way to pry any money away from us yet. :D

Re:99.999% (3, Funny)

niiler (716140) | about 2 years ago | (#41401603)

At first I thought you meant "proof of concept" anti-virus for Linux. :-P

Re:99.999% (5, Informative)

Verunks (1000826) | about 2 years ago | (#41401895)

So far, there have only been a couple 'proof of concept' viri for Linux. Nobody's figured out a way to pry any money away from us yet. :D

but linux antivirus aren't used to protect linux, they are useful if you run a mail server or a proxy so you can clean mails and webpage before they infect a windows user, or to clean an infected windows installation, for example the kaspersky live cd is based on linux

Re:99.999% (4, Insightful)

thereitis (2355426) | about 2 years ago | (#41401721)

Speaking of percentages, I wonder what percentage of anti-virus updates go terribly wrong like this. 0.00001%? AV companies are constantly producing new signatures, many times per day. All it takes is one mistake and you have a loose cannon and a front page news article like this one. It's impressive that there aren't more occurrences.

Re:99.999% (4, Insightful)

Culture20 (968837) | about 2 years ago | (#41401959)

What's impressive is that this got out of Sophos' testing lab and into production. I guess they must not test signatures in house at all. Congratulations, Sophos customers, you've been promoted to alpha testers.

Re:99.999% (4)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#41402003)

The trouble, in this case, is that it detects its own signature update components as viruses...

Not only should this have been caught in testing (since it would have cropped up more or less the moment the new signatures were loaded onto a live system with Sophos installed); but they hit files about which Sophos presumably has intimate knowledge, this isn't some 'obscure packing/compression scheme used by legacy CAD program that seemed like a good idea in the 80's looks like a suspicious obfuscated payload' kind of thing.

I am not impressed, though thankfully it only took me a little over half a day to fix it here...

Re:99.999% (3, Funny)

DaveAtFraud (460127) | about 2 years ago | (#41401771)

I'm just glad I didn't have a mouthful of coffee when I read:

Sophos points out that not everyone will be affected: "Please note this issue only affects Windows computers."

or I would still be cleaning coffee off of monitors, laptop, papers, etc.

I have a couple of old Windows XP installations I can still get to when some idiot creates a web site that only works right in IE (e.g., I live in Colorado and the state has a site for doing your state income tax that doesn't work when accessed with Firefox). Ditto for software like most income tax programs. I don't otherwise use Windows. Even my work laptop is running Linux (Fedora 16).

Cheers,
Dave

Re:99.999% (1, Troll)

Rasputin (5106) | about 2 years ago | (#41401917)

It's not uncommon. Companies run Sophos on Solaris or Linux servers to scan uploaded files before they're passed to the poor stupid Windows systems.

Re:99.999% (1)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#41402043)

They also have a mac client, if I recall. If you need A/V for the Windows boxes anyway, plus something on the mail server to snip some of the crap out on the way in, it becomes a fairly easy sell for the vendor to shove a few mac or linux licenses out the door if some of their customers have a paranoic 'zOMG all computers must have antivirus to protect our megahertz!!!" policy. If you have to implement that, it's easier to at least implement it all in one place, with one console, and maybe a volume discount...

Re:99.999% (1)

Dynamoo (527749) | about 2 years ago | (#41402133)

And an Android client.

Don't they test these things before deploying??? (1)

Anonymous Coward | about 2 years ago | (#41401299)

In other news, I have a Windows XP keygen that is absolutely not malware, which gets flagged as malware by every virus scanner I've tried except ClamAV. That makes me LOL.

Re:Don't they test these things before deploying?? (1)

Anonymous Coward | about 2 years ago | (#41401345)

False positive. Microsoft pays off anti-virus developers so they could flag keygens, cracks, etc. as viruses.

Re:Don't they test these things before deploying?? (1)

flimflammer (956759) | about 2 years ago | (#41402277)

Why in God's name do you attribute this only to Microsoft? It's standard practice because the source of these isn't trustworthy and they're moderately easy to detect. I doubt Microsoft gives two shits if you download a keygen for a video game, yet they will pretty much all be detected by such AV software, generally even free software not theoretically bound by corporate purse strings.

Re:Don't they test these things before deploying?? (1)

MickyTheIdiot (1032226) | about 2 years ago | (#41401347)

Malware from whose perspective? Adobe absolutely thinks keygens are malware.

Re:Don't they test these things before deploying?? (1)

amicusNYCL (1538833) | about 2 years ago | (#41401381)

It makes me LOL that people still have keygens for Windows XP.

Re:Don't they test these things before deploying?? (2)

jamstar7 (694492) | about 2 years ago | (#41401461)

Considering all the people I know that still want to stay with XP no matter what, it doesn't surprise me at all.

Re:Don't they test these things before deploying?? (1)

denisbergeron (197036) | about 2 years ago | (#41401619)

I'm at work actually, and use XP, you insensitive crow!

Re:Don't they test these things before deploying?? (1)

amicusNYCL (1538833) | about 2 years ago | (#41401767)

Considering all the people I know that still want to stay with XP no matter what, it doesn't surprise me at all.

I was like that until I realized that Windows 7 is a very good OS. And, as a gamer, I also prefer DirectX 10 over 9.

Re:Don't they test these things before deploying?? (1)

Githaron (2462596) | about 2 years ago | (#41401813)

What will those people do when Microsoft ends support in less than 2 years? [microsoft.com]

Re:Don't they test these things before deploying?? (1)

Culture20 (968837) | about 2 years ago | (#41402057)

What will those people [Windows XP lovers] do when Microsoft ends support in less than 2 years?

Be smugly satisfied that they eked every ounce of use from their software while simultaneously feeling dirty for having to buy Windows 9.

Re:Don't they test these things before deploying?? (1)

ThatsMyNick (2004126) | about 2 years ago | (#41402303)

Be happy that they don't have to endure Patch Tuesday any longer.

Re:Don't they test these things before deploying?? (1)

trevc (1471197) | about 2 years ago | (#41402173)

It makes me LOL that people still have keygens for Windows XP.

It makes me LOL that people use LOL on Slashdot.

Re:Don't they test these things before deploying?? (1)

Anonymous Coward | about 2 years ago | (#41401745)

And that goes to show precisely why you should always use free AV instead of commercial AV.

Re:Don't they test these things before deploying?? (0)

tlhIngan (30335) | about 2 years ago | (#41402097)

In other news, I have a Windows XP keygen that is absolutely not malware, which gets flagged as malware by every virus scanner I've tried except ClamAV. That makes me LOL.

Most keygens don't contain malware, but they contain wrappers that are downloaders for malware. Perhaps your virus scanners are picking up the fact that they're wrapped?

I've seen plenty of wrapped keygens that work completely normally - the wrapper starts first and silently downloads the malware in the background while the original keygen works normally. (They detect the downloader). The download is necessary in order to download the latest stuff that won't be detected.

And modern malware these days don't require admin privileges - they'll take it if they can get it, but if it'll trigger a UAC or admin dialog, they'll disable that part of the functionality. Turns out that for being part of a botnet, you don't need admin (opening ports and incoming/outgoing connections are user available, as are writing files and starting up from the user's profile).

Have the malware be split into a ping and pong runtimes that monitor each other and they'd be very difficult to kill.

For keygens, I run them in an isolated VM instance and roll back the disk files after I'm done using them. You can never be too sure.

Re:Don't they test these things before deploying?? (0)

Anonymous Coward | about 2 years ago | (#41402169)

Keygens are fraudware though. If you're licensed to use a product, then you need a key. On a Windows PC it is printed on the PC. If you use volume licensing then you have your own key you can use.

Most corporations don't want to have software about that is basically used to break the law. Detecting keygens as malware is an excellent idea.

Re:Don't they test these things before deploying?? (0)

Anonymous Coward | about 2 years ago | (#41402291)

Thanks Captain Obvious!

Can We Say Test our Code, anyone??? (4, Insightful)

realsilly (186931) | about 2 years ago | (#41401307)

This is a classic case of not thoroughly testing code and making sure you have enough variations of test machines to ensure as little pain to clients as possible.

If I were a customer, I would be shopping for a better company.

Re:Can We Say Test our Code, anyone??? (3, Insightful)

MrEricSir (398214) | about 2 years ago | (#41401519)

If I were a customer, I would be shopping for a better company.

Is there a better company, though? Seems like all the major antivirus vendors have had embarrassing false positives like this in the past.

Re:Can We Say Test our Code, anyone??? (1)

LWATCDR (28044) | about 2 years ago | (#41401645)

Hello QA department, you're fired.

Re:Can We Say Test our Code, anyone??? (1)

rbrausse (1319883) | about 2 years ago | (#41402117)

Hello QA department, you're fired.

nah, more like: Hello $computerguy, you're hired. We need a QA dept.

Re:Can We Say Test our Code, anyone??? (3, Informative)

girlintraining (1395911) | about 2 years ago | (#41401731)

This is a classic case of not thoroughly testing code and making sure you have enough variations of test machines to ensure as little pain to clients as possible.

Antivirus engines and definitions change daily, weekly at the most. Where do you suppose this "thorough testing" of code is supposed to happen? It costs time and money, and while you're busy doing that testing, the support lines are being flooded with "We've been infected by something your software doesn't protect against! What are we paying you for, anyway?" As a bonus, your competitors, who didn't decide to setup a massive lab with dozens of employees in it, testing all the typical configurations of a half dozen operating systems and the couple hundred most popular software packages of each... they already released a patch.

Now, a software patch that causes the application to stomp on its own dick is amusing (and difficult to forgive), but demanding a massive expenditure of time and money is almost as unforgivable. It's easy to demand best practices and ample safety margins: It's quite another thing to deliver it in a business environment. Most people in the industry, including the people at Sophos I'm sure, do the best they can with what they're given. It's pretty much the work creed of anyone in this industry -- few have the time and resources to do it right, they have to settle for 'good enough'.

And sometimes, good enough breaks.

Re:Can We Say Test our Code, anyone??? (2)

Culture20 (968837) | about 2 years ago | (#41402203)

A simple group of ~20 VMs could handle this egregious type of error. Who cares if AV X marks some specialty software with a false positive? It should at least not detect itself! Load the new sigs to the test VMs, and if they don't commit suicide after a full scan, upload the sigs to the prod download servers. At most, this costs a company ~$5,000/year for equipment and ~$40,000/year for labor. That's pocket change compared to how much the company can lose over a screw up like this.
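The pre-publish gate this comment describes ("load the new sigs to the test VMs, and if they don't commit suicide after a full scan, upload the sigs"), written out as an added Python example. It is not Sophos code or their release process: the signature format (literal byte patterns), the install tree, the malware samples and the signature names are all constructed in memory so it runs offline. It also goes one step beyond the comment by flagging "dead" signatures that match none of the samples they were written for, which is the other cheap check the same VM farm would give you.

```python
"""Pre-release self-detection gate for AV definition updates (added example).

Before a new definition set goes to the production download servers, scan
the product's own install tree with it and refuse the release if any of
the product's own files match. A second check reports signatures that hit
none of the malware samples they were written for. Everything below
(signatures, install tree, samples) is a constructed stand-in.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # literal byte sequence this signature looks for


@dataclass
class GateResult:
    approved: bool
    self_hits: dict = field(default_factory=dict)   # own file path -> signature names
    dead_signatures: list = field(default_factory=list)


def scan_file(data: bytes, sigs) -> list:
    """Names of all signatures whose pattern occurs anywhere in `data`."""
    return [s.name for s in sigs if s.pattern in data]


def scan_tree(tree: dict, sigs) -> dict:
    """Scan a path -> bytes mapping; return only the files that produced hits."""
    hits = {}
    for path, data in tree.items():
        names = scan_file(data, sigs)
        if names:
            hits[path] = names
    return hits


def gate_release(new_sigs, own_install_tree, malware_samples) -> GateResult:
    """Approve only if no signature fires on the product's own files.

    Dead signatures are reported but do not block: a signature that never
    fires is useless, not dangerous.
    """
    self_hits = scan_tree(own_install_tree, new_sigs)
    covered = set()
    for data in malware_samples.values():
        covered.update(scan_file(data, new_sigs))
    dead = sorted(s.name for s in new_sigs if s.name not in covered)
    return GateResult(approved=not self_hits, self_hits=self_hits, dead_signatures=dead)


# --- constructed fixtures (not real product files or real signatures) ------
# The fake updater imports the usual Win32 loader routines, so a signature
# written against those import names alone is far too generic.
OWN_INSTALL_TREE = {
    "product/updater.exe": (b"MZ\x90\x00" + b"\x00" * 16
                            + b"LoadLibraryA\x00GetProcAddress\x00"
                            + b"UPDATE_CHANNEL=stable"),
    "product/engine.dll": b"MZ\x90\x00" + b"SCAN_ENGINE_V3" + b"\x00" * 32,
    "product/definitions/current.ide": b"IDE1" + b"\x00" * 8,
}

MALWARE_SAMPLES = {
    "dropper.bin": (b"MZ\x90\x00" + b"LoadLibraryA\x00GetProcAddress\x00"
                    + b"EVIL_DROPPER_MARKER"),
}

GOOD_SIG = Signature("Troj/Dropper-Example", b"EVIL_DROPPER_MARKER")
# Overly broad: matches any binary that resolves imports dynamically,
# including the product's own updater. This is the kind of sig the gate must stop.
BAD_SIG = Signature("Troj/Generic-Loader", b"LoadLibraryA\x00GetProcAddress\x00")
# Matches nothing in the sample corpus: harmless to ship, but worth a warning.
DEAD_SIG = Signature("Troj/Never-Fires", b"NO_SAMPLE_HAS_THIS")


def run_gate(sigs) -> GateResult:
    """Run the gate against the constructed install tree and sample corpus."""
    return gate_release(sigs, OWN_INSTALL_TREE, MALWARE_SAMPLES)


if __name__ == "__main__":
    for label, sigs in (("good set", [GOOD_SIG]),
                        ("bad set", [GOOD_SIG, BAD_SIG, DEAD_SIG])):
        r = run_gate(sigs)
        verdict = "PUBLISH" if r.approved else "BLOCK"
        print(f"{label}: {verdict} self_hits={r.self_hits} dead={r.dead_signatures}")
```

In a real pipeline the "install tree" is the freshly installed product on each test VM and the scan is the vendor's own engine, not substring matching; the point the example keeps is the control flow: the update is never promoted to the production download servers until the scan of the product's own files comes back clean.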

Re:Can We Say Test our Code, anyone??? (1)

DigiShaman (671371) | about 2 years ago | (#41401823)

In no particular order. Vipre, Trend Micro WFB, and Symantec Endpoint are all good products. Everything else is a crapshoot. And stay the hell away from McAfee. That shit will eat your servers alive! (no really, blocks registry write backs from most legit software including Windows Updates)

Re:Can We Say Test our Code, anyone??? (1)

Anonymous Coward | about 2 years ago | (#41402029)

Yes but all of those have had just as bad gaffes. Vipre flagging false positives on Samsung laptops last year, Trend Micro and Symantec having issued multiple updates that have wrecked and crippled systems. Sure, they're better than McAfee but that's like trying to claim you don't stink since that dog turd next to you smells worse than you.

If this was someone else's product.. (0)

Anonymous Coward | about 2 years ago | (#41402221)

If this wasn't their own product, my experience with AV companies suggests that you'd be SOL trying to get them to remove the flag. Once an AV product falsely flags your software, you will quickly find that most AV companies' dispute process is horrendous, and you generally do better to simply let your affected users complain to them about it. Worse, they often share definitions so unless a false positive is contained quickly it can spread among vendors. It turns out for legal reasons virtually no AV company will advise you why your product is being flagged or suggest how to remedy the situation, and some AV vendors can categorize perfectly legitimate software as "potentially unwanted" on a whim, showing notices to end users that look almost indistinguishable from their virus notifications.

AV as an industry is so terribly unregulated that after years of dealing with their false-positive BS, even though Sophos has a better reputation than many, I can only feel like they got what they deserved when things like this happen.

How interesting... (1)

joaommp (685612) | about 2 years ago | (#41401331)

... the chicken ate the egg, after all...

Re:How interesting... (1)

mapfortu (2567463) | about 2 years ago | (#41401389)

I love these occurrences. Similar events are known as fortune cookies resulting from mathematical buffer overruns when the great sphinx is patterned into the great wall of china. Sometimes the fortune cookies work out for enormous profit, sometimes they result in bombing runs on tech support centers.

fedex will be happy... (0)

Anonymous Coward | about 2 years ago | (#41401335)

The most CDs since AOL ended its carpet bombing campaign will make them a shit ton of money.

HA HA

All 4 Macs Running Sophos are safe! (0)

TheReverandND (926450) | about 2 years ago | (#41401383)

That's a relief.

QA? (1)

mschaffer (97223) | about 2 years ago | (#41401391)

So, how much testing do they perform on their own product. I suppose they do not even know how their own "dogfood" tastes.

Re:QA? (2)

MickyTheIdiot (1032226) | about 2 years ago | (#41401413)

they're running Avast free version like everyone else.

Which just goes to show... (1)

roc97007 (608802) | about 2 years ago | (#41401411)

"test by eyeballing the code" has its drawbacks.

In a perfect world, the QA manager would be updating his resume.

Re:Which just goes to show... (5, Funny)

localman57 (1340533) | about 2 years ago | (#41401559)

"test by eyeballing the code" has its drawbacks.

Exactly. Sometimes code that looks useless is really pretty important. The article follow up said they removed this test from an iteration loop, since there weren't comments about what it did. Apparently the original programmers thought it obvious...

if ( asimov_3rd_violation())
{
continue;
}
else
{
remove_file(filename);
}

Re:Which just goes to show... (0)

Anonymous Coward | about 2 years ago | (#41401739)

"test by eyeballing the code" has its drawbacks.

Exactly. Sometimes code that looks useless is really pretty important. The article follow up said they removed this test from an iteration loop, since there weren't comments about what it did. Apparently the original programmers thought it obvious...

if ( asimov_3rd_violation())
{
continue;
}
else
{
remove_file(filename);
}

To be fair to the original programmers, that is fairly obvious, though perhaps only in hindsight.

Re:Which just goes to show... (2)

roc97007 (608802) | about 2 years ago | (#41401915)

This should be obvious to any geek! What is Asimov's 3rd law? All together now: "A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws."

I've never seen the code in question, and it's obvious to me that this means "don't delete myself".

Re:Which just goes to show... (3, Insightful)

localman57 (1340533) | about 2 years ago | (#41401961)

Just so this whole thing doesn't spin out of control, the code is total bullshit I made up myself. Seemed better than just posting a comment about the 3rd law.

Re:Which just goes to show... (1)

roc97007 (608802) | about 2 years ago | (#41401931)

Oh, that's brilliant. The thing is, any geek would get the significance immediately. What kind of dunderhead would delete it?

Could be worse (1)

SJester (1676058) | about 2 years ago | (#41401417)

I once had Malwarebytes identify ATAPI.SYS as malware and remove it. That update also lasted a few hours but left lots of angry customers with expensive bricks to repair.

Only Windows? (1)

guppysap13 (1225926) | about 2 years ago | (#41401429)

Strangely enough, two days ago the Sophos install I have on Mac OS also started flagging itself as a threat and disabling itself...

Blasted it off as quickly as I could. No harm done that I can find.

That's why I don't install AV software on my PC (0, Troll)

TheLink (130905) | about 2 years ago | (#41401433)

That's why I don't install AV software on my PC. I'm less likely to screw up than AV vendors are. Seriously. My own PCs have NEVER been infected by a virus. And yes I know how to check, and I know how to upload suspicious stuff to VirusTotal, and I know how to run browsers with different user accounts from my main account. Whereas the AV vendors make this sort of screw up every few years. So it's no point for me to slow down my computer with AV software. The sort of malware that would infect me would probably not be detected by their stuff anyway.

BUT I do install AV software on other people's PCs. Since they do screw up more often. Despite that my sister somehow still managed to get her PC infected, and the AV software (Avira) just wouldn't detect or clean it...

I don't put AV software on production servers either unless PHBs etc require it. In my experience if you do things right, AV software is more likely to cause you problems than a virus.

Re:That's why I don't install AV software on my PC (5, Funny)

asmkm22 (1902712) | about 2 years ago | (#41401551)

That's like saying you don't use condoms because you know how to pull out.

Re:That's why I don't install AV software on my PC (3, Insightful)

Anonymous Coward | about 2 years ago | (#41401685)

No, it's like saying you don't use condoms because you only go to bed with people you know well enough to trust them when they say they're on the pill.

Re:That's why I don't install AV software on my PC (2)

jones_supa (887896) | about 2 years ago | (#41401723)

I would say it's like having sex without a condom with a long-term partner who you trust not to carry diseases.

Re:That's why I don't install AV software on my PC (0)

Anonymous Coward | about 2 years ago | (#41402053)

I would say it's like having sex without a condom with a long-term partner who you trust not to carry diseases.

Is that because you think she doesn't have any other holes that are vulnerable ??????

Re:That's why I don't install AV software on my PC (0)

Anonymous Coward | about 2 years ago | (#41402195)

Sorry, my bad

Is that because you think She\He doesn't have any other holes that are vulnerable ??????

Re:That's why I don't install AV software on my PC (1)

dmmiller2k (414630) | about 2 years ago | (#41401785)

That's like saying you don't use condoms because you know how^H^H^Hwhen to pull out.

There, fixed that for you

Re:That's why I don't install AV software on my PC (1)

TheLink (130905) | about 2 years ago | (#41402141)

This is slashdot. A better analogy would be saying I don't use condoms because I only have sex with myself. And if I ever do have sex with someone else, I'd use a condom, or do it virtually ;).

Re:That's why I don't install AV software on my PC (5, Funny)

localman57 (1340533) | about 2 years ago | (#41401651)

My cousin used to say the same sort of thing about his know-it-all supervisor at work that was always riding him to wear safety glasses. After he got back from disability, the guy got him a couple of tickets to Avatar in 3d, just to be an asshole.

Re:That's why I don't install AV software on my PC (1)

Ben4jammin (1233084) | about 2 years ago | (#41401707)

And you also know that you would need to monitor both incoming and outgoing network traffic (at the router, not the client) to make sure nothing is calling home to a command server? Because you know that there is yucky stuff out there that is NOT obvious in any way other than network traffic monitoring?

Re:That's why I don't install AV software on my PC (1)

MachineShedFred (621896) | about 2 years ago | (#41401747)

I don't put AV software on production servers either unless PHBs etc require it. In my experience if you do things right, AV software is more likely to cause you problems than a virus.

And you are the reason why my company gets discounted rates on payment card processing. We actually *pass* the PCI audit every year.

Re:That's why I don't install AV software on my PC (1)

JustOK (667959) | about 2 years ago | (#41401841)

No infections that you KNOW of.

Re:That's why I don't install AV software on my PC (2)

TheLink (130905) | about 2 years ago | (#41402211)

AV users have a very similar situation too. They have no infections that they or their AV software know of.

You might assume the AV vendor is really good at spotting malware, but their job is like solving the halting problem, only without knowledge of the full inputs and program.

I on the other hand prefer to "solve" the halting problem by ensuring the program actually halts no matter what happens- aka Sandboxing.

Re:That's why I don't install AV software on my PC (1)

trevc (1471197) | about 2 years ago | (#41402295)

Fool.

FINALLY (1)

chill (34294) | about 2 years ago | (#41401435)

An honest scan report from a major anti-virus vendor. Was it flagged as spyware/advertising trojan?

Tautologies are fun (4, Funny)

dkleinsc (563838) | about 2 years ago | (#41401439)

Obviously, once this change had gone in, Sophos was correct to identify itself as malicious.

software leukemia! (2)

scharkalvin (72228) | about 2 years ago | (#41401463)

Let's see this isn't a virus, it's kinda like software leukemia or a software autoimmune disease.

Re:software leukemia! (2, Funny)

idontgno (624372) | about 2 years ago | (#41401507)

It's not software lupus. It's never software lupus.

Re:software leukemia! (1)

gstoddart (321705) | about 2 years ago | (#41401849)

It's not software lupus. It's never software lupus.

+1 House reference

Quarantine the doctor. (1)

TheSwift (2714953) | about 2 years ago | (#41401989)

You might as well lock yourself in a jail cell and throw away the keys.

Re:software leukemia! (0)

Anonymous Coward | about 2 years ago | (#41402129)

The way it spread through our systems it was more like anaphylactic shock.

In other news... (3, Funny)

MachineShedFred (621896) | about 2 years ago | (#41401477)

The detection rate for Sophos's malware engine inched closer to 100%.

False positives HAPPEN LIKE MAD (-1)

Anonymous Coward | about 2 years ago | (#41401485)

If you don't believe me? Write Nir Sofer of NIRSOFT -> http://www.nirsoft.net/contact-new.html [nirsoft.net]

He'll tell you what he & I discussed at GREAT LENGTH a few years ago via email on that very thing... as he & I have BOTH had apps falsely accused of being malwares, & none of the apps were!

I had to prove that to this list of antivirus makers:

---

1.) Computer Associates (passed ALL 21 of their removal questions for their IKARUS db (iirc, that's theirs & many others use it, and IT IS LOADED WITH FALSE POSITIVES) to which they lowered it to ZERO threat levels (which upset me since it wasn't even scriptable for attack OR a threat, should have been OUTRIGHT REMOVED)

For another app recently:

2.) McAfee (released & removed another app of mine)
3.) Comodo (released & removed another app of mine)
4.) Symantec/Norton (released & removed another app of mine)
5.) ClamAV
6.) Arcabit/ArcaVir (released & removed another app of mine)

& others... the worst part is, the app noted in 2-6 is ANYTHING BUT a malware & intended to STOP malware!

(Can you stand it?)

---

* Now, that "all said & aside"? I don't "hate them" for it, since I know "shit happens", just like it did to Sophos against their OWN CODE on this one, but... it is annoying, and I suspect done intentionally @ times even (Mr. Sofer noted above & I discussed THAT POSSIBILITY as well).

APK

P.S.=> Also, you *might* want to inquire with Dr. Mark Russinovich of Microsoft (former "co-worker" of mine for Sunbelt Software in the mid to late 90's selling wares we did thru them) - he's had it happen too, for his apps being misused/abused by malware makers & pretty much EVERYONE KNOWS he's most DEFINITELY "not about making malwares"...

... apk

Best you've got = UNJUSTIFIABLE downmods? (-1)

Anonymous Coward | about 2 years ago | (#41401751)

That's directed to the pussy who downmodded me here -> http://tech.slashdot.org/comments.pl?sid=3132237&cid=41401485 [slashdot.org]

SO, is that the "best you've got" vs. FACTS, troll? Especially FACTS YOU CAN VERIFY with the people (notables in this industry no less) I mentioned...

* ANSWER THAT QUESTION...

APK

P.S.=> If you have the BALLS to even answer weasel, I am going to IMMENSELY ENJOY tearing you apart, but... I also severely DOUBT you'll answer ( too much bisphenol-A is making the downmodder of my post into a WOMAN, instead of a MAN it seems... lol!)

I state that, since a man could and WOULD backup his words - not pull "bitch tactics" of doing unjustified downmods ( & running)... apk

Re:Best you've got = UNJUSTIFIABLE downmods? (0)

DaWhilly (2555136) | about 2 years ago | (#41402109)

I've a sudden desire to downmod your response... if only I had access.... which, now, I never will since I would abuse my power for evil purposes..

To the NEW OWNERS of /. (dice.com, iirc)... apk (-1)

Anonymous Coward | about 2 years ago | (#41402209)

That's pure off-topic trolling bullshit. Just as expected. You fail, troll.

APK

P.S.=> The 1 problem with /.'s "so-called 'moderation system'" is this ( NOTE TO SLASHDOT's NEW OWNERS in DICE.COM ):

It is IMPOSSIBLE to confront a bogus downmodding detractor so they abuse the "so-called 'moderation system'" here in applying UNJUSTIFIABLE DOWNMODERATIONS!

CHANGE IT, dice!!!

Just so folks like myself that have IDIOTS like "DaWhilly" & his brand-new 7 digit "registered 'luser'" account, no doubt just an alternate ONE OF MANY HE HAS, for trolling purposes only!).

Now, I truly DO understand, that all the bisphenol-A in drink containers have loaded these trolling "not men" to the point of turning into WOMEN rather than MEN by faking estrogen in their systems, lol...

So, to that?

Well - We can't DO anything about THAT, but... YOU FOLKS CAN on the "moderation" system here, per my suggestions!

... apk

Own Goal (1)

Nom du Keyboard (633989) | about 2 years ago | (#41401493)

A definite Own Goal. This gaffe is one that will be repeated for years to come, if not decades.

It was a fun ride. (0)

Anonymous Coward | about 2 years ago | (#41401503)

Been with Sophos for 3 years and this is the first issue we've had. Prior with Symantec we were constantly having it mess with critical systems, delete itself, etc.
To Sophos' credit it was only 3 hours before they'd posted fixes on their google plus. Strangely not yet integrated with the formal KB.

What worked was a variant on:
1. Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus\ [C:\Program Files (x86)\Sophos\Sophos Anti-Virus\]
2. Restart the 'Sophos Anti-Virus Service'
3. Update SUM via the Sophos Enterprise Console

Had this issue yesterday (1)

asmkm22 (1902712) | about 2 years ago | (#41401531)

It was more funny than anything, explaining to my clients what happened. To their credit, Sophos released a patch within, I think, about 30 minutes. All in all, it wasn't that big of a deal to fix the 80 or so computers I manage since you just disable autoupdate and remove all of the false positives out of quarantine. Worst case scenario is you remotely uninstall a bunch of clients and redeploy through the Control Center.

Re:Had this issue yesterday (0)

Anonymous Coward | about 2 years ago | (#41401925)

I wish I only had 80. I'm looking at 4583 installs according to the console.

And since the auto-updater is broken they will need to be handled 'by hand'

Re:Had this issue yesterday (1)

lymang (207777) | about 2 years ago | (#41402161)

Oh man. See, this is what I was referring to in my post below. I don't envy you. That was the scale of users I dealt with in my last job - about 5K give or take, and it gave me the night terrors imagining this scenario. Especially since most of them were remote. Even if you have another system in place, like some ESD delivery system (whether it's microsoft, or whatever) you still have a lot of work cut out for you prepping a patch to send out to that many users and then trying to get compliance from them.

McAfee (1)

onyxruby (118189) | about 2 years ago | (#41401583)

As memory serves McAfee did this about 8-10 years ago with an update. It's a sign of poor release management and a failure to follow best practices. If they fail to follow best practices for something like this that is high visibility and customer facing, imagine what they look like inside the company.

Time to start bringing your business elsewhere.

There needs to be an award for this (4, Interesting)

phrackwulf (589741) | about 2 years ago | (#41401607)

Every year, we need to go down the list of software makers who have managed to totally Bork their users. The Meltdown awards. Just to distinguish between the companies that handle it well and the companies that are incompetent.

Re:There needs to be an award for this (2)

SandyBrownBPK (1031640) | about 2 years ago | (#41402253)

YESSIR! the Slashdot Meltdown/Brick award! Let's do it!

it happens (0)

Anonymous Coward | about 2 years ago | (#41401615)

Same thing happened to McAfee and Symantec in years past... it happens I guess :p

Operationsystemic lupus sophosus (1)

K. S. Kyosuke (729550) | about 2 years ago | (#41401627)

These autoimmune diseases ain't a whole lot of fun. I'd prescribe some computosteroids and avoiding sunlight. Just stay in the basement.

Nobody expects the Spanish Inquisition (1)

Mister Whirly (964219) | about 2 years ago | (#41401683)

"It's a trap!"

Perfect attack vector for a real infection - as part of the AV suite. Talk about stealthy.

Let me get this straight... (1)

rstanley (758673) | about 2 years ago | (#41401733)

The problem ONLY affects the VERY O/S that it needs to protect the most??? ;^) How many MILLIONS of different malware instances are out there in the wild??? I'll stick to Linux! ;^)

Measure twice, cut once!

AND

Test, Test, then TEST!!!

Malware makers take note! (4, Interesting)

erroneus (253617) | about 2 years ago | (#41401799)

Wanna cause problems? Add code from the various AV vendors...

Re:Malware makers take note! (0)

Anonymous Coward | about 2 years ago | (#41401863)

Shut up stooge.

Re:Malware makers take note! (1)

macbeth66 (204889) | about 2 years ago | (#41402175)

Stooge? How so? He should be commended for pointing out yet another possible threat.

They're not the first AV vendor to do this. (1)

nuckfuts (690967) | about 2 years ago | (#41401923)

Avira had a similar problem [theregister.co.uk] last year.

Here's more than AVIRA... apk (0, Interesting)

Anonymous Coward | about 2 years ago | (#41402041)

McAfee:

http://tech.slashdot.org/article.pl?sid=10/04/21/1735211 [slashdot.org]

Symantec/Norton:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019958 [computerworld.com]

ODDLY ENOUGH?

SOPHOS (vs. Google Analytics)

http://www.google.com/search?hl=en&source=hp&q=%22Sophos%22+and+%22Google+Analytics%22&btnG=Google+Search&gbv=1 [google.com]

APK

P.S.=> And I can & DID point out a LOT MORE, & it's happened to myself in wares I wrote, and those of VERY NOTABLE FOLKS in this industry (Nir Sofer of Nirsoft, as well as Dr. Mark Russinovich of Microsoft -> http://tech.slashdot.org/comments.pl?sid=3132237&cid=41401485 [slashdot.org] which some dork downmodded & ran... )

... apk

Identifies itself as malware? (0)

Anonymous Coward | about 2 years ago | (#41402015)

Well to be fair it is a bit of dodgy code.

So it failed twice... (1)

macbeth66 (204889) | about 2 years ago | (#41402035)

First for calling itself out. And then again for NOT calling Windows out.

So it goes...

Don't hate me for laughing (1)

lymang (207777) | about 2 years ago | (#41402111)

Am I a bad person for laughing at this? Probably.

On a more serious note: this is the worst nightmare for anyone who has to manage a mobile/remote workforce (or in this case, a large remote customer-base). The idea that some code could break the ability for a system that depends on communication to communicate is why there is such a thing as a development environment in many corporations where MS updates, AV updates, etc. are tested NOT on the production network. Of course, many corporations have had to cut back, and due to budgetary restrictions many companies have effectively outsourced their testing to the vendors releasing the updates, depending on the vendor to test and not release some ridiculous update that (for instance) pushes out a firewall rule that stops the system from communicating, or as in this case, an update that nukes the AV software itself, and the ability for the AV software to repair itself by auto-updating. I do NOT envy any IT managers who are at a corporation using Sophos who let their users auto-update and don't do as I previously mentioned (i.e. test the updates/definitions). Ouch.

And now back to laughing.

How to Fix (1)

Anonymous Coward | about 2 years ago | (#41402181)

As one of the techs trying to correct this, here's what I got to work:
1. Open the endpoint controls
2. Disable the on-access scanning
3. Clear the false detections
4. Manually launch ALMon.exe
5. Update and then re-enable the on-access scanning
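The two manual recovery procedures posted in this thread (delete the bad agen-xuv.ide, restart the 'Sophos Anti-Virus Service', then update via the console; or disable on-access scanning, clear the false detections and relaunch ALMon.exe) are painful to walk through by hand on thousands of endpoints whose auto-updater is dead. The script below is an added example, not Sophos' own fix or KB procedure: it automates the first procedure (file removal and service restart) over WinRM so the console-driven update in step 3 has a working agent to talk to. The IDE file name, service name and install paths are taken from the posts above; the computer names are constructed placeholders, and the assumption that the posted service name is the service's display name is mine.

```powershell
# Added example (not Sophos' or the KB's own script): automate the manual
# recovery steps posted in this thread for a list of Windows endpoints.
# Requires local admin on the targets and PowerShell remoting (WinRM).

$IdeFile = 'agen-xuv.ide'                   # bad definition file named in the thread
$ServiceDisplayName = 'Sophos Anti-Virus Service'   # assumed to be the display name
$InstallDirs = @(                           # both paths given in the thread
    'C:\Program Files\Sophos\Sophos Anti-Virus',
    'C:\Program Files (x86)\Sophos\Sophos Anti-Virus'
)

function Repair-SophosEndpoint {
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $IdeFile, $ServiceDisplayName, $InstallDirs -ScriptBlock {
        param($IdeFile, $ServiceDisplayName, $InstallDirs)

        $removed = @()
        foreach ($dir in $InstallDirs) {
            $candidate = Join-Path -Path $dir -ChildPath $IdeFile
            # Only the install dir that exists on this architecture will match.
            if (Test-Path -LiteralPath $candidate) {
                Remove-Item -LiteralPath $candidate -Force
                $removed += $candidate
            }
        }

        # Step 2 from the thread: restart the AV service so it reloads
        # definitions without the deleted IDE. Only needed if we removed it.
        if ($removed.Count -gt 0) {
            Restart-Service -DisplayName $ServiceDisplayName -Force -ErrorAction Stop
        }

        $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            IdeRemoved    = ($removed -join ';')
            ServiceStatus = if ($svc) { $svc.Status } else { 'NotFound' }
        }
    }
}

# Constructed placeholder list; in practice export the affected machines
# from the Sophos Enterprise Console report and feed them in here.
$Computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')

$results = foreach ($c in $Computers) {
    try   { Repair-SophosEndpoint -ComputerName $c }
    catch { [pscustomobject]@{ Computer = $c; IdeRemoved = ''; ServiceStatus = "ERROR: $($_.Exception.Message)" } }
}
$results | Format-Table -AutoSize
```

Step 3 (updating SUM from the Enterprise Console) is deliberately left to the console, since that is the one part of the chain the bad update did not break; the table the script prints tells you which hosts are ready for it and which still need a hands-on visit. The second procedure in the thread (disable on-access scanning, clear detections, launch ALMon.exe) is a GUI walk-through and is not automated here.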

Windows AV programs are malware (3, Interesting)

dskoll (99328) | about 2 years ago | (#41402193)

Just think about it. The average Windows AV program runs with sufficient privilege to wreck your system by altering or removing arbitrary files. And it gets fed multiple updates per day created by teams of workers working in a hugely stressful situation: When a new virus appears, you've got to get those signatures out NOW.

I'm amazed people don't see the risks in this.

NOW read the post above (0)

Anonymous Coward | about 2 years ago | (#41402249)

It's NOW official, today is the day of stupid, POST your stupid.....

Got bit (0)

Anonymous Coward | about 2 years ago | (#41402255)

Got bit by this yesterday on the XP laptop provided by the PHB. It quarantined a couple of things I don't use or care about. Still, not at all cool of Sophos.