Anti-Virus Bug Briefly Identified Windows Explorer as Malware

SJ2000 writes "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code. The security company's systems had decided that a virus called Huhk-C was present in the explorer.exe file, leading to its confinement or, in some cases, deletion. The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users."

I don't get it...

[Anonymous Coward]

Windows identified as malware... why is this a bug?

Re:I don't get it...

[Anonymous Coward]

> Windows identified as malware... why is this a bug?

Because it only identified the explorer component.

Re:

[BCW2]

I agree! Since IE is the home of 50%+ of all Windows vulnerabilities, it is mal-ware!

Re:

[inkspot78]

They are referring to Windows Explorer (explorer.exe), not Internet Explorer (iexplore.exe).

Re:

[weicco]

So the real news is don't trust Kaspersky Lab's antivirus software.

Re:

[Schraegstrichpunkt]

So the real news is don't trust Kaspersky Lab's antivirus software.

Perhaps. I'd say the "news" is that Windows is a stupid, broken OS where stuff like this is bound to happen because it's designed to need antivirus software in the first place.

If someone pulls on one of these doorhandles [wordpress.com] who's more to blame? The designer or the user?

The designer.

Re:

[weicco]

Please run this as root: rm -rf /

So every *nix version is a stupid, broken OS where stuff like this is bound to happen? How on earth OS is able to tell which command or executable is a valid one and which should be ignored?

When you have answer for that, patent it and sell it to some major OS vendor. You'll be very, very rich then.

Re:

[Schraegstrichpunkt]

Please run this as root: rm -rf /
So every *nix version is a stupid, broken OS where stuff like this is bound to happen?

On the contrary. "rm -rf /" doesn't violate user expectations.

"Screensavers" and "games" that can do malicious things with files unrelated to their own operation, for example, violate user expectations. I find it amazing that Microsoft---a company that makes US $14.06 billion a year in profit---still hasn't produced an operating system that does proper sandboxing. That the same company can barely compete technically with a few geeks hacking in their basements is a testament to its utter lack of innov

Re:

[weicco]

Eh. How about I put "rm -rf /" inside a file which I cleverly name fetch_pictures_of_pamela_nude.sh? User expects to see large breasts but ends up with a very screwed OS. Of course it doesn't work unless user runs it as root but same goes for Windows and Vista especially. Just because there aren't a lot of stupid attacks like this targeted on *nix system doesn't mean that it isn't possible.

The problem with Windows is users. I know a heck lot of users who, as you correctly said, install every goddamn Messen

Re:

[Schraegstrichpunkt]

Just because there aren't a lot of stupid attacks like this targeted on *nix system doesn't mean that it isn't possible.

I'm not proposing *nix as a solution to the problem.

And I don't really see how sandboxin everything solves the problem with trojans.

I wouldn't say it completely solves the problem, but it would go a long way. If everyday things could be installed into some sort of sandbox, then a user could be taught to think twice before giving some process extra privileges. (Which is partly why *nix is somewhat better in practise---you don't generally run stuff as root---but it doesn't go far enough in that respect.)

Re:

[weicco]

I wouldn't say it completely solves the problem, but it would go a long way. If everyday things could be installed into some sort of sandbox, then a user could be taught to think twice before giving some process extra privileges. (Which is partly why *nix is somewhat better in practise---you don't generally run stuff as root---but it doesn't go far enough in that respect.)

Well for instance spam bot doesn't have to be run as root. It only needs connection to outside world to recieve orders and send spam. P

Re:

[Opportunist]

Well, to keep their signature files small, a lot of AV companies started tracking only the most damaging parts of a malware kit.

Re:I don't get it...

[iamacat]

Here is an explanation why it is a bug [annoyances.org]

Re:

[Harmonious Botch]

Windows identified as malware... why is this a bug?

Because it failed to take the proper corrective action ...loading linux andfirefox

Re:I don't get it...

[dolo724]

In the late 90s and into the early 00s a few MS components and some legitimate DLLs were identified as virus laden. I solved the problem on my work machine by formatting the HD and installing RH-7, then VMWare for the only windows-dependent executable I couldn't get to run on wine. I had the fastest software package in-house and it made a kick-ass Quake server.

maybe that's why I got laid off...

Re:

[Heembo]

At least you didn't use the entire corporate network to find the next prime number. :)

Where is the Obligatory Gay Male Coprophilia Porn

[NeverVotedBush]

Any story that puts MS in a bad light or makes fun of them almost always gets the story about some guy enjoying another's feces.

I guess it's just too early still in Seattle... Maybe they will post it later.

Merry Christmas Bill!

Re:

[the honger]

"...best thing for it, really...it's therapy was going nowhere..."

Re:

[jansegers]

Reminds me of an old joke about Windows 95 being a virus... http://aryhma.oy.cx/damu/humor/win95_virus.html [aryhma.oy.cx] Could apply to Vista as well, I'm afraid...

Re:

[AmyRose1024]

The actual patch is here: http://www.kubuntu.org/ [kubuntu.org]

Re:

[kdemetter]

well at least you are more honest about your spam .

Obligatory fixed

[Anonymous Coward]

Anti-Virus Bug "Correctly" Identified Windows Explorer as Malware

Windows Is Not A Virus!

[filesiteguy]

Viruses are small and efficient.

Re:

[NeverVotedBush]

You are correct!

It is a trojan!

Re:

[Opportunist]

Nope. Trojans are being streamlined to hide better from the user's eye, usually have a fairly small footprint (less than 100k normally, and few are bigger than 500k), get updated at the very least every other week, are tested and tried until they are bug free and will never ever blow up in the user's face.

Windows is not a trojan.

It is a bug.

Today's virus are not efficient at all!

[JcMorin]

I agree, today virus are not efficient at all, most of time customer discover they have virus because their system is getting very slow.

jk

[wizardforce]

that's not a bug, it's a feature

Re:

[Phroggy]

Not a bug [wordpress.com]

um, don't they test these things before releasing?

[Anonymous Coward]

Shouldn't this have been caught by even the simplest test before releasing?

That's my first reaction, now I'm off to RTFA

Re:um, don't they test these things before releasi

[ubrgeek]

You're right. But sometimes MS is in a hurry to get their product out.

Oh, you mean Kaspersky Labs ...

Re:

[Anonymous Coward]

Shouldn't this have been caught by even the simplest test before releasing?

[X] In Soviet Russia, IE tests YOU!
[X] Only old Koreans bother with testing!
[X] "But it IS malware, boss!"
[X] Netcraft confirms it - testing is dead!
[X] I don't run IE, you ignorant clod!
[X] "We tried to test it on Vista, and we will, as soon as its finished booting ..."

Re:

[i.of.the.storm]

Haha, I haven't seen netcraft confirms it in a long time - is netcraft dead? And Vista boots near instantly on my computer, but I understand it's a joke and also that I built my computer two months ago seeking out the best low-cost components possible, so my case may be something of an anomaly. But it's kind of funny because with XP I would usually hit the power switch, go take a piss or something, come back and find out that it still hasn't finished loading antivirus, firewall, etc... but that's more becau

Re:

[bigstrat2003]

Netcraft is dead... Netcraft confirmed it!

Also, always good to see another Vista user. Now I'll have someone to get my back when I defend Vista against haters. ;)

Re:

[i.of.the.storm]

Yeah, I'm sure as time passes more and more people will be using Vista and realizing there's nothing really fundamentally wrong with it once you disable UAC (which I didn't really want to do because of the security feature but I really know what I'm doing and don't need 3 prompts when I want to change something in Program Files). And by the time Windows 7 rolls around everyone will be like "You can pry my Vista SP2 from my cold dead hands!" etc.

O rly?

[Dunbal]

The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users.

      And yet it still made the front page of Slashdot.

Re:

[Shohat]

I use IE7 (due to policies and ) at work and FF at home. Why am I stupid ?

Re:

[The Anarchist Avenge]

When gp talked about corporations as an entity, he was referring to the people in the corporations to make software policy. So you aren't stupid, the people above you are.

Re:

[Matt867]

"I use IE7 (due to policies and ) at work and FF at home. Why am I stupid ?" For starters your sentence should have been typed like this: "I use IE7 (due to job-related policies) at work and FF at home. Why am I stupid?"

Re:

[bigstrat2003]

It's a bit rich to call anyone who uses IE stupid, considering calling IE not a real browser is pretty stupid in itself. IE7 works beautifully, thank you very much. Bully for you if you want to use Firefox (or any other browser), but that doesn't mean you should come in here insulting IE users.

Re:O rly?

[rhizome]

It made the front page of Slashdot because a corporate user shouldn't be stupid enough to use Microsoft Explorer over a real browser.

So what does that make people who are stupid enough to mistake Internet Explorer for Windows Explorer?

Re:

[Decameron81]

So what does that make people who are stupid enough to mistake Internet Explorer for Windows Explorer?

Yeah, completely stupid people.

It's like mistaking Windows Vista Starter [microsoft.com] with Windows Vista Home Basic [microsoft.com] or with Windows Vista Home Premium [microsoft.com] or with Windows Vista Business [microsoft.com] or with Windows Vista Enterprise [microsoft.com] or with Windows Vista Ultimate [microsoft.com].

Or like believing that Plays For Sure [microsoft.com] plays for sure.

Re:

[atraintocry]

So what does that make people who are stupid enough to mistake Internet Explorer for Windows Explorer?

The Windows Team, circa 1998.

Re:

[MMC Monster]

I was under the impression that explorer.exe was the MSWindows file manager. As a file manager, it actually is quite nice and has some interesting (good, or at least different) properties compared to nautilus. Such as copying a folder with the same name as a folder in the target will perform a merge of the two folder contents rather than deleting the original contents or the target.

Re:

[marcello_dl]

The idea of merging is cool, but if a merge is the most intuitive outcome of a folder copy for you, it sure isn't for me. Hopefully the user is notified about the proposed merge? else it's housekeeping time for me when i get back to work.

Re:

[MMC Monster]

I'm not sure if it is more intuitive or not. Presumably MSFT has good usability lab to figure that out. It is less destructive, though.

It's been a while since I got burnt by it in nautilus. Does nautilus warn you if it's about to delete the entire contents of a folder because another folder with the same name is being copied over it?

I know that at at least until a year ago, on filesystems that are case retentive but not case sensitive (ie: fat32 and ntfs), nautilus aborts without any warning if it copies

Yes

[SEMW]

Hopefully the user is notified about the proposed merge? else it's housekeeping time for me when i get back to work.

You get a "Confirm Folder Replace" dialogue [lowendmac.com].

BTW, is pressing "ctrl-z" ( / edit -> undo) really that much housekeeping work?

Re:

[marcello_dl]

Control z is not going to help much if I had merged folders months ago unknowingly. I said "when i go back to work", even. Luckily there is the dialog so I likely never borked anything.

Random Thought

[Cruicky]

Why not have the virus scanner, upon detection of a virus, check for a Microsoft digital signature in the binary, and maybe behave differently in this situation? Might just save a few systems in the future from incorrect signatures. I can't see this change in logic being beneficial to malware writers as they won't have a Microsoft signature, and if they can somehow change the anti-virus program to check for digital signatures against a different public key, you are already compromised.

Because the AV business ain't about solutions

[SlappyBastard]

Building fail-safes would make sense and might work.

Re:

[Warbothong]

"Why not have the music player, upon detection of a track, check for a Microsoft digital signature in the WMA, and maybe behave differently in this situation? Might just save a few systems in the future from incorrect signatures. I can't see this change in logic being beneficial to song writers as they won't have a Microsoft signature, and if they can somehow change the music playing program to check for digital signatures against a different public key, you are already liberated."

Just an analogy to the w

Re:

[Al Dimond]

That doesn't make sense at all as an analogy. This idea assumes that all Microsoft-signed binaries are clean and that any virus signatures found in those files should be ignored. It's not an extra layer of security, it's a way to prevent the annoyance of false-positives in an existing layer. I can't think of a direct analogy involving DRM; it would have to involve exempting files meeting certain criteria from restriction.

If an AV scanner decides to let all MS-signed binaries go, they might also consider

Re:

[niteice]

So...you imply that this "security cake" is more useless, more of an illusion as time goes on....

so you're saying that the cake is a lie?

Have you even used windows lately?

[pcgabe]

"Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being
falsely identified as malicious code.

"Falsely?"

It's not a virus, sure. Viruses tend to mature, become more efficient...

But Explorer sure feels like malicious code...

Dumb article

[Anonymous Coward]

From TFA:

As Windows Explorer is the graphical user interface for Windows' file system, this made it difficult to perform many common tasks within the operating system, such as finding files.

Gee, makes it sound like losing explorer.exe is only mildly inconvenient.

Re:

[BlueParrot]

Gee, makes it sound like losing explorer.exe is only mildly inconvenient.

Wel at least they didn't claim it was "bricked" ...

Re:

[Ant P.]

In that situation you can still use the task manager and the original windows 3.1 program/file managers. They might've stopped including those two after XP though, I dunno

Re:

[iivel]

progman.exe and winfile.exe no longer execute in XP (though they were still there in win2K)

Who needs explorer?

[SEMW]

Ctrl-Shift-Esc, Alt f n, "powershell.exe" (or "cmd.exe" for old-timers).

Bah. Explorer. Who needs it?

Re:

[Tired and Emotional]

> As Windows Explorer is the graphical user interface for Windows' file system, this made it difficult to perform many common tasks within the operating system, such as finding files.

Hmm:

Start/run: enter "c:\cygwin\bin\bash.exe

click ok

find . -name thingee.wot

How is that hard?

AND????

[lorenlal]

Nothing to see here, move along. If it made news every time someone released something that broke explorer, we couldn't read about our beloved Beowulf clusters of toasters!

What's funny is, if I saw that explorer was missing on my system, by the time I reloaded the OS (cause *obviously* it's infected/broken/normal operating procedure), I never would've known the cause. It was pulled by the time I would've finished installing.

Of course, then I'd have to go and find my Gentoo CD so I could reload GRUB. That

Re:

[cbiltcliffe]

What's funny is, if I saw that explorer was missing on my system, by the time I reloaded the OS (cause *obviously* it's infected/broken/normal operating procedure), I never would've known the cause. It was pulled by the time I would've finished installing.

You'd reload Windows because explorer.exe is missing? Holy crap, is that ever overkill.

Run WinUBCD, change the shell to cmd.exe, reboot, and run sfc. That would fix you right up, in about 10 minutes. And it would also give you the opportunity to figu

Re:

[bcmm]

How is reinstalling Grub more painful than an XP install?

Also, had you thought of just backing up and restoring the MBR with dd?

Re:

[TheCarp]

Duh.... read the comment...

Its because he fucked up the order of operations and reinstalled windows before finding the ubuntu cd. When you add searching for a CD you haven't seen in 6 months to the complexity of a task, it can become far more daunting, (YMMV, I guess not everyone has trouble in this area, you could be an anal retentive organized freak).

-Steve

Re:

[bcmm]

Linux != Ubuntu, contrary to currently popular beliefs.

Re:

[TheCarp]

Whops. Mea Culpa.

Ok, so _I_ would generally be searching for an ububtu CD, since its what I use on the desktop and a desktop is the only think I would consider dual booting. Though, Ubuntu, gentoo... they sound so similar... pure accident that I upgraded him to ubuntu :)

-Steve

Slow news day

[jamesl]

Very slow news day.

Not as slow as yesterday

[strcpy(NULL,...]

Yesterday, we read about a dork playing jingle bells by hitting his video card fan. This story is an improvement.

Re:

[armareum]

Strangely, I want a link to that story. :s

Re:

[angus_rg]

Maybe, but regardless of the news day, anyone incorrectly identifying a file native to Windows is Front Page(TM) news.

Seen it all before...

[Alioth]

...last year, when Symantec flagged part of the Windows Server 2003 resource kit as a trojan. That one stayed in 'the wild' much longer, probably because the resource kit in particular wasn't a widely installed piece of software.

We've also had Norton 'false positive' on the Windows version of Oolite.

One of these days, a widely used, automatically updated virus scanner is going to detect something like KERNEL32 as malware and kill a whole lot of machines. Wasn't there a problem like this with the Chinese version of Windows earlier this year?

Re:

[Ash Vince]

Both of the items you mention I can just about understand making it through a software testing process. It is feasible that none of the test machines had the two peices of software you mention installed. But if you can find me a windows box without explorer.exe I will show you a borked installation.

It is not an optional component to install last time I checked so all of their test machines should have had this file. At least some of their test machines should have had exactly that same version of this file

HUHK = Hamburger University of Hong King

[SlappyBastard]

http://www.huhk.com/intro_background.html [huhk.com] Hmmm... Truly viral marketing.

Anti-Virus Bug Briefly Identified Windows Explorer

[tristian_was_here]

So what does that mean? are we all fucked?

Re:Anti-Virus Bug Briefly Identified Windows Explo

[realdodgeman]

So what does that mean? are we all fucked?

No, just you. We run Mac, Linux and BSD.

Re:

[Anonymous Coward]

So what does that mean? are we all fucked?

No, just you. We run Mac, Linux and BSD.

Quite right. Mac, Linux and BSD users are rarely if ever fucked. ;)

Re:

[Phroggy]

Touché! Well played, sir.

Re:

[tristian_was_here]

Know what all that means? shit...

Re:

[shannara256]

Obligatory XKCD [xkcd.com]

No Mistake

[BanjoBob]

What? Windows Explorer is malicious code. In Vista, just try and move a file to another device and you can wait for the rest of your life for the copy/delete functions to take place ;)

Correction

[Kazymyr]

What do you mean falsely identified?

Handful of consumers?

[slicenglide]

I know a guy who is Kaspersky happy, and installs it on everything he touches. All of the machines he touched were affected by this bug. I think it's more than a handful.

Re:

[brown-eyed slug]

Yes, there are plenty of jokes, or 'insights' here gleefully playing on the irony of explorer.exe being identified as 'malware', but out here in the real world it caused real problems.

My sister is a normal person who doesn't know a great deal about technology but bought a PC, uses it for a bit of entertainment, and a bit of home office work. Runs firewall and anti-virus and is intelligent enough not to do stupid things.

She rang me a few days ago to say she'd deleted a virus and now her PC wouldn't work.

I vi

Re:

[siegfri3d]

it happened the same to my girlfriend, she's a standard user as well, so she deleted the file.. i contacted Kaspersky saying that i was angry but they didn't even bother to answer.

Why things like this happen

[Opportunist]

Now, of course they should not. Never. But they do. A few years ago, McAfee found MS Excel as malware (and acted accordingly, including detention or deletion, just like Kaspersky did with explorer now).

But how? Don't they test?

Of course they do. AV developers usually have some way to test against the most common software (and a few more software packages) before issuing a new signature. Though, as you can hopefully imagine, that takes time. The "whitelist" box that contains those "known good" files contains literally gigabytes (and soon terabytes) of software. As you can imagine, it takes a LOT of time to scan it all.

Time, though, is of the essence in the malware fight. You NEED that signature out before the proverbial shit hits the fan (i.e. before your customer opens that infected spam mail that was just distributed a few billion times globally). So your sig update has to go out NOW. Preferably it should've been out an hour ago.

How do you solve that quandary?

There are a few strategies. But they all come down to one single problem: Having a current version of every file you want to whitelist. So what most likely happened is this:

MS pushed an update for the file in question, most likely another of their infamous "silent" updates. You know, the ones you don't even notice. Now, if it wasn't a "silent" one, then one should wonder whether Kaspersky was sleeping (because they didn't fit it into their whitelist box in time) or whether it was pushed JUST at that time when they committed that update. Unfortunately such coincidences do happen.

Now, I'm not working at Kaspersky. Rather, I'm working at one of their fiercest competitors. So I should probably rejoice at their blunder (and I'm fairly sure my boss will be in a GOOD mood on Thu, time to ask for a raise, I guess). But it can, did, does and will happen. To anyone in the biz. No matter how good you are and how good your false positive alarms and nets are, it can happen to everyone. If anything, this proves it. Kaspersky IS one of the key players in the business, and they usually know what they're doing.

That's one of the reasons why I do highly recommend that you set your AV tools on "ask me before any action" mode. Yes, it bugs you every now and then, but it also means that things like this won't happen to you should your AV tool manufacturer have a similar problem one day.

Re:

[osssmkatz]

Can I ask where you work? Because Mcafee does not impress me at the moment. You can send me an e-mail.. smkatz@gmail.com if you would prefer not to say so publicly. (I'm not worried about spam, because Gmail filters it.)

Re:

[ydrol]

That's one of the reasons why I do highly recommend that you set your AV tools on "ask me before any action" mode.

Your average end users cant really make that decision. Thats the whole point of them *trusting* an AV product.

Re:

[umonkey]

So how do you know if that was an AV malfunction or something had really infected your explore.exe?

Re:

[Opportunist]

Take the file in question and send it to VirusTotal [virustotal.com]. There you can see whether your AV tool is the only one who claims an infection, or whether more AV manufacturers consider it a threat.

Now, this is of course not a 100% surefire way to detect a false alarm, but it usually is a good indicator. Especially when it comes to system files. Infectors are today a tiny minority of malware, malware (especially commercial malware) comes in the form of trojans which don't infect files but try to dig into the system an

Thats funny

[Micro$will]

Yesterday, AVG Free identified Quake4.exe as a trojan on my machine. I had to disable AVG and run the Quake 4 update to get it running again.

Re:

[pembo13]

Was is a "legal" copy of Quake? or a warez version?

If Language is a Virus..

[cavebison]

Then it's a good thing Kaspersky doesn't have voice recognition. I don't want to be confined for something I say.

oops. shh, don't want to give the government any more ideas here..

Pre-emptive paranoia

[Waccoon]

Note to anti-virus companies: ask the user what to do, instead of automatically deleting files you don't own. I stopped using all anti-virus software on my Windows machine because of rubbish like this.

"Just a handful" of home users

[ozsynergy]

Yeah, I don't know where they got there numbers from. But I was apart of the handful....
Without any information about the "virus detection" at the time, I took the only safe path I could...
Doing a full backup and reinstalling Windows and Linux. Wasted an entire day, thanks kasperkey :(

I just had to repair a system this happened to

[Impecca]

A customer brought in their computer because they thought they had a virus because the computer was running slower. So they installed Kaspersky and it "found a virus" which happened to be explorer.exe. Sadly for this guy, it ended up costing him $120. Is it possible he could get his money back from Kaspersky? I doubt it. I seriously doubt it happened to just a handful of people if I happened to get a customer with this issue.

This isn't all of it

[Master of Transhuman]

Kaspersky has made TWO major mistakes in a week's time.

First, back on the 14th, they screwed up and issued update that had SERIOUS consequences for quite a few people running large networks. One guy had 700 machines down. Turns out they had a bug in the code since 1996, which was only discovered when they switched Microsoft compilers for version 7. The Linux compilers caught the bug and so the Linux version of KAV didn't have a problem. But the Microsoft compilers compiled the bug with no warnings or error

Re:

[Entropius]

only the dumb windows users.

Re:Windows is what is used @ work mostly, which =

[causality]

Hmm where to start... first, you have been trolled and possibly unintentionally (by giving a serious response to a joke). Second, while you might have had a valid objection to the GP, you failed to use it; thus the entirety of your post can be summed up as "Follow the crowd and no one will ever think you're dumb!" That's great, if being a sheep and taking the path of least resistance is what makes you feel fulfilled.

To claim that the popularity of Windows is an inherent virtue of the OS is just plain s

Re:

[causality]

I never stated a thing about being "fulfilled": I just stated people are wise to use something that IS the most used, so they are ready for it in the workplace, so they can get paid. Job requirements & training for them is what running Windows @ home does for most folks.

The point I was making, which should be clear to you, was that there is no merit in making a choice just because it is popular. I can choose to eat food because "everyone else does" and it means nothing; I can choose to eat food becau

Re:

[Kopiok]

Except for the part where they give their consent. (Informed that only dirty hippies use OSX).

Re:

[saxoholic]

but it says INFORMED consent