Sophos detecting itself as SHH/Updater-B

Published: 2012-09-19. Last Updated: 2012-09-19 21:39:47 UTC
by Kevin Liston (Version: 2)
6 comment(s)

The latest definition file for Sophos is having some unintended consequences.  It is currently being discussed on their website: http://community.sophos.com/t5/Sophos-Endpoint-Protection/Is-any-one-else-seing-this-alert/td-p/29723

More to come.

Update 21:39 GMT Binary updates appear to be reaching customers now.

Keywords:
6 comment(s)

Comments

- http://www.sophos.com/en-us/support/knowledgebase/118311.aspx
Updated: 19 Sep 2012
"Issue: Numerous binaries are falsely detected as ssh/updater-B.
Cause: An identity released by SophosLabs for use with our Live Protection system is causing False Positives against many binaries that have updating functionality.
What To Do: Customer should ensure that endpoints are update to date with the latest IDE files. This issue is resolved with javab-jd.ide which was released at Wed, 19 Sep 2012 18:48:35 +0000.,,
.
How that identity ever got past QC in the first place is a mystery, I mean this thing appears to have detected any file that had remotely anything to do with updating as SHH/Updater-B

Wreaked utter havoc.
AV vendors have an incredible challenge keeping up with the threats, but is there really any excuse for what appears to be absolutely no testing? I for one am making a mental note every time I see this happen (2 AV vendors so far this year) and it will influence my company's buying decisions.
This is actually more serious than Sophos is making it out to be. I posted a comment to:
http://nakedsecurity.sophos.com/2012/09/19/sshupdater-b-fsophos-anti-virus-products/
but my message was never approved by their blog admin.
I'm hoping I can share my story here.
shh/updater-b did not only detect Sophos itself as a threat, but many other updater services as well. We have been able through our logs to pinpoint Adobe Flash, Oracle Java, Fujitsu AutoUpdater, Dell AutoUpdate Utilities, etc.
If you read what they describe in the link I provided in regards to protection levels set to move or delete infected files this is where the big problem resides. We had our Sophos install setup to move/delete infected/suspected files.
All of the auto-updaters mentioned above were deleted off hundreds of PCs. Now none of these applications will auto-update moving forward.
What makes my story unique is we are a medical facility. Our Electronic Health Records (EHR) application had a DLL used for auto-updating that application that was detected and deleted as a part of the shh/updater-b false positive fiasco. The absence of this DLL file prevented the application from opening and crashed every time you tried to load it. This created a threat to patient safety for us. Even though Sophos may have fixed the problem and fixed their own software, there is a monumental amount of work we have to do to clean up after this mess. I've worked in IT for 16 years and have NEVER had a virus/trojan/spyware/malware cause problems and disrupt our systems the way this did. Who can I trust anymore when even my security AV vendor can wreak more havoc on our systems than a virus infection outbreak can.
I should also note that we found a number of other products as well such as Adobe Reader, etc. It seems like any binaries (EXE, DLL) that seem to use Java code to autoupdate their applications are caught up in this although I can't confirm. My technology reseller has informed me that one of the biggest customers of Sophos is government agencies. We now as of today have millions of Sophos customers with an AV product that is not able to receive definition updates and the auto-updaters for applications/plugins that are under high attack like Flash and Java are no longer updating moving forward as well. This couldn't come at a worse time when cyber threat levels are being elevated due to a number of high profile exploits currently in the wild.
- http://www.sophos.com/en-us/support/knowledgebase/118322.aspx
Updated: 22 Sep 2012
- http://www.sophos.com/en-us/support/knowledgebase/118323.aspx
Updated: 22 Sep 2012
- http://www.sophos.com/en-us/support/knowledgebase/118315.aspx
Updated: 22 Sep 2012
.

Diary Archives