Anti-Virus Bug Briefly Identified Windows Explorer as Malware

Posted by Zonk on Tue Dec 25, 2007 11:23 AM
from the err-oops-pay-no-attention-to-your-OS dept.
SJ2000 writes "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code. The security company's systems had decided that a virus called Huhk-C was present in the explorer.exe file, leading to its confinement or, in some cases, deletion. The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users."
  • by Anonymous Coward on Tuesday December 25 2007, @11:25AM (#21815044)
    Windows identified as malware... why is this a bug?
  • by Anonymous Coward on Tuesday December 25 2007, @11:25AM (#21815048)
    Anti-Virus Bug "Correctly" Identified Windows Explorer as Malware
  • by filesiteguy (695431) <kai@perfectreign.com> on Tuesday December 25 2007, @11:30AM (#21815076) Homepage
    Viruses are small and efficient.
    • You are correct!

      It is a trojan!
      • Nope. Trojans are being streamlined to hide better from the user's eye, usually have a fairly small footprint (less than 100k normally, and few are bigger than 500k), get updated at the very least every other week, are tested and tried until they are bug free and will never ever blow up in the user's face.

        Windows is not a trojan.

        It is a bug.
  • jk (Score:4, Funny)

    by wizardforce (1005805) on Tuesday December 25 2007, @11:32AM (#21815090) Journal
    that's not a bug, it's a feature
  • by Anonymous Coward on Tuesday December 25 2007, @11:33AM (#21815094)
    Shouldn't this have been caught by even the simplest test before releasing?

    That's my first reaction, now I'm off to RTFA
    • by ubrgeek (679399) on Tuesday December 25 2007, @11:35AM (#21815114)
      You're right. But sometimes MS is in a hurry to get their product out.

      Oh, you mean Kaspersky Labs ...
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Shouldn't this have been caught by even the simplest test before releasing?

      [X] In Soviet Russia, IE tests YOU!
      [X] Only old Koreans bother with testing!
      [X] "But it IS malware, boss!"
      [X] Netcraft confirms it - testing is dead!
      [X] I don't run IE, you ignorant clod!
      [X] "We tried to test it on Vista, and we will, as soon as its finished booting ..."

        • Netcraft is dead... Netcraft confirmed it!

          Also, always good to see another Vista user. Now I'll have someone to get my back when I defend Vista against haters. ;)

  • O rly? (Score:5, Funny)

    by Dunbal (464142) on Tuesday December 25 2007, @11:52AM (#21815218)
    "The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users."

    And yet it still made the front page of Slashdot.
      • I use IE7 (due to policies and ) at work and FF at home. Why am I stupid ?
        • Re: (Score:2, Informative)

          "I use IE7 (due to policies and ) at work and FF at home. Why am I stupid ?" For starters your sentence should have been typed like this: "I use IE7 (due to job-related policies) at work and FF at home. Why am I stupid?"
      • Re:O rly? (Score:5, Insightful)

        by rhizome (115711) on Tuesday December 25 2007, @01:02PM (#21815650) Homepage
        It made the front page of Slashdot because a corporate user shouldn't be stupid enough to use Microsoft Explorer over a real browser.

        So what does that make people who are stupid enough to mistake Internet Explorer for Windows Explorer?
      • Re: (Score:3, Interesting)

        I was under the impression that explorer.exe was the MSWindows file manager. As a file manager, it actually is quite nice and has some interesting (good, or at least different) properties compared to nautilus. Such as copying a folder with the same name as a folder in the target will perform a merge of the two folder contents rather than deleting the original contents or the target.
        • The idea of merging is cool, but if a merge is the most intuitive outcome of a folder copy for you, it sure isn't for me. Hopefully the user is notified about the proposed merge? Else it's housekeeping time for me when I get back to work.
          • I'm not sure if it is more intuitive or not. Presumably MSFT has good usability lab to figure that out. It is less destructive, though.

            It's been a while since I got burnt by it in nautilus. Does nautilus warn you if it's about to delete the entire contents of a folder because another folder with the same name is being copied over it?

            I know that at least until a year ago, on filesystems that are case retentive but not case sensitive (i.e.: fat32 and ntfs), nautilus aborts without any warning if it copies
          • Hopefully the user is notified about the proposed merge? Else it's housekeeping time for me when I get back to work.
            You get a "Confirm Folder Replace" dialogue [lowendmac.com].

            BTW, is pressing "ctrl-z" ( / edit -> undo) really that much housekeeping work?
  • by pcgabe (712924) on Tuesday December 25 2007, @12:53PM (#21815596) Homepage Journal

    "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code."

    "Falsely?"

    It's not a virus, sure. Viruses tend to mature, become more efficient...

    But Explorer sure feels like malicious code...
  • by Anonymous Coward
    From TFA:

    As Windows Explorer is the graphical user interface for Windows' file system, this made it difficult to perform many common tasks within the operating system, such as finding files.

    Gee, makes it sound like losing explorer.exe is only mildly inconvenient.
  • Very slow news day.
  • by Alioth (221270) <no@spam> on Tuesday December 25 2007, @01:17PM (#21815748) Journal
    ...last year, when Symantec flagged part of the Windows Server 2003 resource kit as a trojan. That one stayed in 'the wild' much longer, probably because the resource kit in particular wasn't a widely installed piece of software.

    We've also had Norton 'false positive' on the Windows version of Oolite.

    One of these days, a widely used, automatically updated virus scanner is going to detect something like KERNEL32 as malware and kill a whole lot of machines. Wasn't there a problem like this with the Chinese version of Windows earlier this year?
    • Re: (Score:3, Insightful)

      Both of the items you mention I can just about understand making it through a software testing process. It is feasible that none of the test machines had the two pieces of software you mention installed. But if you can find me a Windows box without explorer.exe I will show you a borked installation.

      It is not an optional component to install, last time I checked, so all of their test machines should have had this file. At least some of their test machines should have had exactly that same version of this file.
  • by SlappyBastard (961143) on Tuesday December 25 2007, @01:33PM (#21815854) Homepage
    http://www.huhk.com/intro_background.html [huhk.com] Hmmm... Truly viral marketing.
  • So what does that mean? are we all fucked?
  • by Opportunist (166417) on Tuesday December 25 2007, @05:54PM (#21817228)
    Now, of course they should not. Never. But they do. A few years ago, McAfee found MS Excel as malware (and acted accordingly, including detention or deletion, just like Kaspersky did with explorer now).

    But how? Don't they test?

    Of course they do. AV developers usually have some way to test against the most common software (and a few more software packages) before issuing a new signature. Though, as you can hopefully imagine, that takes time. The "whitelist" box that contains those "known good" files contains literally gigabytes (and soon terabytes) of software. As you can imagine, it takes a LOT of time to scan it all.

    Time, though, is of the essence in the malware fight. You NEED that signature out before the proverbial shit hits the fan (i.e. before your customer opens that infected spam mail that was just distributed a few billion times globally). So your sig update has to go out NOW. Preferably it should've been out an hour ago.

    How do you solve that quandary?

    There are a few strategies. But they all come down to one single problem: Having a current version of every file you want to whitelist. So what most likely happened is this:

    MS pushed an update for the file in question, most likely another of their infamous "silent" updates. You know, the ones you don't even notice. Now, if it wasn't a "silent" one, then one should wonder whether Kaspersky was sleeping (because they didn't fit it into their whitelist box in time) or whether it was pushed JUST at that time when they committed that update. Unfortunately such coincidences do happen.

    Now, I'm not working at Kaspersky. Rather, I'm working at one of their fiercest competitors. So I should probably rejoice at their blunder (and I'm fairly sure my boss will be in a GOOD mood on Thu, time to ask for a raise, I guess). But it can, did, does and will happen. To anyone in the biz. No matter how good you are and how good your false positive alarms and nets are, it can happen to everyone. If anything, this proves it. Kaspersky IS one of the key players in the business, and they usually know what they're doing.

    That's one of the reasons why I do highly recommend that you set your AV tools on "ask me before any action" mode. Yes, it bugs you every now and then, but it also means that things like this won't happen to you should your AV tool manufacturer have a similar problem one day.
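The pre-release check Opportunist describes, as an added example that is not from the thread or from any AV vendor's code: a candidate byte-pattern signature is scanned against a corpus of known-good files (the "whitelist box") before it ships, and a stale copy of one file in that box is enough to let a false positive through. All file bytes, paths, version labels and the pattern itself are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # byte sequence the scanner treats as the malware marker


@dataclass(frozen=True)
class KnownGood:
    path: str
    version: str
    content: bytes


def matches(sig: Signature, content: bytes) -> bool:
    """True if the signature's byte pattern occurs anywhere in the file."""
    return sig.pattern in content


def whitelist_hits(sig: Signature, corpus: list[KnownGood]) -> list[tuple[str, str]]:
    """Every known-good file the signature would flag: each one is a false positive."""
    return [(f.path, f.version) for f in corpus if matches(sig, f.content)]


def release_gate(sig: Signature, corpus: list[KnownGood]) -> str:
    """Block the signature if it matches anything in the whitelist box, else release it."""
    return "BLOCK" if whitelist_hits(sig, corpus) else "RELEASE"


# Constructed sample data: the whitelist box still holds the previous build of
# explorer.exe, while a (hypothetical) silent update has changed the live file.
CANDIDATE = Signature("constructed-sig", b"\x90\x90\xcc\xe8\xde\xad")
STALE_BOX = [
    KnownGood("C:/Windows/explorer.exe", "old-build", b"MZ..shell init..\x90\x90\xcc\xe8"),
    KnownGood("C:/Windows/notepad.exe", "old-build", b"MZ..edit control.."),
]
UPDATED_EXPLORER = KnownGood("C:/Windows/explorer.exe", "new-build",
                             b"MZ..shell init..\x90\x90\xcc\xe8\xde\xad\x00")


def stale_whitelist_demo() -> dict:
    """Gate passes on the stale box, yet the shipped signature hits the updated file."""
    current_box = [f for f in STALE_BOX if f.path != UPDATED_EXPLORER.path] + [UPDATED_EXPLORER]
    return {
        "gate_on_stale_box": release_gate(CANDIDATE, STALE_BOX),      # "RELEASE"
        "hits_in_the_field": matches(CANDIDATE, UPDATED_EXPLORER.content),  # True
        "gate_on_current_box": release_gate(CANDIDATE, current_box),  # "BLOCK"
    }
```

The "ask me before any action" setting the comment recommends is the user-side counterpart: a hit on the updated file becomes a prompt instead of an automatic quarantine.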
    • Can I ask where you work? Because McAfee does not impress me at the moment. You can send me an e-mail, smkatz@gmail.com, if you would prefer not to say so publicly. (I'm not worried about spam, because Gmail filters it.)
  • Yesterday, AVG Free identified Quake4.exe as a trojan on my machine. I had to disable AVG and run the Quake 4 update to get it running again.
    • Building fail-safes would make sense and might work.
    • "Why not have the music player, upon detection of a track, check for a Microsoft digital signature in the WMA, and maybe behave differently in this situation? Might just save a few systems in the future from incorrect signatures. I can't see this change in logic being beneficial to song writers as they won't have a Microsoft signature, and if they can somehow change the music playing program to check for digital signatures against a different public key, you are already liberated."

      Just an analogy to the w

      • That doesn't make sense at all as an analogy. This idea assumes that all Microsoft-signed binaries are clean and that any virus signatures found in those files should be ignored. It's not an extra layer of security, it's a way to prevent the annoyance of false-positives in an existing layer. I can't think of a direct analogy involving DRM; it would have to involve exempting files meeting certain criteria from restriction.

        If an AV scanner decides to let all MS-signed binaries go, they might also consider
    • What's funny is, if I saw that explorer was missing on my system, by the time I reloaded the OS (cause *obviously* it's infected/broken/normal operating procedure), I never would've known the cause. It was pulled by the time I would've finished installing.

      You'd reload Windows because explorer.exe is missing? Holy crap, is that ever overkill.

      Run WinUBCD, change the shell to cmd.exe, reboot, and run sfc. That would fix you right up, in about 10 minutes. And it would also give you the opportunity to figu

              • Re: (Score:3, Insightful)

                I never stated a thing about being "fulfilled": I just stated people are wise to use something that IS the most used, so they are ready for it in the workplace, so they can get paid. Job requirements & training for them is what running Windows @ home does for most folks.

                The point I was making, which should be clear to you, was that there is no merit in making a choice just because it is popular. I can choose to eat food because "everyone else does" and it means nothing; I can choose to eat food becau