
Anti-Virus Bug Briefly Identified Windows Explorer as Malware

Posted by Zonk
from the err-oops-pay-no-attention-to-your-OS dept.
SJ2000 writes "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code. The security company's systems had decided that a virus called Huhk-C was present in the explorer.exe file, leading to its confinement or, in some cases, deletion. The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users."
  • by Anonymous Coward on Tuesday December 25, 2007 @12:25PM (#21815044)
    Windows identified as malware... why is this a bug?
    • by Anonymous Coward on Tuesday December 25, 2007 @12:35PM (#21815112)
      > Windows identified as malware... why is this a bug?

      Because it only identified the explorer component.
      • by BCW2 (168187)
        I agree! Since IE is the home of 50%+ of all Windows vulnerabilities, it is malware!
      • by weicco (645927)

        So the real news is don't trust Kaspersky Lab's antivirus software.

        • So the real news is don't trust Kaspersky Lab's antivirus software.

          Perhaps. I'd say the "news" is that Windows is a stupid, broken OS where stuff like this is bound to happen because it's designed to need antivirus software in the first place.

          If someone pulls on one of these doorhandles [wordpress.com] who's more to blame? The designer or the user?

          The designer.

          • by weicco (645927)

            Please run this as root: rm -rf /

            So every *nix version is a stupid, broken OS where stuff like this is bound to happen? How on earth is an OS able to tell which command or executable is a valid one and which should be ignored?

            When you have an answer for that, patent it and sell it to some major OS vendor. You'll be very, very rich then.

            • Please run this as root: rm -rf /
              So every *nix version is a stupid, broken OS where stuff like this is bound to happen?

              On the contrary. "rm -rf /" doesn't violate user expectations.

              "Screensavers" and "games" that can do malicious things with files unrelated to their own operation, for example, violate user expectations. I find it amazing that Microsoft---a company that makes US $14.06 billion a year in profit---still hasn't produced an operating system that does proper sandboxing. That the same company can barely compete technically with a few geeks hacking in their basements is a testament to its utter lack of innov

              • by weicco (645927)

                Eh. How about I put "rm -rf /" inside a file which I cleverly name fetch_pictures_of_pamela_nude.sh? User expects to see large breasts but ends up with a very screwed OS. Of course it doesn't work unless user runs it as root but same goes for Windows and Vista especially. Just because there aren't a lot of stupid attacks like this targeted on *nix system doesn't mean that it isn't possible.

                The problem with Windows is users. I know a heck lot of users who, as you correctly said, install every goddamn Messen

                • Just because there aren't a lot of stupid attacks like this targeted on *nix system doesn't mean that it isn't possible.

                  I'm not proposing *nix as a solution to the problem.

                  And I don't really see how sandboxing everything solves the problem with trojans.

                  I wouldn't say it completely solves the problem, but it would go a long way. If everyday things could be installed into some sort of sandbox, then a user could be taught to think twice before giving some process extra privileges. (Which is partly why *nix is somewhat better in practise---you don't generally run stuff as root---but it doesn't go far enough in that respect.)

                  • by weicco (645927)

                    I wouldn't say it completely solves the problem, but it would go a long way. If everyday things could be installed into some sort of sandbox, then a user could be taught to think twice before giving some process extra privileges. (Which is partly why *nix is somewhat better in practise---you don't generally run stuff as root---but it doesn't go far enough in that respect.)

                    Well for instance a spam bot doesn't have to be run as root. It only needs a connection to the outside world to receive orders and send spam. P

      • Well, to keep their signature files small, a lot of AV companies started tracking only the most damaging parts of a malware kit.
    • by iamacat (583406) on Tuesday December 25, 2007 @12:43PM (#21815160)
      > Windows identified as malware... why is this a bug?

      Because it failed to take the proper corrective action... loading Linux and Firefox
      • by dolo724 (22338) on Tuesday December 25, 2007 @02:00PM (#21815640)
        In the late 90s and into the early 00s a few MS components and some legitimate DLLs were identified as virus laden. I solved the problem on my work machine by formatting the HD and installing RH-7, then VMWare for the only windows-dependent executable I couldn't get to run on wine. I had the fastest software package in-house and it made a kick-ass Quake server.

        maybe that's why I got laid off...
        • by Heembo (916647)
          At least you didn't use the entire corporate network to find the next prime number. :)
    • by NeverVotedBush (1041088) on Tuesday December 25, 2007 @01:28PM (#21815420)
      Any story that puts MS in a bad light or makes fun of them almost always gets the story about some guy enjoying another's feces.

      I guess it's just too early still in Seattle... Maybe they will post it later.

      Merry Christmas Bill!
    • "...best thing for it, really...it's therapy was going nowhere..."
    • Reminds me of an old joke about Windows 95 being a virus... http://aryhma.oy.cx/damu/humor/win95_virus.html [aryhma.oy.cx] Could apply to Vista as well, I'm afraid...
  • by Anonymous Coward on Tuesday December 25, 2007 @12:25PM (#21815048)
    Anti-Virus Bug "Correctly" Identified Windows Explorer as Malware
  • by filesiteguy (695431) <kai@perfectreign.com> on Tuesday December 25, 2007 @12:30PM (#21815076) Homepage
    Viruses are small and efficient.
    • You are correct!

      It is a trojan!
      • Nope. Trojans are being streamlined to hide better from the user's eye, usually have a fairly small footprint (less than 100k normally, and few are bigger than 500k), get updated at the very least every other week, are tested and tried until they are bug free and will never ever blow up in the user's face.

        Windows is not a trojan.

        It is a bug.
  • jk (Score:4, Funny)

    by wizardforce (1005805) on Tuesday December 25, 2007 @12:32PM (#21815090) Journal
    that's not a bug, it's a feature
  • by Anonymous Coward on Tuesday December 25, 2007 @12:33PM (#21815094)
    Shouldn't this have been caught by even the simplest test before releasing?

    That's my first reaction, now I'm off to RTFA
    • by ubrgeek (679399) on Tuesday December 25, 2007 @12:35PM (#21815114)
      You're right. But sometimes MS is in a hurry to get their product out.

      Oh, you mean Kaspersky Labs ...
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Shouldn't this have been caught by even the simplest test before releasing?

      [X] In Soviet Russia, IE tests YOU!
      [X] Only old Koreans bother with testing!
      [X] "But it IS malware, boss!"
      [X] Netcraft confirms it - testing is dead!
      [X] I don't run IE, you ignorant clod!
      [X] "We tried to test it on Vista, and we will, as soon as its finished booting ..."

      • Haha, I haven't seen netcraft confirms it in a long time - is netcraft dead? And Vista boots near instantly on my computer, but I understand it's a joke and also that I built my computer two months ago seeking out the best low-cost components possible, so my case may be something of an anomaly. But it's kind of funny because with XP I would usually hit the power switch, go take a piss or something, come back and find out that it still hasn't finished loading antivirus, firewall, etc... but that's more becau
        • Netcraft is dead... Netcraft confirmed it!

          Also, always good to see another Vista user. Now I'll have someone to get my back when I defend Vista against haters. ;)

          • Yeah, I'm sure as time passes more and more people will be using Vista and realizing there's nothing really fundamentally wrong with it once you disable UAC (which I didn't really want to do because of the security feature but I really know what I'm doing and don't need 3 prompts when I want to change something in Program Files). And by the time Windows 7 rolls around everyone will be like "You can pry my Vista SP2 from my cold dead hands!" etc.
  • O rly? (Score:5, Funny)

    by Dunbal (464142) on Tuesday December 25, 2007 @12:52PM (#21815218)
    The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users.

    And yet it still made the front page of Slashdot.
  • Why not have the virus scanner, upon detection of a virus, check for a Microsoft digital signature in the binary, and maybe behave differently in this situation? Might just save a few systems in the future from incorrect signatures. I can't see this change in logic being beneficial to malware writers as they won't have a Microsoft signature, and if they can somehow change the anti-virus program to check for digital signatures against a different public key, you are already compromised.
    • Building fail-safes would make sense and might work.
    • "Why not have the music player, upon detection of a track, check for a Microsoft digital signature in the WMA, and maybe behave differently in this situation? Might just save a few systems in the future from incorrect signatures. I can't see this change in logic being beneficial to song writers as they won't have a Microsoft signature, and if they can somehow change the music playing program to check for digital signatures against a different public key, you are already liberated."

      Just an analogy to the w

      • by Al Dimond (792444)
        That doesn't make sense at all as an analogy. This idea assumes that all Microsoft-signed binaries are clean and that any virus signatures found in those files should be ignored. It's not an extra layer of security, it's a way to prevent the annoyance of false-positives in an existing layer. I can't think of a direct analogy involving DRM; it would have to involve exempting files meeting certain criteria from restriction.

        If an AV scanner decides to let all MS-signed binaries go, they might also consider
      • by niteice (793961)
        So...you imply that this "security cake" is more useless, more of an illusion as time goes on....

        so you're saying that the cake is a lie?
  • by pcgabe (712924) on Tuesday December 25, 2007 @01:53PM (#21815596) Homepage Journal

    "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being
    falsely identified as malicious code.
    "Falsely?"

    It's not a virus, sure. Viruses tend to mature, become more efficient...

    But Explorer sure feels like malicious code...
  • by Anonymous Coward
    From TFA:

    As Windows Explorer is the graphical user interface for Windows' file system, this made it difficult to perform many common tasks within the operating system, such as finding files.

    Gee, makes it sound like losing explorer.exe is only mildly inconvenient.
    • Gee, makes it sound like losing explorer.exe is only mildly inconvenient.

      Well, at least they didn't claim it was "bricked" ...
    • by Ant P. (974313)
      In that situation you can still use the task manager and the original windows 3.1 program/file managers. They might've stopped including those two after XP though, I dunno
      • by iivel (918436)
        progman.exe and winfile.exe no longer execute in XP (though they were still there in win2K)
    • Ctrl-Shift-Esc, Alt f n, "powershell.exe" (or "cmd.exe" for old-timers).

      Bah. Explorer. Who needs it?
    • > As Windows Explorer is the graphical user interface for Windows' file system, this made it difficult to perform many common tasks within the operating system, such as finding files.

      Hmm:

      Start/run: enter "c:\cygwin\bin\bash.exe"

      click ok

      find . -name thingee.wot

      How is that hard?

  • Nothing to see here, move along. If it made news every time someone released something that broke explorer, we couldn't read about our beloved Beowulf clusters of toasters!

    What's funny is, if I saw that explorer was missing on my system, by the time I reloaded the OS (cause *obviously* it's infected/broken/normal operating procedure), I never would've known the cause. It was pulled by the time I would've finished installing.

    Of course, then I'd have to go and find my Gentoo CD so I could reload GRUB. That
    • What's funny is, if I saw that explorer was missing on my system, by the time I reloaded the OS (cause *obviously* it's infected/broken/normal operating procedure), I never would've known the cause. It was pulled by the time I would've finished installing.

      You'd reload Windows because explorer.exe is missing? Holy crap, is that ever overkill.

      Run WinUBCD, change the shell to cmd.exe, reboot, and run sfc. That would fix you right up, in about 10 minutes. And it would also give you the opportunity to figu

    • by bcmm (768152)
      How is reinstalling Grub more painful than an XP install?

      Also, had you thought of just backing up and restoring the MBR with dd?
      • by TheCarp (96830) *
        Duh.... read the comment...

        Its because he fucked up the order of operations and reinstalled windows before finding the ubuntu cd. When you add searching for a CD you haven't seen in 6 months to the complexity of a task, it can become far more daunting, (YMMV, I guess not everyone has trouble in this area, you could be an anal retentive organized freak).

        -Steve
        • by bcmm (768152)
          Linux != Ubuntu, contrary to currently popular beliefs.
          • by TheCarp (96830) *
            Whops. Mea Culpa.

            Ok, so _I_ would generally be searching for an Ubuntu CD, since it's what I use on the desktop and a desktop is the only thing I would consider dual booting. Though, Ubuntu, Gentoo... they sound so similar... pure accident that I upgraded him to Ubuntu :)

            -Steve
  • Very slow news day.
  • by Alioth (221270) <no@spam> on Tuesday December 25, 2007 @02:17PM (#21815748) Journal
    ...last year, when Symantec flagged part of the Windows Server 2003 resource kit as a trojan. That one stayed in 'the wild' much longer, probably because the resource kit in particular wasn't a widely installed piece of software.

    We've also had Norton 'false positive' on the Windows version of Oolite.

    One of these days, a widely used, automatically updated virus scanner is going to detect something like KERNEL32 as malware and kill a whole lot of machines. Wasn't there a problem like this with the Chinese version of Windows earlier this year?
    • Re: (Score:3, Insightful)

      by Ash Vince (602485)
      Both of the items you mention I can just about understand making it through a software testing process. It is feasible that none of the test machines had the two pieces of software you mention installed. But if you can find me a Windows box without explorer.exe I will show you a borked installation.

      It is not an optional component to install last time I checked so all of their test machines should have had this file. At least some of their test machines should have had exactly that same version of this file
  • by SlappyBastard (961143) on Tuesday December 25, 2007 @02:33PM (#21815854) Homepage
    http://www.huhk.com/intro_background.html [huhk.com] Hmmm... Truly viral marketing.
  • So what does that mean? are we all fucked?
  • What? Windows Explorer is malicious code. In Vista, just try and move a file to another device and you can wait for the rest of your life for the copy/delete functions to take place ;)

  • Correction (Score:1, Redundant)

    by Kazymyr (190114)
    What do you mean falsely identified?
  • I know a guy who is Kaspersky happy, and installs it on everything he touches. All of the machines he touched were affected by this bug. I think it's more than a handful.
    • Yes, there are plenty of jokes, or 'insights' here gleefully playing on the irony of explorer.exe being identified as 'malware', but out here in the real world it caused real problems.

      My sister is a normal person who doesn't know a great deal about technology but bought a PC, uses it for a bit of entertainment, and a bit of home office work. Runs firewall and anti-virus and is intelligent enough not to do stupid things.

      She rang me a few days ago to say she'd deleted a virus and now her PC wouldn't work.

      I vi
        The same happened to my girlfriend; she's a standard user as well, so she deleted the file. I contacted Kaspersky to say I was angry, but they didn't even bother to answer.
  • by Opportunist (166417) on Tuesday December 25, 2007 @06:54PM (#21817228)
    Now, of course they should not. Never. But they do. A few years ago, McAfee found MS Excel as malware (and acted accordingly, including detention or deletion, just like Kaspersky did with explorer now).

    But how? Don't they test?

    Of course they do. AV developers usually have some way to test against the most common software (and a few more software packages) before issuing a new signature. Though, as you can hopefully imagine, that takes time. The "whitelist" box that contains those "known good" files contains literally gigabytes (and soon terabytes) of software. As you can imagine, it takes a LOT of time to scan it all.

    Time, though, is of the essence in the malware fight. You NEED that signature out before the proverbial shit hits the fan (i.e. before your customer opens that infected spam mail that was just distributed a few billion times globally). So your sig update has to go out NOW. Preferably it should've been out an hour ago.

    How do you solve that quandary?

    There are a few strategies. But they all come down to one single problem: Having a current version of every file you want to whitelist. So what most likely happened is this:

    MS pushed an update for the file in question, most likely another of their infamous "silent" updates. You know, the ones you don't even notice. Now, if it wasn't a "silent" one, then one should wonder whether Kaspersky was sleeping (because they didn't fit it into their whitelist box in time) or whether it was pushed JUST at that time when they committed that update. Unfortunately such coincidences do happen.

    Now, I'm not working at Kaspersky. Rather, I'm working at one of their fiercest competitors. So I should probably rejoice at their blunder (and I'm fairly sure my boss will be in a GOOD mood on Thu, time to ask for a raise, I guess). But it can, did, does and will happen. To anyone in the biz. No matter how good you are and how good your false positive alarms and nets are, it can happen to everyone. If anything, this proves it. Kaspersky IS one of the key players in the business, and they usually know what they're doing.

    That's one of the reasons why I do highly recommend that you set your AV tools on "ask me before any action" mode. Yes, it bugs you every now and then, but it also means that things like this won't happen to you should your AV tool manufacturer have a similar problem one day.
    • by osssmkatz (734824)
      Can I ask where you work? Because Mcafee does not impress me at the moment. You can send me an e-mail.. smkatz@gmail.com if you would prefer not to say so publicly. (I'm not worried about spam, because Gmail filters it.)
    • by ydrol (626558)
      That's one of the reasons why I do highly recommend that you set your AV tools on "ask me before any action" mode.

      Your average end users can't really make that decision. That's the whole point of them *trusting* an AV product.

    • by umonkey (843174)
      So how do you know if that was an AV malfunction or something had really infected your explorer.exe?
      • Take the file in question and send it to VirusTotal [virustotal.com]. There you can see whether your AV tool is the only one who claims an infection, or whether more AV manufacturers consider it a threat.

        Now, this is of course not a 100% surefire way to detect a false alarm, but it usually is a good indicator. Especially when it comes to system files. Infectors are today a tiny minority of malware, malware (especially commercial malware) comes in the form of trojans which don't infect files but try to dig into the system an
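Added example, not code from Kaspersky or any other vendor, tying together the mechanism Opportunist describes above (a pattern that passed the vendor's pre-release run over its known-good corpus still hits a freshly updated system file) and the gate proposed earlier on the page (check for a vendor signature or known-good hash before acting, and ask the user instead of auto-deleting, as the "ask me before any action" advice above recommends). The Huhk-C byte pattern, the PE images, the hashes and the certificate blob are all constructed here; the real signature and files are not on this page. The code also makes one caveat explicit: many Windows system binaries are catalog-signed (the signature lives in a .cat file, not inside the PE), so "no embedded signature" is not evidence of tampering, and a production gate would have to consult the catalogs or a trusted hash source as well.

```python
"""
Toy AV decision engine (added example, not any vendor's code):
(1) the vendor's pre-release run of a new pattern over a known-good corpus,
(2) a scan-time gate: known-good hash -> report only, embedded Authenticode
    present -> ask the user, otherwise quarantine.
Everything below (pattern, PE images, cert blob, hashes) is constructed.
"""
import hashlib
import struct

SIGNATURE_NAME = "Huhk-C (constructed pattern, not the real one)"
SIGNATURE_BYTES = b"\x33\xc0\x8b\xf8\xf3\xaa"   # 6 bytes: short enough to collide with benign code


def build_pe(code: bytes, cert_blob: bytes = b"", pe32plus: bool = True) -> bytes:
    """Construct a minimal PE image: DOS stub, COFF header, optional header,
    code, and optionally a WIN_CERTIFICATE. Not loadable; enough for the parser."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224            # 112/96 fixed bytes + 16 data directories
    n_rva_off = 108 if pe32plus else 92            # offset of NumberOfRvaAndSizes in the optional header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<I", opt, n_rva_off, 16)                     # NumberOfRvaAndSizes
    body = code
    if cert_blob:
        # Security directory (index 4) holds a FILE OFFSET (not an RVA) to a WIN_CERTIFICATE:
        # dwLength, wRevision (0x0200), wCertificateType (2 = PKCS#7 SignedData)
        win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        cert_off = len(dos_header) + 4 + len(coff) + opt_size + len(body)
        struct.pack_into("<II", opt, n_rva_off + 4 + 4 * 8, cert_off, len(win_cert))
        body += win_cert
    return dos_header + b"PE\0\0" + coff + bytes(opt) + body


def has_embedded_authenticode(data: bytes) -> bool:
    """True if the Security directory points at a well-formed WIN_CERTIFICATE.
    Presence only: the PKCS#7 blob and its certificate chain are NOT verified."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    n_rva_off = {0x10B: 92, 0x20B: 108}.get(magic)
    if n_rva_off is None or opt_size < n_rva_off + 4 + 5 * 8:
        return False
    if struct.unpack_from("<I", data, opt + n_rva_off)[0] <= 4:
        return False
    cert_off, cert_len = struct.unpack_from("<II", data, opt + n_rva_off + 4 + 4 * 8)
    if cert_off == 0 or cert_len < 8 or cert_off + cert_len > len(data):
        return False
    dw_len, rev, ctype = struct.unpack_from("<IHH", data, cert_off)
    return dw_len == cert_len and rev in (0x0100, 0x0200) and ctype == 2


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def prerelease_check(pattern: bytes, known_good: dict) -> list:
    """The vendor's 'whitelist box': names of known-good files the new pattern hits.
    Any hit should block the signature from shipping."""
    return sorted(name for name, blob in known_good.items() if pattern in blob)


def verdict(data: bytes, known_good_hashes: set) -> str:
    """Scan-time decision for one file."""
    if SIGNATURE_BYTES not in data:
        return "clean"
    if sha256(data) in known_good_hashes:
        return "report-only"    # allowlisted build: log a probably bad signature, touch nothing
    if has_embedded_authenticode(data):
        return "ask-user"       # vendor-signed: never auto-delete, prompt instead
    return "quarantine"


# Constructed samples. v2 is "the silent update": new code that is not yet in the corpus.
FAKE_CERT = b"\x30\x82\x00\x04FAKE"                     # placeholder bytes, not real PKCS#7
EXPLORER_V1 = build_pe(b"\x55\x8b\xec\x90\x90\xc3", cert_blob=FAKE_CERT)
EXPLORER_V2_CODE = b"\x55\x8b\xec" + SIGNATURE_BYTES + b"\xc3"
EXPLORER_V2_SIGNED = build_pe(EXPLORER_V2_CODE, cert_blob=FAKE_CERT)
EXPLORER_V2_CATALOG_SIGNED = build_pe(EXPLORER_V2_CODE)  # signature lives in a .cat, not in the PE
MALWARE = build_pe(SIGNATURE_BYTES * 3)

CORPUS_AT_TEST_TIME = {"explorer.exe (v1)": EXPLORER_V1}
KNOWN_GOOD_HASHES = {sha256(blob) for blob in CORPUS_AT_TEST_TIME.values()}

if __name__ == "__main__":
    print("pre-release hits:", prerelease_check(SIGNATURE_BYTES, CORPUS_AT_TEST_TIME))  # [] -> ships
    for name, blob in [("explorer v1", EXPLORER_V1),
                       ("explorer v2, embedded signature", EXPLORER_V2_SIGNED),
                       ("explorer v2, catalog-signed", EXPLORER_V2_CATALOG_SIGNED),
                       ("malware sample", MALWARE)]:
        print(f"{name:34s} {verdict(blob, KNOWN_GOOD_HASHES)}")
```

Run it directly to see the pre-release check pass (the corpus only contains v1, which the pattern does not hit) and the four verdicts. The catalog-signed v2 case is the Kaspersky-style false positive and the only verdict that would actually remove a file; the embedded-signature case lands in the "ask-user" path instead. Presence of a WIN_CERTIFICATE is not validity: a real engine would verify the PKCS#7 blob and its chain (on Windows, via WinVerifyTrust, which also covers catalog signatures) before treating a file as vendor-signed, and would keep the allowlist keyed by verified hash rather than by file name.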
  • Yesterday, AVG Free identified Quake4.exe as a trojan on my machine. I had to disable AVG and run the Quake 4 update to get it running again.
  • Then it's a good thing Kaspersky doesn't have voice recognition. I don't want to be confined for something I say.

    oops. shh, don't want to give the government any more ideas here..
  • Note to anti-virus companies: ask the user what to do, instead of automatically deleting files you don't own. I stopped using all anti-virus software on my Windows machine because of rubbish like this.
  • Yeah, I don't know where they got their numbers from. But I was a part of the handful....
    Without any information about the "virus detection" at the time, I took the only safe path I could...
    Doing a full backup and reinstalling Windows and Linux. Wasted an entire day, thanks Kaspersky :(
  • A customer brought in their computer because they thought they had a virus because the computer was running slower. So they installed Kaspersky and it "found a virus" which happened to be explorer.exe. Sadly for this guy, it ended up costing him $120. Is it possible he could get his money back from Kaspersky? I doubt it. I seriously doubt it happened to just a handful of people if I happened to get a customer with this issue.
  • Kaspersky has made TWO major mistakes in a week's time.

    First, back on the 14th, they screwed up and issued an update that had SERIOUS consequences for quite a few people running large networks. One guy had 700 machines down. Turns out they had a bug in the code since 1996, which was only discovered when they switched Microsoft compilers for version 7. The Linux compilers caught the bug and so the Linux version of KAV didn't have a problem. But the Microsoft compilers compiled the bug with no warnings or error
