Possible Bug?

I originally posted this on the main Sophos forums and was chastised and told to post it here. I was directed to do this by a forum moderator, so please do not criticise me for cross-posting.

I have noticed an odd situation. I am using the free Mac edition on Lion. Sophos keeps reporting infection in a couple of files in my Time Machine backup. But it does not report infection of the same files on the primary drive where the primary/original copies of those files reside. It simply doesn't make sense that the primary/original copy of a file could be free of infection and the backup copy made from that primary/original file could be infected. Rationally, one of these things is wrong: either they are both infected or neither are infected. Not sure which is the case, but it certainly shakes my faith in Sophos AntiVirus.

Update: Since my initial posting on the main forums, I've noticed one additional apparent anomaly in this matter. Among the multiple references to "Original Locations" for each infected file are some "Original Locations" which seem to make no sense. For example, a reported infected Windows .DLL file includes an identification of originally being a .WMA file, and a reported infected Windows .EXE file includes an identification of originally being a .RM file. Ignoring the fact that these "original location" references are nonsensical, even if we were to accept for the moment that these file name/format transformations did somehow occur, there is still the fact that these referenced "original" files do not report as being infected. As I say, all this certainly shakes my faith in Sophos AntiVirus.

As I mention in the thread on the main forums, my posting was and is in reference to a possible bug and to (hopefully) bring the matter to the attention of the Sophos folks so that if it is a bug it can be addressed. This is not principally a request for support or assistance to solve/explain my dilemma, although such will be gladly accepted.

  • I'm quickly learning that Sophos does not want to know about any problems with the 'Anti-virus Home Edition', it's almost like they're refusing to stand behind their product.


  • photoglyph wrote:

    I'm quickly learning that Sophos does not want to know about any problems with the 'Anti-virus Home Edition', it's almost like they're refusing to stand behind their product.


    If they are like most anti-virus companies, their paid version uses the same basic scanning mechanism as their free version. So in general, anything that affects the free version would also affect the paid version. So while it is understandable that they may not be willing to provide full support for the free version, one would think they would be interested in any bug report, regardless of the source (free user or paid user). And regardless of the claims to the contrary, I believe most legal authorities still require a company that produces a product to assume some level of responsibility for that product, even if they give it away for free. But my impression is not just that they aren't standing behind their product but that they don't want any suggestion made that their product may not be perfect lest they lose paying customers. But in fact, I think if they try to hide issues, then more damage will be done when the issues become known. And they will be known at some point.

  • Just to avoid misunderstandings - I'm neither Sophos nor speaking on behalf of Sophos.

    Nevertheless, being responsible for support at our site, I want to add some comments which might explain the situation a little bit. While we don't have products in this sense, I know the problems in conjunction with supported/unsupported. On the one end there is supported and on the other definitely unsupported, with a large best-effort area in between (for example a web application on a non-standard platform/browser/configuration or a VPN client not on the supported list). Whenever you even only make it appear that you follow the same procedures as for the supported category, word gets around quickly and you are flooded with requests and complaints and why-not-mes? It might seem harsh and unfriendly, but my team is instructed to follow the arranged procedures - this includes neither labeling something as a "special case" and acting on their own nor promising any further handling and volunteering escalation of the request.

    @LDMartin1959: You are correct about the paid vs. free - but I can't subscribe to your conclusions/impression. Most established vendors can live with a suggestion made that their product may not be perfect. For one thing, past (perhaps erroneous, perhaps just unlucky) strategic decisions often can't be corrected immediately and you just have to face "imperfection" at least for some time. Another thing is that for corporate customers product selection is based on many factors, not just a single bug or feature. Think about - say - a digital semi-professional camera. Apart from the body you have a set of lenses you can use with different models of this vendor, you know how it works, you probably have special software and have spent quite some time to learn to work with the whole system. At one point you might have gripes because of a certain issue, but you'd think more than twice before turning to another maker (well, it's not a perfect example as you can have more than one camera - if you can afford it ;-)). Furthermore, wouldn't silently supporting a request be better suited to hide an issue than rejecting the query?

    There is a support channel (but not a one-to-one) - this forum. You've probably read that several issues reported by users have been extensively dealt with (mostly though Andrew/Agile), but there were other exchanges (and outside of this forum too) as well. Returning to paying customers - guess they'd be miffed if they got the impression that non-paying customers receive the same level of support as them (and not all of them would buy the argument that overall it's also to their benefit). Don't forget that free users get in practice the same level of frequent updates (now including real-time lookups) as paying customers (and the required infrastructure is neither free for Sophos nor is it sponsored in any way) - so the offers (free vs. paid) have to be carefully balanced (this is true for any vendor).

    Don't know what detail you have submitted to Support - unfortunately, not having Time Machine, I couldn't help you at least by trying to recreate the problem - but from your initial post there's not much to work with other than asking: What was/were the detection(s)? And where? And - are you running v7 or v8 (please excuse if I have missed it)? I see you have already provided some additional details in your edit. A (possible) issue of incorrect paths has come up in this forum here.

    As I've already been (overly) lecturing, I might as well add a word about the seriousness of the bug. Current AV's major function is on-access scanning (additionally backed by real-time threat information). While there is - as far as I can judge - definitely a bug which has to be corrected (you could restore an infected backup to a location which is exempted from on-access scanning), it seems not to affect the most important components and therefore doesn't call for all hands on deck.

    Christian

  • Hi LDMartin1959,

    First off, apologies if you feel you were "chastised" about posting on the SophosTalk forum instead of here. The intention was simply to concentrate debate in one place to make it easier for everyone else to follow the discussion. I understand you might have wanted to maximise exposure to get our attention. You have.

    Please rest assured that we do take note of your report of a possible bug, as we would with anyone posting in this forum. Why would we not? We've invested in setting up this community for precisely this reason. Your feedback is valuable. I can't see any evidence in these posts that it isn't being taken seriously. Nor do I see how a thread in a discussion forum can be construed as hiding anything. We wouldn't have forums if we didn't want discussion.

    We most certainly do stand behind our products, whether free or available via paid license. They're what we do for a living and we're proud of them. We take note of problems reported by users: that's what has driven the updates issued since the Home Edition tool was initially released. It's also the case that we take responsibility for them. As I said, we've invested a great deal in setting up and maintaining this community. Its value as a Support mechanism is demonstrated by the fact that we get next to zero attempts to gain free tools Support via other channels.

    In my role as Admin for this community, I hope I've shed some light on the way we view our products and this support community. I can't promise that our development teams will immediately drop what they're doing to look at the issue you've raised. I can, however, guarantee that if it turns out to have substance, it will not be ignored.

    Regards,

    spike

  • Spike/QC,

    I guess part of the problem stems from the lack of clarity on the part of Sophos. When someone has a possible bug to report, historically (and this may be going back before your time, depending on your age), users submit that directly to support, not through the heavy filtering of a forum (which by its very nature serves to insulate the people who need to receive such reports from those who have those reports to make). So let's consider what a customer does to report a possible bug: They look for the support option in the navigation menu. This option offers several dead ends ("support services" suggests it is an option for this, but once you get there it isn't), so you end up selecting the "contact us" option < http://www.sophos.com/en-us/support/contact-support.aspx >. Nothing about not contacting about free products there. So then the next choice is primarily between a second "contact us" page < http://www.sophos.com/en-us/support/contact-support/contact-information.aspx > which provides direct email contact information, or "submit a query" < https://secure2.sophos.com/en-us/support/contact-support/support-query.aspx >. Either seems to be appropriate since they are both addressed to support. Yet again, nothing about not contacting about free products there. Sure, there is a field for "license or serial number" but that field is optional, which is consistent with the forms for most companies since they accept issue reports for both purchased and free products through the same form mechanism. So why should I suspect any difference here, particularly (as I say) since there is nothing to indicate submissions from free product users are not welcome here. But when support responds you find that out: "Can you please provide sophos license number for further investigating?"

    Now, what about those forums. Well, let's go back to that navigation menu. The single forum option is "sophostalk community". Once you get there, there is a reference (buried at the bottom of several paragraphs; functionally equivalent to mouse print), a suggestion that "If you're a user of the brilliant, free Sophos Anti-Virus for Mac: Home Edition tool, try visiting the SophosFreeTalk online community." A suggestion, not a requirement.

    First off, burying something at the bottom of several paragraphs is a good way to hide it, not make it readily apparent and stress any importance on it. Secondly, my experience is that such forums are strictly (or at least primarily) user to user and not an adequate means to bring an issue to the attention of the company since these forums are only moderated by company staff, and even then, typically not true support people but customer service people working for the support department. The company support forums are typically at least a place where there are some technical support people, thus providing at least some possibility that the issue will be brought to the attention of those who need to at least have some influence in getting the issue looked at (although even those are secondary to a direct report of a possible bug).

    Secondly, there is again nothing to state that submissions from free product users are not welcome here. There is a suggestion to use other forums but nothing is stated specifically that questions from free users are not allowed here. In fact, there is a section SPECIFICALLY MARKED FOR QUESTIONS REGARDING FREE SOFTWARE. It's called "Sophos free tools". But post a message there and you'll find out quickly enough that you are not welcome there, despite being posted in a forum section SPECIFICALLY MARKED FOR QUESTIONS REGARDING FREE SOFTWARE.

    I think I have explained, based on Sophos' own website and the responses of its own people, how a user of Sophos free software could easily get the impression that they are being segregated from the "real" customer.

    Oh, and QC, your example of the camera sounds "good" but it's fabricated nonsense. Companies like Canon have separate sections within their forums for specific models and groups of products (pro, non-pro) but they typically do not maintain separate forums. Yes, if you post a message in the incorrect section, you will have your message moved but you won't be exiled to bum-f* where only 2nd class customers are allowed.

  • With regard to your comment about 'original locations', it's interesting that the files you mentioned originally appeared to be media files. I was recently asked by a neighbour to help them secure their Mac and ran the Home Edition product on it. It reported a whole load of Windows malware in files whose names suggested they were MP3s, WMAs or other media files. They had all been downloaded from media sharing services or sites like Limewire. Looking at the files more closely, it was clear they were Windows executables, but they had been placed on media sharing sites to try and trick Windows users into running them.

    Regarding the Time Machine issue, is it possible that the original files have been disinfected and the old copies are still there in an old backup, or are the infected items in very recent backups? If you've changed the original file, wouldn't Time Machine still keep a copy of the original as well as a copy of the new (clean) version - after all, that's what it's supposed to do in the case of legitimate changes to files such as editing documents, modifying photos, etc.

    Regards

    Rich


  • RBaldry wrote:

    With regard to your comment about 'original locations', it's interesting that the files you mentioned originally appeared to be media files. I was recently asked by a neighbour to help them secure their Mac and ran the Home Edition product on it. It reported a whole load of Windows malware in files whose names suggested they were MP3s, WMAs or other media files. They had all been downloaded from media sharing services or sites like Limewire. Looking at the files more closely, it was clear they were Windows executables, but they had been placed on media sharing sites to try and trick Windows users into running them.


    While I am aware of this trick, I can attest that this is not the case here. First, the actual files on which Sophos hit were an .exe and a .dll file (the second being part of OpenOffice for Windows). Second, it was not the files on which Sophos hit which were media files; the files identified as media files were reported in QM as the source files. Third, I viewed the reported files in my Time Machine structure and they were in fact showing as the .exe and .dll which Sophos reported. So, unless Time Machine changed the names of those files, then your example is not applicable here.


    Regarding the Time Machine issue, is it possible that the original files have been disinfected and the old copies are still there in an old backup, or are the infected items in very recent backups? If you've changed the original file, wouldn't Time Machine still keep a copy of the original as well as a copy of the new (clean) version - after all, that's what it's supposed to do in the case of legitimate changes to files such as editing documents, modifying photos, etc.

    [Response edited for clarification: 11:59 PDT] Is it possible that the original files have been disinfected and the old copies are still there in an old backup? I suppose it is possible, but I have not seen anything from Sophos to indicate that this was the case (edit: that is, nothing to indicate that the source files had been infected and had been cleaned, thus creating the situation you describe). Plus, the TM files are recent, in some cases [apparently] as they are being written to the TM archive. But again, it is the TM file that is triggering and not the source file. I am confused however by the fact that QM generally references multiple source files for the TM infected file.


    ...wouldn't Time Machine still keep a copy of the original as well as a copy of the new (clean) version - after all, that's what it's supposed to do in the case of legitimate changes to files such as editing documents, modifying photos, etc.

    Yes, TM would access, read, compare then copy the files the first time after they were changed, but after that, TM (as I understand it) only compares the current version of a file to the last backed-up version of the file. If the infected version is multiple backups in the past, why would Sophos be reading those files if I am not accessing them and if TM is no longer accessing them as part of its comparison process?

  • Since there has been some concern expressed about some of the files referenced in my comments/report (the suggestion was made that I had downloaded a video that was really a malicious program), allow me to dispel that with another example. This is an uploaded copy of the "source" file, a photo of my granddaughters taken by my wife (okay, 1-1/2 of my granddaughters):

    Now, first notice that Sophos reports this file as being clean:

    Now, let's look at the QM. In this first screen shot, observe that the file name in question is the same but the "infected" file is in the Time Machine archive (and although I was unable to show it, by hovering over the truncated path information, I confirmed that this is the correct backup file for the above indicated "source" file, not a different version of the same source file):

    Now, for more detail regarding the file path for the "infected" copy in the TM, let's look at this screen shot. You will notice that this screenshot clearly indicates that this is from the TM archive which is currently being created (".InProgress"). Further, note the times: The QM report was last night after I went to bed; the direct scan of the source file was this morning just after I got up. This is about as close to a direct, real-time comparison as I could get under the circumstances:

    Now, does anyone have any further doubts about the fact that Sophos is alerting on backup files in TM that it is not alerting on with the source file? Now, will someone please take my report seriously and stop trying to shift the blame to the "user" (who often just happens to know a bit more than you seem to want to give them credit for knowing)? Again, I have to go back to my statement that one of these things is wrong: Rationally, either they are both infected or neither are infected: Sophos is failing in a major way, by either giving totally bogus false positives or by totally missing infected files.

  • Hi LDMartin1959,

    Thanks for bringing this issue up. Yes, it's cause for concern, but not panic. The detection logic for this particular file type (Exp/MS04-028) is attempting to find JPEG files which exploit a known weakness in the Windows gdiplus.dll. So the fact that JPEG files were identified is correct and reasonably useful. The fact that files might be detected in your Time Machine backup but not on disk is odd but not entirely unbelievable - Time Machine backups are decoded and parsed differently than "regular files". This isn't supposed to lead to false positives or false negatives, of course, but please understand that it isn't entirely impossible.

    The detection logic for this particular item (Exp/MS04-028) was updated within the last few weeks. If you hadn't run a full scan recently (e.g. within the last few weeks) then perhaps the older detection logic would have generated a false positive or false negative. But assuming your system is up to date and you have run a scan recently (which I believe you say you did in your recent postings) then this is further evidence of a potential product defect.

    Unfortunately we cannot reproduce your situation in our lab (although we have tried). Other than obtaining a copy of your Time Machine backup, we are stuck having to ask and answer pretty basic questions in order to get to the bottom of the issue. I don't think anyone has attempted to "shift blame to the user" as you've suggested. As a software vendor we must be open to the idea that our software is less than perfect, and respond appropriately. There are zero posts in this forum by a Sophos employee that would suggest otherwise.

    I would say that we have taken reasonable steps to further understand the root of the problem you started to describe (and from reading this thread, your problem report changed over time). The fact that you posted a lot of detail in response to these types of questions effectively proves the point of why we might be asking these questions in the first place. I'm sorry you took offense, but please consider those posts from others at Sophos in the context of trying to find out more detail for what is obviously a non-obvious problem.

    So far we know that the image you attached to your recent post does not trigger a detection for Exp/MS04-028. But then your own machine gets that same result. Any suggestions about how we can make your problem reproducible in our test lab will be very helpful.

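    One check that would settle the question raised above before anyone blames the scanner or the file: confirm whether the Time Machine copy is byte-for-byte identical to the source. If the hashes match and only the backup copy alerts, the difference lies in how the scanner reads the backup, not in the content. This is an added example, not code from the thread or from Sophos; it assumes the Lion-era Backups.backupdb/<Machine>/<snapshot>/<Volume>/<path> layout with an ".inProgress" snapshot suffix, and it builds a constructed fake backup tree so it runs without a real Time Machine disk.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed Lion-era Time Machine layout (an assumption, not taken from the thread):
#   <tm_root>/Backups.backupdb/<Machine>/<snapshot>/<Volume>/<path on volume>
# <snapshot> is a timestamp directory, "Latest" is a symlink to the newest
# finished one, and a backup still being written carries a ".inProgress" suffix.


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large media files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_backup_copies(tm_root: Path, volume: str, rel_path: str) -> list:
    """Every snapshot's copy of rel_path, oldest first ("Latest" alias skipped)."""
    copies = []
    for machine in sorted((tm_root / "Backups.backupdb").iterdir()):
        for snapshot in sorted(machine.iterdir()):
            if snapshot.is_symlink():
                continue
            candidate = snapshot / volume / rel_path
            if candidate.is_file():
                copies.append(candidate)
    return copies


def compare_source_and_backup(source: Path, backup: Path) -> dict:
    """Is the backup copy byte-identical to the source?  identical=True with
    differing scan verdicts points at the scanner's handling of the backup,
    not at the file's content; identical=False means the two files really differ."""
    return {
        "source": str(source),
        "backup": str(backup),
        "in_progress": any(part.endswith(".inProgress") for part in backup.parts),
        "source_size": source.stat().st_size,
        "backup_size": backup.stat().st_size,
        "identical": sha256_of(source) == sha256_of(backup),
    }


def build_constructed_fixture() -> tuple:
    """Constructed sample data for a dry run: a fake source volume plus a fake
    TM disk with one finished snapshot (altered copy) and one .inProgress
    snapshot (exact copy).  Returns (source_file, tm_root)."""
    root = Path(tempfile.mkdtemp(prefix="tm_demo_"))
    photo = b"\xff\xd8\xff\xe0" + b"JFIF constructed sample " * 100 + b"\xff\xd9"
    source = root / "Macintosh HD" / "Users" / "me" / "Pictures" / "kids.jpg"
    source.parent.mkdir(parents=True)
    source.write_bytes(photo)
    machine = root / "tm" / "Backups.backupdb" / "MyMac"
    snapshots = (("2011-09-01-010000", photo[:-1] + b"\x00"),
                 ("2011-09-02-010000.inProgress", photo))
    for name, data in snapshots:
        copy = machine / name / "Macintosh HD" / "Users" / "me" / "Pictures" / "kids.jpg"
        copy.parent.mkdir(parents=True)
        copy.write_bytes(data)
    os.symlink("2011-09-01-010000", machine / "Latest")
    return source, root / "tm"


if __name__ == "__main__":
    src, tm = build_constructed_fixture()
    for copy in find_backup_copies(tm, "Macintosh HD", "Users/me/Pictures/kids.jpg"):
        print(compare_source_and_backup(src, copy))
```

    Run against a real disk by replacing the fixture with the actual source path and the mounted backup volume; a copy that reports identical=True yet scans differently is the reproduction case the thread is asking for.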
  • The only suggestion I could come up with would be to let the image be backed up onto a Time Machine volume and then see what AV does. Again, the source image passes, it's the back-up in the Time Machine that doesn't so that's where the focus should be concentrated.
