Are you running Sophos on your computers?
If so, you might see a warning message like this appear on your enterprise management software:
Virus/spyware ‘Troj/FarFli-CT’ has been detected in “C:\Windows\System32\winlogon.exe”. Cleanup unavailable.
Alternatively, if you’re an end user, you might not see anything at all. All you might see is a black screen on starting up your Windows PC.
This is clearly not good news. But what makes it worse is that Sophos is making a mistake: it is raising a false alarm on the Windows 7 version of winlogon.exe, and messing with users’ machines.
In short, your anti-virus is giving you a tech support headache rather than saving you from a genuine malware infection.
Some victims of the false alarm took to Twitter to express their frustration:
Today I found out how many of my twitter buddies also use @Sophos in their day jobs.
They all sound angry and tired.
— Techhelplist (@Techhelplistcom) September 4, 2016
Thanks for the lack of sleep Sophos
— Melissa Dyer (@DyerM268) September 4, 2016
To its credit, Sophos issued an update at 9am UTC on Sunday, fixing the false alarm.
But you have to wonder how - 30 years after the first anti-virus software was made available - we can still have security products mistaking common programs that ship with Windows for malware.
I know that it’s important to get security updates for new malware threats out rapidly, but it’s important to balance a speedy response with proper quality control to ensure that huge goofs like this cannot occur.
This isn’t just a problem with Sophos, of course. Many other vendors have suffered from similar problems in the past, and will no doubt continue to do so in the future.
You can read more about the false alarm, and what Sophos has done about it, in this Sophos knowledgebase article.