Sophos releases bungled definition update, causing mayhem for corporates [Update: Fix is available]

The Sophos forums are buzzing today with reports of an issue with Sophos antivirus. The company released an update (as it does every day), but the latest update appears to incorrectly class innocent files as viruses. 

The update detects any software that includes an updater, such as Adobe Flash Updater, Google Update or Adobe Reader Updater, as a virus and repeatedly warns the user about it. If configured to send emails (as many corporates have), support desks have been inundated with requests for help from their users with the "Updater-B" virus. Some very large clients are affected, such as the University of Texas.

On the Sophos forums there are 14 pages of users reporting issues already, and many are saying that their Sophos has crippled its own updating process, so even if the company does push out an update it will be near impossible to update the clients to resolve it.

Neowin contacted Sophos for comment, and the company responded: "we are aware of the problems and are working on this issue at this time." Sophos also responded to a forum user via email:

I am sorry, currently this is a false positive. We have removed the bad detection and you should see the detections begin to go away. Please let me know if you have any further questions.

Regards,
Dave Pomerleau
Sophos Technical Support

Right now, we recommend you disable your Sophos Update Manager by stopping the service on your update server, to avoid corrupting the endpoint updating mechanism. 
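For administrators who want to apply the recommendation above on the update server itself, here is an added example (written for this page, not code from the article or from Sophos) that stops the Sophos Update Manager service and prevents it from coming back on reboot. It assumes the service's display name begins with "Sophos Update Manager"; check the name on your own server first.

```powershell
# Added example (not from the article or Sophos): stop the Sophos Update Manager
# service on the update server so endpoints are not handed the bad definition set.
# Assumption: the service's display name starts with 'Sophos Update Manager'.
$services = Get-Service -DisplayName 'Sophos Update Manager*' -ErrorAction SilentlyContinue
if (-not $services) {
    Write-Warning "No service matching 'Sophos Update Manager*' found on $env:COMPUTERNAME"
    return
}
foreach ($svc in $services) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force
        # Block until the service controller reports it stopped (up to one minute)
        $svc.WaitForStatus('Stopped', '00:01:00')
    }
    # Stopping alone is not enough: a reboot would start it again and resume distribution.
    Set-Service -Name $svc.Name -StartupType Manual
    $now = Get-Service -Name $svc.Name
    Write-Output ("{0}: status={1}, startup={2}" -f $now.DisplayName, $now.Status, $now.StartType)
}
```

Run it in an elevated PowerShell session on the update server. Once the corrected definitions are confirmed, set the startup type back to Automatic and start the service again so that clients can pull the fix.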

Update: Sophos claims it will release a patch in the next hour, but it's not clear how they plan on getting end users to push that out. The bungled update actually causes endpoints to crash, so let's hope they have a workaround for that.

Update 2: Sophos have released the patch. The instructions to resolve the problem are as follows:

Please follow these steps in the console: 

1. Turn off 'on-access' scanning in all of your Anti-virus and HIPS policies.
2. Go to the Update Managers in your Enterprise Console, right-click your Update Managers and choose 'Update now'.
3. Wait for the update manager to finish downloading the latest updates (Download status changes to Matches) 
4. Edit all of your 'Updating' policies in Enterprise Console. Click on 'Schedule' and change the check for update time to 5 minutes.
5. Wait 8-10 minutes.
6. The number of false-positive Virus/Spyware detections should start falling.
7. Enable the on-access scanner when the number of false-positive detections has fallen significantly.
8. If there are any computers still showing the false-positive alert then they have either not received the latest update or the 'on-access' scanner was still enabled when they tried to update. The above steps can be repeated for just those computers.


Hello,

Sophos is a long-time anti-malware company with a great track record and a top-notch set of researchers. I hope they and their customers have a speedy recovery from this unfortunate problem.

Regards,

Aryeh Goretsky

goretsky said,
Hello,

Sophos is a long-time anti-malware company with a great track record and a top-notch set of researchers. I hope they and their customers have a speedy recovery from this unfortunate problem.

Regards,

Aryeh Goretsky

Sounds like Sophos have seen these comments and have sent one of their damage limitation robots out......

Adobe updaters and google updaters identified as malware... sounds right to me. Currently dealing with users that updated flash on their own and got the google botnet browser installed with it. I'd prefer our AV scanner blocked it!

Currently fixing this for a school. Computers that have deleted the affected files cannot update. Pushing out the client re-install doesn't appear to be working either.

SK said,
Currently fixing this for a school. Computers that have deleted the affected files cannot update. Pushing out the client re-install doesn't appear to be working either.

Same.

remixedcat said,
What anti-virus company hasn't botched an update????

Problem with this update is it's deleting their own software. This pretty much confirms that this was tested.

SK said,

Problem with this update is it's deleting their own software. This pretty much confirms that this was tested.

what? what? WHAT?!!!!

really now??? OMG

I've always wondered how this happens. Don't these companies have like an SSD in RAID with different machines each with a different version of Windows and updates with popular things such as Flash? So when they release a definition update they can use it and scan the system once with it very quickly to see if it kills anything?

Had loads of issues with the Sophos enterprise software in the past, so switched all customers (on renewal) to Trend Micro Worry-Free - and it has been!

It's not the first time they've done a definition update/application update which has caused havoc on our network. Even though we receive Sophos for free through a council agreement, I've ditched them for Microsoft Forefront for this very reason! One mistake is understandable, even two is forgiveable, but 3 or more times is just not on...

I stopped paying for security apps since Norton products, then McAfee let me down. Malwarebytes' Anti-Malware, Microsoft Security Essentials (or Forefront on my company servers) and SpyBot S&D are all you need.

Comodo Internet Security is AWESOME too, and completely FREE, even for COMMERCIAL use!! I use that on my secondary backup and test laptop. With so many free alternatives I don't see why people pay to be let down with bloatware like AVG and Norton rubbish.

Norton probably gets away with it and is only popular because PC World are such fanbois of theirs they push it to every customer coming through the door! If DSG went bust and took PixMania, Dixons and Currys with them Norton would suddenly disappear

My company had a similar issue with ESET a couple years ago where a bad update brought down many systems for a good part of the day. These things happen, unfortunately. Not condoning it, but it's not like Sophos is the only one it happens to.

Oops! But we're human, it happens, so get over it. Look what happened with the NatWest IT disaster, that soon blew over, albeit it was bigger scale than this.

To err is human, to forgive divine....

As an additional note, if you do decide to move a file to their infected folder it still pops up saying it's a problem even in there.

If you try and clear an item from the list it brings it straight back to Quarantine again... this is going to take some sorting from them!

Just popped up for me around 10 minutes ago, rather amusingly it caught their own update program so there is probably no way for it to get automatically fixed if you don't realise it is not a virus!

duddit2 said,

what?

Likely a troll reply, however, recently Microsoft released an update to WSUS (certificate related) which caused many headaches and issues... it was a wonder how it got through testing.