I don't normally have much sympathy for the NHS, as so much is self-inflicted, but I feel sorry for anyone working in IT in the NHS after the last few weeks.
An anti-malware update from Sophos caused borked systems at University College London Hospitals (UCLH) on Thursday. Sophos confirmed the problem in a brief statement, adding that it was working with the NHS Trust to get to the bottom of the issue. Sophos can confirm that the Trust raised a support case yesterday regarding an …
It's the contractors doing the work while the in house IT staff do nothing I feel sorry for.
I worked for a company that contracted to a West London NHS trust and I was absolutely dumbfounded when I turned up to do some SQL Server maintenance. They had 12 or so internal tech staff, most of whom were playing Quake 3.
I did a project for them not so long ago. The internal NHS IT project staff were great, but working within the dreadful bureaucracy. It only went wrong when it was handed to the operational team of NHS lifers. Never heard from them again, and it looks like it was never rolled out properly.
"False positives are a well-known prat-fall of all anti-malware packages"
Unfortunately Sophos seems to get them more than most, and seems to have the biggest, meanest ones of all, often meaning a complete bork.
It was why, in 2012, when they took out most of our systems, we moved away and have never looked back. The reason for the false positives? They went through 5 layers of testing without realising that it detected itself as a virus (and loads of other programs).
So how do you know these were false positives and not some really, really good worm which has so far gone undetected? Stuxnet took over a year just to be reverse engineered and classified as a virus!
I'm always intrigued by these false positives, because what it boils down to is believing someone or something else and not your anti-virus software, because the truth appears to be too uncomfortable!
Put it like this: when your AV software flags itself up, how do you know it's not been infected?
Do you, like any good scientist, have anything else to back up your position/opinion, like a hash sum of the file in question compared to a known offline good copy, for example?
Do MS even provide a list of their files & version numbers with a variety of hash sums, for people to use to verify and trust their Windows files independently of AV software analysis?
How do you know the spooks are not redirecting your DNS lookups or intercepting your network connections (MITM) to a hypothetical web link to MS which lists the hash sums of their own files?
Some people don't appear to have thought things through properly.
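As an added example (not part of the thread above, and not code from Sophos, Microsoft or the NHS), here is the kind of AV-independent check the previous comment is asking for: build a hash manifest from an offline known-good copy, compare a deployed tree against it, and refuse to trust the manifest itself unless its own digest matches a value recorded out-of-band, which is what catches a hash list served over a hijacked DNS lookup or MITM'd connection. Every file, path and digest here is constructed for the demo; the tool, file names and pinning scheme are assumptions, not any vendor's published mechanism.

```python
"""Verify a deployed tree against a manifest taken from an offline known-good
copy; the manifest is only used if its SHA-256 matches one pinned out-of-band."""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB read chunks; do not load whole binaries into memory


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 of a file, hex encoded."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> str:
    """'relative/path<TAB>sha256' for every file under root.
    Run this on the offline known-good copy, never on the suspect machine."""
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            lines.append(f"{p.relative_to(root).as_posix()}\t{sha256_of(p)}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict[str, str]:
    """Parse manifest lines; a malformed digest is an error, not a skip."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        rel, _, digest = line.partition("\t")
        digest = digest.strip().lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 {digest!r}")
        expected[rel] = digest
    return expected


def manifest_is_trusted(text: str, pinned_digest: str) -> bool:
    """The manifest is only as trustworthy as the channel it came over, so its
    digest is pinned out-of-band (copied from the offline tree, not downloaded)
    and compared in constant time. A swapped or MITM'd list fails here."""
    actual = hashlib.sha256(text.encode()).hexdigest()
    return hmac.compare_digest(actual, pinned_digest)


def verify_tree(root: Path, expected: dict[str, str]) -> dict[str, str]:
    """Status per path: 'ok', 'mismatch', 'missing' (listed, absent) or
    'unexpected' (present, unlisted). Unexpected files matter: a dropped
    binary is exactly what a real infection, not a false positive, would add."""
    results, seen = {}, set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in expected:
            results[rel] = "unexpected"
        elif hmac.compare_digest(sha256_of(p), expected[rel]):
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    for rel in expected:
        if rel not in seen:
            results[rel] = "missing"
    return results


def demo() -> tuple[bool, dict[str, str]]:
    """Constructed scenario (assumed names): a golden tree, a pinned manifest
    digest, and a deployed tree with one tampered, one missing, one extra file."""
    golden = {"bin/scanner.exe": b"known good scanner build\n",
              "lib/engine.dll": b"known good engine\n",
              "lib/sigs.dat": b"signature pack v1\n"}
    deployed = {"bin/scanner.exe": b"known good scanner build\n",
                "lib/engine.dll": b"patched engine\n",        # tampered
                "bin/dropper.exe": b"not in the manifest\n"}   # extra
    with tempfile.TemporaryDirectory() as g, tempfile.TemporaryDirectory() as d:
        for root, files in ((Path(g), golden), (Path(d), deployed)):
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        manifest = build_manifest(Path(g))
        pinned = hashlib.sha256(manifest.encode()).hexdigest()  # written down offline
        trusted = manifest_is_trusted(manifest, pinned)
        results = verify_tree(Path(d), parse_manifest(manifest)) if trusted else {}
    return trusted, results


if __name__ == "__main__":
    ok, res = demo()
    print("manifest trusted:", ok)
    for rel, status in sorted(res.items()):
        print(f"{status:10} {rel}")
```

On Windows the practical out-of-band check for Microsoft's own binaries is the Authenticode signature (Get-AuthenticodeSignature in PowerShell), which is verified against certificates already on the box rather than a hash list fetched over the network; the pinned-manifest approach above is the equivalent for anything that ships unsigned.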
Look at the update:
Updated on Monday 10.00 UTC to add: Sophos has been in touch to say: “Sophos can confirm that the Trust raised a support case yesterday regarding an issue they experienced during a planned software upgrade. We worked quickly with them to resolve the issue and we continue to work with the customer on root cause analysis. Our investigation into the case has confirmed this is not a false positive.”
So this wasn't a false positive, just a planned software upgrade. So this article is totally wrong, as the issue has nothing to do with a false positive.