Sophos false positive causes chaos
Sophos, the anti-virus and network security company, scored an own goal this week when it released a signature update which detected - and disabled - its own software update tool.
Users on Sophos's support forums described enterprise networks thrown into chaos, with thousands of machines reporting infection and needing manual intervention to address.
Brett Myroff, CEO of Netxactics, SA's Sophos partner, estimates that 35% of Sophos users in SA were affected by the glitch. "There are various restore methods. Our support department is assisting customers 24/7."
Although the company rushed out a fix, many users were unable to install it because the updater had been quarantined, and Sophos's central management tool is unable to remove items from quarantine on client systems. While Sophos scrambled to resolve the issue, users on the forum swapped code and ideas for cleaning up the mess.
False positives are a common problem in signature-based anti-virus, and when critical files are mistakenly targeted, the results can be catastrophic. In 2010, for example, McAfee's AV identified svchost.exe, the core Windows networking binary, as a virus, shutting down Windows XP computers en masse.
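Two defender-side checks that address the failure mode described above, written as an added example rather than anything from the article, Sophos or McAfee: a pre-release gate that runs candidate signatures over a corpus of known-good files (the vendor's own updater and core OS binaries) and refuses to ship any signature that matches, and a runtime allowlist of hashes for critical binaries that the scanner consults before quarantining. The signature names, patterns and file contents are constructed for illustration.

```python
import hashlib
import re

# Constructed goodware corpus: file name -> file bytes. A real pipeline would
# populate this with the vendor's shipped binaries and critical OS files.
GOODWARE = {
    "updater.exe": b"MZ\x90\x00 vendor-updater v1.2 download-install-restart",
    "svchost.exe": b"MZ\x90\x00 service host process",
    "notepad.exe": b"MZ\x90\x00 text editor",
}

# Constructed candidate signatures: detection name -> byte-regex.
# "Troj/Agent-A" is deliberately too generic and also matches updater.exe.
SIGNATURES = {
    "Troj/Agent-A": re.compile(rb"download-install-restart"),
    "Troj/Sample-B": re.compile(rb"evil-payload-marker"),
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_allowlist(corpus):
    """Hashes of known-good critical files, consulted before any quarantine."""
    return {sha256_hex(data) for data in corpus.values()}


def find_false_positives(signatures, corpus):
    """Return {signature_name: [goodware file names it matches]}."""
    hits = {}
    for sig_name, pattern in signatures.items():
        matched = [name for name, data in corpus.items() if pattern.search(data)]
        if matched:
            hits[sig_name] = matched
    return hits


def release_gate(signatures, corpus):
    """Pre-release check: (ok, report). ok is False if any signature hits goodware."""
    report = find_false_positives(signatures, corpus)
    return (not report, report)


def should_quarantine(data, signatures, allowlist):
    """Runtime check: quarantine only if a signature fires AND the file's hash is
    not on the allowlist of critical known-good binaries."""
    fired = [name for name, pattern in signatures.items() if pattern.search(data)]
    if not fired:
        return False
    return sha256_hex(data) not in allowlist


if __name__ == "__main__":
    ok, report = release_gate(SIGNATURES, GOODWARE)
    print("release ok:", ok, "conflicts:", report)
    allow = build_allowlist(GOODWARE)
    print("quarantine updater?", should_quarantine(GOODWARE["updater.exe"], SIGNATURES, allow))
    print("quarantine sample?", should_quarantine(b"evil-payload-marker", SIGNATURES, allow))
```

The gate catches the generic signature before it ships; the allowlist is the second line of defence for the case the gate misses, so that a signature hit on the vendor's own updater or a core system binary is logged rather than acted on automatically.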