I teach 109

I'm Luke, I teach CMPT-109 at Montclair State University and this is my blog.


Sophos Antivirus False Positives


technology

It has come to my attention that the latest definition update for Sophos Antivirus has been causing false positive detections that may leave the client in a broken state. This is relevant because the Montclair State Office of Information Technology uses Sophos as the primary virus protection agent on all university machines and distributes its copies to all students and instructors.

There is a thread about it on the official Sophos forums, and another one at /r/sysadmin. There is also an official Sophos Advisory that includes detailed instructions on resolving the issue. Unfortunately, these instructions are targeted at systems administrators and server maintainers rather than end users.

The specifics of the problem are as worrisome as they are interesting. Apparently the update caused Sophos to detect one of its own internal files as a possible infection. That file happened to be the component responsible for downloading and updating virus definitions from the internet. Normally such an issue could be easily fixed by pushing out another definition update that overrides the previous one.

Unfortunately since the affected file is the Sophos auto-update program, chances are it will be marked as an infection and quarantined or deleted before that happens. Therefore every affected client will become stuck in a broken state without the ability to update itself.
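To make the failure mode concrete, here is a small toy model I have added for illustration; it is not Sophos code, contains no real detection signature, and all component names (such as "autoupdate") are made up. It shows why a corrected definition set cannot repair a client once the updater itself has been quarantined, why a reinstall does, and how a client that refuses to quarantine its own components (an assumed self-protection rule, not a description of how Sophos actually behaves) never enters the broken state in the first place.

```python
# Toy model of an antivirus client whose definition update flags its own
# self-update component. Every name here is constructed for illustration.

from dataclasses import dataclass, field

UPDATER = "autoupdate"                        # constructed name for the updater
CORE_COMPONENTS = {UPDATER, "scanner", "service"}


@dataclass
class Client:
    files: set = field(default_factory=lambda: set(CORE_COMPONENTS))
    definitions: set = field(default_factory=set)  # names the scanner treats as malicious
    quarantine: set = field(default_factory=set)
    self_protect: bool = False  # hardened variant: never quarantine own components

    def scan(self):
        """Move every present file that matches the current definitions into quarantine."""
        for name in sorted(self.files & self.definitions):
            if self.self_protect and name in CORE_COMPONENTS:
                continue  # assumed self-protection rule: own components are never quarantined
            self.files.remove(name)
            self.quarantine.add(name)
        return sorted(self.quarantine)

    def update(self, new_definitions):
        """Fetch a new definition set. Only possible while the updater is still present."""
        if UPDATER not in self.files:
            return False  # broken state: nothing left to download the fix with
        self.definitions = set(new_definitions)
        self.scan()
        return True

    def reinstall(self):
        """Model an uninstall/reinstall: restore components and clear stale definitions."""
        self.files |= CORE_COMPONENTS
        self.quarantine -= CORE_COMPONENTS
        self.definitions = set()


BAD_DEFINITIONS = {"real-malware", UPDATER}  # constructed faulty update
FIXED_DEFINITIONS = {"real-malware"}         # constructed corrected update


def simulate(self_protect=False):
    """Apply the faulty update, then try to apply the corrected one."""
    client = Client(self_protect=self_protect)
    client.update(BAD_DEFINITIONS)
    stuck = not client.update(FIXED_DEFINITIONS)
    return {"quarantined": sorted(client.quarantine), "stuck": stuck, "client": client}


def recover_by_reinstall(client):
    """After a reinstall the corrected definitions can be pulled again."""
    client.reinstall()
    return client.update(FIXED_DEFINITIONS)


if __name__ == "__main__":
    result = simulate()
    print("default client quarantined:", result["quarantined"], "stuck:", result["stuck"])
    print("update works after reinstall:", recover_by_reinstall(result["client"]))
    hardened = simulate(self_protect=True)
    print("self-protecting client stuck:", hardened["stuck"])
```

The model makes the circular dependency visible: the corrected definitions are only ever applied by the component the faulty definitions removed, so the fix has to arrive by a path that does not depend on the updater, which is exactly why a reinstall works when a follow-up update cannot.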

As far as I can tell, the best solution for end users is to:

  • Un-install and re-install the Sophos client.

MSU students and faculty should be able to download it from the OIT Software Repository.

This issue has been verified to affect Windows users. I’m not sure if it impacts Mac users. I’m also not certain if the MSU community will be affected by this glitch. OIT may not have pushed the faulty patch yet. If they did, they might issue an official fix as well. If that happens I will post an update here.

Update

Got a confirmation that, yes, the MSU community is affected. Only Windows users may see this issue. As yet, there seems to be no official fix, therefore the re-install workaround is probably the simplest route to resolve it for end users.

Update 2 (9/21/12)

The OIT sent out an official advisory email last night. They recommend holding off on attempts to fix this issue yourself:

There is no immediate action you need to take at this time. Information Technology has evaluated the problem and is currently testing a solution based in part on Sophos’s own published suggested fixes. We will be coordinating efforts with Sophos, Inc. and the technology support teams in the various colleges to implement the solution as soon as possible.

So they are aware of the issue and are working to resolve it. I recommend watching your MSU email for follow-up instructions.