Sophos Kills Itself (Shh/Updater-B)

Today has been fun. Arriving early to work, I had to swing straight into the action with my “Incident Response” hat on. Great swathes of customers were reporting problems accessing various parts of their Microsoft Windows infrastructure. All of them were complaining about strange error messages from their Anti-Virus software, a message to the effect of “Access denied to shared resource”. The one thing they had in common – Sophos…

Sophos issue

I’ll be honest: my first thought was that a very effective 0-day exploit had landed inside the Sophos stack. Further investigation, and a little bit of Googling, revealed that Sophos themselves were the cause.

They had released a duff virus signature file.

Said signature file was identifying all sorts of executable files as infected and quarantining them. This ranged from bespoke applications and genuine software updates to the Sophos executable files themselves!

I first stumbled upon a thread on the Sophos Community Forums when it had about 60 pages, and thankfully the way to resolve the problem had been published. Second, I found a post in the Sophos Knowledge Base. Amusingly enough, several hours after we had finished fixing the problem we also received an email letting us know how to fix it…

This makes me wonder about the QA process that Sophos perform for their virus signatures. It also makes me wonder how many of those customers will want to renew as their subscriptions expire…
