OSX/Inqtana.A, OSX/Inqtana.B worm (#3): Sophos fixes false positive flaw
As we noted yesterday, Sophos' AntiVirus software was generating false positives for the "OSX/Inqtana.B worm", prompting users to delete critical application and system files and causing serious problems.
The company has now fixed the issue (in fact, a patch was issued only a few hours after the release of the flawed definition), and users now report running Sophos AntiVirus without false positives.
In a statement, Sophos says:
"Sophos apologizes for any inconvenience that this problem has caused. Measures have been put in place to ensure that the problem does not occur again. Any customers who require further guidance are recommended to contact Sophos Technical Support."
Still, many users did not receive the second patch until it was too late.
One reader writes:
"Indeed Microsoft, Stuffit and Adobe applications were soon in a fine mess and not usable at all. From the ± 190.000 files scanned with Sophos there were about 43 files infected and deleted in the same sweep. After the "virus" was removed/deleted by running Sophos a couple of times, and bearing in mind that in the worst case I had to rebuild the Mac, I simply started to test which programs were not usable or responding.
"All the Stuffit related programs I had to reinstall, and in my case reinstalling the latest update for the Microsoft Office application was enough to make things work again. Hence, I didn't have a lot of time to test it all properly, but they are at least accessible and one can work in them."
This issue should serve as a reminder not to enable automatic deletion of "infected" files in AntiVirus scanning software, and instead to delete such items manually, only after verifying that an infection is actually possible.
In this case, for instance, no user running Mac OS X 10.4.5 could possibly have been infected with the Inqtana worm in its currently known forms, so a report of infection on a system running Mac OS X 10.4.5 should itself raise suspicion.
Feedback? Late-breakers@macfixit.com.
Previous coverage:
- OSX/Inqtana.A, OSX/Inqtana.B worm (#2): Sophos AntiVirus software generating false positives, wreaking system havoc
- OSX/Inqtana.A worm affects older versions of Mac OS X 10.4.x (Tiger) -- not found in wild


Reader comments:

and still use crap like Virex, Norton, etc., etc... you get what you deserve.

implication that it is trouble-free. In fact, there have been cases where there have been bad virus definition updates for ClamAV (like the one for Sophos yesterday, they were fixed within a couple of hours). WE didn't notice because the problems did not involve Mac malware.

The fact is, yes, there are bad anti-virus products out there (Virex). I consider Norton Anti-Virus to be only marginally better because of their lame subscription fee. However, to bunch Sophos Anti-Virus in with those products and label them all as "crap" is highly inaccurate, not to mention foolish.
---
Gann Matsuda
- by gmatsuda February 23, 2006 1:04 PM PST

One more thing...no anti-virus solution is perfect. I've seen ClamAV miss malware files, and I've seen Sophos do the same. I run both on my mail server, scanning e-mail messages. When one misses something, the other catches it virtually every time.

So...what was your point again?
---
Gann Matsuda