In the accelerating race against viruses and malware, a trade-off we are seeing more frequently are the false-positives. Companies like Avast, McAfee, and others have all experienced them and last week was Sophos’ turn. The company’s anti-virus software would report that “‘Virus/spyware’ Shh/Updater-B has been detected and moved to quarantine” on Windows computers.
Sophos started detecting its own auto-update mechanisms and some others like Adobe Flash. Of course, this could prevent Sophos from being able to automatically address the problem with the next definition update. If your policy was set to only quarantine items, the updater files can be restored from quarantine from the Sophos Enterprise Console. If your policy was set to delete the files, you are in a worse position and are recommended to change your policy to quarantine first.
A support forum thread was opened September 19th and has since received over 1000 replies and over 37,800 views. The company acknowledged the issue in a knowledge base article and a blog post. The blog post received 97 comments from individuals hoping to find a solution to the problem while Sophos reports receiving a high number of calls.
The knowledge base articles have been updated through the week with them receiving another update today. Sophos has provided recovery instructions for:
Sophos would be in a hard position to explain how this false positive made it past quality assurance. Some false positives are understandable if they occur on select operating systems or with certain legitimate software (like Avast’s false-positive with Steam). It would be impossible to test against all legitimate software out there but when it is the included updating mechanism and popular, free software like Adobe Flash, it seems like the QA step might have been skipped all together.
Best of luck if you’re trying to recover and we can hope Sophos puts more policies and procedures in place to prevent this from happening again.