Possible Bug?

I originally posted this on the main Sophos forums and was chastised and told to post it here. I was directed to do this by a forum moderator, so please do not criticise me for cross-posting.

I have noticed an odd situation. I am using the free Mac edition on Lion. Sophos keeps reporting infection in a couple of files in my Time Machine backup. But it does not report infection of the same files on the primary drive where the primary/original copies of those files reside. It simply doesn't make sense that the primary/original copy of a file could be free of infection and the backup copy made from that primary/original file could be infected. Rationally, one of these things is wrong: either they are both infected or neither is infected. Not sure which is the case, but it certainly shakes my faith in Sophos AntiVirus.

Update: Since my initial posting on the main forums, I've noticed one additional apparent anomaly in this matter. Among the multiple references to "Original Locations" for each infected file are some "Original Locations" which seem to make no sense. For example, a reported infected Windows .DLL file includes an identification of originally being a .WMA file, and a reported infected Windows .EXE file includes an identification of originally being a .RM file. Ignoring the fact that these "original location" references are nonsensical, even if we were to accept for the moment that these file name/format transformations did somehow occur, there is still the fact that these referenced "original" files do not report as being infected. As I say, all this certainly shakes my faith in Sophos AntiVirus.

As I mention in the thread on the main forums, my posting was and is in reference to a possible bug and to (hopefully) bring the matter to the attention of the Sophos folks so that if it is a bug it can be addressed. This is not principally a request for support or assistance to solve/explain my dilemma, although such will be gladly accepted.



This thread was automatically locked due to age.
  • Hi LDMartin1959,

    Thanks for bringing this issue up. Yes, it's cause for concern, but not panic. The detection logic for this particular file type (Exp/MS04-028) is attempting to find JPEG files which exploit a known weakness in the Windows gdiplus.dll. So the fact that JPEG files were identified is correct and reasonably useful. The fact that files might be detected in your Time Machine backup but not on disk is odd but not entirely unbelievable - Time Machine backups are decoded and parsed differently than "regular files". This isn't supposed to lead to false positives or false negatives, of course, but please understand that it isn't entirely impossible.

    The detection logic for this particular item (Exp/MS04-028) was updated within the last few weeks. If you hadn't run a full scan recently (e.g. within the last few weeks) then perhaps the older detection logic would have generated a false positive or false negative. But assuming your system is up to date and you have run a scan recently (which I believe you say you did in your recent postings) then this is further evidence of a potential product defect.

    Unfortunately we cannot reproduce your situation in our lab (although we have tried). Other than obtaining a copy of your Time Machine backup, we are stuck having to ask and answer pretty basic questions in order to get to the bottom of the issue. I don't think anyone has attempted to "shift blame to the user" as you've suggested. As a software vendor we must be open to the idea that our software is less than perfect, and respond appropriately. There are zero posts in this forum by a Sophos employee that would suggest otherwise.

    I would say that we have taken reasonable steps to further understand the root of the problem you started to describe (and from reading this thread, your problem report changed over time). The fact that you posted a lot of detail in response to these types of questions effectively proves the point of why we might be asking these questions in the first place. I'm sorry you took offense, but please consider those posts from others at Sophos in the context of trying to find out more detail for what is obviously a non-obvious problem.

    So far we know that the image you attached to your recent post does not trigger a detection for Exp/MS04-028. But then your own machine gets that same result. Any suggestions about how we can make your problem reproducible in our test lab will be very helpful.

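The reply above says the Exp/MS04-028 logic looks for JPEG files that abuse the gdiplus.dll weakness, and the original post argues that an original and its backup copy must either both be flagged or neither. The following is an added example written for this page, not code from the thread, from Sophos, or from any Sophos signature: it walks the JPEG marker segments and flags the publicly documented MS04-028 trigger (a COM segment, marker 0xFFFE, whose length field is 0 or 1, which the vulnerable gdiplus.dll underflowed when subtracting the two length bytes), and it pairs that with the check a practitioner would run on the poster's situation: hash the on-disk original and the Time Machine copy and scan both, so a differing verdict on byte-identical input points at the scanner path rather than at the file. The heuristic here is an illustration of the class of check, not Sophos's actual detection, and the two sample JPEG headers (BENIGN, EXPLOIT_PATTERN) are constructed inline.

```python
import hashlib
import struct

SOI = b"\xff\xd8"
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> list:
    """Walk JPEG header segments and return a list of findings (empty = clean).

    Each non-standalone segment is 0xFF <marker> <2-byte big-endian length>,
    and the length includes its own two bytes, so anything below 2 is malformed.
    The MS04-028 exploit pattern is exactly that: a COM (0xFFFE) segment whose
    length is 0 or 1.
    """
    findings = []
    if not data.startswith(SOI):
        return ["not a JPEG (missing SOI)"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:      # EOI: done
                break
            pos += 2
            continue
        if marker == 0xDA:          # SOS: entropy-coded data follows, stop here
            break
        if pos + 4 > len(data):
            findings.append(f"truncated segment header at offset {pos}")
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            name = "COM" if marker == 0xFE else f"0xFF{marker:02X}"
            tag = "MS04-028 pattern" if marker == 0xFE else "malformed length"
            findings.append(f"{name} segment at offset {pos} has length {length} (<2): {tag}")
            break
        pos += 2 + length
    return findings


def compare_copies(original: bytes, backup: bytes) -> dict:
    """Scan an original and its backup copy and say whether they are byte-identical.

    If 'identical' is True but the two findings lists differ, the scanner, not
    the file, is producing the inconsistency.
    """
    return {
        "identical": hashlib.sha256(original).digest() == hashlib.sha256(backup).digest(),
        "original_findings": scan_jpeg(original),
        "backup_findings": scan_jpeg(backup),
    }


def _jpeg_with_com(com_length_field: int) -> bytes:
    # Constructed sample: SOI, a 16-byte APP0/JFIF segment, a COM segment whose
    # length field is supplied by the caller (payload is always 5 bytes), then EOI.
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + struct.pack(">H", com_length_field) + b"hello"
    return SOI + app0 + com + b"\xff\xd9"


BENIGN = _jpeg_with_com(7)           # correct length: 2 + len(b"hello")
EXPLOIT_PATTERN = _jpeg_with_com(1)  # length < 2: the MS04-028 trigger

if __name__ == "__main__":
    print("benign:", scan_jpeg(BENIGN))
    print("exploit pattern:", scan_jpeg(EXPLOIT_PATTERN))
    print("original vs backup:", compare_copies(BENIGN, BENIGN))
```

On a real machine the two inputs to compare_copies would be the file on the primary drive and its counterpart under the Backups.backupdb tree; if the hashes match and one scan verdict still differs, the difference comes from how the backup is being decoded, which is the possibility the reply raises.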