Opinion on the updater snafu from a Senior Admin

I've been in this business over 30 years, and I have, believe me, gone through Hell with a lot of previous anti-virus products in the past. Sophos was, and still is in my opinion, the best and easiest to administer. So, it's amusing to read some of the posts on the Internet from rookie admins doing a good imitation of a Drama Queen. Knee-jerk reactions won't do you any good when something like this happens. I, too, could not get through to Sophos yesterday afternoon. But, I understood that their phone lines were probably overtaxed, so I just waited for them to fix the problem, applied the fixes from other admins I found on the Net, and by the time I went home to a cold supper, things were more or less back to normal.

Now, having said all that, and holding Sophos in such high esteem for so long, I'm as disappointed as anyone over this. I expect, in fact I demand, more from Sophos. If they want to be held up as the gold standard in this business, they'd better review procedures and try to make sure this doesn't happen again. Furthermore, a supreme gesture of good faith would be some sort of discount on their loyal customers' next maintenance contract.

  • Even though FPing their own files is bad - that Sophos don't exempt their own files is actually a good thing IMO.

    At this point it's still mere speculation. And like probably many others I'm trying to imagine a probable scenario. Right now I'm leaning to a slip-up during release, an "experimental generic but targeted detection". Looks like it is/was supposed to verify the integrity of various vendors' updating components (updaters, callers and supporting libraries) with additional emphasis on AutoUpdate. In addition it's instructed to call home (viz: to use Live Protection). Now I think that it (at least the version distributed) has not passed QA. Presumably it wasn't even intended for release but "somehow" managed to slip in.

    What's rarely, if ever, seen from "our side" is the struggle to provide timely and effective protection. Malware is a highly organized and profitable business and the "products" undergo regular and sophisticated development and testing. AV companies naturally don't wait for final versions to be released but prepare for expected (and sometimes announced) new features in the malware. New proactive detections might catch alpha or beta versions and thus facilitate further specific measures. Labs is not just sitting and waiting for samples to be submitted and writing a detection in response. That's no excuse for what we have seen, but maybe it puts the whole "mess" into perspective.

    Christian
