It's 2016, and anti-virus products still goof up like this...

Sophos false alarms on Winlogon.exe, causing chaos for some users.


Are you running Sophos on your computers?

If so, you might see a warning like this in your enterprise management console:

Virus/spyware 'Troj/FarFli-CT' has been detected in "C:\Windows\System32\winlogon.exe". Cleanup unavailable.

If you're an end user, on the other hand, you might not see any warning at all: just a black screen when your Windows PC starts up.

This is clearly not good news. But what makes it worse is that Sophos is making a mistake - false alarming on the Windows 7 version of winlogon.exe, and messing with users' machines.

In short, your anti-virus is giving you a tech support headache rather than saving you from a genuine malware infection.
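Before trusting a detection like the one above, it is worth checking whether the flagged file really is the binary that ships with Windows. The following PowerShell script is an added example for that triage step; it is not from the article and not Sophos's or Microsoft's code. It assumes an elevated prompt, that the `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets are available (PowerShell 4.0 or later), and that `$KnownGoodSha256`, if supplied, was taken from a known-clean machine at the same Windows build and patch level (placeholder, not a real reference value).

```powershell
# Added example (not from the article or from Sophos): triage a file that an
# anti-virus product has flagged, by checking whether it is the Microsoft-signed
# binary that ships with Windows. Run from an elevated PowerShell prompt.
param(
    [string]$Path = 'C:\Windows\System32\winlogon.exe',
    # Assumption: SHA-256 of the same file on a known-clean machine with the same
    # Windows build and patch level. Placeholder; fill in before relying on it.
    [string]$KnownGoodSha256 = ''
)

$result = [ordered]@{ Path = $Path }

# 1. Authenticode check. A genuine winlogon.exe should show Status 'Valid'
#    with a Microsoft Corporation signer.
$sig = Get-AuthenticodeSignature -FilePath $Path
$result.SignatureStatus  = $sig.Status
$result.Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
$result.SignedByMicrosoft = ($sig.Status -eq 'Valid') -and ($result.Signer -match 'O=Microsoft Corporation')

# 2. Hash the file so it can be compared with a reference copy, or submitted
#    to the vendor as a false-positive sample.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
$result.Sha256 = $hash
if ($KnownGoodSha256) {
    $result.MatchesKnownGood = ($hash -eq $KnownGoodSha256.ToUpper())
}

# 3. Version resource: the real file carries Microsoft's company string and a
#    file version matching the installed OS build.
$ver = (Get-Item -Path $Path).VersionInfo
$result.CompanyName = $ver.CompanyName
$result.FileVersion = $ver.FileVersion

[pscustomobject]$result | Format-List
```

One caveat: many Windows 7 system binaries are signed through a security catalog rather than an embedded signature, and older PowerShell builds may report such files as `NotSigned` even when they are genuine. In that case lean on the hash comparison against a clean reference machine, or run `sfc /verifyonly`, rather than treating `NotSigned` as confirmation of the detection.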

Some victims of the false alarm took to Twitter to express their frustration:

To its credit, Sophos issued an update at 9am UTC on Sunday, fixing the false alarm.

But you have to wonder how, 30 years after the first anti-virus software was made available, we can still have security products mistaking common programs that ship with Windows for malware.

I know it's important to get security updates for new malware threats out rapidly, but it's equally important to balance a speedy response with proper quality control, so that huge goofs like this cannot occur.

This isn't just a problem with Sophos, of course. Many other vendors have suffered from similar problems in the past, and will no doubt continue to do so in the future.

You can read more about the false alarm, and what Sophos has done about it, in this Sophos knowledgebase article.



10 Responses

  1. drsolly

    September 5, 2016 at 2:19 am #

    It's very difficult to do daily updates, and also do a full test of each update before it's released. Actually, it's very difficult to do that monthly. I can't imagine how AV companies can do it for daily updates.

    I remember when Virus Bulletin (a sister company to Sophos) did the same thing with Command.com.

    • Graham Cluley in reply to drsolly.

      September 5, 2016 at 9:12 am #

      But VB doesn't have a security product… do you mean that they erroneously included a clean command.com in their collection of files that anti-virus products should detect?

      Or are you mixing up with F-Prot detecting command.com?

      https://twitter.com/VessOnSecurity/status/772404324563574785

      • RMc-Canada in reply to Graham Cluley.

        September 6, 2016 at 7:19 pm #

        It's unacceptable 30 years on, as you say Graham, bottom line…

      • drsolly in reply to Graham Cluley.

        September 6, 2016 at 11:18 pm #

        VB used to publish scan strings so people could write their own antivirus. And they got them from Fridrik. And Fridrik gave them the Command.com scan string, and they published it as a scan string that would find viruses.

        It was only the lucky happenstance that pretty much no-one ever used the VB scan strings that stood between that and a major embarrassment.

        • Graham Cluley in reply to drsolly.

          September 6, 2016 at 11:26 pm #

          Ah yes, I remember Virus Bulletin publishing those "scan strings" now.

          I always found it hard to believe that anyone would ever bother typing them in, and even more astonishing quite how many years VB kept publishing them…. I guess it filled up pages of the mag, but was hardly the most edifying of reads.

          Thanks for the explanation.

  2. Karl

    September 5, 2016 at 7:29 am #

    At work yesterday one of our PCs failed to boot. After many restarts we found the problem to be Sophos having a problem with the login script. That PC worked eventually, but another PC kept restarting after Windows login. Oops.

  3. John

    September 5, 2016 at 3:22 pm #

    "In short, your anti-virus is giving you a tech support headache rather than a genuine malware infection."

    Uh, people generally don't rely on their antivirus to give them a malware infection ;)

    • Graham Cluley in reply to John.

      September 5, 2016 at 5:56 pm #

      Whoops! Now fixed. Thanks!

  4. nick ioannou

    September 7, 2016 at 11:28 am #

    One of the enterprise security products I use tracks each endpoint client by the machine name and OS build version. Unfortunately Microsoft lately has been changing the OS build version every month via updates. Needless to say this is causing issues as machines stop being protected as result. I think Microsoft has to take some of the blame, rather than only the security and AV companies.

  5. David L

    September 9, 2016 at 9:12 pm #

    Maybe Sophos should have checked with Tavis Ormandy first? Seems Sophos has been rather laced in other areas this year.
    https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html?m=1

    But, I'm only tweaking your nose Graham, knowing how much you love the little guy ( – ;
