From the Graham Cluley blog: "To its credit, Sophos issued an update at 9am UTC on Sunday, fixing the false alarm."
Which isn't a great deal of use if you can't log on. I hope none of my friends and family are using Sophos.
Users of Sophos’s security software were confronted with a black screen on starting up their Windows PC over the weekend as the result of a borked antivirus update. The botched update meant that the Windows 7 version of winlogon.exe was incorrectly labelled as potentially malicious, resulting in chaos and confusion all …
re Sense of humour,
They probably lost it due to all the issues they have had to endure by their favourite supplier doing nasty things to their chosen OS version.
The rest of us were just smart enough to say enough is enough and do something about it, now we're smiling again.
I'm sure they will catch up when they hit their pain threshold too.
It borked almost every updater of hundreds, if not thousands, of programs, including itself.
Therefore once infected with the Sophos update you couldn't re-update to a safe version. You also couldn't remotely uninstall as it wasn't working, or re-install a new version. Most of the programs on individual PCs were borked, some proved almost impossible to repair without a re-image - very inconvenient for laptop users and non-standard image users.
Overall it took 3 days of overnight work to get many PCs working again, a week to get slightly stable and months before all PCs were back to how they should be - although there was still the odd issue that was never fixed.
The best part - how could an AV company have such a serious upgrade issue that affected even its own upgrade service? Apparently it went through 5 different checks which all should have picked up the issue - but they all failed! There was no false-positive testing on an actual Windows machine; the false positive testing was done on a Linux box.
https://www.sophos.com/en-us/support/knowledgebase/shh-root-cause-analysis.aspx
It was this that made me never use Sophos again, and since then I have been using Bitdefender with no major issues.
Hearing this news makes me glad that I chose to move away.
*cues hysterical laughter* What, and Bitdefender is better? The law of averages will get Bitdefender too at some point.
*Every* AV vendor goes through this one, although I'm surprised that Sophos has suffered this *twice* in the last 4 years, given the massive cluster their 'update' SNAFU caused last time and they promised to fix their procedures. Clearly the procedures are *not* fixed.
Shame, shame, shame...
Whether an AV provider will have false positives is not in question. The difference is their Q&A. Any update should not bork their own software or any standard set of software including the operating system itself.
I don't mind (too much) if a piece of niche software, or an ancient version of well known software, gets quarantined - that's to be expected. However, for Sophos to kill about 50% of software on the system including, catastrophically, its own executables is unforgivable. So is killing a core Windows executable.
This leads me to believe their fundamental management and systems are not working properly. No-one knows exactly what the processes and flaws in other providers are until they have a similar issue - Bitdefender hasn't, so far, while I've been using it. If they have something similar then I will also be leaving them - it's a matter of trust.
Hence the 'shame, shame, shame' because it's clear that management has *not* learned from the last catastrophic cockup. Or they learned, forgot, and well, you know what they say about forgetting the past, right?
But yes, *anyone* who buys into a software package in the belief that 'it'll *never* happen to them, surely' is naive at best. Sorry, I'm extremely cynical when it comes to sales pitches. :-)
Oh God: That was about six weeks of cleanup across the customer base. On the plus side, after a few (Strong and loud) words with my account manager, most of them didn't pay for Antivirus for three years after that, which is precisely how much most of them thought it was worth...
winlogon.exe is presumably signed by Microsoft, so why exactly doesn't AV software respect this?
Might have something to do with the fact that signing keys have been stolen in the past. Might have something to do with the fact that signing keys don't even have to be stolen to infect signed files:
Basic defense-in-depth principles require that the design of each layer must assume that the other layers may have been compromised.
Early this century I had a gig as a QA engineer at a well known AV vendor. They had just built out a big rig to check for false positives, as they'd recently suffered a similarly embarrassing cock-up leading to a core Windows DLL being quarantined as infected "with hilarious consequences". The very first test apps to be loaded onto the FP environment were every version of Windows then around, including the shiny new Itanic version of XP. I find it really hard to understand why a reasonably large vendor like Sophos wouldn't have something similar in their update build / test / release chain, in 2016. It's not as if it's very expensive, in the grand scheme of things, you could pick up a copy of probably 80% of code in use for, oh, well under £50k I should think.
All antivirus is solving the wrong problem, attempting to recognize an infinite variety of patterns - which is, of course, impossible. The need for this arises because the operating system itself is laughably insecure and attempts to run everything from everywhere by default.
The correct solution to this problem is to use an operating system correctly designed and configured to not take candy from strangers. Then antivirus is not needed.
Have an upvote to counteract the presumably robo-downvote.
OS design is the problem. Windows is also not the only culprit. Until people are willing to swap performance/features for solid security, things won't change.
The OS needs to mediate all resource access, not just disk, RAM allocation and CPU. We need finer-grained control over applications than simply "which user is it running under." That control needs to include declared network/URL access and disk access, it needs to be set at install time, and vendors need to take the lead in providing secure, not just functional, permissions. There is no good reason for Flash running in a browser to have access to every file the user owns. Rights should be inherited. Running a PHP interpreter from a browser should mean it gets the browser's rights, which may be different from running the same thing from a desktop shell. Along with virtual memory, how about providing each application with a virtual disk and a virtual network proxy? The OS filesystem should be read-only. OS and application binaries and configuration should not be co-mingled. Binaries and config should not be co-mingled. Applications should not be running random executables to update themselves - the OS should be checking known repositories for updates.
All this AV stuff is a fudge and a massive performance drain. Has anyone tried measuring the performance hit of AV vs doing OS design right?
While there is always room to make OSs more secure, it is possible to configure Windows to be reasonably secure in Pro/Enterprise editions with Group Policy... it is just not convenient, so the majority of users never do. Software Restriction Policies is a powerful feature, but sadly is under-utilised.
A large part of this falls into security versus convenience problem...
AV currently works on the basis of "blacklist" the bad stuff - allow anything else.
To get your solution means turning it on its head and whitelist what is allowed and block everything else. It can be done as long as everything executable on the computer is stable and does not change very often - and that needs planned and tested updates.
Sadly not exactly practicable now unless you wall the OS off from all other software creators/vendors and only allow certified software from a "store"....oh wait..
I don't really believe that title is true, although I do still highly recommend Sophos Home. I run it on all my Macs and PCs (never used the Linux or Android offerings). In exchange for a couple of details they give home users some pretty impressive security tools and software - including their cloud-based AV - and it's all free of charge.
I can't imagine this 'outbreak' being a very significant problem - a business or home user who is running Sophos AND a 32-bit version of Windows 7 SP1. That seems like a very niche and shrinking market, further deluding these wild conspiracy theories.
Unsurprisingly maybe, I didn't immediately see anything mentioned on their security blog/website (that I won't mention by name here).
Half our fleet needs replacing with freshly SOE'd machines; it doesn't uninstall itself properly - about 25% of installs keep the service running, which means the problem of it slowing systems to a crawl whilst scanning the partitions (this is on Core i5s with 8GB of RAM and 250GB SSDs, for god's sake) is still occurring. We've had to replace multiple machines with freshly imaged ones, and all we hear back is that it's with the developers.
Although if it came down to using Trend versus any Symantec product, we'd stick with Trend any day.