[Bort]

I spotted this article, and I think it is brilliant. Basically, Sophos Antimalware detected parts of itself as malware and started deleting its own binaries, rendering itself useless until it was repaired.

Link to the full article

[BenignDesign]

This is the email I received at work yesterday:

Quote

Sophos (our anti-virus) company put out an update (called Shh/Updater-B ) and much to their error (and now humiliation), late last night, they (the anti-virus company) released an update that they had inadvertently flagged as a potential threat/virus. Yes, THEY flagged THEIR own update as a threat. They’ve been back pedaling trying to fix it since.

We learned of the error at about 8:30 this morning when we received over 1500 system messages regarding the Shh/Updater-B threat. Their official release is included below.

I’ve gotten the fixes from Sophos and have made most of them.

Again, DO NOT be concerned with Shh/Updater-B messages.

You’re computer has not been infected, hacked, or otherwise attacked as a result of Sophos’ error.

[Bort]

Haha, excellent! I'm impressed someone here was actually affected by it

[raziel_]

we used to use Avira @ my last job and he was detecting itself as a virus too. I kinda like Avira though it never rly show any viruses (which either i didn't have any or it wasn't working). However @ my current job we use Microsoft Forefront Endpoint Protection and he was detecting google as malware. A quick update fixed this problem.

This post has been edited by raziel_: 21 September 2012 - 04:31 AM

[Mikhail]

BenignDesign, on 21 September 2012 - 05:25 AM, said:

This is the email I received at work yesterday:

Quote

Sophos (our anti-virus) company put out an update (called Shh/Updater-B ) and much to their error (and now humiliation), late last night, they (the anti-virus company) released an update that they had inadvertently flagged as a potential threat/virus. Yes, THEY flagged THEIR own update as a threat. They’ve been back pedaling trying to fix it since.

We learned of the error at about 8:30 this morning when we received over 1500 system messages regarding the Shh/Updater-B threat. Their official release is included below.

I’ve gotten the fixes from Sophos and have made most of them.

Again, DO NOT be concerned with Shh/Updater-B messages.

You’re computer has not been infected, hacked, or otherwise attacked as a result of Sophos’ error.

I spy with my little eye "you're" being used incorrectly.

[no2pencil]

Seen a few infected machines with Sophos come into the shop. This software isn't very impressive, imo.

[strawhat89]

I used to have Symantec installed in the system and when the license ran out, I decided not to renew it and got Kaspersky instead. Kaspersky detected the Symantec installer .exe as a malware. Talk about competition!

[fromTheSprawl]

I wonder if they really do that, marking competitions software with "potential thread" and putting a big "remove/delete/uninstall" beside it.

By the way, this thread my my day. Thank you.

[Skydiver]

RE: competition being detected as malware

Something I just learned about 3-4 weeks ago when Chrome Beta was going nuts on me. Apparently Avast uses DLL code injection, and in the process of injecting code into Chrome, they broke Chrome Beta. Consider that doing DLL code injection a common malware practice that most normal programs wouldn't be doing. I'm willing to bet that if somebody asks in DIC C# or C/C++ sections about how to do DLL code injection, the thread will be closed along the same lines that we don't help people write a keylogger.

So if your antivirus program goes and scans files and it discovers a byte pattern that looks like the byte codes for doing DLL injection, won't the file go into the suspicious pile the requires more scanning? The "more scanning" process will likely do more extensive analysis, and potentially have heuristics including a white list. Unless you have a comprehensive white list of all files that use DLL injection, then you'll be forced to make a decision: "the file is good" or "the file is bad." I think as a antivirus program writer, I would lean towards "the file is bad."

Apart from the DLL injection specific issue, other AV software also does the same things that malware would do including installing device drivers, hooking API calls, opening ports, etc. So unless every AV writer has an up-to-date library of every other AV software ever released so that they can do extensive testing, and building of white lists, then there will always be a chance of false positives.

There are also some bits of malware that go around and mask themselves by actually exploiting bugs in brand name AV software and installing themselves into that AV software.

I do find it particularly hilarious that Sophos classified itself to be malware. A tester and/or test manager will likely be getting a stern talking to, if not be losing a job.

[Choscura]

Does anybody know if this is the result of some kind of basic AI / unsupervised machine learning? That would be interesting to find out.

TLDR: You there, HAL?

[Bort]

Choscura, on 25 September 2012 - 12:14 PM, said:

TLDR: You there, HAL?

No Dave. That's not me. I'm not stupid enough to delete core parts of my programming. - HAL.

[RudiVisser]

This affected where I work and it was quite funny to watch

To be honest, at least their code was working fine, it did in fact detect several updaters including their own, Sage's and Adobe's. The detection was technically correct

[calvinthedestroyer]

Sophos> singing
I detect myself
I want you to find me
When I'm feelin' down
I want to alert me
I search myself
I want you to find me
I delete myself
I want you to remove me

[nK0de]

I remember reading about once a Norton update mistakenly quarantining some Windows system files resulting people to reinstall the OS. hah!

This post has been edited by nK0de: 27 September 2012 - 08:57 PM

[no2pencil]

XP SP3 was caught by Kaspersky & another AntiVirus, causing the networking to be fubar.