Anti-Virus Bug Briefly Identified Windows Explorer as Malware

Posted by Zonk on Tuesday December 25, @11:23AM
from the err-oops-pay-no-attention-to-your-OS dept.
SJ2000 writes "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code. The security company's systems had decided that a virus called Huhk-C was present in the explorer.exe file, leading to its confinement or, in some cases, deletion. The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users."

  • I don't get it... (Score:5, Funny)

    by Anonymous Coward on Tuesday December 25, @11:25AM (#21815044)
    Windows identified as malware... why is this a bug?
  • Obligatory fixed (Score:4, Funny)

    by Anonymous Coward on Tuesday December 25, @11:25AM (#21815048)
    Anti-Virus Bug "Correctly" Identified Windows Explorer as Malware
  • Windows Is Not A Virus! (Score:5, Funny)

    by filesiteguy (695431) on Tuesday December 25, @11:30AM (#21815076) Homepage
    Viruses are small and efficient.
  • jk (Score:4, Funny)

    by wizardforce (1005805) on Tuesday December 25, @11:32AM (#21815090) Journal
    that's not a bug, it's a feature
    • Re:jk by Phroggy (Score:2) Tuesday December 25, @04:50PM
  • by Anonymous Coward on Tuesday December 25, @11:33AM (#21815094)
    Shouldn't this have been caught by even the simplest test before releasing?

    That's my first reaction; now I'm off to RTFA.
  • O rly? (Score:5, Funny)

    by Dunbal (464142) on Tuesday December 25, @11:52AM (#21815218)
    > The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users.

    And yet it still made the front page of Slashdot.
    • Re:O rly? by Shohat (Score:2) Tuesday December 25, @12:20PM
      • Re:O rly? by The Anarchist Avenge (Score:1) Tuesday December 25, @01:10PM
      • Re:O rly? by Matt867 (Score:2) Tuesday December 25, @03:36PM
        • Re:O rly? by bigstrat2003 (Score:2) Wednesday December 26, @01:37AM
    • Re:O rly? (Score:5, Insightful)

      by rhizome (115711) on Tuesday December 25, @01:02PM (#21815650) Homepage
      It made the front page of Slashdot because a corporate user shouldn't be stupid enough to use Microsoft Explorer over a real browser.

      So what does that make people who are stupid enough to mistake Internet Explorer for Windows Explorer?
      • Re:O rly? by Decameron81 (Score:2) Wednesday December 26, @07:48AM
      • Re:O rly? by atraintocry (Score:2) Wednesday December 26, @01:58PM
    • Re:O rly? by MMC Monster (Score:3) Tuesday December 25, @03:27PM
      • Re:O rly? by marcello_dl (Score:2) Tuesday December 25, @04:23PM
        • Re:O rly? by MMC Monster (Score:2) Tuesday December 25, @04:49PM
        • Yes by SEMW (Score:2) Tuesday December 25, @08:10PM
          • Re:Yes by marcello_dl (Score:2) Thursday December 27, @04:33PM
  • Random Thought (Score:1)

    by Cruicky (1122359) on Tuesday December 25, @12:50PM (#21815572)
    Why not have the virus scanner, upon detection of a virus, check for a Microsoft digital signature in the binary, and maybe behave differently in this situation? Might just save a few systems in the future from incorrect signatures. I can't see this change in logic being beneficial to malware writers as they won't have a Microsoft signature, and if they can somehow change the anti-virus program to check for digital signatures against a different public key, you are already compromised.
  • by pcgabe (712924) on Tuesday December 25, @12:53PM (#21815596) Homepage

    > "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code."

    "Falsely?"

    It's not a virus, sure. Viruses tend to mature, become more efficient...

    But Explorer sure feels like malicious code...
  • Dumb article (Score:2, Funny)

    by Anonymous Coward on Tuesday December 25, @01:01PM (#21815646)
    From TFA:

    As Windows Explorer is the graphical user interface for Windows' file system, this made it difficult to perform many common tasks within the operating system, such as finding files.

    Gee, makes it sound like losing explorer.exe is only mildly inconvenient.
  • AND???? (Score:1)

    by lorenlal (164133) <lalonde9@m s u .edu> on Tuesday December 25, @01:02PM (#21815648)
    Nothing to see here, move along. If it made news every time someone released something that broke explorer, we couldn't read about our beloved Beowulf clusters of toasters!

    What's funny is, if I saw that explorer was missing on my system, by the time I reloaded the OS (cause *obviously* it's infected/broken/normal operating procedure), I never would've known the cause. It was pulled by the time I would've finished installing.

    Of course, then I'd have to go and find my Gentoo CD so I could reload GRUB. That would've been more painful than the rest of the OS reload that I expect to do every six months anyway.
    • Re:AND???? by cbiltcliffe (Score:2) Tuesday December 25, @10:23PM
    • Re:AND???? by bcmm (Score:2) Wednesday December 26, @04:51AM
      • Re:AND???? by TheCarp (Score:2) Wednesday December 26, @10:57AM
        • Re:AND???? by bcmm (Score:2) Wednesday December 26, @12:30PM
          • Re:AND???? by TheCarp (Score:2) Wednesday December 26, @02:27PM
  • Slow news day (Score:2)

    by jamesl (106902) on Tuesday December 25, @01:12PM (#21815708)
    Very slow news day.
  • Seen it all before... (Score:3, Interesting)

    by Alioth (221270) <dyls@alioth.net> on Tuesday December 25, @01:17PM (#21815748) Homepage Journal
    ...last year, when Symantec flagged part of the Windows Server 2003 resource kit as a trojan. That one stayed in 'the wild' much longer, probably because the resource kit in particular wasn't a widely installed piece of software.

    We've also had Norton 'false positive' on the Windows version of Oolite.

    One of these days, a widely used, automatically updated virus scanner is going to detect something like KERNEL32 as malware and kill a whole lot of machines. Wasn't there a problem like this with the Chinese version of Windows earlier this year?
  • by SlappyBastard (961143) on Tuesday December 25, @01:33PM (#21815854)
    http://www.huhk.com/intro_background.html [huhk.com] Hmmm... Truly viral marketing.
  • by tristian_was_here (865394) on Tuesday December 25, @02:34PM (#21816202)
    So what does that mean? are we all fucked?
  • No Mistake (Score:1)

    by BanjoBob (686644) on Tuesday December 25, @02:52PM (#21816300) Homepage Journal
    What? Windows Explorer is malicious code. In Vista, just try and move a file to another device and you can wait for the rest of your life for the copy/delete functions to take place ;)

  • Correction (Score:1, Redundant)

    by Kazymyr (190114) on Tuesday December 25, @03:06PM (#21816376) Journal
    What do you mean falsely identified?
  • by slicenglide (735363) on Tuesday December 25, @03:58PM (#21816652)
    I know a guy who is Kaspersky happy, and installs it on everything he touches. All of the machines he touched were affected by this bug. I think it's more than a handful.
  • Why things like this happen (Score:5, Insightful)

    by Opportunist (166417) on Tuesday December 25, @05:54PM (#21817228)
    Now, of course they should not. Never. But they do. A few years ago, McAfee found MS Excel as malware (and acted accordingly, including detention or deletion, just like Kaspersky did with explorer now).

    But how? Don't they test?

    Of course they do. AV developers usually have some way to test against the most common software (and a few more software packages) before issuing a new signature. Though, as you can hopefully imagine, that takes time. The "whitelist" box that contains those "known good" files contains literally gigabytes (and soon terabytes) of software. As you can imagine, it takes a LOT of time to scan it all.

    Time, though, is of the essence in the malware fight. You NEED that signature out before the proverbial shit hits the fan (i.e. before your customer opens that infected spam mail that was just distributed a few billion times globally). So your sig update has to go out NOW. Preferably it should've been out an hour ago.

    How do you solve that quandary?

    There are a few strategies. But they all come down to one single problem: Having a current version of every file you want to whitelist. So what most likely happened is this:

    MS pushed an update for the file in question, most likely another of their infamous "silent" updates. You know, the ones you don't even notice. Now, if it wasn't a "silent" one, then one should wonder whether Kaspersky was sleeping (because they didn't fit it into their whitelist box in time) or whether it was pushed JUST at that time when they committed that update. Unfortunately such coincidences do happen.

    Now, I'm not working at Kaspersky. Rather, I'm working at one of their fiercest competitors. So I should probably rejoice at their blunder (and I'm fairly sure my boss will be in a GOOD mood on Thu, time to ask for a raise, I guess). But it can, did, does and will happen. To anyone in the biz. No matter how good you are and how good your false positive alarms and nets are, it can happen to everyone. If anything, this proves it. Kaspersky IS one of the key players in the business, and they usually know what they're doing.

    That's one of the reasons why I do highly recommend that you set your AV tools on "ask me before any action" mode. Yes, it bugs you every now and then, but it also means that things like this won't happen to you should your AV tool manufacturer have a similar problem one day.
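    The race Opportunist describes (a signature ships, a "silent" update changes the file so its hash is no longer in the vendor's known-good set, and the engine quarantines it) and the "ask me before any action" mode he recommends, modelled as an added example. This is illustrative code written for this page, not Kaspersky's or any vendor's engine; the Huhk-C byte pattern, the explorer.exe images and the allowlist are all constructed. Cruicky's publisher-signature check would be a second source of "known good" alongside the hash allowlist, and is not modelled here.

```python
import hashlib
from typing import Dict, Optional, Set

# Constructed stand-in for a detection signature: a byte pattern the engine
# looks for. The real Huhk-C signature is not on the page; this is a dummy.
SIGNATURES: Dict[str, bytes] = {"Huhk-C": b"\x90\x90HUHK\xcc"}

# Constructed file images. "v1" is the build that was in the vendor's
# known-good set when the signature shipped; "v2" is a later (silent) update
# that was not. Both happen to contain the pattern, i.e. a false positive.
EXPLORER_V1 = b"MZ...explorer v1..." + SIGNATURES["Huhk-C"] + b"..."
EXPLORER_V2 = b"MZ...explorer v2..." + SIGNATURES["Huhk-C"] + b"..."


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good allowlist keyed by file hash (the comment's "whitelist box").
# Only v1 had been scanned before the signature went out.
KNOWN_GOOD: Set[str] = {sha256(EXPLORER_V1)}


def match_signature(data: bytes) -> Optional[str]:
    """Return the name of the first signature whose pattern occurs in data."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def decide(path: str, data: bytes, known_good: Set[str], policy: str = "ask") -> dict:
    """Turn a raw signature hit into an action.

    policy "auto": quarantine any hit not on the allowlist (what bit the
    users in the story). policy "ask": defer destructive action to the user.
    """
    hit = match_signature(data)
    if hit is None:
        return {"path": path, "signature": None, "action": "clean"}
    if sha256(data) in known_good:
        # Allowlisted build: suppress the action but keep the hit for analysts.
        return {"path": path, "signature": hit, "action": "allow"}
    action = "quarantine" if policy == "auto" else "ask"
    return {"path": path, "signature": hit, "action": action}


if __name__ == "__main__":
    for label, image in (("v1", EXPLORER_V1), ("v2", EXPLORER_V2)):
        for policy in ("auto", "ask"):
            print(label, policy, decide("explorer.exe", image, KNOWN_GOOD, policy)["action"])
```

With policy "auto" the updated v2 image is quarantined because its hash is absent from the allowlist, while "ask" turns the same hit into a prompt.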
  • That's funny (Score:2)

    by Micro$will (592938) on Tuesday December 25, @08:04PM (#21817854) Homepage Journal
    Yesterday, AVG Free identified Quake4.exe as a trojan on my machine. I had to disable AVG and run the Quake 4 update to get it running again.
  • by cavebison (1107959) on Wednesday December 26, @01:19AM (#21819424)
    Then it's a good thing Kaspersky doesn't have voice recognition. I don't want to be confined for something I say.

    oops. shh, don't want to give the government any more ideas here..
  • by Waccoon (1186667) on Wednesday December 26, @01:19AM (#21819428) Homepage
    Note to anti-virus companies: ask the user what to do, instead of automatically deleting files you don't own. I stopped using all anti-virus software on my Windows machine because of rubbish like this.
  • by ozsynergy (634652) on Wednesday December 26, @07:00AM (#21820382)
    Yeah, I don't know where they got their numbers from. But I was a part of the handful....
    Without any information about the "virus detection" at the time, I took the only safe path I could...
    Doing a full backup and reinstalling Windows and Linux. Wasted an entire day, thanks kasperkey :(
  • by Impecca (929846) on Wednesday December 26, @12:10PM (#21822132)
    A customer brought in their computer because they thought they had a virus because the computer was running slower. So they installed Kaspersky and it "found a virus" which happened to be explorer.exe. Sadly for this guy, it ended up costing him $120. Is it possible he could get his money back from Kaspersky? I doubt it. I seriously doubt it happened to just a handful of people if I happened to get a customer with this issue.
  • by Master of Transhuman (597628) on Wednesday December 26, @05:48PM (#21825016)
    Kaspersky has made TWO major mistakes in a week's time.

    First, back on the 14th, they screwed up and issued an update that had SERIOUS consequences for quite a few people running large networks. One guy had 700 machines down. Turns out they had a bug in the code since 1996, which was only discovered when they switched Microsoft compilers for version 7. The Linux compilers caught the bug and so the Linux version of KAV didn't have a problem. But the Microsoft compilers compiled the bug with no warnings or error messages, so it slipped through. At least that was the explanation Eugene Kaspersky put out on the forum.

    Second, this latest bug with Explorer which was fortunately caught within a couple hours. My client's machines never even saw it because their update cycle was longer.

    I've just started installing KAV 6.0 on one of my client's machines. He was suspicious of using a Russian company in the first place, but I told him it was okay since they're a high detector, got a management kit, good price for his 24 machines, etc.

    Then this shit happened. Doesn't make me look good, either. Fortunately it didn't drop our machines, it just caused a message to pop up saying the application launch didn't work.

    And recovering has not been easy, since the Admin Kit apparently still has the crap in its source directory used for installing KAV on client machines. I'm going to have to uninstall and reinstall the Kit to make sure the buggy components are not there as I finish installing the rest of the machines.

    But what someone else above said is likely true - sooner or later some AV is going to drop thousands of scores of thousands of machines. This is obviously true when you consider that AVs are programs that burrow deep into the OS AND have almost continual updates of both signatures and software components. It's like running Windows Update every hour of every day! Sooner or later there's going to be a catastrophe. It's just not a sustainable process.
  • Re:windows? a virus? no wai (Score:1, Redundant)

    by Entropius (188861) on Tuesday December 25, @12:18PM (#21815356)
    only the dumb windows users.
  • Re:bug? (Score:1)

    by Kopiok (898028) on Tuesday December 25, @04:05PM (#21816692)
    Except for the part where they give their consent. (Informed that only dirty hippies use OSX).
    • Re:bug? by saxoholic (Score:1) Thursday December 27, @07:17PM