Thursday, 20 September 2012

False Report of a Virus with Sophos AntiVirus

Last night (Wednesday, GMT) Sophos AntiVirus released a pattern file that causes the program to report its own files as a virus, and also to flag other self-updating anti-spyware programs (in my case, Ad-Aware). If you use Sophos and see notices about a virus called “Shh/Updater-B”, please do not take any action against the flagged files. It is not a real virus.

Going by forum reports on the Internet last night, it looks like this has affected tens of thousands of computers. After a few hours, Sophos finally publicly admitted there was a problem and posted an article and a fix here.

Background: the anti-virus program periodically downloads pattern files from its manufacturer to get the very latest list of known viruses and instructions on how to find and quarantine them. Sophos' default update interval is every 10 minutes. The problem here is that one of the files the new pattern file identified as a virus was the program component that actually does the updating, so once that component has been quarantined the correction cannot simply be pushed out through the same channel, and there is a bit of a process to get around this. I suspect there will be a few physical visits to computers today.
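The failure mode above, and the two checks that would have contained it, as an added toy example (not Sophos code, and not the fix the vendor published). A "pattern file" is modelled as a list of (detection name, byte pattern) signatures, the endpoint's files as made-up byte strings, and the vendor's own shipped binaries as a hash allowlist; real products would use code signing for the last part. The detection name and file contents are constructed for illustration.

```python
"""Toy anti-virus engine: a bad pattern file that matches the product's own
updater, a vendor-side release gate that would have rejected it, and an
endpoint-side guard that refuses to quarantine vendor-shipped binaries.
All file contents, paths and patterns are constructed sample data."""
import hashlib

# Constructed sample files on an endpoint (made-up contents, not real binaries).
ENDPOINT_FILES = {
    "C:\\AV\\updater.exe": b"MZ\x00 fetch-pattern-file verify install restart-service",
    "C:\\AV\\scanner.exe": b"MZ\x00 scan-files quarantine alert",
    "C:\\Users\\bob\\Downloads\\invoice.exe": b"MZ\x00 EVIL_PAYLOAD fetch-pattern-file verify install",
}

# The product's own binaries: the vendor knows these at build time and can
# hash (or sign) them before any pattern file is released.
VENDOR_FILES = {p: d for p, d in ENDPOINT_FILES.items() if p.startswith("C:\\AV\\")}

# Two candidate pattern files. The second one adds a signature so generic that
# it also matches the legitimate updater's update loop (the bug on the page).
GOOD_PATTERNS = [("Troj/Evil-A", b"EVIL_PAYLOAD")]
BAD_PATTERNS = [("Troj/Evil-A", b"EVIL_PAYLOAD"),
                ("Updater-B", b"fetch-pattern-file verify install")]


def sha256(data):
    """Hex SHA-256 of a file's bytes; stands in for a code-signing check."""
    return hashlib.sha256(data).hexdigest()


def scan(files, patterns):
    """Return {path: detection_name} for every file matching a signature.
    First matching signature wins, mirroring a simple engine."""
    hits = {}
    for path, data in files.items():
        for name, pattern in patterns:
            if pattern in data:
                hits[path] = name
                break
    return hits


def release_gate(patterns, clean_corpus):
    """Vendor-side check before publishing: scan a known-clean corpus that
    includes the product's own binaries. Returns the false positives as a
    sorted list of (path, detection); an empty list means the file may ship."""
    return sorted(scan(clean_corpus, patterns).items())


def scan_with_self_protection(files, patterns, trusted_hashes):
    """Endpoint-side check: a detection on a file whose hash is on the vendor's
    allowlist is reported but not acted on, so a bad pattern file can never
    quarantine the component that would download the correction."""
    actions = {}
    for path, name in scan(files, patterns).items():
        if sha256(files[path]) in trusted_hashes:
            actions[path] = ("report-only", name)
        else:
            actions[path] = ("quarantine", name)
    return actions


TRUSTED_HASHES = {sha256(d) for d in VENDOR_FILES.values()}

if __name__ == "__main__":
    print("good pattern file, release gate:", release_gate(GOOD_PATTERNS, VENDOR_FILES))
    print("bad pattern file, release gate: ", release_gate(BAD_PATTERNS, VENDOR_FILES))
    print("bad pattern file, naive scan:   ", scan(ENDPOINT_FILES, BAD_PATTERNS))
    print("bad pattern file, guarded scan: ",
          scan_with_self_protection(ENDPOINT_FILES, BAD_PATTERNS, TRUSTED_HASHES))
```

Run stand-alone, the naive scan quarantines both the malware sample and the updater; the release gate flags the updater before the pattern file leaves the vendor, and the guarded scan still reports the hit on the updater but leaves the file in place, so the next pattern file can be fetched normally.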

I happened to be on-line last night and, of course, our systems are managed by Sophos AntiVirus. I saw it happen. All of a sudden I got notices from the program informing me of viruses. I could see that the files in question were Sophos files themselves, and for a while I was really impressed that the virus had detected the anti-virus program and turned it into a virus. I went ahead and deleted the files before I had gone on-line to research it. In the end I had to manually un-install Sophos (deleting files and doing registry sweeps) and then install it again manually. By this time the bad update had been removed, replaced by one to fix it.

It could be worse. I believe that every vendor out there has had something like this happen to them. I remember in 1999 - Norton AntiVirus' central console (newly installed by me at a client site) distributed an update which promptly caused all the Windows NT computers to crash with a "blue screen of death" (BSOD). Still, I would have thought that software production and testing processes would have improved vastly in the 13 years that have passed.