OnQ

The worklife blog of Eriq Oliver Neale...

On False Positives

Sophos is not immune, either.

Over the last couple of years, several anti-virus vendors have had some bad press related to false positives that deleted significant or important files from systems. My anti-virus vendor of choice, Sophos, has not been one of those mentioned. Until today.

Last night, I received antivirus alerts from several systems that Sophos had found and taken action on several files, most notably QuickBooks files (C:\Program Files\Intuit\QuickBooks 2009\Components\PConfig\Data1.cab, although it was the same thing for versions all the way back to 2006 as well). I had already been in the process of changing the default actions of Sophos to "quarantine" instead of "delete" but had not hit all of my systems with that update yet. I put a quick call in to Sophos tech support early this morning (gotta love that 24x7 support when you need it) and found out that their update released last night before 9pm CST had a false positive string in it, and the scheduled scans I had set to run at 9pm on these systems used that false positive update and nuked these QB files. Sophos did report that they have already released additional updates that have alleviated the problem, but because of the timing of the updates and the timing of my scheduled scans, several of my clients have QuickBooks data files that I get to go back and restore.

In the grand scheme of things, this isn't huge (like nuking a Windows system file) but for my accounting and financial services clients, well, it's a good thing it happened on Thanksgiving morning so it will minimize the impact on their operations. We'll be able to restore the specific file from backup in most cases, and worst case do a reinstall of the app on a workstation. Much better than having to rebuild a box or reload the OS.

Over the weekend, I'll be finishing up getting my Sophos configs updated to "quarantine" and not "delete" to help protect against future false positives. Still, just goes to show, it can happen to anyone. Past history of false positives (or lack thereof) shouldn't be the only deciding factor in choosing an anti-virus solution for your business or your clients.
