This is genius... Sophos Antimalware Discovers Itself

16 Replies - 1714 Views - Last Post: 29 September 2012 - 11:25 PM

#1 Bort

Posted 21 September 2012 - 03:19 AM

I spotted this article, and I think it is brilliant. Basically, Sophos Antimalware detected parts of itself as malware and started deleting its own binaries, rendering itself useless until it was repaired.

Link to the full article

Replies To: This is genius... Sophos Antimalware Discovers Itself

#2 BenignDesign

Posted 21 September 2012 - 03:25 AM

This is the email I received at work yesterday:

Quote

Sophos (our anti-virus) company put out an update (called Shh/Updater-B) and much to their error (and now humiliation), late last night, they (the anti-virus company) released an update that they had inadvertently flagged as a potential threat/virus. Yes, THEY flagged THEIR own update as a threat. They’ve been backpedaling trying to fix it since.

We learned of the error at about 8:30 this morning when we received over 1500 system messages regarding the Shh/Updater-B threat. Their official release is included below.

I’ve gotten the fixes from Sophos and have made most of them.

Again, DO NOT be concerned with Shh/Updater-B messages.

You’re computer has not been infected, hacked, or otherwise attacked as a result of Sophos’ error.


:wub:

#3 Bort

Posted 21 September 2012 - 03:34 AM

Haha, excellent! I'm impressed someone here was actually affected by it :)

#4 raziel_

Posted 21 September 2012 - 04:30 AM

We used to use Avira @ my last job and it was detecting itself as a virus too. I kinda like Avira, though it never really showed any viruses (so either I didn't have any or it wasn't working). However, @ my current job we use Microsoft Forefront Endpoint Protection and it was detecting Google as malware. A quick update fixed this problem.

This post has been edited by raziel_: 21 September 2012 - 04:31 AM


#5 Mikhail

Posted 21 September 2012 - 01:11 PM

BenignDesign, on 21 September 2012 - 05:25 AM, said:

This is the email I received at work yesterday:

Quote

Sophos (our anti-virus) company put out an update (called Shh/Updater-B) and much to their error (and now humiliation), late last night, they (the anti-virus company) released an update that they had inadvertently flagged as a potential threat/virus. Yes, THEY flagged THEIR own update as a threat. They’ve been backpedaling trying to fix it since.

We learned of the error at about 8:30 this morning when we received over 1500 system messages regarding the Shh/Updater-B threat. Their official release is included below.

I’ve gotten the fixes from Sophos and have made most of them.

Again, DO NOT be concerned with Shh/Updater-B messages.

You’re computer has not been infected, hacked, or otherwise attacked as a result of Sophos’ error.


:wub:


I spy with my little eye "you're" being used incorrectly.

#6 no2pencil

Posted 21 September 2012 - 01:22 PM

Seen a few infected machines with Sophos come into the shop. This software isn't very impressive, imo.

#7 strawhat89

Posted 23 September 2012 - 10:24 PM

I used to have Symantec installed in the system and when the license ran out, I decided not to renew it and got Kaspersky instead. Kaspersky detected the Symantec installer .exe as malware. Talk about competition!

#8 fromTheSprawl

Posted 23 September 2012 - 10:40 PM

I wonder if they really do that, marking the competition's software with "potential threat" and putting a big "remove/delete/uninstall" beside it.

By the way, this thread made my day. Thank you.

#9 Skydiver

Posted 24 September 2012 - 04:15 PM

RE: competition being detected as malware

Something I just learned about 3-4 weeks ago when Chrome Beta was going nuts on me. Apparently Avast uses DLL code injection, and in the process of injecting code into Chrome, they broke Chrome Beta. Consider that doing DLL code injection is a common malware practice that most normal programs wouldn't be doing. I'm willing to bet that if somebody asks in DIC C# or C/C++ sections about how to do DLL code injection, the thread will be closed along the same lines that we don't help people write a keylogger.

So if your antivirus program goes and scans files and it discovers a byte pattern that looks like the byte codes for doing DLL injection, won't the file go into the suspicious pile that requires more scanning? The "more scanning" process will likely do more extensive analysis, and potentially have heuristics including a white list. Unless you have a comprehensive white list of all files that use DLL injection, then you'll be forced to make a decision: "the file is good" or "the file is bad." I think as an antivirus program writer, I would lean towards "the file is bad."

Apart from the DLL injection specific issue, other AV software also does the same things that malware would do including installing device drivers, hooking API calls, opening ports, etc. So unless every AV writer has an up-to-date library of every other AV software ever released so that they can do extensive testing, and building of white lists, then there will always be a chance of false positives.

There are also some bits of malware that go around and mask themselves by actually exploiting bugs in brand name AV software and installing themselves into that AV software.

I do find it particularly hilarious that Sophos classified itself to be malware. A tester and/or test manager will likely be getting a stern talking to, if not be losing a job.
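The scan-then-allowlist decision described in post #9, applied as a pre-release check on a vendor's own files. This is an added example, not part of the thread and not how Sophos or any other vendor implements it; the signature bytes, file names and function names are constructed for illustration.

```python
import hashlib

# Constructed stand-in for a byte pattern the scanner treats as injection-like.
# It is not a real signature from any product.
SIGNATURE = b"\x90\x90INJECT-LIKE-PATTERN\x90\x90"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def scan(data, allowlist):
    """Stage 1: pattern match. Stage 2: allowlist lookup by file hash.
    A match that is not on the allowlist leans towards 'malicious'."""
    if SIGNATURE not in data:
        return "clean"
    if sha256(data) in allowlist:
        return "allowlisted"
    return "malicious"


def release_gate(known_good, allowlist):
    """Names of known-good files the signature update would flag.
    An empty list means the update is safe to ship against this corpus."""
    return sorted(name for name, data in known_good.items()
                  if scan(data, allowlist) == "malicious")


# Constructed corpus: two legitimate updaters that contain the pattern,
# and one ordinary program that does not.
KNOWN_GOOD = {
    "own_updater.exe": b"MZ" + SIGNATURE + b"vendor updater build 1",
    "other_vendor_updater.exe": b"MZ" + SIGNATURE + b"third-party updater",
    "editor.exe": b"MZ plain text editor",
}
# The allowlist was built from third-party files only; the vendor's own is missing.
ALLOWLIST = {sha256(KNOWN_GOOD["other_vendor_updater.exe"])}

if __name__ == "__main__":
    print("flagged before fix:", release_gate(KNOWN_GOOD, ALLOWLIST))
    fixed = ALLOWLIST | {sha256(KNOWN_GOOD["own_updater.exe"])}
    print("flagged after fix: ", release_gate(KNOWN_GOOD, fixed))
    # A new build changes the hash, so a hash allowlist goes stale.
    rebuilt = dict(KNOWN_GOOD)
    rebuilt["own_updater.exe"] += b" build 2"
    print("flagged after rebuild:", release_gate(rebuilt, fixed))
```
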

#10 Choscura

Posted 25 September 2012 - 04:14 AM

Does anybody know if this is the result of some kind of basic AI / unsupervised machine learning? That would be interesting to find out.

TLDR: You there, HAL?

#11 Bort

Posted 25 September 2012 - 04:44 AM

Choscura, on 25 September 2012 - 12:14 PM, said:

TLDR: You there, HAL?


No Dave. That's not me. I'm not stupid enough to delete core parts of my programming. - HAL.

#12 RudiVisser

Posted 25 September 2012 - 04:59 AM

This affected where I work and it was quite funny to watch :)

To be honest, at least their code was working fine, it did in fact detect several updaters including their own, Sage's and Adobe's. The detection was technically correct :D

#13 calvinthedestroyer

Posted 25 September 2012 - 08:02 PM

Sophos> singing
I detect myself
I want you to find me
When I'm feelin' down
I want to alert me
I search myself
I want you to find me
I delete myself
I want you to remove me

#14 nK0de

Posted 27 September 2012 - 12:56 PM

I remember reading once about a Norton update mistakenly quarantining some Windows system files, resulting in people having to reinstall the OS. hah!

This post has been edited by nK0de: 27 September 2012 - 08:57 PM


#15 no2pencil

Posted 27 September 2012 - 01:03 PM

XP SP3 was caught by Kaspersky & another AntiVirus, causing the networking to be fubar.