Sophos Anti-Virus Update Identifies Sophos Code As Malware 245

An anonymous reader writes "Yesterday afternoon anti-virus company Sophos Inc. released a normal anti-virus definition update that managed to detect parts of their own software as malicious code and disabled / deleted sections of their Endpoint security suite, including its ability to auto-update and thus repair itself. For many hours on the 19th, Sophos technical call centers were so busy customers were unable to even get through to wait on hold for assistance. Today thousands of enterprise customers remain crippled and unable to update their security software." Sophos points out that not everyone will be affected: "Please note this issue only affects Windows computers."
  • by girlintraining ( 1395911 ) on Thursday September 20, 2012 @01:22PM (#41401731)

    This is a classic case of not thoroughly testing code and making sure you have enough variations of test machines to ensure as little pain to clients as possible.

    Antivirus engines and definitions change daily, weekly at the most. Where do you suppose this "thorough testing" of code is supposed to happen? It costs time and money, and while you're busy doing that testing, the support lines are being flooded with "We've been infected by something your software doesn't protect against! What are we paying you for, anyway?" As a bonus, your competitors, who didn't decide to set up a massive lab with dozens of employees in it, testing all the typical configurations of a half dozen operating systems and the couple hundred most popular software packages of each... they already released a patch.

    Now, a software patch that causes the application to stomp on its own dick is amusing (and difficult to forgive), but demanding a massive expenditure of time and money is almost as unforgivable. It's easy to demand best practices and ample safety margins: It's quite another thing to deliver it in a business environment. Most people in the industry, including the people at Sophos I'm sure, do the best they can with what they're given. It's pretty much the work creed of anyone in this industry -- few have the time and resources to do it right, they have to settle for 'good enough'.

    And sometimes, good enough breaks.

  • Re:99.999% (Score:5, Informative)

    by Verunks ( 1000826 ) on Thursday September 20, 2012 @01:32PM (#41401895)

    So far, there have only been a couple 'proof of concept' viri for Linux. Nobody's figured out a way to pry any money away from us yet. :D

    But Linux antivirus isn't used to protect Linux; it's useful if you run a mail server or a proxy so you can clean mail and web pages before they infect a Windows user, or to clean an infected Windows installation. For example, the Kaspersky live CD is based on Linux.

  • by illtud ( 115152 ) on Thursday September 20, 2012 @06:31PM (#41405551)

    Yes, this was bad. The virus signature in question appears to match any software that does auto-updates (possibly trying to spot phone-home malware?), so it's flagged dozens of software packages and, according to what policy you've set, quarantined or deleted the files. This includes the auto-update part of the Sophos client. The flood of emails from the Sophos Enterprise Manager package as machines were switched on this morning quickly alerted us that this wasn't good, and just looking at the names of the files it was flagging was enough to see that this was a false positive. Cleanup continues.

    We've been very happy with Sophos Enterprise, and I'm staggered that this signature made it out the door - they should have numerous controls in place to ensure this can never happen, and I await an explanation for how they failed.

    I'm not too impressed by some of the advice given in their cleanup procedure [sophos.com] - they advise setting the policy to not scan certain Sophos directories - guess where viruses may try to hide in future.

    This is an embarrassing fubar which will have had a high impact on thousands of enterprises. It'll be interesting to see if Sophos come clean about the circumstances and can be convincing enough about how it's never going to happen again.
