From the Graham Cluley blog: "To its credit, Sophos issued an update at 9am UTC on Sunday, fixing the false alarm."
Which isn't a great deal of use if you can't log on. I hope none of my friends and family are using Sophos.
Users of Sophos’s security software were confronted with a black screen on starting up their Windows PC over the weekend as the result of a borked antivirus update. The botched update meant that the Windows 7 version of winlogon.exe was incorrectly labelled as potentially malicious, resulting in chaos and confusion all …
re Sense of humour,
They probably lost it due to all the issues they have had to endure by their favourite supplier doing nasty things to their chosen OS version.
The rest of us were just smart enough to say enough is enough and do something about it, now we're smiling again.
I'm sure they will catch up when they hit their pain threshold too.
It borked almost every updater of hundreds, if not thousands of programs including itself.
Therefore once infected with the Sophos update you couldn't re-update to a safe version. You also couldn't remotely uninstall as it wasn't working, or re-install a new version. Most of the programs on individual PCs were borked, some proved almost impossible to repair without a re-image - very inconvenient for laptop users and non-standard image users.
Overall it took 3 days of overnight work to get many PCs working again, a week to get slightly stable and months before all PCs were back to how they should be - although there was still the odd issue that was never fixed.
The best part - how could an AV company have such a serious upgrade issue that affected even its own upgrade service? Apparently it went through 5 different checks which all should have picked up the issue - but they all failed! There was no false-positive testing on an actual Windows machine; the false-positive testing was done on a Linux box.
It was this that made me never use Sophos again, and since then I have been using Bitdefender with no major issues.
Hearing this news makes me glad that I chose to move away.
*cues hysterical laughter* What, and Bitdefender is better? The law of averages will get Bitdefender too at some point.
*Every* AV vendor goes through this one, although I'm surprised that Sophos has suffered this *twice* in the last 4 years, given the massive cluster their 'update' SNAFU caused last time and they promised to fix their procedures. Clearly the procedures are *not* fixed.
Shame, shame, shame...
Whether an AV provider will have false positives is not in question. The difference is their Q&A. Any update should not bork their own software or any standard set of software including the operating system itself.
I don't mind (too much) if a piece of niche software, or an ancient version of well known software, gets quarantined - that's to be expected. However for Sophos to kill about 50% of software on the system including, catastrophically, its own executables is unforgivable. So is killing a core Windows executable.
This leads me to believe their fundamental management and systems are not working properly. No-one knows exactly what the processes and flaws in other providers are until they have a similar issue - Bitdefender hasn't, so far, while I've been using it. If they have something similar then I will also be leaving them - it's a matter of trust.
Hence the 'shame, shame, shame' because it's clear that management has *not* learned from the last catastrophic cockup. Or they learned, forgot, and well, you know what they say about forgetting the past, right?
But yes, *anyone* who buys into a software package in the belief that 'it'll *never* happen to them, surely' is naive at best. Sorry, I'm extremely cynical when it comes to sales pitches. :-)
Oh God: That was about six weeks of cleanup across the customer base. On the plus side, after a few (Strong and loud) words with my account manager, most of them didn't pay for Antivirus for three years after that, which is precisely how much most of them thought it was worth...
winlogon.exe is presumably signed by Microsoft so why exactly doesn't AV software respect this ?
Might have something to do with the fact that signing keys have been stolen in the past. Might have something to do with the fact that signing keys don't even have to be stolen to infect signed files:
Basic defense-in-depth principles require that the design of each layer must assume that the other layers may have been compromised.
Early this century I had a gig as a QA engineer at a well known AV vendor. They had just built out a big rig to check for false positives, as they'd recently suffered a similarly embarrassing cock-up leading to a core Windows DLL being quarantined as infected "with hilarious consequences". The very first test apps to be loaded onto the FP environment were every version of Windows then around, including the shiny new Itanic version of XP. I find it really hard to understand why a reasonably large vendor like Sophos wouldn't have something similar in their update build / test / release chain, in 2016. It's not as if it's very expensive, in the grand scheme of things, you could pick up a copy of probably 80% of code in use for, oh, well under £50k I should think.
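The false-positive rig described above is, in its simplest form, a release gate: run the candidate signature set over a corpus of known-good files from every supported OS image and the product's own binaries, and block the release on any hit. The following is an added example of that gate, not Sophos's, the commenter's former employer's, or any vendor's code; the signatures, the "golden corpus" and the malware sample are all constructed byte strings, and the true-positive check is included so that the fix for a false positive cannot simply be deleting the signature.

```python
"""Minimal false-positive release gate for a detection update (added example).

Both the signature set and the golden corpus are constructed toy data; real
signatures and real system binaries are far more complex, but the gate logic
(no hit on known-good files, every sample still detected) is the same.
"""
import re

# Constructed "golden corpus": byte contents standing in for clean, known-good
# files from every supported OS image and from the product itself. None of
# these may ever be quarantined by a released update.
GOLDEN_CORPUS = {
    "win7-x86/System32/winlogon.exe": b"MZ\x90\x00...WINLOGON...LogonUI...",
    "win7-x64/System32/winlogon.exe": b"MZ\x90\x00...WINLOGON...LogonUI...",
    "win10/System32/svchost.exe": b"MZ\x90\x00...SVCHOST...ServiceMain...",
    "product/bin/updater.exe": b"MZ\x90\x00...UPDATER...FetchIDE...",
}

# Constructed malware sample the update is supposed to catch (true-positive check).
MALWARE_SAMPLES = {
    "lab/sample-0001.bin": b"MZ\x90\x00...WINLOGON...inject...EVIL-STAGER...",
}


def build_candidate_signatures():
    """Constructed candidate signature set. The first signature is deliberately
    too broad: it keys on a string that a clean winlogon.exe also contains."""
    return {
        "Troj/Fake-Logon-A": re.compile(rb"WINLOGON"),
        "Troj/Stager-B": re.compile(rb"EVIL-STAGER"),
    }


def scan(signatures, corpus):
    """Return the set of (signature_name, path) for every hit over a corpus."""
    hits = set()
    for path, data in corpus.items():
        for name, pattern in signatures.items():
            if pattern.search(data):
                hits.add((name, path))
    return hits


def release_gate(signatures, golden=GOLDEN_CORPUS, malware=MALWARE_SAMPLES):
    """Gate a signature update before release.

    Returns (ok, false_positives, missed_samples):
      - false_positives: any hit on the golden corpus blocks the release
      - missed_samples: any sample that no signature hits also blocks it
    """
    false_positives = scan(signatures, golden)
    detected = {path for _, path in scan(signatures, malware)}
    missed = set(malware) - detected
    return (not false_positives and not missed, false_positives, missed)


def tighten(signatures):
    """Constructed 'fix': require the injection marker, not the generic string."""
    fixed = dict(signatures)
    fixed["Troj/Fake-Logon-A"] = re.compile(rb"WINLOGON.*inject")
    return fixed


if __name__ == "__main__":
    candidate = build_candidate_signatures()
    ok, fps, missed = release_gate(candidate)
    print("candidate release ok:", ok)
    for name, path in sorted(fps):
        print(f"  FALSE POSITIVE: {name} hits {path}")
    ok, fps, missed = release_gate(tighten(candidate))
    print("tightened release ok:", ok, "false positives:", len(fps), "missed:", len(missed))
```

The gate only has value if the golden corpus really does contain the files the update could break: every supported OS variant (here the 32-bit and 64-bit Windows 7 stand-ins) and the product's own update chain, which is exactly the file the thread says was not tested on a real Windows machine.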
All antivirus is solving the wrong problem, attempting to recognize an infinite variety of patterns - which is, of course, impossible. The need for this arises because the operating system itself is laughably insecure and attempts to run everything from everywhere by default.
The correct solution to this problem is to use an operating system correctly designed and configured to not take candy from strangers. Then antivirus is not needed.
Have an upvote to counteract the presumably robo-downvote.
OS design is the problem. Windows is also not the only culprit. Until people are willing to swap performance/features for solid security, things won't change.
The OS needs to mediate all resource access, not just disk, RAM allocation and CPU. We need finer-grained control over applications than simply "which user is it running under." That control needs to include declared network/URL access and disk access; it needs to be set at install time, and vendors need to take the lead in providing secure, not just functional, permissions. There is no good reason for Flash running in a browser to have access to every file the user owns. Rights should be inherited. Running a PHP interpreter from a browser should mean it gets the browser's rights, which may be different from running the same thing from a desktop shell. Along with virtual memory, how about providing each application with virtual disk and a virtual network proxy? The OS filesystem should be read-only. OS and application binaries and configuration should not be co-mingled. Binaries and config should not be co-mingled. Applications should not be running random executables to update themselves - the OS should be checking known repositories for updates.
All this AV stuff is a fudge and a massive performance drain. Has anyone tried measuring the performance hit of AV vs doing OS design right?
While there is always room to make OSs more secure, it is possible to configure Windows to be reasonably secure in Pro/Enterprise editions with Group Policy... it is just not convenient, so the majority of users never do. Software Restriction Policies is a powerful feature, but sadly is under-utilised.
A large part of this falls into security versus convenience problem...
AV currently works on the basis of "blacklist" the bad stuff - allow anything else.
To get your solution means turning it on its head and whitelist what is allowed and block everything else. It can be done as long as everything executable on the computer is stable and does not change very often - and that needs planned and tested updates.
Sadly not exactly practicable now unless you wall the OS off from all other software creators/vendors and only allow certified software from a "store"....oh wait..
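The "whitelist what is allowed and block everything else" model from the two comments above, and the planned-update requirement that comes with it, is shown below as an added example: a default-deny, hash-based execution allowlist written for this page, not code from Windows Software Restriction Policies or from any AV product. The executables are constructed byte strings standing in for real binaries, and the `approve()` step models the planned, tested update the commenter says the model depends on.

```python
"""Hash-based execution allowlist with an explicit, tested update step (added example).

Default-deny: a binary may run only if its SHA-256 is on the approved list,
which is built from a stable, tested image. Anything unknown, including a
legitimate but not-yet-approved update, is blocked until it is approved.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Allowlist:
    """Default-deny policy keyed on the SHA-256 of the executable's contents."""

    def __init__(self, approved):
        # approved: {sha256_hex: label}, produced from a tested, stable image
        self.approved = dict(approved)
        self.log = []  # (decision, label_or_digest) audit trail

    def check(self, data: bytes) -> bool:
        """Return True if the binary may run; record the decision either way."""
        digest = sha256(data)
        label = self.approved.get(digest)
        if label is None:
            self.log.append(("BLOCK", digest))
            return False
        self.log.append(("ALLOW", label))
        return True

    def approve(self, data: bytes, label: str, tested: bool):
        """Admit a new hash only after a planned test; never automatically."""
        if not tested:
            raise ValueError(f"refusing to approve untested build: {label}")
        self.approved[sha256(data)] = label

    def blocked_count(self) -> int:
        return sum(1 for decision, _ in self.log if decision == "BLOCK")


# Constructed stand-ins for executables; the version strings are made up.
WINLOGON_V1 = b"MZ...winlogon (constructed build 1)..."
UPDATER_V1 = b"MZ...vendor updater 1.0 (constructed)..."
UPDATER_V2 = b"MZ...vendor updater 1.1 (constructed)..."  # arrives via auto-update
UNKNOWN_BINARY = b"MZ...something nobody approved..."


def demo():
    """Walk through the allow/block decisions and return them for inspection."""
    policy = Allowlist({
        sha256(WINLOGON_V1): "winlogon.exe",
        sha256(UPDATER_V1): "updater.exe 1.0",
    })
    results = {
        "winlogon_v1": policy.check(WINLOGON_V1),                 # on the image: allowed
        "unknown_binary": policy.check(UNKNOWN_BINARY),           # never approved: blocked
        "updater_v2_before_approval": policy.check(UPDATER_V2),   # changed hash: blocked
    }
    # The planned, tested update step: only now does the new updater run.
    policy.approve(UPDATER_V2, "updater.exe 1.1", tested=True)
    results["updater_v2_after_approval"] = policy.check(UPDATER_V2)
    return results, policy


if __name__ == "__main__":
    decisions, policy = demo()
    for name, allowed in decisions.items():
        print(f"{name:28s} {'ALLOW' if allowed else 'BLOCK'}")
    print("blocked decisions:", policy.blocked_count())
```

The third decision is the cost the commenter points at: a legitimate updater whose hash changed is treated exactly like an unknown binary until someone approves it, which is workable only when the set of executables is stable and updates are planned and tested rather than arriving whenever a vendor pushes them.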
I don't really believe that title is true, although I do still highly recommend Sophos Home; I run it on all my Macs and PCs (never used the Linux or Android offerings). In exchange for a couple of details they give home users some pretty impressive security tools and software - including their cloud-based AV - and it's all free of charge.
I can't imagine this 'outbreak' being a very significant problem - a business or home user who is running Sophos AND a 32-bit version of Windows 7 SP1. That seems like a very niche and shrinking market, further deluding these wild conspiracy theories.
Unsurprisingly maybe, I didn't immediately see anything mentioned on their security blog/website (that I won't mention by name here).
Half our fleet needs replacing with freshly SOE'd machines, it doesn't uninstall itself properly - about 25% of installs keep the service running which means the problem of it slowing systems to a crawl whilst scanning the partitions (this is on Core i5's with 8GB's of RAM and 250GB SSD's for god's sake) is still occurring - we've had to replace multiple machines with freshly imaged ones and all we hear back is it's with the developers.
Although if it came down to using Trend versus any Symantec product, we'd stick with Trend any day.
Biting the hand that feeds IT © 1998–2022