
SANS ISC: Sophos detecting itself as SHH/Updater-B - Internet Security | DShield SANS ISC InfoSec Forums


Sophos detecting itself as SHH/Updater-B

The latest definition file for Sophos is having some unintended consequences.  It is currently being discussed on their website: http://community.sophos.com/t5/Sophos-Endpoint-Protection/Is-any-one-else-seing-this-alert/td-p/29723

More to come.

Kevin Liston

292 Posts
ISC Handler
- http://www.sophos.com/en-us/support/knowledgebase/118311.aspx
Updated: 19 Sep 2012
"Issue: Numerous binaries are falsely detected as ssh/updater-B.
Cause: An identity released by SophosLabs for use with our Live Protection system is causing False Positives against many binaries that have updating functionality.
What To Do: Customer should ensure that endpoints are up to date with the latest IDE files. This issue is resolved with javab-jd.ide which was released at Wed, 19 Sep 2012 18:48:35 +0000."
Jack

160 Posts
How that identity ever got past QC in the first place is a mystery. I mean, this thing appears to have detected any file that had remotely anything to do with updating as SHH/Updater-B.

Wreaked utter havoc.
Chavez243

15 Posts
AV vendors have an incredible challenge keeping up with the threats, but is there really any excuse for what appears to be absolutely no testing? I for one am making a mental note every time I see this happen (2 AV vendors so far this year) and it will influence my company's buying decisions.
PhilBAR

24 Posts
This is actually more serious than Sophos is making it out to be. I posted a comment to:
http://nakedsecurity.sophos.com/2012/09/19/sshupdater-b-fsophos-anti-virus-products/
but my message was never approved by their blog admin.
I'm hoping I can share my story here.
shh/updater-b did not only detect Sophos itself as a threat, but many other updater services as well. We have been able through our logs to pinpoint Adobe Flash, Oracle Java, Fujitsu AutoUpdater, Dell AutoUpdate Utilities, etc.
If you read what they describe in the link I provided in regards to protection levels set to move or delete infected files, this is where the big problem resides. We had our Sophos install set up to move/delete infected/suspected files.
All of the auto-updaters mentioned above were deleted off hundreds of PCs. Now none of these applications will auto-update moving forward.
What makes my story unique is we are a medical facility. Our Electronic Health Records (EHR) application had a DLL used for auto-updating that application that was detected and deleted as a part of the shh/updater-b false positive fiasco. The absence of this DLL file prevented the application from opening, and it crashed every time you tried to load it. This created a threat to patient safety for us. Even though Sophos may have fixed the problem and fixed their own software, there is a monumental amount of work we have to do to clean up after this mess. I've worked in IT for 16 years and have NEVER had a virus/trojan/spyware/malware cause problems and disrupt our systems the way this did. Who can I trust anymore when even my security AV vendor can wreak more havoc on our systems than a virus infection outbreak can?
PhilBAR
2 Posts
I should also note that we found a number of other products as well such as Adobe Reader, etc. It seems like any binaries (EXE, DLL) that seem to use Java code to autoupdate their applications are caught up in this although I can't confirm. My technology reseller has informed me that one of the biggest customers of Sophos is government agencies. We now as of today have millions of Sophos customers with an AV product that is not able to receive definition updates and the auto-updaters for applications/plugins that are under high attack like Flash and Java are no longer updating moving forward as well. This couldn't come at a worse time when cyber threat levels are being elevated due to a number of high profile exploits currently in the wild.
PhilBAR
2 Posts
- http://www.sophos.com/en-us/support/knowledgebase/118322.aspx
Updated: 22 Sep 2012
- http://www.sophos.com/en-us/support/knowledgebase/118323.aspx
Updated: 22 Sep 2012
- http://www.sophos.com/en-us/support/knowledgebase/118315.aspx
Updated: 22 Sep 2012
Jack

160 Posts
