The Sophos forums are buzzing today with reports of an issue with Sophos antivirus. The company released an update (as it does every day), but the latest update appears to incorrectly class innocent files as viruses.
The update detects any software that includes an updater, such as Adobe Flash Updater, Google Update or Adobe Reader Updater as a virus and repeatedly warns the user about it. If configured to send emails (as many corporates have), support desks have been inundated with requests for help from their users with the "Updater-B" virus. Some very large clients are affected, such as the University of Texas.
On the Sophos forums there are 14 pages of users reporting issues already, and many are saying that their Sophos has crippled its own updating process, so even if the company does push out an update it will be near impossible to update the clients to resolve it.
Neowin contacted Sophos for comment who responded with "we are aware of the problems and are working on this issue at this time." They also responded to a forum user via email:
I am sorry currently this is a false positive, we have removed the bad detection and you should see the detections begin to go away. Please let me know if you have any further questions.
Sophos Technical Support
Right now, we recommend you disable your Sophos Update Manager by stopping the service on your update server, to avoid corrupting the endpoint updating mechanism.
Update: Sophos claims it will release a patch in the next hour, but its not clear how they plan on getting end users to push that out. The bungled update actually causes endpoints to crash, so lets hope they have a workaround for that.
Update 2: Sophos have released the patch. The instructions to resolve the problem are as follows:
Please follow these steps in the console:
1. Turn-off "on-access" scanning in all of your Anti-virus and HIPS policy.
2. Go to the Update Managers in your Enterprise Console, right-click your Update Managers and choose "Update now".
3. Wait for the update manager to finish downloading the latest updates (Download status changes to Matches)
4. Edit all of your "Updating" policies in Enterprise Console. Click on "Schedule" and change the check for update time to 5 minutes.
5. Wait 8-10 minutes.
10. The number of false-positive Virus/Spyware detection should start falling.
11. Enable the on-access scanner when the number of false-positive detection has fallen significantly.
12. If there are any computers still showing the false-positive alert then they have either not received the latest update or the "on-access" scanner was still enabled when they tried to update. The above steps can be repeated for just those computers.