09-21-12 | Blog Post
On Wednesday, the Sophos antivirus software started detecting its own program updates as malware, and subsequently quarantined the executable files. As a result, the updating function was disabled and unable to update, according to ZDNet.com.
Below is a screenshot of the false positive ‘malware’ from Sophos.com, detected as Shh/Updater-B:
Sophos.com reports that by enabling Live Protection, you should no longer see the detections, since the files are now marked ‘clean’ in the Live Protection cloud. If you don’t have Live Protection enabled, once javab-jd.ide has been downloaded by your endpoint computers, you will stop seeing detections.
Sophos is directing users to this knowledgebase article that provides more information about the false positives and how to update endpoints with the latest IDE files: Advisory: Shh/Updater-B False Positives. The steps, with more detail in the article, are:
What could have caused this bug? One theory attributes the issue to the lack of developer testing during the development cycle, and the failure to check code for bugs or security vulnerabilities. According to a survey conducted by Forrester Consulting and software vendor Coverity, more than 70 percent of respondents that had experienced a security incident also claimed there was a lack of security and technology processes for their developers.
Meanwhile, 79 percent of respondents could not keep pace with the rising code volume, and more than 60 percent stated there was not enough security funding. The short time-to-market also forced 41 percent of respondents to put security during development on the back burner.
“This has lots to do with developers being pressured to get out code,” said Steve Aiello, Sr. Systems Engineer, CISSP at Online Tech. “The primary objective in many companies is to make money, and that means the developers are pushed to get their product out quickly. This is a really good case and point on how even in the security industry, these things can happen.”
The issue has affected users and partners worldwide. If you need more technical support or want to read how others are handling the issue, visit SophosTalk, the Sophos community forum for Sophos Endpoint Protection.
References:
Sophos Antivirus Detects Own Update as False Positive Malware
Shh/Updater-B False Positive by Sophos Anti-Virus Products
Study Finds Web Developers Undertake Too Little Vulnerability Testing