Sophos False Positive with WinLogon.EXE

nadnerB

Bad news for those running Sophos, an update is detecting winlogon.exe as a Trojan (I sense giggles from the Linux users )

Dipping sauces:
http://www.theregister.co.uk/2016/09/05/sophos_black_screen_snafu/
http://www.itnews.com.au/news/sophos-antivirus-gaffe-locks-out-windows-users-436333?

Fix:
https://community.sophos.com/kb/en-us/125000

travisdh1

@nadnerB said in Sophos False Positive with WinLogon.EXE:

Bad news for those running Sophos, an update is detecting winlogon.exe as a Trojan (I sense giggles from the Linux users )

Why whatever would we giggle about, next thing we know someone replaces the correct ls command with a rootkit version

scottalanmiller

Snicker

iroal

@nadnerB said in Sophos False Positive with WinLogon.EXE:

Bad news for those running Sophos, an update is detecting winlogon.exe as a Trojan (I sense giggles from the Linux users )

Dipping sauces:
http://www.theregister.co.uk/2016/09/05/sophos_black_screen_snafu/
http://www.itnews.com.au/news/sophos-antivirus-gaffe-locks-out-windows-users-436333?

Fix:
https://community.sophos.com/kb/en-us/125000

This is the reason I don't like to install Antivirus in windows servers, except specifics cases.

I had a similar case with Nod32 in a Windows 2003 Server, It started to detect all Dlls in System 32 as Virus.. It was a mess

IRJ

Yep. Saw all the alerts this morning. We are Sophos users.

scottalanmiller

@iroal said in Sophos False Positive with WinLogon.EXE:

@nadnerB said in Sophos False Positive with WinLogon.EXE:

Bad news for those running Sophos, an update is detecting winlogon.exe as a Trojan (I sense giggles from the Linux users )

Dipping sauces:
http://www.theregister.co.uk/2016/09/05/sophos_black_screen_snafu/
http://www.itnews.com.au/news/sophos-antivirus-gaffe-locks-out-windows-users-436333?

Fix:
https://community.sophos.com/kb/en-us/125000

This is the reason I don't like to install Antivirus in windows servers, except specifics cases.

I had a similar case with Nod32 in a Windows 2003 Server, It started to detect all Dlls in System 32 as Virus.. It was a mess

But I think what is important is installing good software of any type. Nod32 is, of course, bad. So using that as an example of why not to use AV makes no sense. There is bad, dangerous or worthless software in every category. But we don't avoid all software for that reason. We strive to use good software and products. There are terrible operating systems out there, but we don't rule out Windows just because some other OS is bad. The flaw is with that software, not with Microsoft or Windows. The issues with Nod32 are ESET's problems, not antivirus problems. You are using "bad software experience" and leveraging it incorrectly. It should have made you wary of ESET, not wary of AV.

iroal

@scottalanmiller said in Sophos False Positive with WinLogon.EXE:

@iroal said in Sophos False Positive with WinLogon.EXE:

@nadnerB said in Sophos False Positive with WinLogon.EXE:

Bad news for those running Sophos, an update is detecting winlogon.exe as a Trojan (I sense giggles from the Linux users )

Dipping sauces:
http://www.theregister.co.uk/2016/09/05/sophos_black_screen_snafu/
http://www.itnews.com.au/news/sophos-antivirus-gaffe-locks-out-windows-users-436333?

Fix:
https://community.sophos.com/kb/en-us/125000

This is the reason I don't like to install Antivirus in windows servers, except specifics cases.

I had a similar case with Nod32 in a Windows 2003 Server, It started to detect all Dlls in System 32 as Virus.. It was a mess

But I think what is important is installing good software of any type. Nod32 is, of course, bad. So using that as an example of why not to use AV makes no sense. There is bad, dangerous or worthless software in every category. But we don't avoid all software for that reason. We strive to use good software and products. There are terrible operating systems out there, but we don't rule out Windows just because some other OS is bad. The flaw is with that software, not with Microsoft or Windows. The issues with Nod32 are ESET's problems, not antivirus problems. You are using "bad software experience" and leveraging it incorrectly. It should have made you wary of ESET, not wary of AV.

The problem is that almost all Av companies have had similars issues.

I execute all weeks malwarebytes and Gdata Antivirus in all my servers to check the files but don't let them to be online.

scottalanmiller

@iroal said in Sophos False Positive with WinLogon.EXE:

The problem is that almost all Av companies have had similars issues.

It's true, most have. But none that we use do we know of having had any Nothing will be 100% perfect. But we've not had a false positive in decades. It's not a common thing. But they do stop a lot of threats.

aaron-closed account

This post is deleted!

scottalanmiller

Sophos is decent, I'd definitely not be too wary of it. But neither does it make my "going to pay for and deploy this" list

JaredBusch

@scottalanmiller said in Sophos False Positive with WinLogon.EXE:

@iroal said in Sophos False Positive with WinLogon.EXE:

The problem is that almost all Av companies have had similars issues.

It's true, most have. But none that we use do we know of having had any Nothing will be 100% perfect. But we've not had a false positive in decades. It's not a common thing. But they do stop a lot of threats.

We get false positives from Webroot all of the time. But it is from custom manufacturer software that is poorly written. So I do not blame Webroot. Just add a new exception every time it happens.

Dashrender

other than webroot, who's had more false positives at my one client who uses them than panda that I have been running for 10+ years.

StrongBad

@Dashrender said in Sophos False Positive with WinLogon.EXE:

other than webroot, who's had more false positives at my one client who uses them than panda that I have been running for 10+ years.

I'm not understanding your statement. This feels like only part of a sentence. Is this a question?

Dashrender

@StrongBad said in Sophos False Positive with WinLogon.EXE:

@Dashrender said in Sophos False Positive with WinLogon.EXE:

other than webroot, who's had more false positives at my one client who uses them than panda that I have been running for 10+ years.

I'm not understanding your statement. This feels like only part of a sentence. Is this a question?

It's a statement - I'll re-word.

Webroot has had more false positives in the 3 years a client of mine has been using Webroot, than I have had in the 10+ years another client has been using Panda AV.

So while I love Webroot (primarily the journaling), it does require more support than other options I have/do use.

StrongBad

@Dashrender said in Sophos False Positive with WinLogon.EXE:

@StrongBad said in Sophos False Positive with WinLogon.EXE:

@Dashrender said in Sophos False Positive with WinLogon.EXE:

other than webroot, who's had more false positives at my one client who uses them than panda that I have been running for 10+ years.

I'm not understanding your statement. This feels like only part of a sentence. Is this a question?

It's a statement - I'll re-word.

Webroot has had more false positives in the 3 years a client of mine has been using Webroot, than I have had in the 10+ years another client has been using Panda AV.

So while I love Webroot (primarily the journaling), it does require more support than other options I have/do use.

I see, thanks for the clarification. That's not what I had read you to mean at all. That makes more sense.