Stories
Slash Boxes
Comments

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Anti-Virus Bug Briefly Identified Windows Explorer as Malware

Posted by Zonk on Tue Dec 25, 2007 12:23 PM
from the err-oops-pay-no-attention-to-your-OS dept.
SJ2000 writes "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code. The security company's systems had decided that a virus called Huhk-C was present in the explorer.exe file, leading to its confinement or, in some cases, deletion. The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users."
+ -
story

Related Stories

This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • by Anonymous Coward on Tuesday December 25 2007, @12:25PM (#21815044)
    Windows identified as malware... why is this a bug?
  • by Anonymous Coward on Tuesday December 25 2007, @12:25PM (#21815048)
    Anti-Virus Bug "Correctly" Identified Windows Explorer as Malware
  • by filesiteguy (695431) on Tuesday December 25 2007, @12:30PM (#21815076) Homepage
    Viruses are small and efficient.
  • jk (Score:4, Funny)

    by wizardforce (1005805) on Tuesday December 25 2007, @12:32PM (#21815090) Journal
    that's not a bug, it's a feature
  • by Anonymous Coward on Tuesday December 25 2007, @12:33PM (#21815094)
    Shouldn't this have been caught by even the simplest test before releasing?

    That's my first reaction, now I'm off to RTFA
    • by ubrgeek (679399) on Tuesday December 25 2007, @12:35PM (#21815114)
      You're right. But sometimes MS is in a hurry to get their product out.

      Oh, you mean Kaspersky Labs ...
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Shouldn't this have been caught by even the simplest test before releasing?

      [X] In Soviet Russia, IE tests YOU!
      [X] Only old Koreans bother with testing!
      [X] "But it IS malware, boss!"
      [X] Netcraft confirms it - testing is dead!
      [X] I don't run IE, you ignorant clod!
      [X] "We tried to test it on Vista, and we will, as soon as its finished booting ..."

  • O rly? (Score:5, Funny)

    by Dunbal (464142) on Tuesday December 25 2007, @12:52PM (#21815218) Homepage
    The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users.

          And yet it still made the front page of Slashdot.
      • I use IE7 (due to policies and ) at work and FF at home. Why am I stupid ?
      • Re:O rly? (Score:5, Insightful)

        by rhizome (115711) on Tuesday December 25 2007, @02:02PM (#21815650) Homepage
        It made the front page of Slashdot because a corporate user shouldn't be stupid enough to use Microsoft Explorer over a real browser.

        So what does that make people who are stupid enough to mistake Internet Explorer for Windows Explorer?
      • Re: (Score:3, Interesting)

        I was under the impression that explorer.exe was the MSWindows file manager. As a file manager, it actually is quite nice and has some interesting (good, or at least different) properties compared to nautilus. Such as copying a folder with the same name as a folder in the target will perform a merge of the two folder contents rather than deleting the original contents or the target.
  • by pcgabe (712924) on Tuesday December 25 2007, @01:53PM (#21815596) Homepage Journal

    "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being
    falsely identified as malicious code.
    "Falsely?"

    It's not a virus, sure. Viruses tend to mature, become more efficient...

    But Explorer sure feels like malicious code...
  • by Alioth (221270) <dyls@alioth.net> on Tuesday December 25 2007, @02:17PM (#21815748) Homepage Journal
    ...last year, when Symantec flagged part of the Windows Server 2003 resource kit as a trojan. That one stayed in 'the wild' much longer, probably because the resource kit in particular wasn't a widely installed piece of software.

    We've also had Norton 'false positive' on the Windows version of Oolite.

    One of these days, a widely used, automatically updated virus scanner is going to detect something like KERNEL32 as malware and kill a whole lot of machines. Wasn't there a problem like this with the Chinese version of Windows earlier this year?
    • Re: (Score:3, Insightful)

      Both of the items you mention I can just about understand making it through a software testing process. It is feasible that none of the test machines had the two peices of software you mention installed. But if you can find me a windows box without explorer.exe I will show you a borked installation.

      It is not an optional component to install last time I checked so all of their test machines should have had this file. At least some of their test machines should have had exactly that same version of this file
  • by SlappyBastard (961143) on Tuesday December 25 2007, @02:33PM (#21815854)
    http://www.huhk.com/intro_background.html [huhk.com] Hmmm... Truly viral marketing.
  • by Opportunist (166417) on Tuesday December 25 2007, @06:54PM (#21817228)
    Now, of course they should not. Never. But they do. A few years ago, McAfee found MS Excel as malware (and acted accordingly, including detention or deletion, just like Kaspersky did with explorer now).

    But how? Don't they test?

    Of course they do. AV developers usually have some way to test against the most common software (and a few more software packages) before issuing a new signature. Though, as you can hopefully imagine, that takes time. The "whitelist" box that contains those "known good" files contains literally gigabytes (and soon terabytes) of software. As you can imagine, it takes a LOT of time to scan it all.

    Time, though, is of the essence in the malware fight. You NEED that signature out before the proverbial shit hits the fan (i.e. before your customer opens that infected spam mail that was just distributed a few billion times globally). So your sig update has to go out NOW. Preferably it should've been out an hour ago.

    How do you solve that quandary?

    There are a few strategies. But they all come down to one single problem: Having a current version of every file you want to whitelist. So what most likely happened is this:

    MS pushed an update for the file in question, most likely another of their infamous "silent" updates. You know, the ones you don't even notice. Now, if it wasn't a "silent" one, then one should wonder whether Kaspersky was sleeping (because they didn't fit it into their whitelist box in time) or whether it was pushed JUST at that time when they committed that update. Unfortunately such coincidences do happen.

    Now, I'm not working at Kaspersky. Rather, I'm working at one of their fiercest competitors. So I should probably rejoice at their blunder (and I'm fairly sure my boss will be in a GOOD mood on Thu, time to ask for a raise, I guess). But it can, did, does and will happen. To anyone in the biz. No matter how good you are and how good your false positive alarms and nets are, it can happen to everyone. If anything, this proves it. Kaspersky IS one of the key players in the business, and they usually know what they're doing.

    That's one of the reasons why I do highly recommend that you set your AV tools on "ask me before any action" mode. Yes, it bugs you every now and then, but it also means that things like this won't happen to you should your AV tool manufacturer have a similar problem one day.
              • Re: (Score:3, Insightful)

                I never stated a thing about being "fulfilled": I just stated people are wise to use something that IS the most used, so they are ready for it in the workplace, so they can get paid. Job requirements & training for them is what running Windows @ home does for most folks.

                The point I was making, which should be clear to you, was that there is no merit in making a choice just because it is popular. I can choose to eat food because "everyone else does" and it means nothing; I can choose to eat food becau